How does a UDP scan (-sU) operate and why are UDP results often incomplete compared to TCP scans?

UDP scans work by sending UDP packets to target ports and waiting for a reply. Because UDP is connectionless, there’s no handshake like TCP, so there isn’t a standard “opened” response to confirm a port is listening. Nmap determines state from whatever it can observe: a UDP response from a running service can indicate open, an ICMP port-unreachable message usually means the port is closed, and no response often means the port is filtered or simply silent. Many UDP services don’t reply to unsolicited probes, and many networks drop or rate-limit UDP traffic and ICMP messages. As a result, a large portion of UDP probes yield no definitive answer, causing ports to appear as open|filtered or unknown. This makes UDP scan results frequently incomplete compared with TCP scans, where the handshake provides clearer and more consistent signals about port state.