TCP SYN Probe Module - zmap/zmap GitHub Wiki
When performing a TCP SYN scan, ZMap requires a single target port (multiple ports/ranges can be supplied as well) and supports specifying a range of source ports from which the scan will originate.
-p, --target-ports=portTCP port(s) number to scan (e.g.443or22,80,1000-2000)-s, --source-port=port|rangeSource port(s) for scan packets (e.g. 40000-50000)
Warning! ZMap relies on the Linux kernel to respond to SYN/ACK packets with RST packets in order to close connections opened by the scanner. This occurs because ZMap sends packets at the Ethernet layer in order to reduce overhead otherwise incurred in the kernel from tracking open TCP connections and performing route lookups. As such, if you have a firewall rule that tracks established connections such as a netfilter rule similar to -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT, this will block SYN/ACK packets from reaching the kernel.
This will not prevent ZMap from recording responses, but it will prevent RST packets from being sent back, ultimately using up a connection on the scanned host until your connection times out. We strongly recommend that you select a set of unused ports on your scanning host which can be allowed access in your firewall and specifying this port range when executing ZMap, with the -s flag (e.g. -s '50000-60000').