{"id":13423405,"url":"https://github.com/robertdavidgraham/masscan","last_synced_at":"2025-05-13T10:54:55.847Z","repository":{"id":9751240,"uuid":"11715753","full_name":"robertdavidgraham/masscan","owner":"robertdavidgraham","description":"TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.","archived":false,"fork":false,"pushed_at":"2024-12-13T12:22:18.000Z","size":3284,"stargazers_count":24425,"open_issues_count":416,"forks_count":3115,"subscribers_count":653,"default_branch":"master","last_synced_at":"2025-05-05T20:31:56.155Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/robertdavidgraham.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-07-28T05:35:33.000Z","updated_at":"2025-05-05T19:37:43.000Z","dependencies_parsed_at":"2023-02-18T09:30:41.133Z","dependency_job_id":"8db40e57-3979-482a-a9d7-69f591c58fb7","html_url":"https://github.com/robertdavidgraham/masscan","commit_stats":{"total_commits":582,"total_committers":65,"mean_commits":8.953846153846154,"dds":"0.18900343642611683","last_synced_commit":"9065684c52682d3e12a35559ef72cd0f07838bff"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdavidgraham%2Fmasscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdavidgraham%2Fmasscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/robertdavidgraham%2Fmasscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdavidgraham%2Fmasscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/robertdavidgraham","download_url":"https://codeload.github.com/robertdavidgraham/masscan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253929320,"owners_count":21985800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T00:00:33.795Z","updated_at":"2025-05-13T10:54:55.827Z","avatar_url":"https://github.com/robertdavidgraham.png","language":"C","readme":"[![unittests](https://github.com/robertdavidgraham/masscan/actions/workflows/unittests.yml/badge.svg?branch=master)](https://github.com/robertdavidgraham/masscan/actions/workflows/unittests.yml/?branch=master)\n\n# MASSCAN: Mass IP port scanner\n\nThis is an Internet-scale port scanner. It can scan the entire Internet\nin under 5 minutes, transmitting 10 million packets per second,\nfrom a single machine.\n\nIts usage (parameters, output) is similar to `nmap`, the most famous port scanner.\nWhen in doubt, try one of those features -- features that support widespread\nscanning of many machines are supported, while in-depth scanning of single\nmachines aren't.\n\nInternally, it uses asynchronous transmission, similar to port scanners\nlike  `scanrand`, `unicornscan`, and `ZMap`. It's more flexible, allowing\narbitrary port and address ranges.\n\nNOTE: masscan uses its own **ad hoc TCP/IP stack**. 
Anything other than\nsimple port scans may cause conflict with the local TCP/IP stack. This means you \nneed to use either the `--src-ip` option to run from a different IP address, or\nuse `--src-port` to configure which source ports masscan uses, then also\nconfigure the internal firewall (like `pf` or `iptables`) to firewall those ports\nfrom the rest of the operating system.\n\nThis tool is free, but consider contributing money to its development:\nBitcoin wallet address: 1MASSCANaHUiyTtR3bJ2sLGuMw5kDBaj4T\n\n\n# Building\n\nOn Debian/Ubuntu, it goes something like the following. It doesn't\nreally have any dependencies other than a C compiler (such as `gcc`\nor `clang`).\n\n\tsudo apt-get --assume-yes install git make gcc\n\tgit clone https://github.com/robertdavidgraham/masscan\n\tcd masscan\n\tmake\n\nThis puts the program in the `masscan/bin` subdirectory. \nTo install it (on Linux) run:\n\n    make install\n\nThe source consists of a lot of small files, so building goes a lot faster\nby using the multi-threaded build. This requires more than 2gigs on a \nRaspberry Pi (and breaks), so you might use a smaller number, like `-j4` rather than\nall possible threads.\n\n\tmake -j\n\nWhile Linux is the primary target platform, the code runs well on many other\nsystems (Windows, macOS, etc.). Here's some additional build info:\n\n  * Windows w/ Visual Studio: use the VS10 project\n  * Windows w/ MinGW: just type `make`\n  * Windows w/ cygwin: won't work\n  * Mac OS X /w XCode: use the XCode4 project\n  * Mac OS X /w cmdline: just type `make`\n  * FreeBSD: type `gmake`\n  * other: try just compiling all the files together, `cc src/*.c -o bin/masscan`\n\nOn macOS, the x86 binaries seem to work just as fast under ARM emulation.\n\n# Usage\n\nUsage is similar to `nmap`. 
