Since most popular services run over the TCP protocol, UDP services are often ignored during penetration tests. There are, however, many protocols that use UDP for their communication, with DNS, SNMP, and DHCP being the most common. UDP is a connectionless protocol, which makes scanning UDP service more difficult and slower than traditional port scans.
To invoke UDP scanning, use the flag -sU. UDP scan works by sending an empty UDP header to every targeted port and analyzing the response. Here is an example:
root@kali:~# nmap -sU 192.168.5.102 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-05 20:53 CET Nmap scan report for 192.168.5.102 Host is up (0.0025s latency). Not shown: 997 open|filtered ports PORT STATE SERVICE 123/udp open ntp 137/udp open netbios-ns 51690/udp open unknown Nmap done: 1 IP address (1 host up) scanned in 4.30 seconds
As you can see from the picture above, there are three open UDP ports on the target host – 123, 137, and 51690.