Essential maintenance and troubleshooting commands for Ubuntu servers. Each entry includes a quick explanation so operators understand the effect before running it - use the Copy button to move the command to your clipboard instantly.

• sudo apt update && sudo apt upgrade -y

  Refresh package indexes and apply all available upgrades unattended to keep the system patched.

  Copy
• sudo apt autoremove --purge

  Remove orphaned packages and their configuration files to reclaim disk space after upgrades.

  Copy
• sudo systemctl status ssh

  Check the current state, recent logs, and unit metadata for the OpenSSH service.

  Copy
• sudo systemctl restart nginx

  Gracefully restart NGINX to load updated configuration without rebooting the host.

  Copy
• sudo journalctl -u nginx --since "-30m"

  Tail the last 30 minutes of NGINX unit logs for quick incident triage.

  Copy
• df -h

  Display disk usage across mounted filesystems using human-readable units.

  Copy
• sudo ufw status verbose

  Show firewall mode, defaults, and active allow/deny rules.

  Copy
• sudo adduser analyst

  Create the analyst account interactively, prompting for password and profile data.

  Copy
• sudo usermod -aG sudo analyst

  Add the analyst user to the sudo group to grant administrative privileges.

  Copy
• sudo tail -f /var/log/syslog

  Stream system log entries in real time to monitor warnings and errors as they happen.

  Copy
• sudo ss -tulnp

  List active TCP/UDP listeners and their owning processes to spot unexpected services.

  Copy
• sudo du -sh /var/* | sort -h

  Summarize directory sizes under /var and sort ascending to find heavy usage.

  Copy
• sudo systemctl list-timers --all

  Review every systemd timer with its next trigger time and linked service.

  Copy
• crontab -l

  Show the current user’s cron jobs for quick schedule verification.

  Copy
• sudo systemctl list-units --failed

  List services stuck in a failed state after the most recent boot.

  Copy
• sudo journalctl -p err..alert -b

  Review high-severity journal entries from the current boot.

  Copy
• sudo ss -tulpen

  Show listening TCP/UDP sockets along with owning processes.

  Copy
• sudo du -sh /var/log/* | sort -h

  Find the heaviest log directories and sort them from smallest to largest.

  Copy
• sudo apt-mark showhold

  List packages pinned on hold to avoid unintended upgrades.

  Copy
• sudo do-release-upgrade -c

  Check whether a new Ubuntu release is available without upgrading.

  Copy
• hostnamectl

  Display the current hostname, chassis details, kernel, and virtualization state in one summary.

  Copy
• free -h

  Show RAM and swap usage with human-readable units for quick memory checks.

  Copy
• lsblk -f

  List block devices, filesystems, labels, and mount points to verify storage layout.

  Copy
• ip -br addr

  Print interface names, states, and assigned IP addresses in a compact network summary.

  Copy
• sudo timedatectl status

  Verify local time, UTC, NTP sync state, and the active timezone configuration.

  Copy
• sudo journalctl --disk-usage

  Report how much disk space the systemd journal is consuming before cleanup.

  Copy
• sudo systemd-analyze blame

  Rank slow boot services so you can spot units delaying startup.

  Copy
• sudo netplan get

  Dump the effective Netplan configuration to review interfaces, routes, and DNS settings.

  Copy
• sudo systemctl list-units --type=service --state=running

  List only running services to confirm what is actively loaded on the host.

  Copy
• sudo apt list --upgradable

  Show packages with pending upgrades before you schedule maintenance.

  Copy
• uname -a

  Print the running kernel version and machine details when you need a fast system fingerprint.

  Copy
• uptime

  Show system uptime together with current load averages to judge how busy the host is.

  Copy
• lscpu

  Display CPU model, core counts, architecture, and virtualization capabilities.

  Copy
• ps aux --sort=-%mem | head

  List the top memory-consuming processes so you can find runaway applications quickly.

  Copy
• ps aux --sort=-%cpu | head

  List the top CPU-consuming processes to spot hot loops or overloaded services.

  Copy
• sudo apt-cache policy nginx

  Show the installed and candidate package versions plus the apt source priorities.

  Copy
• apt search redis

  Search the apt repositories when you know the software name but not the exact package.

  Copy
• sudo snap list

  List installed snap packages and their channels to audit non-apt software quickly.

  Copy
• sudo systemctl reload nginx

  Reload NGINX configuration without dropping active connections when only the config changed.

  Copy
• sudo nginx -t

  Validate NGINX syntax before a reload or restart so you do not ship a broken config.

  Copy
• sudo systemctl enable --now ufw

  Enable UFW immediately and make sure it also starts automatically on future boots.

  Copy
• sudo ufw allow OpenSSH

  Allow SSH through the firewall using Ubuntu's built-in application profile name.

  Copy
• ip route

  Print the routing table so you can verify default gateways and subnet paths.

  Copy
• ping -c 4 1.1.1.1

  Send four ICMP probes to confirm basic network reachability and latency.

  Copy
• dig +short example.com

  Resolve a hostname quickly and return only the answer records without verbose DNS output.

  Copy
• sudo resolvectl status

  Inspect active DNS servers, search domains, and resolver state per interface.

  Copy
• curl -I https://example.com

  Fetch only HTTP response headers when checking status codes, redirects, or TLS termination.

  Copy
• sudo tar -czf backup-etc-$(date +%F).tar.gz /etc

  Create a dated compressed backup of /etc before major configuration changes.

  Copy
• sudo rsync -a --delete /srv/data/ /backup/data/

  Mirror one directory into another while preserving metadata and deleting stale backup files.

  Copy
• sudo fail2ban-client status

  Check Fail2ban jail status and confirm whether abusive clients are being blocked.

  Copy
• sudo passwd -l analyst

  Lock a local account password to prevent interactive logins without deleting the user.

  Copy
• sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

  List running Docker containers with names, status, and published ports in a readable table.

  Copy
• journalctl --since today

  Filter journal logs to only entries from today when reviewing the current day's activity.

  Copy
• who

  Show who is currently logged in so you can see active interactive sessions.

  Copy
• last -n 10

  Review the most recent successful logins to audit who accessed the machine.

  Copy
• sudo lastb | head

  Review failed login attempts from the btmp database to spot brute-force activity.

  Copy
• id analyst

  Display a user's UID, primary group, and supplementary groups in one line.

  Copy
• groups analyst

  List the group memberships for a specific account.

  Copy
• sudo chage -l analyst

  Inspect password aging, expiry, and account validity settings for a user.

  Copy
• findmnt

  Display mounted filesystems in a cleaner tree view than the classic mount output.

  Copy
• vmstat 1 5

  Sample CPU, memory, swap, and IO counters repeatedly for quick performance triage.

  Copy
• iostat -xz 1 3

  Show extended disk utilization metrics so you can identify saturated storage devices.

  Copy
• sudo lsof -i -P -n | head

  List open network sockets with process names while skipping slow DNS lookups.

  Copy
• sudo lsof /var/log/syslog

  Show which process currently has a specific file open before rotating or deleting it.

  Copy
• sudo tcpdump -ni any port 53

  Capture DNS packets on every interface when debugging resolver or forwarding issues.

  Copy
• traceroute 1.1.1.1

  Trace the network path to a remote host and identify where latency or drops begin.

  Copy
• sudo iptables -S

  Print the raw iptables ruleset when you need to inspect lower-level firewall policy.

  Copy
• ss -s

  Show a protocol-level socket summary to gauge connection counts at a glance.

  Copy
• du -sh ~/* | sort -h

  Summarize disk usage under the current home directory and sort it from small to large.

  Copy
• sudo find / -xdev -type f -size +1G

  Find files larger than 1 GB on the local filesystem when chasing disk pressure.

  Copy
• sudo apt clean

  Clear downloaded apt package archives to reclaim space in the package cache.

  Copy
• sudo apt-mark showmanual

  List manually installed packages to separate your intent from dependencies.