To scan a network segment for some ports:\n\n\t# masscan -p80,8000-8100 10.0.0.0/8 2603:3001:2d00:da00::/112\n\nThis will:\n* scan the `10.x.x.x` subnet, and `2603:3001:2d00:da00::x` subnets\n* scans port 80 and the range 8000 to 8100, or 102 ports total, on both subnets\n* print output to `\u003cstdout\u003e` that can be redirected to a file\n\nTo see the complete list of options, use the `--echo` feature. This\ndumps the current configuration and exits. This output can be used as input back\ninto the program:\n\n\t# masscan -p80,8000-8100 10.0.0.0/8 2603:3001:2d00:da00::/112 --echo \u003e xxx.conf\n\t# masscan -c xxx.conf --rate 1000\n\n\n## Banner checking\n\nMasscan can do more than just detect whether ports are open. It can also\ncomplete the TCP connection and interaction with the application at that\nport in order to grab simple \"banner\" information.\n\nMasscan supports banner checking on the following protocols:\n  * FTP\n  * HTTP\n  * IMAP4\n  * memcached\n  * POP3\n  * SMTP\n  * SSH\n  * SSL\n  * SMBv1\n  * SMBv2\n  * Telnet\n  * RDP\n  * VNC\n\nThe problem with this is that masscan contains its own TCP/IP stack\nseparate from the system you run it on. When the local system receives\na SYN-ACK from the probed target, it responds with a RST packet that kills\nthe connection before masscan can grab the banner.\n\nThe easiest way to prevent this is to assign masscan a separate IP\naddress. This would look like one of the following examples:\n\n\t# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200\n      # masscan 2a00:1450:4007:810::/112 -p80 --banners --source-ip 2603:3001:2d00:da00:91d7:b54:b498:859d\n\nThe address you choose has to be on the local subnet and not otherwise\nbe used by another system. Masscan will warn you that you've made a\nmistake, but you might've messed up the other machine's communications\nfor several minutes, so be careful.\n\nIn some cases, such as WiFi, this isn't possible. 
In those cases, you can\nfirewall the port that masscan uses. This prevents the local TCP/IP stack\nfrom seeing the packet, but masscan still sees it since it bypasses the\nlocal stack. For Linux, this would look like:\n\n\t# iptables -A INPUT -p tcp --dport 61000 -j DROP\n\t# masscan 10.0.0.0/8 -p80 --banners --source-port 61000\n\nYou probably want to pick ports that don't conflict with ports Linux might otherwise\nchoose for source-ports. You can see the range Linux uses, and reconfigure\nthat range, by looking in the file:\n\n    /proc/sys/net/ipv4/ip_local_port_range\n\nOn the latest version of Kali Linux (2018-August), that range is 32768 to 60999, so\nyou should choose ports either below 32768 or 61000 and above.\n\nSetting an `iptables` rule only lasts until the next reboot. You need to look up how to\nsave the configuration depending upon your distro, such as using `iptables-save` \nand/or `iptables-persistent`.\n\nOn Mac OS X and BSD, there are similar steps. To find out the ranges to avoid,\nuse a command like the following:\n\n    # sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last\n\nOn FreeBSD and older MacOS, use an `ipfw` command: \n\n\t# sudo ipfw add 1 deny tcp from any to any 40000 in\n\t# masscan 10.0.0.0/8 -p80 --banners --source-port 40000\n\nOn newer MacOS and OpenBSD, use the `pf` packet-filter utility. \nEdit the file `/etc/pf.conf` to add a line like the following:\n\n    block in proto tcp from any to any port 40000:40015\n    \nThen to enable the firewall, run the command:\n    \n    # pfctl -E    \n\nIf the firewall is already running, then either reboot or reload the rules\nwith the following command:\n\n    # pfctl -f /etc/pf.conf\n\nWindows doesn't respond with RST packets, so neither of these techniques\nis necessary. 
