Nmap can pick up where it left off.
Let’s say you’re scanning a large network with Nmap, and something goes wrong – your laptop dies, the network connection drops, or you simply decide to stop the scan to conserve resources. You don’t want to start all over again, re-scanning hosts that have already been scanned. Nmap has a feature to resume an interrupted scan.
Here’s how it works. Nmap does not keep a separate progress database; its normal (-oN) or grepable (-oG) output file is the record. The first line of that file is a comment recording the exact command line that started the scan, and each host’s results are written as Nmap finishes with it. If the scan is interrupted, you hand that file to --resume: Nmap reads the command line and the last host back out of it, continues from that host, and appends the new results to the same file.
The Mechanics: Output Files as State
Nmap has no dedicated "state file" or save-state option. The output file itself is the state, and what makes it resumable is the header Nmap writes on its first line: a comment carrying the full command line, followed by one report block per host as each is completed.
If you started a scan like this:
nmap -sS -p 1-65535 192.168.1.0/24 -oN scan_results.txt -T4
you already have everything a resume needs. Grepable output (-oG) works the same way, and so does -oA, because it produces both. XML alone (-oX) and screen output alone do not, so for any long scan make sure -oN, -oG or -oA is on the command line from the start.
Now, imagine that scan was interrupted. To resume it, pass only the output file to --resume:
nmap --resume scan_results.txt
Do not repeat the other arguments: Nmap expects --resume and the filename and nothing else, and reconstructs scan type, ports, timing and targets from the command line recorded in the file. It then finds the last host recorded and starts again from that host; per-port progress inside a host is not saved, so that host is scanned once more. New results are appended to scan_results.txt as if the scan had never stopped.
What if I have no resumable output file?
If the interrupted scan wrote only to the screen or only XML, there is nothing for --resume to parse, and you cannot create the record after the fact. There is a second case where --resume is the wrong tool even with a good file: it reuses the original command line exactly, so you cannot change the timing template, port list or scan type on the way back in.
In both situations you can fall back on whatever record of completed hosts you have and tell Nmap to skip those hosts. The option is --excludefile <file>, which reads a list of targets (one per line, in any format Nmap accepts) that are never scanned; -iL <file> is its counterpart for supplying the target list itself. The result is similar to a resume, though less exact.
First, extract the addresses of the hosts Nmap already reported on. Every host report in normal output starts with a "Nmap scan report for" line, which ends in either the bare address or "hostname (address)" when reverse DNS resolved, so the hostname form has to be stripped as well (a plain awk '{print $NF}' would keep the parentheses):
grep '^Nmap scan report for ' scan_results.txt | sed -e 's/^Nmap scan report for //' -e 's/.*(\(.*\))$/\1/' > scanned_hosts.txt
scanned_hosts.txt now lists every host for which Nmap started a report. Remove its last line before using it: the final host in the file is the one being scanned when the run stopped, and its report is almost certainly incomplete.
Then run the scan again with the same parameters, excluding those hosts:
nmap -sS -p 1-65535 192.168.1.0/24 -oN scan_results_part2.txt -T4 --excludefile scanned_hosts.txt
Nmap expands 192.168.1.0/24, drops every address that appears in scanned_hosts.txt before any probe is sent, and scans the rest. Write to a new output file rather than the original: -oN overwrites an existing file (use --append-output if you really want to append), and keeping the partial files separate makes it clear which hosts came from which run.
Important Note: This is a substitute, not a true resume. --resume reads the last host out of the file and continues from that exact point with the original arguments; the exclusion approach is only as good as your extraction. Leave the interrupted host in the list and its remaining ports are never scanned; make the list too broad and hosts are silently skipped. Its advantage is flexibility: the second run may use different timing or ports.
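The two parsing steps above, reading back what --resume needs from a normal-format file and building an exclusion list from a partial one, as an added example. This is not Nmap’s own code; the -oN file it writes is constructed for the demonstration, and its hosts, timestamps and version string are hypothetical.

```shell
#!/bin/sh
# Added example, not Nmap's own code: read a normal-format (-oN) output file the
# way you would when deciding how to resume. The scan file written below is
# constructed for this example; hosts, timestamps and version are hypothetical.

# Write a constructed -oN file: header with the recorded command line, two
# complete host reports, and a third report cut off mid-scan.
make_sample_scan() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Tue Jan  9 10:00:00 2024 as: nmap -sS -p 1-65535 -T4 -oN scan_results.txt 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https

Nmap scan report for printer.lan (192.168.1.7)
Host is up (0.0030s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.1.12
Host is up (0.0020s latency).
EOF
}

# The command line Nmap recorded in the header. --resume rebuilds its
# arguments from this line, which is why it takes only the filename.
original_command() {
  sed -n 's/^# Nmap .* as: //p' "$1" | head -n 1
}

# Addresses of every host that has a report, in file order. A report line
# ends in either a bare address or "hostname (address)" when reverse DNS
# resolved; the second sed expression keeps only the parenthesised address.
scanned_hosts() {
  grep '^Nmap scan report for ' "$1" |
    sed -e 's/^Nmap scan report for //' -e 's/.*(\(.*\))$/\1/'
}

# The host --resume restarts from: the last one recorded. Its report may be
# incomplete, so it is scanned again.
last_host() {
  scanned_hosts "$1" | tail -n 1
}

# Hosts safe to exclude on a re-run: everything except that last host.
# Output is one address per line, ready for --excludefile.
completed_hosts() {
  scanned_hosts "$1" | sed '$d'
}

# Stand-alone demonstration on the constructed file.
tmp=$(mktemp)
make_sample_scan "$tmp"
echo "Recorded command  : $(original_command "$tmp")"
echo "Resume restarts at: $(last_host "$tmp")"
echo "Exclude on re-run :"
completed_hosts "$tmp"
rm -f "$tmp"
```

On a real interrupted scan, point the functions at your own -oN file instead of the constructed one; completed_hosts writes exactly the list to hand to --excludefile, and last_host is the address you should expect to see scanned again when you run nmap --resume on the same file.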
Best Practices for Resumable Scans
- Always write -oN or -oG (or -oA) for long scans: these are the only formats --resume can read, and they are also where your results live. If you anticipate a scan being interrupted or paused, put one of them on the command line from the start; there is no way to add it afterwards.
- Resume with the filename alone: run nmap --resume <file> and nothing else. Nmap rebuilds the scan type, ports, timing and targets from the command line recorded in the file; retyping them is at best redundant and at worst a typo that changes the scan.
- Keep the target list deterministic: resume works by skipping through the original target specification until it reaches the last host recorded, so targets Nmap can replay in the same order (CIDR ranges, explicit hosts, an -iL file that has not changed) resume cleanly. Randomly generated targets (-iR) produce a different list on every run and cannot be replayed.
- Do not edit the output file by hand: the header line and the per-host report blocks are exactly what --resume parses. Work on copies if you need to trim or merge results, and resume from the original.
Consider scanning a very large range, say 10.0.0.0/8, with a scan that has been running for days. Network maintenance might require you to stop it for a while. Because the output file records both the command line and every host completed so far, nmap --resume <file> lets you pause and restart without losing days of progress; the file is the bookmark.
Two things to check if a resume does not behave as expected. If Nmap refuses the file, it could not find the command-line header or a final "Nmap scan report for" line in it, which usually means the file was not written with -oN or -oG, or has been edited. If the resumed scan finishes almost immediately, the last host in the file was at or near the end of the target list; compare that last host against your original target specification before concluding that anything was skipped.
The next challenge after successfully resuming scans is often analyzing the combined output from multiple scan sessions, especially if you’ve had to restart a scan multiple times.