  Copy
• dpkg -l | grep nginx

  Search the installed package database for matching package names.

  Copy
• systemctl is-enabled nginx

  Check whether a service is enabled to start automatically at boot.

  Copy
• journalctl -u ssh -n 50 --no-pager

  Show the latest SSH service log lines without opening a pager.

  Copy
• sudo systemctl daemon-reload

  Reload systemd unit files after editing service definitions or drop-ins.

  Copy
• sudo loginctl list-sessions

  List current user sessions known to systemd-logind.

  Copy
• sudo localectl status

  Show the configured locale and keyboard layout for the host.

  Copy

Practical Windows Command Prompt commands for troubleshooting, networking, file work, account administration, and system repair. Every entry is ready to copy so users can paste instead of retyping long commands.

Handy display filters for Wireshark. Copy a filter, drop it into the display bar, and fine-tune live captures faster.

• ip.addr == 192.168.1.42

  Show all packets where either source or destination IP matches 192.168.1.42.

  Copy
• tcp.port == 443

  Display only TLS traffic by filtering for packets on TCP port 443.

  Copy
• http.request

  Audit HTTP client activity by listing every HTTP request frame.

  Copy
• dns && udp.port == 53

  Focus on DNS queries and responses travelling over standard UDP 53.

  Copy
• tls.handshake.extensions_server_name

  Extract TLS ClientHello packets to review SNI hostnames offered by clients.

  Copy
• tcp.analysis.retransmission

  Surface TCP retransmissions to hunt for congestion or packet loss.

  Copy
• tcp.flags.syn == 1 && tcp.flags.ack == 0

  Watch for connection attempts by isolating SYN packets without ACK.

  Copy
• eth.src == 00:11:22:33:44:55

  Track traffic from a specific device by matching its source MAC address.

  Copy
• wlan.fc.type_subtype == 0x08

  Filter Wi-Fi beacon frames while surveying wireless AP broadcasts.

  Copy
• frame.time >= "2025-10-03 15:00:00" && frame.time <= "2025-10-03 15:15:00"

  Narrow a capture to a fifteen-minute incident window using frame timestamps.

  Copy
• icmp

  Highlight all ICMP traffic, including ping and error messages.

  Copy
• icmp.type == 8

  Show only ICMP echo requests to spot ping probes.

  Copy
• arp

  List ARP requests and replies to study local network discovery.

  Copy
• tcp.flags.reset == 1

  Spot abrupt TCP resets that may indicate dropped sessions.

  Copy
• tcp.flags.fin == 1 && tcp.len == 0

  Watch graceful TCP closes where FIN packets carry no payload.

  Copy
• tcp.analysis.zero_window

  Identify endpoints advertising a zero receive window.

  Copy
• tcp.window_size_value < 1024

  Find sessions with very small TCP receive windows.

  Copy
• tcp.len == 0 && tcp.flags.ack == 1

  Catch TCP keepalive ACKs that keep idle sessions open.

  Copy
• tcp.analysis.fast_retransmission

  Surface fast retransmissions triggered by duplicate ACKs.

  Copy
• tcp.analysis.spurious_retransmission

  Reveal spurious retransmissions caused by out-of-order packets.

  Copy
• tcp.segment.lost

  Highlight segments flagged as lost by TCP analysis.

  Copy
• tcp.stream == 7

  Jump directly to stream number 7 for deep inspection.

  Copy
• udp.port == 67 || udp.port == 68

  Inspect DHCP client/server exchanges on UDP 67 and 68.

  Copy
• bootp.option.type == 53 && bootp.option.value == 3

  Filter DHCP request messages from clients.

  Copy
• radius

  Collect RADIUS authentication and accounting packets.

  Copy
• ntp

  List Network Time Protocol traffic for time-sync troubleshooting.

  Copy
• dhcpv6

  Monitor DHCPv6 address assignment conversations.

  Copy
• icmpv6

  Inspect ICMPv6 control messages on IPv6 networks.

  Copy
• ipv6

  Show only IPv6 traffic across the capture.

  Copy
• ipv6.addr == fe80::1

  Watch IPv6 packets involving the link-local address fe80::1.

  Copy
• tcp.port == 22

  Filter SSH control and data sessions.

  Copy
• tcp.port == 25 || tcp.port == 587

  Focus on SMTP traffic across submission and relay ports.

  Copy
• smtp

  Display full SMTP conversations, including headers and commands.

  Copy
• imap

  List IMAP traffic for mailbox synchronization issues.

  Copy
• pop

  Inspect POP3 sessions downloading mail.

  Copy
• ftp || ftp-data

  Capture FTP control and data channels together.

  Copy
• ssh

  Find SSH tunnels and interactive sessions.

  Copy
• rdp

  Monitor Remote Desktop Protocol connections.

  Copy
• http.request.method == "POST"

  Isolate HTTP POST requests that carry form submissions or uploads.

  Copy
• http.response.code >= 400

  Show HTTP responses that return client or server errors.

  Copy
• http.user_agent contains "curl"

  Spot automation scripts or curl-based clients.

  Copy
• http.host contains "login"

  Locate HTTP requests targeting login-related hostnames.

  Copy
• http.cookie

  Extract HTTP packets carrying cookies for session analysis.

  Copy
• http.authorization

  Review HTTP requests that include Authorization headers.

  Copy
• http2

  Filter modern HTTP/2 traffic over TLS or cleartext.

  Copy
• quic

  Inspect QUIC streams for HTTP/3 troubleshooting.

  Copy
• tls.record.content_type == 23

  Focus on TLS application data records.

  Copy
• tls.record.version == 0x0304

  Highlight TLS 1.3 encrypted sessions.

  Copy
• tls.alert_message.level == 2

  Find fatal TLS alerts that tear down sessions.

  Copy
• dns.qry.name contains "example.com"

  Show DNS lookups referencing example.com or its subdomains.

  Copy
• dns.flags.response == 0

  Collect outbound DNS queries waiting on answers.

  Copy
• dns.a && dns.qry.name == "internal.local"

  Zero in on A-record answers for internal.local hosts.

  Copy
• sip

  Surface SIP signaling when troubleshooting VoIP registrations and calls.

  Copy
• rtp

  List RTP media streams to analyze audio or video quality.

  Copy
• rtcp

  Inspect RTP control traffic conveying QoS statistics.

  Copy
• mgcp

  Capture Media Gateway Control Protocol messages.

  Copy
• smb2

  Focus on modern SMB2/SMB3 file sharing traffic.

  Copy
• smb2.command == 5

  Highlight SMB2 CREATE requests to monitor file access.

  Copy
• kerberos

  Collect Kerberos authentication exchanges.

  Copy
• kerberos.msg_type == 10

  Spot Kerberos AS-REQ messages during initial authentication.

  Copy
• ldap

  Inspect LDAP directory queries and responses.

  Copy
• mysql

  Show MySQL client/server conversations.

  Copy
• pgsql

  Display PostgreSQL wire protocol traffic.

  Copy
• mqtt

  Monitor MQTT publish/subscribe messages for IoT systems.

  Copy
• coap

  Filter CoAP traffic common in constrained IoT deployments.

  Copy
• modbus

  Capture Modbus/TCP commands to industrial controllers.

  Copy
• icmpv6.type == 135

  Track IPv6 Neighbor Solicitation messages.

  Copy
• icmpv6.type == 136

  Track IPv6 Neighbor Advertisement messages.

  Copy
• ospf

  Inspect OSPF link-state advertisements across routers.

  Copy
• bgp

  Monitor BGP updates between peers.

  Copy
• stp

  Review Spanning Tree Protocol BPDUs in switched networks.

  Copy
• ip.proto == 47

  Show GRE encapsulated tunnels by protocol number 47.

  Copy
• vxlan

  Flag VXLAN overlay packets for data center fabrics.