However, masscan is still designed to work best using its\nown IP address, so you should run that way when possible, even when it is\nnot strictly necessary.\n\nThe same thing is needed for other checks, such as the `--heartbleed` check,\nwhich is just a form of banner checking.\n\n\n## How to scan the entire Internet\n\nWhile useful for smaller, internal networks, the program is really designed\nwith the entire Internet in mind. It might look something like this:\n\n\t# masscan 0.0.0.0/0 -p0-65535\n\nScanning the entire Internet is bad. For one thing, parts of the Internet react\nbadly to being scanned. For another thing, some sites track scans and add you\nto a ban list, which will get you firewalled from useful parts of the Internet.\nTherefore, you want to exclude a lot of ranges. To blacklist or exclude ranges,\nyou want to use the following syntax:\n\n\t# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt\n\nThis just prints the results to the command-line. You probably want them\nsaved to a file instead. Therefore, you want something like:\n\n\t# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml\n\nThis saves the results in an XML file, allowing you to easily dump the\nresults in a database or something.\n\nBut, this only goes at the default rate of 100 packets/second, which will\ntake forever to scan the Internet. You need to speed it up as so:\n\n\t# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000\n\nThis increases the rate to 100,000 packets/second, which will scan the\nentire Internet (minus excludes) in about 10 hours per port (or 655,360 hours\nif scanning all ports).\n\nThe thing to notice about this command-line is that these are all `nmap`\ncompatible options. In addition, \"invisible\" options compatible with `nmap`\nare also set for you: `-sS -Pn -n --randomize-hosts --send-eth`. Likewise,\nthe format of the XML file is inspired by `nmap`. 
There are, of course, a\nlot of differences, because the *asynchronous* nature of the program\nleads to a fundamentally different approach to the problem.\n\nThe above command-line is a bit cumbersome. Instead of putting everything\non the command-line, it can be stored in a file instead. The above settings\nwould look like this:\n\n\t# My Scan\n\trate =  100000.00\n\toutput-format = xml\n\toutput-status = all\n\toutput-filename = scan.xml\n\tports = 0-65535\n\trange = 0.0.0.0-255.255.255.255\n\texcludefile = exclude.txt\n\nTo use this configuration file, use the `-c`:\n\n\t# masscan -c myscan.conf\n\nThis also makes things easier when you repeat a scan.\n\nBy default, masscan first loads the configuration file \n`/etc/masscan/masscan.conf`. Any later configuration parameters override what's\nin this default configuration file. That's where I put my \"excludefile\" \nparameter so that I don't ever forget it. It just works automatically.\n\n\n## Getting output\n\nBy default, masscan produces fairly large text files, but it's easy \nto convert them into any other format. There are five supported output formats:\n\n1. xml:  Just use the parameter `-oX \u003cfilename\u003e`. \n\tOr, use the parameters `--output-format xml` and `--output-filename \u003cfilename\u003e`.\n\n2. binary: This is the masscan builtin format. It produces much smaller files so that\nwhen I scan the Internet my disk doesn't fill up. They need to be parsed,\nthough. The command-line option `--readscan` will read binary scan files.\nUsing `--readscan` with the `-oX` option will produce an XML version of the \nresults file.\n\n3. grepable: This is an implementation of the Nmap -oG\noutput that can be easily parsed by command-line tools. Just use the\nparameter `-oG \u003cfilename\u003e`. Or, use the parameters `--output-format grepable` and\n`--output-filename \u003cfilename\u003e`.\n\n4. json: This saves the results in JSON format. Just use the\nparameter `-oJ \u003cfilename\u003e`. 
