
How to Use Nmap for Network Troubleshooting: A Guide for IT Support Consultants

  • Writer: Joseph Rapley
  • May 22

Updated: May 23

Before I entered the realm of security, I worked in IT, which involved a lot of network support and troubleshooting. Support consultants usually reach for tools like ping, traceroute, or Wireshark when troubleshooting network issues, but one tool that's often overlooked, and that I found extremely helpful, was Nmap. While best known for penetration testing, Nmap is just as powerful for identifying firewall misconfigurations, verifying open ports, and diagnosing connectivity issues.


This article explains how to use Nmap for network diagnostics and why it deserves a spot in your support toolkit.


What Is Nmap and Why Is It Useful for Network Troubleshooting?

Nmap (short for Network Mapper) is a free, open-source tool used to discover devices on a network, identify open ports, and detect the services running on them. It’s commonly used in cybersecurity, but it’s also incredibly effective for day-to-day IT support and network analysis.


Key reasons to use Nmap for troubleshooting:

  • Check if servers or devices are reachable

  • Discover open, closed, or filtered ports

  • Verify firewall rules and access control

  • Identify what services are running and where


Unlike ping or traceroute, which only offer basic reachability info, Nmap gives you direct insights into whether specific services are up — or being blocked by a firewall.


Throughout this post we will be using a basic web server as our target. We will make changes to the server as we go, to see the different results that Nmap provides.


Nmap Basic Operation

In its most basic operation, Nmap is pointed at an IP address and will perform various default tasks:

  • Reverse DNS lookup to discover hostname of the IP address (can be disabled with -n)

  • Ping the IP address to establish whether the host is up (can be disabled with -Pn)

  • Scan the 1000 most common TCP ports to see if they are open.

    • The default scan method is a SYN scan; if Nmap does not have the privileges to do this, it will revert to a TCP connect scan.


In the screenshot below a basic Nmap scan has been performed against our web server.


Nmap with defaults performed against web server.

In the image we can see that the host was detected as being up, of the 1000 ports scanned 997 were identified as being closed, and three ports were identified as being open.


Of the three ports that were open, the Nmap response shows a name for the service. This name comes from Nmap's list of services that are associated with ports, rather than any intelligent service detection.


Use Nmap to Check Firewall Rules

One of the most useful Nmap features for support work is checking if firewalls are blocking traffic unexpectedly. Instead of assuming a service is down, Nmap can confirm whether it’s just being blocked.


On our web server we have made some changes and things aren't working quite like they should be. We can use Nmap to check the status of the ports.


Example:

The following command uses the -p flag to specify which ports to scan. Instead of the default top 1000, this scan will only check whether ports 22, 80, and 443 are open.

nmap -p 22,80,443 192.168.238.128

The results of this Nmap scan are:


Nmap scan to specific ports.

These results show the same ports as before, but since we specified the ports to scan, we don't need to wait for Nmap to scan the other 997 ports. (This scan was still slower due to the responses received from the server.)


The results we can see are:

  • Port 22 is in the closed state. This indicates that the port is open through the firewall, but no service is listening on port 22 on the server.

  • Port 80 is in the filtered state. This indicates that there is a firewall actively blocking our traffic through to the server.

  • Port 443 is open. This indicates that our traffic is allowed through to the server, and there is a service responding on this port.


You’ll get results like:

  • open – the service is reachable and responding

  • closed – the host is reachable, but the port isn’t in use

  • filtered – something (usually a firewall) is blocking access


Often we run into cases where Nmap is not able to identify whether the host is up using its default detection settings. In these cases we get a response like this:


Nmap unable to detect if a host is up.

If we are confident that the host is up but it is not being detected by Nmap's default recon configuration (for example, because ICMP is blocked and ping fails), we can force Nmap to treat the host as live using the -Pn flag:

nmap -Pn 192.168.238.128
Using the Nmap -Pn flag to skip ping checks.

This skips the ping step and jumps directly to the port scanning. It’s an easy way to verify firewall rules from the user’s perspective.


2. Verify if Services Are Up and Listening

Support teams often get vague reports like “email’s not working” or “the database can’t be reached.” Nmap helps confirm whether the service is actually running or if the issue lies elsewhere. We can also include the -sV flag, which queries the service to properly identify what is listening on that port, rather than relying on Nmap's list of default services.


Example – check HTTP port 80 is up:

nmap -sV -p 80 192.168.238.128

This checks if HTTP is available and shows the web server version (e.g. Apache, Nginx, etc).


Subnet Scanning

We can also use Nmap to scan a range of hosts within a subnet to locate those that are listening on specific ports. This is helpful for identifying the IP addresses of hosts if they have changed, or for finding services that shouldn't be running on the subnet.

Example – scan a subnet for SSH:

nmap -p 22 192.168.238.0/24

The screenshot below shows that we identified five hosts on this subnet. Of these five, two have port 22 in the filtered state, two in the closed state, and one is listening.


If we want to restrict our results to only show a particular port state, e.g. open, use the --open flag:

nmap -p 22 --open 192.168.238.0/24
Nmap with --open flag
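When results need to be compared against what the firewall rules are supposed to allow, or grouped across a subnet, Nmap's grepable output (-oG - writes it to the terminal) is easy to process. The script below is an added example, not part of the original article; the sample output is constructed to match the results described in the firewall and subnet sections, and the function names and the "expected" rule set are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed samples of `nmap -oG -` (grepable) output. Only 192.168.238.128
# and the port states come from the article; the other addresses are made up.
FIREWALL_SCAN = ("Host: 192.168.238.128 ()\tPorts: 22/closed/tcp//ssh///, "
                 "80/filtered/tcp//http///, 443/open/tcp//https///\n")
SUBNET_SCAN = "".join(
    f"Host: 192.168.238.{last} ()\tPorts: 22/{state}/tcp//ssh///\n"
    for last, state in [(1, "filtered"), (2, "filtered"), (128, "closed"),
                        (130, "closed"), (131, "open")])

HOST_RE = re.compile(r"Host: (\S+) .*?Ports: ([^\t]*)")
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(?:tcp|udp)/")


def parse_grepable(text):
    """Return {host: {port: state}} from Nmap grepable output."""
    results = defaultdict(dict)
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        if not host_match:          # comment and "Status:" lines carry no ports
            continue
        for entry in host_match.group(2).split(","):
            port_match = PORT_RE.match(entry.strip())
            if port_match:
                port, state = int(port_match.group(1)), port_match.group(2)
                results[host_match.group(1)][port] = state
    return dict(results)


def hosts_by_state(results, port):
    """Group hosts by the state of one port; "open" is what --open keeps."""
    groups = defaultdict(list)
    for host, ports in results.items():
        if port in ports:
            groups[ports[port]].append(host)
    return dict(groups)


def mismatches(results, host, expected):
    """Return {port: (expected, observed)} where the scan disagrees."""
    seen = results.get(host, {})
    return {port: (want, seen.get(port, "not scanned"))
            for port, want in expected.items() if seen.get(port) != want}


if __name__ == "__main__":
    print(hosts_by_state(parse_grepable(SUBNET_SCAN), 22))
    # Assumed intent for the web server: SSH closed, HTTP and HTTPS open.
    print(mismatches(parse_grepable(FIREWALL_SCAN), "192.168.238.128",
                     {22: "closed", 80: "open", 443: "open"}))
```

With the constructed firewall sample, the only mismatch reported is port 80, which was expected to be open but came back filtered.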


3. Diagnose Common Connectivity Issues with Nmap

Nmap isn’t just for checking individual services — it can be used to diagnose broader network problems too.

✅ Discover live devices on a network:

nmap -sn 192.168.1.0/24

✅ Verify UDP services (e.g. DNS):

nmap -sU -p 53 dns-server.local

✅ Trace the path to a host:

nmap --traceroute 192.168.1.10

Use these commands to determine whether a host is reachable, which ports are open, and where traffic is being blocked.


4. Nmap vs Ping, Traceroute, and Wireshark

If you’re already using ping, traceroute, or Wireshark, you’ll find Nmap fits right alongside them. Here’s how they compare:

| Tool       | Best For                         | Limitations                               |
|------------|----------------------------------|-------------------------------------------|
| Ping       | Checking if a host is up         | No port or service info                   |
| Traceroute | Finding where traffic is blocked | Doesn’t test if services are running      |
| Wireshark  | Deep packet inspection           | Requires traffic, more complex to use     |
| Nmap       | Checking ports & service status  | Generates traffic, needs careful handling |

Use them together for full visibility: Nmap tells you what’s open, traceroute tells you where it’s blocked, and Wireshark shows what’s happening in detail.


5. Nmap Tips for Support Teams

To get the best results with Nmap, keep these tips in mind:

  • Get permission before scanning internal or client networks

  • Use admin rights or sudo for full scan options (like SYN scans)

  • Limit scans to needed ports to reduce network load

  • Save output with -oN results.txt or use Zenmap (GUI version)

  • Scan slowly on sensitive networks with -T2 or -T3 timing

Used properly, Nmap is safe and incredibly informative.


Nmap isn’t just for penetration testers; it’s a practical, efficient tool for everyday IT support work. Whether you’re diagnosing slow network connections, confirming services are live, or verifying firewall rules, Nmap gives you clear answers.


If you're a support consultant working with complex networks, cloud systems, or on-prem servers, make Nmap a standard part of your troubleshooting process.


This is just a minuscule slice of the functions available within Nmap; there is so much more to be discovered (trust me, I've read the book).