  Copy
• ip.ttl <= 1

  Catch packets that arrived with TTL of 1 or less—possible routing loop evidence.

  Copy
• tcp.analysis.flags

  Expose any TCP segments flagged as noteworthy by Wireshark analysis.

  Copy
• tcp.port == 3389

  Focus on RDP sessions specifically on TCP 3389.

  Copy
• tls.handshake.extensions_supported_groups

  Review supported groups (elliptic curves) advertised in TLS handshakes.

  Copy
• tls.handshake.extensions_alpn

  Inspect ALPN negotiation inside TLS ClientHello messages.

  Copy
• tls.handshake.ciphersuite

  List the cipher suites offered during TLS handshakes.

  Copy
• icmp.type == 3 && icmp.code == 3

  Detect ICMP Destination Unreachable / Port Unreachable messages.

  Copy
• dns.qry.type == 28

  Filter IPv6 AAAA DNS queries.

  Copy
• dns.mx

  Identify DNS MX record lookups for mail routing.

  Copy
• ftp.command == "STOR"

  Spot FTP uploads by filtering STOR commands.

  Copy
• mqtt.topic contains "alerts"

  Watch MQTT messages published to topics containing 'alerts'.

  Copy
• sctp

  Capture SCTP traffic used by SIGTRAN or WebRTC data channels.

  Copy
• diameter

  Inspect Diameter signaling in LTE/5G core networks.

  Copy
• gsmtap

  Analyze GSM TAP captures over IP.

  Copy
• radius.code == 2

  Isolate Access-Accept responses in RADIUS flows.

  Copy
• lldp

  Display Link Layer Discovery Protocol frames.

  Copy
• cdp

  Find Cisco Discovery Protocol advertisements.

  Copy
• mdns

  Capture multicast DNS traffic used by Bonjour services.

  Copy
• nbns

  Look at NetBIOS Name Service broadcasts.

  Copy
• ip.dsfield.dscp == 46

  Hunt for Expedited Forwarding (EF) DSCP-marked packets.

  Copy
• ip.fragment == 1

  Show IP fragments to diagnose MTU or fragmentation issues.

  Copy
• tcp.options.mss < 1200

  List TCP sessions advertising very small MSS values.

  Copy
• tcp.options.sack_perm == 1

  Verify endpoints that negotiated selective acknowledgements.

  Copy
• tcp.analysis.out_of_order

  Highlight out-of-order TCP segments.

  Copy
• tcp.analysis.duplicate_ack

  Show duplicate ACKs that often precede retransmissions.

  Copy
• tcp.analysis.ack_lost_segment

  Identify ACKs for segments that Wireshark believes were lost.

  Copy
• tcp.analysis.window_full

  Find packets where the receiver reported a full TCP window.

  Copy
• tcp.analysis.bytes_in_flight > 200000

  Flag bursts with very large TCP bytes in flight.

  Copy
• tcp.analysis.keep_alive

  List TCP keepalive probes.

  Copy
• tcp.analysis.keep_alive_ack

  List TCP keepalive acknowledgements.

  Copy
• tcp.analysis.expert_message

  Collect expert info messages generated by the TCP dissector.

  Copy
• ip.checksum_bad == 1

  Surface IP packets that failed checksum validation.

  Copy
• ip.flags.mf == 1

  Show IP packets with the More Fragments flag set.

  Copy
• ip.frag_offset > 0

  Inspect non-initial IP fragments (offset greater than zero).

  Copy
• frame.len > 1500

  Find jumbo frames exceeding the standard Ethernet MTU.

  Copy
• frame.len == 64

  Check for minimum-sized Ethernet frames, often keepalives.

  Copy
• frame.number >= 100 && frame.number <= 200

  Limit view to frames 100 through 200 for quick review.

  Copy
• tcp.options.timestamp

  Confirm TCP conversations that negotiated timestamps.

  Copy
• ip.geoip.country == "CN"

  List packets geolocated to China (requires GeoIP database).

  Copy
• http.request.uri contains "/login"

  Target HTTP requests that reference a login URI.

  Copy
• http.file_data

  Locate HTTP packets carrying downloadable file data.

  Copy
• http.content_type contains "json"

  Highlight HTTP responses returning JSON payloads.

  Copy
• http.response.code >= 500

  Spot HTTP server errors (status 5xx).

  Copy
• http.request.full_uri contains ".php"

  Inspect requests hitting PHP resources.

  Copy
• tls.handshake.type == 1

  Show TLS ClientHello packets to review offered ciphers, SNI names, and extensions.

  Copy
• tls.handshake.type == 2

  Show TLS ServerHello packets to verify the version and parameters the server selected.

  Copy
• tls.handshake.session_id_length == 0

  Find TLS sessions using session resumption tickets (no session ID).

  Copy
• ssl.record.version < 0x0303

  Spot legacy SSLv3/TLS1.0 records.

  Copy
• dns.resp.name contains "internal"

  Show DNS responses that resolve hosts under 'internal'.

  Copy
• dns.qry.class == 3

  Filter DNS CHAOS class queries (e.g., version.bind).

  Copy
• mqtt.msgtype == 3

  Show MQTT publish messages only.

  Copy
• coap.code.class == 0

  Display CoAP request messages.

  Copy
• smb2.nt_status != 0

  Catch SMB2 responses returning an error status.

  Copy
• kerberos.msg_type == 30

  Locate Kerberos TGS-REQ messages.

  Copy
• ldap.request.messageid == 5

  Drill into LDAP requests with message ID 5 (example conversation tracking).

  Copy
• tcp.flags.push == 1

  List packets where the TCP PSH flag is asserted.

  Copy
• tcp.flags == 0x012

  Display SYN-ACK handshake packets.

  Copy
• rtsp

  Inspect Real Time Streaming Protocol negotiations.

  Copy
• rtsp.method == "SETUP"

  Filter RTSP SETUP requests when bringing media streams online.

  Copy
• rtcp.packet_type == 203

  Monitor RTCP BYE messages terminating sessions.

  Copy
• dns.ptr

  Investigate PTR (reverse lookup) DNS responses.

  Copy
• ssdp

  Capture UPnP SSDP discovery broadcasts.

  Copy
• icmp.type == 11

  Find ICMP Time Exceeded messages signalling TTL expiry.

  Copy
• icmp.type == 12

  Detect ICMP Parameter Problem notifications.

  Copy
• mpls

  Show MPLS-labeled traffic in provider networks.

  Copy
• mpls.label == 16000

  Focus on packets using MPLS label 16000.

  Copy
• erspan

  List ERSPAN mirrored traffic sessions.

  Copy
• gre

  Display Generic Routing Encapsulation tunnels.

  Copy
• ip.proto == 112

  Identify VRRP packets on redundant gateways.

  Copy
• ether.dst == ff:ff:ff:ff:ff:ff

  Watch broadcast frames hitting every device on the segment.

  Copy
• ether.src == ff:ff:ff:ff:ff:ff

  Spot malformed frames claiming a broadcast source.

  Copy
• vlan

  List VLAN-tagged frames (802.1Q).

  Copy
• vlan.id == 10

  Inspect traffic assigned to VLAN 10.

  Copy
• dns.srv

  Review DNS SRV records for service discovery.

  Copy
• dns.ns

  List DNS NS responses showing authoritative servers.

  Copy
• imap.request.tag == "A142"

  Follow a specific IMAP request tag within a mail session.

  Copy
• smtp.req.parameter == "AUTH"

  Find SMTP AUTH commands negotiating logins.

  Copy
• dhcp.option.type == 61

  Highlight DHCP client identifier options.

  Copy
• dhcpv6.option.clientid

  Show DHCPv6 messages carrying client identifiers.

  Copy
• radius.User-Name

  Inspect RADIUS attributes carrying usernames.

  Copy
• ssl.handshake

  Collect all SSL/TLS handshake packets regardless of type.

