Notice: this page is a Chinese/English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). Original Stack Overflow address: http://stackoverflow.com/questions/24989105/

Posted: 2020-09-18 10:58:25  Source: igfitidea

What's the best way to nmap thousands of subnets in parallel from a script?

Tags: bash, parallel-processing, nmap

Asked by user3126740

To inventory a port in part of a Class-A network, I scan that as a few thousand Class-C networks using nmap. I use parallel to run 32 subnet scan jobs at once.


A minimized version of the script:


cat $subnets | while read subnet
do
    echo nmap -Pn -p"$tcpport" "$subnet" >> /tmp/nmap_parallel.list
done

parallel -j32 < /tmp/nmap_parallel.list
wait
echo Subnet scan for port $tcpport complete.


The problem with this approach is that the script stops at parallel.


Is there a better way to use parallel from a script?


Answered by bonsaiviking

Nmap has built-in parallelism that should be able to handle scanning a Class-A network in a single command. In fact, because of Nmap's network status monitoring and feedback mechanisms, it is usually better to run just one instance of Nmap at a time. The bottleneck for Nmap is not the processor, so running multiple instances with parallel is not going to help. Instead, Nmap will send many probes at once and wait for responses. As new responses come in, new probes can be sent out. If Nmap gets a response for every probe, it increases the number of outstanding probes (parallelism) it sends. When it detects a packet drop, it decreases this number (as well as some other timing-related variables).


This adaptive timing behavior is discussed at length in the official Nmap Network Scanning book, and is based on public algorithms used in TCP.


You may be able to speed up your scan by adjusting some timing options and eliminating scan phases that do not matter to you. On the simple end, you can try -T4 to increase several timing-related settings at once, without exceeding the capability of a high-speed link. You can also try adding -n to skip the reverse-DNS name lookup phase, since you may not be interested in those results.


You have already used the -Pn flag to skip the host discovery phase; if you are only scanning one port, this may be a good idea, but it may also result in confusing output and slower scan times, since Nmap must assume that every host is up and do a real port scan. Remember the adaptive timing algorithms? They have slightly different behavior when doing host discovery that may result in faster scan times. If you don't like the default host discovery probes, you can tune them yourself. If I am scanning for port 22, I can use that as a host discovery probe with -PS22, which means my output will only show hosts with that port open or closed (not firewalled and not down). If you stick with -Pn, you should probably also use the --open option to only show hosts with your chosen ports open, otherwise you will have a lot of output to slog through.


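A script along the lines this answer recommends, added here as an example (it is not code from the answer or from the Nmap project): it assembles one nmap command for the whole subnet list using the -T4, -n and either -PS<port> or -Pn --open options discussed above, plus -iL to read the targets from a file and -oG for grepable output, and it includes a small parser for that -oG output so the hosts with the port open can be listed once the scan has run. The file names subnets.txt and scan_port_<port>.gnmap, the function names build_nmap_cmd, open_hosts and write_sample_gnmap, and the sample -oG lines are all assumptions constructed for the example; nmap itself is never executed by the script, so it can be read and tested offline.

```shell
#!/bin/bash
# Added example, not code from the Stack Overflow answer or from Nmap itself.
# It builds ONE nmap command for the whole subnet list (Nmap handles the
# parallelism internally) and summarizes the grepable -oG output afterwards.
# nmap is never executed here, so the script can be read and tested offline.
# Assumed names: subnets.txt (one CIDR per line) and scan_port_<port>.gnmap.

# build_nmap_cmd PORT TARGETS_FILE [ps|pn]
#   ps -> -PS<port> as the host-discovery probe: output lists hosts that
#         answered on that port (open or closed), not firewalled or down hosts
#   pn -> keep -Pn (no host discovery) and add --open so only open ports print
build_nmap_cmd() {
    local port="$1" targets="$2" mode="${3:-ps}" discovery
    case "$port" in
        ''|*[!0-9]*) echo "build_nmap_cmd: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "build_nmap_cmd: port out of range: $port" >&2; return 1
    fi
    case "$mode" in
        ps) discovery="-PS$port" ;;
        pn) discovery="-Pn --open" ;;
        *)  echo "build_nmap_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # -T4: aggressive timing template; -n: skip reverse DNS;
    # -iL: targets from file; -oG: grepable output for the summary below
    printf 'nmap -T4 -n %s -p%s -iL %s -oG scan_port_%s.gnmap\n' \
        "$discovery" "$port" "$targets" "$port"
}

# open_hosts GNMAP_FILE PORT : print the address of every host whose -oG
# "Ports:" field lists PORT as open (exact match: port 22 does not match 2222).
open_hosts() {
    awk -v p="$2" '
        /^Host:/ {
            n = index($0, "Ports: ")
            if (n == 0) next
            m = split(substr($0, n + 7), entry, /, /)
            for (i = 1; i <= m; i++)
                if (index(entry[i], p "/open/") == 1) { print $2; break }
        }' "$1"
}

# write_sample_gnmap FILE : constructed sample of nmap -oG output (not a real
# scan result) so the parser can be exercised without running nmap.
write_sample_gnmap() {
    {
        printf '# Nmap (constructed sample of -oG output, not a real scan)\n'
        printf 'Host: 10.10.1.5 ()\tStatus: Up\n'
        printf 'Host: 10.10.1.5 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (0)\n'
        printf 'Host: 10.10.1.9 ()\tPorts: 22/closed/tcp//ssh///\n'
        printf 'Host: 10.10.2.17 ()\tPorts: 2222/open/tcp//ssh///, 22/filtered/tcp//ssh///\n'
        printf 'Host: 10.10.3.40 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n'
        printf '# Nmap done (constructed sample)\n'
    } > "$1"
}

# Usage: ./scan_port.sh PORT SUBNET_LIST   prints the single nmap command to
# run; afterwards, open_hosts scan_port_PORT.gnmap PORT lists the open hosts.
if [ "$#" -eq 2 ]; then
    build_nmap_cmd "$1" "$2"
fi
```

Run it as ./scan_port.sh 22 subnets.txt to obtain the command, execute that command, and then call open_hosts scan_port_22.gnmap 22 on the result. The parser splits the Ports field on ", " and matches each entry from its first character, which is why a scan for port 22 will not report a host that only has 2222 open.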
Answered by Kokkie

Can't you send the commands to the background with & in order to process the others simultaneously? Something like below:


#!/bin/bash
ports="20 21 22 25 80 443"
for p in $ports
do
    nmap -Pn -p$p 10.0.1.0/24 &   # one background nmap per port
done
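The backgrounding idea from this answer, as an added example that is not code from the answer: it keeps one background job per command started with &, but adds the two things a script needs to rely on it, a cap on how many jobs run at once (the question's 32) and a wait on every job so the script does not exit, or print "complete", before the scans have finished. The function name run_capped and the command file name scan_commands.txt are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the Stack Overflow answer. It keeps the answer's
# idea (one background job per command, started with &) but adds what a script
# needs to be reliable: a cap on how many jobs run at once and a wait for all
# of them, so "complete" is only printed after every job has really finished.

# run_capped MAX CMDFILE : run each non-empty line of CMDFILE as a background
# job with at most MAX running at once (the oldest job is waited for first).
# Prints the number of jobs that exited non-zero and returns it as exit status.
run_capped() {
    local max="$1" cmdfile="$2" pids="" running=0 failed=0 cmd oldest p
    while IFS= read -r cmd || [ -n "$cmd" ]; do
        [ -n "$cmd" ] || continue
        if [ "$running" -ge "$max" ]; then
            oldest="${pids%% *}"          # first pid in the FIFO list
            wait "$oldest" || failed=$((failed + 1))
            pids="${pids#* }"             # drop it from the list
            running=$((running - 1))
        fi
        # stdin is the command file inside this loop, so detach the job from it
        sh -c "$cmd" < /dev/null &
        pids="$pids$! "
        running=$((running + 1))
    done < "$cmdfile"
    # nothing left to start: wait for the jobs still running
    for p in $pids; do
        wait "$p" || failed=$((failed + 1))
    done
    echo "$failed"
    return "$failed"
}

# Usage (assumed file name scan_commands.txt): one full command per line, e.g.
#   nmap -Pn -p22 10.0.1.0/24
#   nmap -Pn -p22 10.0.2.0/24
# then:  run_capped 32 scan_commands.txt && echo "Subnet scan complete."
if [ "$#" -eq 2 ]; then
    run_capped "$1" "$2"
fi
```

Because the function returns the number of failed jobs, the "complete" message after && is only printed when every job finished and none exited non-zero; a failed nmap invocation is therefore visible instead of silently lost in the background.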