Or, use the parameters `--output-format json` and\n`--output-filename \u003cfilename\u003e`.\n\n5. list: This is a simple list with one host and port pair \nper line. Just use the parameter `-oL \u003cfilename\u003e`. Or, use the parameters \n`--output-format list` and `--output-filename \u003cfilename\u003e`. The format is:\n\n\t```\n\t\u003cport state\u003e \u003cprotocol\u003e \u003cport number\u003e \u003cIP address\u003e \u003cPOSIX timestamp\u003e  \n\topen tcp 80 XXX.XXX.XXX.XXX 1390380064\n\t```\t\n\n\n## Comparison with Nmap\n\nWhere reasonable, every effort has been taken to make the program familiar\nto `nmap` users, even though it's fundamentally different. Masscan is tuned\nfor wide range scanning of a lot of machines, whereas nmap is designed for\nintensive scanning of a single machine or a small range.\n\nTwo important differences are:\n\n* no default ports to scan, you must specify `-p \u003cports\u003e`\n* target hosts are IP addresses or simple ranges, not DNS names, nor \n  the funky subnet ranges `nmap` can use (like `10.0.0-255.0-255`).\n\nYou can think of `masscan` as having the following settings permanently\nenabled:\n* `-sS`: this does SYN scan only (currently, will change in the future)\n* `-Pn`: doesn't ping hosts first, which is fundamental to the async operation\n* `-n`: no DNS resolution happens\n* `--randomize-hosts`: scan completely randomized, always, you can't change this\n* `--send-eth`: sends using raw `libpcap`\n\nIf you want a list of additional `nmap` compatible settings, use the following\ncommand:\n\n\t# masscan --nmap\n\n\n## Transmit rate (IMPORTANT!!)\n\nThis program spews out packets very fast. On Windows, or from VMs,\nit can do 300,000 packets/second. On Linux (no virtualization) it'll\ndo 1.6 million packets-per-second. That's fast enough to melt most networks.\n\nNote that it'll only melt your own network. 
It randomizes the target\nIP addresses so that it shouldn't overwhelm any distant network.\n\nBy default, the rate is set to 100 packets/second. To increase the rate to\na million use something like `--rate 1000000`.\n\nWhen scanning the IPv4 Internet, you'll be scanning lots of subnets,\nso even though there's a high rate of packets going out, each\ntarget subnet will receive a small rate of incoming packets.\n\nHowever, with IPv6 scanning, you'll tend to focus on a single\ntarget subnet with billions of addresses. Thus, your default\nbehavior will overwhelm the target network. Networks often\ncrash under the load that masscan can generate.\n\n\n# Design\n\nThis section describes the major design issues of the program.\n\n\n## Code Layout\n\nThe file `main.c` contains the `main()` function, as you'd expect. It also\ncontains the `transmit_thread()` and `receive_thread()` functions. These\nfunctions have been deliberately flattened and heavily commented so that you\ncan read the design of the program simply by stepping line-by-line through\neach of these.\n\n\n## Asynchronous\n\nThis is an *asynchronous* design. In other words, it is to `nmap` what\nthe `nginx` web-server is to `Apache`. It has separate transmit and receive\nthreads that are largely independent from each other. It's the same sort of\ndesign found in `scanrand`, `unicornscan`, and `ZMap`.\n\nBecause it's asynchronous, it runs as fast as the underlying packet transmit\nallows.\n\n\n## Randomization\n\nA key difference between Masscan and other scanners is the way it randomizes\ntargets.\n\nThe fundamental principle is to have a single index variable that starts at\nzero and is incremented by one for every probe. In C code, this is expressed\nas:\n\n    for (i = 0; i \u003c range; i++) {\n        scan(i);\n    }\n\nWe have to translate the index into an IP address. Let's say that you want to\nscan all \"private\" IP addresses. 