  Copy
• ssl.record

  Capture every SSL/TLS record, encrypted or not.

  Copy
• ssl.alert_message

  Inspect TLS alert frames for shutdown or error details.

  Copy
• ssl.handshake.extensions_alpn

  List TLS handshakes offering ALPN protocols.

  Copy
• ssl.app_data

  Filter encrypted application data once handshakes complete.

  Copy
• tcp.analysis.ack_rtt

  Measure ACK round-trip time values calculated by Wireshark.

  Copy
• tcp.analysis.slow_start

  Show TCP segments Wireshark flags as part of slow start.

  Copy
• tcp.seq == 0

  Spot TCP packets that use sequence number zero (initial SYNs or resets).

  Copy
• tcp.len > 1460

  Detect TCP segments exceeding a standard Ethernet MTU payload.

  Copy
• udp.length > 1200

  Find oversized UDP datagrams that may fragment in transit.

  Copy
• udp.port == 1900

  Capture SSDP discovery broadcasts on UDP port 1900.

  Copy
• icmp.type == 5

  Catch ICMP Redirect messages that modify host routing tables.

  Copy
• icmp.type == 3 && icmp.code == 4

  Locate ICMP 'Fragmentation Needed' errors to troubleshoot PMTU.

  Copy
• dns.qry.name matches "(?i)\.cn$"

  Flag DNS lookups that end with the .cn TLD (case-insensitive).

  Copy
• dns.qry.type == 16

  Display DNS TXT record queries and responses.

  Copy
• dns.opt

  List DNS messages that include EDNS0 option records.

  Copy
• bootp.option.hostname

  Inspect DHCP client hostnames provided in option 12.

  Copy
• bootp.option.vendor_class_id

  Review DHCP vendor class identifiers (option 60).

  Copy
• dhcpv6.option.preference

  Check DHCPv6 preference values returned by servers.

  Copy
• icmpv6.nd.ra.flag.managed == 1

  Identify IPv6 router advertisements enabling managed address configuration.

  Copy
• ipv6.nxt == 58

  Filter IPv6 packets whose next header is ICMPv6 (58).

  Copy
• ipv6.flowlabel != 0

  Highlight IPv6 packets that populate the flow label field.

  Copy
• wlan.fc.type_subtype == 0x08 && wlan.ssid

  Display Wi-Fi beacons that advertise an SSID.

  Copy
• wlan.fc.type_subtype == 0x05

  Capture Wi-Fi probe responses sent by access points.

  Copy
• wlan.fc.type_subtype == 0x04

  Monitor Wi-Fi probe requests from roaming clients.

  Copy
• wlan.fc.type_subtype == 0x0b

  Inspect Wi-Fi authentication frames during association.

  Copy
• btatt

  Show Bluetooth ATT protocol traffic for BLE gadgets.

  Copy
• btle

  Filter Bluetooth Low Energy packets in captures.

  Copy
• usb

  Review USB protocol captures collected from USB PCAPs.

  Copy
• smb2.command == 8

  Track SMB2 GET_INFO requests and responses.

  Copy
• smb2.share.name contains "SYSVOL"

  Watch SMB access to the Active Directory SYSVOL share.

  Copy
• smb.signing_required == 1

  Find SMB sessions that require message signing.

  Copy
• kerberos.msg_type == 12

  List Kerberos TGS-REP messages issued by the KDC.

  Copy
• ldap.request.attribute == "memberOf"

  Inspect LDAP requests pulling memberOf attributes.

  Copy
• pgsql.query

  Review SQL statements executed over PostgreSQL connections.

  Copy
• mysql.query

  Display MySQL queries exchanged via the text protocol.

  Copy
• mqtt.msgtype == 8

  Show MQTT SUBSCRIBE requests from clients.

  Copy
• mqtt.msgtype == 9

  Show MQTT SUBACK acknowledgements returning from brokers.

  Copy
• mqtt.msgtype == 12

  Inspect MQTT PINGREQ keepalive probes.

  Copy
• mqtt.msgtype == 13

  Inspect MQTT PINGRESP replies from brokers.

  Copy
• modbus.func_code == 3

  Filter Modbus read holding registers operations.

  Copy
• coap.code == 5

  Identify CoAP responses returning success content (2.05).

  Copy
• rtsp.method == "PLAY"

  Show RTSP commands that start media playback.

  Copy
• rtsp.method == "TEARDOWN"

  Highlight RTSP teardown requests ending sessions.

  Copy
• rtcp.packet_type == 200

  List RTCP sender reports providing QoS feedback.

  Copy
• sip.Request-Line contains "INVITE"

  Collect SIP INVITE requests that initiate calls.

  Copy
• sip.Status-Code >= 400

  Watch SIP responses that report errors (4xx and above).

  Copy
• tls.handshake.extensions.supported_versions

  Review TLS ClientHello supported versions extension.

  Copy
• tls.handshake.extensions.status_request

  Spot TLS handshakes that request OCSP stapling.

  Copy
• ip.geoip.country == "US"

  Show packets geolocated to the United States (GeoIP database required).

  Copy
• tls.handshake.extensions.session_ticket

  Detect ClientHello messages offering session ticket resumption.

  Copy
• tcp.options.wscale

  Confirm TCP peers that negotiated window scaling.

  Copy
• tcp.options.timestamp

  Find TCP conversations that include timestamps.

  Copy
• tcp.analysis.keep_alive

  List TCP keepalive probes maintaining idle sessions.

  Copy
• tcp.analysis.keep_alive_ack

  List TCP keepalive acknowledgements.

  Copy
• tcp.analysis.reused_ports

  Detect new TCP connections that reuse existing 4-tuples.

  Copy
• tcp.analysis.rto

  Reveal retransmissions triggered by TCP retransmission timeout.

  Copy
• ip.dsfield.ecn == 1

  Locate packets marking ECN Congestion Experienced.

  Copy
• ip.dsfield.ecn == 2

  Locate packets marked ECN Capable Transport (ECT(0)).

  Copy
• ip.dsfield.ecn == 3

  Locate packets marked ECN Capable Transport (ECT(1)).

  Copy
• wlan.fc.retry == 1

  Monitor Wi-Fi frames flagged as retransmissions.

  Copy
• wlan.fc.pwrmgt == 1

  Show Wi-Fi frames indicating power management mode.

  Copy
• mpls.label == 16

  Identify MPLS packets carrying the implicit NULL label 16.

  Copy
• mpls.bos == 1

  Show MPLS packets at the bottom of the label stack.

  Copy
• vxlan.vni == 5000

  Concentrate on VXLAN overlay network identifier 5000.

  Copy
• icmp.type == 11

  See ICMP Time Exceeded messages (traceroute hops).

  Copy
• icmp.type == 12

  Display ICMP Parameter Problem notifications.

  Copy
• lldp.tlv.type == 4

  Extract LLDP port description TLVs from neighbors.

  Copy
• btle.advertising_header.pdu_type == 0x0f

  Filter BLE scan response PDUs.

  Copy
• http.response.code == 302

  Capture HTTP redirects returning 302 Found.

  Copy
• http.response.code == 401

  Spot HTTP authentication challenges (401 Unauthorized).

  Copy
• http.response.code == 403

  Find HTTP requests denied with 403 Forbidden.

  Copy
• http.response.code == 404

  Highlight missing resources returning 404 Not Found.

  Copy
• http.response.code == 500

  Expose HTTP 500 internal server errors.

  Copy
• http.request.method == "PUT"

  Watch REST endpoints receiving PUT requests.

  Copy
• http.request.method == "DELETE"

  Monitor DELETE operations modifying remote data.

  Copy
• http.request.method == "PATCH"

  Track partial updates made with PATCH requests.

  Copy
• http.request.uri contains ".zip"

  Detect ZIP archive downloads over HTTP.

  Copy
• http.request.uri contains ".exe"

  Find executable downloads requested through HTTP.

