The benefits of running nmap as root

When run as root nmap is able to perform several features not available to non-root users. The most obvious is being able to create custom packets useful for operating system detection. Another useful feature is the ability to listen for packets from hosts being scanned. Firewalls blocking TCP ports will commonly send back an ICMP notification that the port is closed instead of simply sending a RST as is usual for a closed port. Most TCP implementations don’t take this into account and continue waiting for a connection to be established, timing out instead. If nmap is able to listen for these ICMP packets then it will not waste time on those ports that it has been told are closed by the firewall, and it will tell you that the port if filtered.

Update: I wrote this a while ago. The ‘most TCP implementations’ thing might not be quite as true now.