That would be the table of ranges like:\n    \n    192.168.0.0/16\n    10.0.0.0/8\n    172.16.0.0/12\n\nIn this example, the first 64k indexes are appended to 192.168.x.x to form\nthe target address. Then, the next 16-million are appended to 10.x.x.x.\nThe remaining indexes in the range are applied to 172.16.x.x.\n\nIn this example, we only have three ranges. When scanning the entire Internet,\nwe have in practice more than 100 ranges. That's because you have to blacklist\nor exclude a lot of sub-ranges. This chops up the desired range into hundreds\nof smaller ranges.\n\nThis leads to one of the slowest parts of the code. We transmit 10 million\npackets per second and have to convert an index variable to an IP address\nfor each and every probe. We solve this by doing a \"binary search\" in a small\namount of memory. At this packet rate, cache efficiencies start to dominate\nover algorithm efficiencies. There are a lot of more efficient techniques in\ntheory, but they all require so much memory as to be slower in practice.\n\nWe call the function that translates from an index into an IP address\nthe `pick()` function. In use, it looks like:\n\n    for (i = 0; i \u003c range; i++) {\n        ip = pick(addresses, i);\n        scan(ip);\n    }\n\nMasscan supports not only IP address ranges, but also port ranges. This means\nwe need to pick from the index variable both an IP address and a port. This\nis fairly straightforward:\n\n    range = ip_count * port_count;\n    for (i = 0; i \u003c range; i++) {\n        ip   = pick(addresses, i / port_count);\n        port = pick(ports,     i % port_count);\n        scan(ip, port);\n    }\n\nThis leads to another expensive part of the code. The division/modulus\ninstructions are around 90 clock cycles, or 30 nanoseconds, on x86 CPUs. When\ntransmitting at a rate of 10 million packets/second, we have only\n100 nanoseconds per packet. I see no way to optimize this any better. 
Luckily,\nthough, two such operations can be executed simultaneously, so doing two \nof these, as shown above, is no more expensive than doing one.\n\nThere are actually some easy optimizations for the above performance problems,\nbut they all rely upon `i++`, the fact that the index variable increases one\nby one through the scan. Actually, we need to randomize this variable. We\nneed to randomize the order of IP addresses that we scan or we'll blast the\nheck out of target networks that aren't built for this level of speed. We \nneed to spread our traffic evenly over the target.\n\nThe way we randomize is simply by encrypting the index variable. By definition,\nencryption is random and creates a 1-to-1 mapping between the original index\nvariable and the output. This means that while we linearly go through the\nrange, the output IP addresses are completely random. In code, this looks like:\n\n    range = ip_count * port_count;\n    for (i = 0; i \u003c range; i++) {\n        x = encrypt(i);\n        ip   = pick(addresses, x / port_count);\n        port = pick(ports,     x % port_count);\n        scan(ip, port);\n    }\n\nThis also has a major cost. Since the range is an unpredictable size instead\nof a nice even power of 2, we can't use cheap binary techniques like\nAND (\u0026) and XOR (^). Instead, we have to use expensive operations like \nMODULUS (%). In my current benchmarks, it's taking 40 nanoseconds to\nencrypt the variable.\n\nThis architecture allows for lots of cool features. For example, it supports\n\"shards\". You can set up 5 machines each doing a fifth of the scan or\n`range / shard_count`. 