  Copy
• http.request.uri contains ".tar.gz"

  Spot compressed tarball transfers.

  Copy
• http.file_data contains "BEGIN RSA PRIVATE KEY"

  Raise an alert if private keys traverse HTTP payloads.

  Copy
• http.user_agent contains "PowerShell"

  Flag automation leveraging PowerShell web cmdlets.

  Copy
• http.user_agent contains "Mozilla/4.0"

  Identify legacy or scripted HTTP clients.

  Copy
• http.host contains "cdn"

  Focus on requests routed to CDN hostnames.

  Copy
• http.referer contains "login"

  See traffic originating from login forms.

  Copy
• http.cookie contains "session"

  Search cookies carrying a session identifier.

  Copy
• http.authorization contains "Bearer"

  Monitor HTTP bearer token usage.

  Copy
• http.authorization contains "Basic"

  Review HTTP Basic authentication requests.

  Copy
• http.accept_language contains "fr"

  Spot clients requesting French-localized content.

  Copy
• http.response.time > 1

  Identify HTTP transactions taking longer than one second.

  Copy
• http2.flags.end_stream == 1

  List HTTP/2 frames that terminate streams.

  Copy
• http2.header.path contains "/api"

  Filter HTTP/2 requests hitting API endpoints.

  Copy
• http2.header.method == "POST"

  Show HTTP/2 POST submissions.

  Copy
• quic.cnid

  Display QUIC connection IDs in use.

  Copy
• quic.tag.name == "SNI "

  Inspect QUIC handshake tags carrying SNI.

  Copy
• tls.handshake.certificate

  Collect TLS handshake packets that transmit certificates.

  Copy
• tls.handshake.extensions_server_name contains ".corp"

  Spot TLS sessions targeting *.corp hostnames.

  Copy
• tls.handshake.extensions_alpn_str == "h2"

  Highlight TLS negotiations preferring HTTP/2.

  Copy
• tls.handshake.extensions_alpn_str == "http/1.1"

  Highlight TLS negotiations that fall back to HTTP/1.1.

  Copy
• tls.alert_message.desc == 0

  Observe TLS close_notify alerts.

  Copy
• tls.handshake.extensions.supported_groups_named_group == x25519

  Verify TLS clients offering the X25519 curve.

  Copy
• tls.handshake.certificates_len > 6000

  Find TLS handshakes delivering very large certificate chains.

  Copy
• dns.flags.rcode > 0

  List DNS responses returning error codes.

  Copy
• dns.qry.name.len > 60

  Flag unusually long DNS query names.

  Copy
• dns.qry.name contains "_tcp"

  Review DNS SRV lookups (_tcp services).

  Copy
• dns.qry.name matches "(?i)\.(exe|dll)\$"

  Catch DNS beacons querying suspicious executable names.

  Copy
• dns.flags.tc == 1

  Show truncated DNS answers requiring TCP retry.

  Copy
• dns.resp.ttl == 0

  Identify DNS records expiring immediately (TTL zero).

  Copy
• dns.qry.type == 1

  Filter DNS A-record queries.

  Copy
• tcp.port == 1433

  Focus on Microsoft SQL Server traffic.

  Copy
• tcp.port == 1521

  Inspect Oracle database sessions.

  Copy
• tcp.port == 5986

  Monitor WinRM HTTPS management connections.

  Copy
• udp.port == 514

  Capture Syslog datagrams.

  Copy
• syslog

  Display Syslog messages decoded by Wireshark.

  Copy
• snmp

  Show SNMP management traffic.

  Copy
• snmp.version == 3

  Isolate secure SNMPv3 conversations.

  Copy
• snmp.community == "public"

  Detect SNMP requests using the default 'public' community string.

  Copy
• tftp

  Capture Trivial FTP read/write exchanges.

  Copy
• dnp3

  Monitor Distributed Network Protocol 3.0 traffic (ICS).

  Copy
• opcua

  Inspect OPC UA industrial automation sessions.

  Copy
• bacnet

  Highlight BACnet building automation packets.

  Copy
• s7commplus

  Review Siemens S7 PLC control messages.

  Copy
• iec60870_5_104

  Trace IEC 60870-5-104 SCADA communications.

  Copy
• ip.proto == 89

  Filter OSPF packets by protocol number.

  Copy
• ip.proto == 50

  Locate IPsec ESP encrypted payloads.

  Copy
• ip.proto == 51

  Locate IPsec AH authentication headers.

  Copy
• frame.protocols contains "http"

  Filter frames whose dissector stack includes HTTP.

  Copy
• frame.protocols contains "tls"

  List frames containing TLS within the protocol stack.

  Copy
• frame.protocols contains "dns"

  Highlight frames that include DNS.

  Copy
• frame.len > 9000

  Spot jumbo Ethernet frames over 9000 bytes.

  Copy
• frame.len < 64

  Detect runt frames smaller than the Ethernet minimum.

  Copy
• frame.number >= 1000 && frame.number <= 1100

  Focus analysis on frames 1000 through 1100.

  Copy
• frame.time_delta_displayed > 1

  Reveal packets that arrive after more than one second gap.

  Copy
• tcp.time_delta_displayed > 1

  Spot TCP frames separated by more than one second.

  Copy
• tcp.analysis.small_segment

  Find TCP segments that are unusually small.

  Copy
• tcp.analysis.window_update

  List packets that only advertise a revised TCP window size.

  Copy
• tcp.analysis.bytes_in_flight == 0

  Check for packets where bytes-in-flight drops to zero.

  Copy
• tcp.analysis.window_full && tcp.len > 0

  Catch payload packets sent while the window is full.

  Copy
• tcp.analysis.duplicate_ack_num >= 3

  Highlight duplicate ACK bursts that precede fast retransmissions.

  Copy
• mqtt.msgtype == 1

  Show MQTT CONNECT packets from clients.

  Copy
• mqtt.msgtype == 2

  Show MQTT CONNACK replies from brokers.

  Copy
• mqtt.msgtype == 11

  Capture MQTT DISCONNECT packets.

  Copy
• mqtt.msgtype == 14

  Capture MQTT AUTH packets (MQTT v5).

  Copy
• kerberos.CNameString contains "$"

  Find Kerberos requests made by service accounts ending with $.

  Copy
• ldap.response.resultCode != success

  Spot LDAP responses that completed with errors.

  Copy
• smb2.credit_charge > 1

  Identify SMB2 requests consuming multiple credits.

  Copy
• radius.code == 4

  Expose RADIUS Accounting-Request messages.

  Copy
• http.header.user-agent

  Ensure HTTP packets include the User-Agent header.

  Copy
• tls.record.length > 5000

  Target TLS records carrying large payloads.

  Copy
• tls.handshake.extensions.supported_versions == 0x0304

  Verify TLS clients explicitly negotiating TLS 1.3.

  Copy
• dns.qry.name contains ".localdomain"

  Detect lookups against .localdomain names.

  Copy
• dns.qry.name contains ".lan"

  Capture DNS queries for .lan zones.

  Copy
• ip.addr == 10.0.0.0/24

  Limit captures to the 10.0.0.0/24 subnet.

  Copy
• ip.addr == 172.16.5.10

  Filter to packets involving host 172.16.5.10.

  Copy
• ipv6.addr == 2001:db8::1

  Filter traffic involving IPv6 address 2001:db8::1.

  Copy
• eth.dst == ff:ff:ff:ff:ff:ff

  Highlight Ethernet broadcasts hitting all hosts.

  Copy
• eth.src == ff:ff:ff:ff:ff:ff

  Locate frames with broadcast source addresses (malformed).

  Copy
• ip.ttl == 1

  Detect packets arriving with TTL equal to 1.

  Copy
• ip.ttl == 255

  Spot packets sent with TTL 255 (often routing protocols).

  Copy
• geneve

  Inspect GENEVE overlay encapsulation packets.