Shards can be multiple machines, or simply multiple\nnetwork adapters on the same machine, or even (if you want) multiple IP\nsource addresses on the same network adapter.\n\nOr, you can use a 'seed' or 'key' to the encryption function, so that you get\na different order each time you scan, like `x = encrypt(seed, i)`.\n\nWe can also pause the scan by exiting out of the program, and simply\nremembering the current value of `i`, and restart it later. I do that a lot\nduring development. I see something going wrong with my Internet scan, so\nI hit \u003cctrl-c\u003e to stop the scan, then restart it after I've fixed the bug.\n\nAnother feature is retransmits/retries. Packets sometimes get dropped on the\nInternet, so you can send two packets back-to-back. However, something that\ndrops one packet may drop the immediately following packet. Therefore, you\nwant to send the copy about 1 second apart. This is simple. We already have\na 'rate' variable, which is the number of packets-per-second rate we are\ntransmitting at, so the retransmit function is simply to use `i + rate`\nas the index. One of these days I'm going to do a study of the Internet,\nand differentiate \"back-to-back\", \"1 second\", \"10 second\", and \"1 minute\"\nretransmits this way in order to see if there is any difference in what\ngets dropped.\n\n\n## C10 Scalability\n\nThe asynchronous technique is known as a solution to the \"c10k problem\".\nMasscan is designed for the next level of scalability, the \"C10M problem\".\n\nThe C10M solution is to bypass the kernel. There are three primary kernel\nbypasses in Masscan:\n* custom network driver\n* user-mode TCP stack\n* user-mode synchronization\n\nMasscan can use the PF_RING DNA driver. This driver DMAs packets directly\nfrom user-mode memory to the network driver with zero kernel involvement.\nThat allows software, even with a slow CPU, to transmit packets at the maximum\nrate the hardware allows. 
If you put 8 10-gbps network cards in a computer,\nthis means it could transmit at 100-million packets/second.\n\nMasscan has its own built-in TCP stack for grabbing banners from TCP\nconnections. This means it can easily support 10 million concurrent TCP\nconnections, assuming of course that the computer has enough memory.\n\nMasscan has no \"mutex\". Modern mutexes (aka. futexes) are mostly user-mode,\nbut they have two problems. The first problem is that they cause cache-lines\nto bounce quickly back-and-forth between CPUs. The second is that when there\nis contention, they'll do a system call into the kernel, which kills\nperformance. A mutex on the fast path of a program severely limits scalability.\nInstead, Masscan uses \"rings\" to synchronize things, such as when the\nuser-mode TCP stack in the receive thread needs to transmit a packet without\ninterfering with the transmit thread.\n\n\n## Portability\n\nThe code runs well on Linux, Windows, and Mac OS X. All the important bits are\nin standard C (C90). Therefore, it compiles on Visual Studio with Microsoft's\ncompiler, the Clang/LLVM compiler on Mac OS X, and GCC on Linux.\n\nWindows and Macs aren't tuned for packet transmit, and get only about 300,000\npackets-per-second, whereas Linux can do 1,500,000 packets/second. That's\nprobably faster than you want anyway.\n\n\n## Safe code\n\nA bounty is offered for vulnerabilities, see the VULNINFO.md file for more\ninformation.\n\nThis project uses safe functions like `safe_strcpy()` instead of unsafe functions\nlike `strcpy()`.\n\nThis project has automated unit regression tests (`make regress`).\n\n\n## Compatibility\n\nA lot of effort has gone into making the input/output look like `nmap`, which\neveryone who does port scans is (or should be) familiar with.\n\n\n## IPv6 and IPv4 coexistence\n\nMasscan supports IPv6, but there is no special mode, both are supported\nat the same time. 
(There is no `-6` option -- it's always available).\n\nIn any example you see of masscan usage,\nsimply put an IPv6 address where you see an IPv4 address. You can include\nIPv4 and IPv6 addresses simultaneously in the same scan. Output includes\nthe appropriate address at the same location, with no special marking.\n\nJust remember that IPv6 address space is really big. You probably don't want to scan\nfor big ranges, except maybe the first 64k addresses of a subnet that were assigned\nvia DHCPv6.\n\nInstead, you'll probably want to scan large lists of addresses stored\nin a file (`--include-file filename.txt`) that you got from other sources.\nLike everywhere else, this file can contain lists of both IPv4 and IPv6 addresses.\nThe test file I use contains 8 million addresses. Files of that size need a couple\nextra seconds to be read on startup (masscan sorts the addresses and removes\nduplicates before scanning).\n\nRemember that masscan contains its own network stack. Thus, the local machine\nyou run masscan from does not need to be IPv6 enabled -- though the local\nnetwork needs to be able to route IPv6 packets.\n\n\n## PF_RING\n\nTo get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet\nadapter and a special driver known as [\"PF_RING ZC\" from ntop](http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/). Masscan doesn't need to be rebuilt in order to use PF_RING. 