  Copy
• gtpv2.message_type == 16

  Monitor GTPv2 Delete Session Requests in LTE cores.

  Copy
• gtpv1.message_type == 255

  Catch GTPv1 Echo Responses.

  Copy
• sctp.payload == DATA

  Filter SCTP DATA chunks.

  Copy
• sctp.payload == SACK

  Filter SCTP SACK acknowledgement chunks.

  Copy
• coap.mid == 0x1234

  Trace a specific CoAP message ID.

  Copy
• rtp.ssrc != 0

  List RTP streams that specify an SSRC value.

  Copy
• rtp.marker == 0

  Review RTP packets without marker bit to inspect intra-frame data.

  Copy
• dns.qry.name contains "ipv6.google.com"

  Track requests to ipv6.google.com.

  Copy
• dns.qry.name contains "windowsupdate"

  Follow DNS lookups for Windows Update endpoints.

  Copy
• http.user_agent contains "curl/7"

  Spot curl clients by major version 7 user agents.

  Copy
• http.request.uri contains "/wp-login.php"

  Monitor attempts against WordPress login pages.

  Copy
• http.user_agent contains "python-requests"

  Detect scripts using python-requests HTTP client.

  Copy
• tcp.port == 24800

  Capture VNC/Remote Frame Buffer traffic on TCP 24800.

  Copy
• udp.port == 33434

  Show UDP traceroute probe packets.

  Copy
• icmp.type == 8 && ip.ttl == 1

  Traceroute-style ICMP echo request for first hop.

  Copy
• ip.dsfield.dscp == 46 && tcp.port == 5060

  See voice-signalling SIP marked as EF.

  Copy
• tcp.flags.cwr == 1

  Detect TCP packets with the Congestion Window Reduced flag set.

  Copy
• tcp.flags.ecn == 1

  List TCP packets where the ECN flag is asserted.

  Copy
• tcp.analysis.bytes_in_flight > 1000000

  Find large TCP bursts with more than 1 MB outstanding.

  Copy
• tcp.analysis.bytes_in_flight < 500 && tcp.len > 0

  Spot underutilized TCP segments with minimal outstanding data.

  Copy
• tcp.analysis.lost_segment

  Surface segments Wireshark marks as lost in the TCP flow.

  Copy
• tcp.flags.push == 1 && tcp.len > 0

  Highlight TCP packets that push payload immediately to the application.

  Copy
• tcp.options.mss > 1400

  Check TCP handshakes advertising large MSS values.

  Copy
• tcp.options.mss < 800

  Flag TCP connections negotiating unusually small MSS.

  Copy
• tcp.options.wscale > 8

  Identify TCP peers that request high window scaling factors.

  Copy
• tcp.analysis.retransmission && tcp.time_delta_displayed > 2

  Catch retransmissions separated by more than two seconds.

  Copy
• tcp.analysis.out_of_order && tcp.time_delta_displayed < 0.01

  Find rapid out-of-order arrivals within 10 ms.

  Copy
• tcp.analysis.window_update && tcp.len == 0

  List pure TCP window update packets.

  Copy
• tcp.analysis.bytes_in_flight == 0 && tcp.len == 0

  See ACK-only packets with no outstanding data.

  Copy
• udp.port == 69

  Capture TFTP transfers on UDP 69.

  Copy
• udp.port == 161

  Review SNMP queries hitting UDP 161.

  Copy
• udp.port == 162

  Monitor SNMP traps sent to UDP 162.

  Copy
• udp.port == 1812

  Inspect RADIUS authentication over UDP 1812.

  Copy
• udp.port == 1813

  Inspect RADIUS accounting over UDP 1813.

  Copy
• udp.port == 5060 && ip.proto == 17

  Target SIP over UDP (port 5060).

  Copy
• udp.port == 4789

  Filter VXLAN UDP encapsulated traffic.

  Copy
• udp.port == 6081

  Inspect GENEVE UDP encapsulation packets.

  Copy
• icmp.type == 13

  Display ICMP timestamp request messages.

  Copy
• icmp.type == 14

  Display ICMP timestamp reply messages.

  Copy
• icmp.type == 17

  Catch ICMP address mask requests.

  Copy
• icmp.type == 18

  Catch ICMP address mask replies.

  Copy
• icmpv6.type == 1

  Find ICMPv6 destination unreachable errors.

  Copy
• icmpv6.type == 2

  Find ICMPv6 packet too big errors.

  Copy
• icmpv6.type == 3

  Inspect ICMPv6 time exceeded messages.

  Copy
• icmpv6.type == 4

  Inspect ICMPv6 parameter problem messages.

  Copy
• icmpv6.nd.ns.target_address == fe80::1

  Track IPv6 neighbor solicitations for fe80::1.

  Copy
• icmpv6.nd.ra.router_lifetime == 0

  See IPv6 router advertisements that withdraw default routes.

  Copy
• dns.qry.name contains "_sip._tls"

  Spot DNS SRV lookups for SIP over TLS services.

  Copy
• dns.qry.name contains "_kerberos._tcp"

  Find Kerberos service discovery requests.

  Copy
• dns.soa

  Display DNS Start of Authority (SOA) responses.

  Copy
• dns.cname

  List DNS CNAME alias records in responses.

  Copy
• dns.naptr

  Capture DNS NAPTR records used by SIP and ENUM.

  Copy
• dns.time > 0.250

  Highlight DNS transactions taking longer than 250 ms so latency stands out immediately.

  Copy
• dns.flags.rcode != 0

  Show DNS replies returning an error code such as NXDOMAIN or SERVFAIL.

  Copy
• http.request.uri contains "api"

  Filter HTTP requests hitting API-style paths for backend troubleshooting.

  Copy
• frame contains "Authorization"

  Search packet contents for Authorization headers or tokens carried in clear text.

  Copy
• websocket

  Display WebSocket upgrades and frames for browser-driven realtime applications.

  Copy
• smb2.nt_status != 0x00000000

  Show SMB responses with non-zero NT status codes to isolate file share failures.

  Copy
• ntlmssp

  Collect NTLMSSP authentication exchanges across SMB, HTTP, or other protocols.

  Copy
• kerberos.CNameString == "administrator"

  Focus on Kerberos traffic for the administrator principal during authentication analysis.

  Copy
• tcp.analysis.rto

  Surface retransmission timeout events that usually indicate meaningful packet loss or delay.

  Copy
• tls.alert_message.desc

  List TLS alert descriptions so you can see handshake failures and teardown reasons fast.

  Copy

Common reconnaissance profiles for Nmap. Each command lists its purpose so you can select the right scan for the situation. Copy buttons speed up pasting into your terminal or automation scripts.

• nmap -sn 10.0.0.0/24

  Ping sweep to discover live hosts on a local subnet without performing port scans.

  Copy
• nmap -sV -T4 target.com

  Service/version detection against common ports with aggressive timing balanced for internet targets.

  Copy
• nmap -Pn -A --reason 192.168.56.12

  Disable host discovery, enable OS plus script scans, and show reasoning for each finding.

  Copy
• nmap -p- --min-rate 2000 target.com

  Full TCP port sweep with a minimum rate of 2k packets per second for faster coverage.

  Copy
• nmap --script vuln target.com

  Run the built-in vulnerability NSE scripts to flag common misconfigurations quickly.

  Copy
• nmap -sU -sT -p 53,67,161 target.com

  Dual UDP/TCP scan of DNS, DHCP, and SNMP to evaluate infrastructure exposure.

  Copy
• nmap -sC -sV -oA scans/target target.com

  Run default scripts with version detection and save output in all formats under scans/.

  Copy
• nmap -sS -sC -sV -oN recon.txt target.com

  Stealth SYN scan with default scripts and version detection, saving output to recon.txt.

  Copy
• nmap -sU --top-ports 50 target.com

  Query the top 50 UDP ports to quickly identify the most common datagram services.

  Copy
• nmap --script http-enum -p 80,443 target.com

  Run the http-enum NSE script on ports 80 and 443 to inventory exposed web paths.

  Copy
• nmap -O --osscan-guess target.com

  Enable OS detection with osscan-guess to improve matches for ambiguous fingerprints.

  Copy
• nmap -sA -p 1-1024 target.com

  Send ACK probes across ports 1-1024 to map firewall rules and spot filtered services.

  Copy
• nmap -sN -Pn target.com

  Run a NULL scan without host discovery to test stealth firewall handling.

  Copy
• nmap -sV --script ssl-enum-ciphers -p 443 target.com

  Audit TLS services on 443 with ssl-enum-ciphers to report supported protocols and ciphers.

  Copy
• nmap -sS -T2 --max-retries 1 target.com

  Run a throttled SYN scan with minimal retries to stay under intrusion-detection thresholds.

  Copy
• nmap -sT --max-rate 100 target.com

  Use a TCP connect scan with a conservative rate when raw sockets are unavailable.

  Copy
• nmap -sU -p 123,137,161,500 target.com

  Check common infrastructure UDP services including NTP, NetBIOS, SNMP, and IKE.

  Copy
• nmap -sO target.com

  Enumerate supported IP protocols with an IP protocol scan.

  Copy
• nmap -sI zombie.example.com target.com

  Perform an idle scan using a zombie host to hide your source address.

  Copy
• nmap -sW target.com

  Send TCP window probes to differentiate open and closed ports on certain stacks.

  Copy
• nmap -A --traceroute target.com

  Run OS, version, script, and traceroute scans in one aggressive profile.

  Copy
• nmap -sV --script banner target.com

  Grab service banners with the banner NSE script alongside version detection.

  Copy
• nmap -sV --script smb-enum-shares -p 445 target.com

  Enumerate SMB shares on 445 with the smb-enum-shares NSE script.

  Copy
• nmap -sV --script ftp-anon -p 21 target.com

  Test FTP services for anonymous login support using ftp-anon.

  Copy
• nmap -Pn --top-ports 100 target.com

  Scan the 100 most common ports without host discovery for rapid assessments.

  Copy
• nmap -sV --script dns-brute target.com

  Enumerate subdomains with the dns-brute NSE script.

  Copy
• nmap -sV --script http-title target.com

  List HTTP titles across discovered web services with http-title.

  Copy
• nmap -sS -sV --script vuln target.com

  Run a version scan with the vuln script batch to flag common CVEs.

  Copy
• nmap -Pn -p 1-1000 --max-retries 1 --min-rate 200 target.com

  Fast stealth scan across the first 1000 TCP ports without host discovery.

  Copy
• nmap -sU --top-ports 25 --max-retries 2 target.com

  Probe the top 25 UDP services with minimal retries.

  Copy
• nmap -sV --script banner,smb-os-discovery 10.0.0.0/24

  Collect service banners and SMB OS details across a /24.

  Copy
• nmap -sS --script firewall-bypass --data-length 200 target.com

  Attempt to dodge stateless filters by padding SYN probes.

  Copy
• nmap -sT --max-parallelism 10 --host-timeout 30m 192.168.100.0/24

  TCP connect scan on a /24 with controlled parallelism and host timeout.

  Copy
• nmap -sA -p 20-1024 edge.firewall.local

  Use ACK scans to map firewall rules across low TCP ports.

  Copy
• nmap -sN -p 80,443,8080 dmz.proxy.local

  Send NULL scans against proxy ports to test filtering behavior.

  Copy
• nmap -sS -p 80 --script http-methods --script-args http-methods.url-path=/app target.com

  Enumerate enabled HTTP verbs against /app.

  Copy
• nmap -sS --script http-title,http-server-header -iR 30

  Grab page titles and server headers from 30 random hosts.

  Copy
• nmap -sS --script smb-enum-shares,smb-enum-users 10.10.10.0/27

  Audit SMB shares and user accounts across a small subnet.

  Copy
• nmap -sS --script smb-enum-processes --script-args smbusername=admin,smbpassword=Password1! winfiles.local

  List Windows processes over SMB using supplied credentials.

  Copy
• nmap -sU --script snmp-info,snmp-brute 10.20.0.0/24

  Probe SNMP devices for info leaks and weak communities.

  Copy
• nmap -sV --script ssl-enum-ciphers --script-args ssl-enum-ciphers.check_reuse=1 secure.example.com

  Audit TLS cipher suites and check for key reuse.

  Copy
• nmap -sV --script ssh-auth-methods 192.168.1.0/26

  Enumerate SSH authentication methods across a /26.

  Copy
• nmap -sV --script ftp-anon,ftp-bounce ftp.gateway.local

  Test FTP servers for anonymous access and bounce attacks.

  Copy
• nmap -sS --traceroute -T4 corp.gateway.local

  Run a rapid TCP SYN scan with an in-line traceroute.

  Copy
• nmap -sV -p 161 --script snmp-processes,snmp-sysdescr routers.example.com

  Gather SNMP process and system description information.

  Copy
• nmap -sS -p 1883,8883 --script mqtt-subscribe --script-args topic=sensors/# iot-broker.local

  Check MQTT brokers for open topics and TLS endpoints.

  Copy
• nmap -sS --data-length 140 --badsum target.com

  Send padded SYN packets with bad checksums to test inspection evasion.

  Copy
• nmap -sS -p 0-65535 --reason --min-rate 500 --max-retries 2 bigserver.local

  Aggressive full TCP port scan showing reasons for states.

  Copy
• nmap -sS -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 10.1.5.0/24

  Collect SSH host keys for trust auditing across a subnet.

  Copy
• nmap -sS -p 161 --script snmp-brute --script-args snmp-brute.communities='public,private,secret' net-mgmt.local

  Brute-force SNMP communities with a custom list.

  Copy
• nmap -sS --script http-headers,http-security-headers target.com

  Review HTTP response headers and security directives.

  Copy
• nmap -sS --script http-robots.txt --script-args http.useragent='Mozilla/5.0' target.com

  Check for hidden directories via robots.txt with a custom agent.

  Copy
• nmap -sS --script dns-brute --script-args dns-brute.domain=example.com resolver.example.com

  Enumerate subdomains with the dns-brute NSE script.

  Copy
• nmap -sS -p 5900-5905 --script vnc-info,vnc-title 10.40.0.0/25

  Enumerate VNC services and grab window titles across a /25.

  Copy
• nmap -sS -p 3306 --script mysql-info mysql.db.local

  Query MySQL server information via NSE.

  Copy
• nmap -sS --script ms-sql-info,ms-sql-brute 10.50.10.0/27

  Identify and brute-force Microsoft SQL servers.

  Copy
• nmap -sS --script smb-vuln-ms17-010 172.16.10.0/24

  Test hosts for the EternalBlue SMB vulnerability.

  Copy
• nmap -sS --script smb-vuln-ms10-054,smb-vuln-ms10-061 172.16.20.0/24

  Check SMB hosts for historic MS10 vulnerabilities.

  Copy
• nmap -sS --script http-enum --script-args http-enum.category=sensitive target.com

  Scan for sensitive web resources using NSE.

  Copy
• nmap -sS -p 80,443 --script http-mobileversion-check target.com

  Discover mobile variants of the website via User-Agent switching.

  Copy
• nmap -sS --script http-waf-detect target.com

  Probe for the presence of common web application firewalls.

  Copy
• nmap -sS --script http-waf-detect --script-args http-waf-detect.aggro=1 target.com

  Use aggressive checks to fingerprint WAF vendors.

  Copy
• nmap -sS --script smb-security-mode 10.60.0.0/25

  Report SMB signing and security mode across Windows hosts.

  Copy
• nmap -sS --script smb-enum-domains 10.60.0.0/25

  Enumerate Windows domains via SMB.

  Copy
• nmap -sS --script smb-enum-groups 10.60.0.0/25

  Pull Windows domain groups from SMB servers.