To use PF_RING,\nyou need to build the following components:\n\n  * `libpfring.so` (installed in /usr/lib/libpfring.so)\n  * `pf_ring.ko` (their kernel driver)\n  * `ixgbe.ko` (their version of the Intel 10-gbps Ethernet driver)\n\nYou don't need to build their version of `libpcap.so`.\n\nWhen Masscan detects that an adapter is named something like `zc:enp1s0` instead\nof something like `enp1s0`, it'll automatically switch to PF_RING ZC mode.\n\nA more detailed discussion can be found in **PoC||GTFO 0x15**.\n\n\n## Regression testing\n\nThe project contains a built-in unit test:\n\n    $ make test\n    bin/masscan --selftest\n    selftest: success!\n\nThis tests a lot of tricky bits of the code. You should do this after building.\n\n\n## Performance testing\n\nTo test performance, run something like the following to a throw-away address,\nto avoid overloading your local router:\n\n    $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11\n\nThe bogus `--router-mac` keeps packets on the local network segments so that\nthey won't go out to the Internet.\n\nYou can also test in \"offline\" mode, which is how fast the program runs\nwithout the transmit overhead:\n\n    $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline\n    \nThis second benchmark shows roughly how fast the program would run if it were\nusing PF_RING, which has near zero overhead.\n\nBy the way, the randomization algorithm makes heavy use of \"integer arithmetic\",\na chronically slow operation on CPUs. 
Modern CPUs have doubled the speed\nat which they perform this calculation, making `masscan` much faster.\n\n\n# Authors\n\nThis tool created by Robert Graham:\nemail: robert_david_graham@yahoo.com\ntwitter: @ErrataRob\n\n# License\n\nCopyright (c) 2013 Robert David Graham\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU Affero General Public License as published by\nthe Free Software Foundation, version 3 of the License.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU Affero General Public License for more details.\n\nYou should have received a copy of the GNU Affero General Public License\nalong with this program.  If not, see \u003chttps://www.gnu.org/licenses/\u003e.\n","funding_links":[],"categories":["Tools","C","Asset Discovery","Uncategorized","\u003ca id=\"8f92ead9997a4b68d06a9acf9b01ef63\"\u003e\u003c/a\u003e扫描器\u0026\u0026安全扫描\u0026\u0026App扫描\u0026\u0026漏洞扫描","Networking","Recon","[↑](#contents)Network / Port Scanning","Asset Scanning","Weapons","Network Tools","Related Lists","others","扫描器、资产收集、子域名","\u003ca id=\"132036452bfacf61471e3ea0b7bf7a55\"\u003e\u003c/a\u003e工具","2. 
[↑](#-content) Pentesting","Application Recommendation","Security Tools","Red Team","Network","工具篇","Tools by Category","Awesome Penetration Testing (\"https://github.com/Muhammd/Awesome-Pentest\")","Linux Tools"],"sub_categories":["Network Tools","Network/Port Scanning","Uncategorized","Binary files examination and editing","\u003ca id=\"de63a029bda6a7e429af272f291bb769\"\u003e\u003c/a\u003e未分类-Scanner","Port Scanning","Tools","Network Reconnaissance Tools","网络服务_其他","[↑](#-content) 2.10 Reconnaissance","🔒 Cybersecurity","Scanning \u0026 Enumeration","Reconaissance","安全相关","🌐 Website Monitoring \u0026 Analysis"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdavidgraham%2Fmasscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frobertdavidgraham%2Fmasscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdavidgraham%2Fmasscan/lists"}