  Copy
• nmap -sS --script smb-enum-sessions 10.60.0.0/25

  List active SMB sessions on remote hosts.

  Copy
• nmap -sS --script smb-enum-services 10.60.0.0/25

  Enumerate Windows services via SMB.

  Copy
• nmap -sS --script smb-brute --script-args userdb=users.txt,passdb=passes.txt 10.60.0.0/25

  Run an SMB login brute-force with supplied dictionaries.

  Copy
• nmap -sS --script smtp-enum-users --script-args smtp-enum-users.methods=VRFY target.com

  Enumerate SMTP users using VRFY commands.

  Copy
• nmap -sS --script smtp-open-relay target.com

  Test mail servers for open relay vulnerabilities.

  Copy
• nmap -sS --script ajp-auth,ajp-brute -p 8009 webcluster.local

  Audit Apache JServ Protocol connectors for weak credentials.

  Copy
• nmap -sT -p 2049 --script nfs-ls,nfs-showmount storage.nfs.local

  List NFS exports and directory contents.

  Copy
• nmap -sS --script oracle-sid-brute --script-args oracle-sid-brute.sidfile=sids.txt 10.70.0.0/24

  Enumerate Oracle SID names using a supplied wordlist.

  Copy
• nmap -sS --script oracle-tns-version 10.70.0.10

  Identify Oracle TNS listener versions and features.

  Copy
• nmap -sS -p 2181 --script zookeeper-info 10.80.0.0/26

  Gather Apache ZooKeeper cluster metadata.

  Copy
• nmap -sS -p 2375 --script docker-version 10.80.0.0/26

  Check Docker daemons for remote API exposure.

  Copy
• nmap -sS --script redis-info 10.80.0.0/26

  Inspect unauthenticated Redis instances for summary info.

  Copy
• nmap -sS --script mongodb-info 10.80.0.0/26

  Probe MongoDB servers for version and build identifiers.

  Copy
• nmap -sS --script elasticsearch-http-info 10.80.0.0/26

  Collect exposed Elasticsearch cluster information.

  Copy
• nmap -sS --script rabbitmq-info 10.80.0.0/26

  Query RabbitMQ management ports for queue metadata.

  Copy
• nmap -sS --script ncp-enum-users 192.168.90.0/27

  Enumerate Novell NetWare users via NCP.

  Copy
• nmap -sS --script ike-version 198.51.100.0/28

  Detect IKE VPN endpoints and their supported versions.

  Copy
• nmap -sS --script dns-zone-transfer --script-args dns-zone-transfer.domain=corp.local dns.corp.local

  Attempt DNS zone transfers for corp.local.

  Copy
• nmap -sS --script dns-cache-snoop --script-args dns-cache-snoop.mode=timed targetns.local

  Enumerate cached DNS entries via timing side-channel.

  Copy
• nmap -sS --script http-slowloris-check target.com

  Test web servers for Slowloris DoS susceptibility.

  Copy
• nmap -sS --script http-stored-xss --script-args http-stored-xss.url=/comments target.com

  Probe comment forms for stored XSS vulnerabilities.

  Copy
• nmap -sS --script http-headers,http-security-headers -p 80,443 target.com

  Review HTTP response headers for missing security controls.

  Copy
• nmap -sV --script http-vuln-cve2017-5638 --script-args http-vuln-cve2017-5638.uri=/struts2-showcase.action target.com

  Probe Apache Struts endpoints for CVE-2017-5638 remote code execution.

  Copy
• nmap -sV --script ssh2-enum-algos -p 22 target.com

  Enumerate SSH algorithms to highlight weak key exchange and cipher suites.

  Copy
• nmap -sV --script smb-vuln-cve-2020-0796 -p 445 target.com

  Test SMB services for the SMBGhost CVE-2020-0796 vulnerability.

  Copy
• nmap -sV --script mysql-info -p 3306 db.internal

  Fingerprint MySQL services and report exposed metadata and capabilities.

  Copy
• nmap -sV --script ldap-rootdse -p 389 dc.internal

  Query LDAP root DSE entries to enumerate naming contexts and features.

  Copy
• nmap -sV --script vulners --script-args mincvss=7.0 target.com

  Enumerate CVEs rated 7.0+ using the vulners vulnerability feed.

  Copy
• nmap -6 -sT -p 22,80,443 2001:db8:100::/56

  Discover IPv6 SSH and web services across a /56 network segment.

  Copy
• nmap -sS --script rdp-enum-encryption -p 3389 target.com

  Audit Remote Desktop encryption strength and supported security layers.

  Copy
• nmap -sU --script broadcast-dhcp-discover

  Discover rogue DHCP servers by broadcasting DHCP discover probes.

  Copy
• nmap -sS -p 25 --script smtp-vuln-cve2011-1720 mail.example.com

  Check Postfix servers for the CVE-2011-1720 STARTTLS downgrade flaw.

  Copy
• nmap -sU -p 161 --script snmp-ios-config,snmp-interfaces core-switch.local

  Pull IOS configuration details and interface stats from SNMP-enabled switches.

  Copy
• nmap -sV --script http-shellshock --script-args uri=/cgi-bin/status target.com

  Test CGI handlers for Shellshock command execution exposure.

  Copy
• nmap -sV --script ssl-heartbleed -p 443 target.com

  Detect Heartbleed (CVE-2014-0160) vulnerabilities on TLS services.

  Copy
• nmap -sV --script smb-vuln-cve-2017-7494 -p 445 target.com

  Check Samba servers for the remote code execution flaw CVE-2017-7494.

  Copy
• nmap -sV --script http-winrm-info -p 5985 target.com

  Enumerate Windows Remote Management capabilities and authentication modes.

  Copy
• nmap -sV --script bacnet-info -p 47808 10.40.0.0/24

  Profile BACnet building automation devices across the control network.

  Copy
• nmap -sV --script modbus-discover -p 502 10.50.0.0/24

  Enumerate Modbus controllers and capabilities in industrial segments.

  Copy
• nmap -sV --script ssl-cert -p 443 secure.example.com

  Pull the presented X.509 certificate so you can inspect names, issuer, and validity dates quickly.

  Copy
• nmap -sV --script http-methods --script-args http-methods.url-path=/ -p 80,443 target.com

  Enumerate allowed HTTP methods to spot dangerous verbs such as PUT, DELETE, or TRACE.

  Copy
• nmap -sV --script smb-os-discovery -p 445 target.com

  Identify SMB hosts, operating system details, and NetBIOS naming information on port 445.

  Copy
• nmap -sV --script http-auth-finder -p 80,443 target.com

  Search web targets for authentication prompts and protected application paths.

  Copy
• nmap -sU -p 69 --script tftp-enum target.com

  Enumerate TFTP services on UDP 69 to see whether trivial file transfer is exposed.

  Copy
• nmap -sS --open -p 22,80,443,3389 target.com

  Show only open ports across the selected set so the output stays focused on reachable services.

  Copy
• nmap -sS -sV --version-all --reason target.com

  Force deeper version probing and include reasons for the findings during service detection.

  Copy
• nmap -sn -PE -PA80,443 10.0.0.0/24

  Combine ICMP and ACK host discovery probes to find systems that ignore simple echo requests.

  Copy
• nmap -sU -p 53,123,161,500,4500 target.com

  Check the most common critical UDP infrastructure ports in one targeted sweep.

  Copy
• nmap -6 -sS -p 80,443,8443 2001:db8:100::/64

  Probe common HTTPS and alternate web ports across an IPv6 range.

  Copy
• nmap --script ssl-date -p 443 target.com

  Compare the remote TLS service clock with your scanner to catch certificate time drift.

  Copy
• nmap -sS --scan-delay 1s --max-rate 50 target.com

  Throttle packet rate deliberately for quieter scans against fragile or rate-limited targets.

  Copy