loading
loading
Network
An Internet-scale port scanner that sends 10 million packets per second from a single machine.
overview
masscan sends probes and reads replies on separate threads, so it never waits on a single host before moving to the next. Give it a port set and a block of addresses and it sweeps the whole range asynchronously, reaching up to 10 million packets per second from one machine and covering the entire IPv4 space in minutes. It reports which ports answered and nothing slower than that.
Speed is the whole design, and the trade is depth. masscan confirms a port is open and, with --banners on, pulls a short banner from the service behind it, but it skips nmap-style version fingerprinting. You bound a run with --rate to stay inside your bandwidth and a target's tolerance, set the port range with -p, exclude addresses you must not touch with --excludefile, and pin --source-ip when the scanning host carries several. Its option syntax borrows from nmap, so -iL and -p feel familiar.
In a Trickest workflow the node reads a target list or an IP range and writes a file and a folder of open host:port pairs. Run it first to find live ports across a wide scope, then hand those pairs to a prober such as httpx and a scanner such as nuclei, so the slower stages only touch ports that already answered.
use cases
Point masscan at an address range or a list of targets and enumerate open ports across the whole scope in one pass, building the service map the rest of the workflow depends on.
Set packets per second to match your bandwidth and the target's tolerance, so a large sweep finishes quickly without saturating the link or tripping defenses.
Turn on banner grabbing to pull a short identifying banner from each open port, adding cheap service context without a second tool pass.
Feed an exclude file so masscan skips ranges you are not authorized to scan, keeping a fast Internet-scale sweep inside the rules of engagement.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets | FILE | -iL | File of targets (IPs or CIDR ranges) to scan, the usual pipeline input. |
| ip-range | STRING | --range | Range of IP addresses or CIDR blocks to scan. |
| ports | STRING | -p | Port or port range to scan, e.g. -p80,443 or -p0-65535. |
| rate | STRING | --rate | Transmit rate in packets per second (default 100). |
| banners | BOOLEAN | --banners | Grab a short service banner from each open port. |
| exclude-file | FILE | --excludefile | File of IP addresses or ranges to exclude from the scan. |
| single-source-ip-address | STRING | --source-ip | Send probes from a specific source IP address. |
| keep-packets-locally | STRING | --router-mac | Set the gateway MAC address for outgoing packets, which can keep a scan on the local segment. |
Showing key inputs. masscan exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| rate | STRING | --rate | Transmit rate in packets per second (default 100). |
| ports | STRING | -p | Port or port range to scan, e.g. -p80,443 or -p0-65535; prefix U: for UDP ports. |
| banners | BOOLEAN | --banners | Grab a short service banner from each open port during the scan. |
| offline | BOOLEAN | --offline | Run without sending packets, to benchmark or test a configuration. |
| targets | FILE | -iL | Read the list of targets (IPs or CIDR ranges) to scan from a file. |
| ip-range | STRING | --range | Range of IP addresses or CIDR blocks to scan. |
| exclude-file | FILE | --excludefile | File of IP addresses or ranges to exclude from the scan. |
| keep-packets-locally | STRING | --router-mac | Destination (gateway) MAC address for outgoing packets; can keep a scan on the local segment. |
| single-source-ip-address | STRING | --source-ip | Send probes from a specific source IP address. |
example
# fast sweep of a CIDR for open web ports, out-of-scope IPs excluded, JSON outputmasscan 198.51.100.0/24 -p80,443,8000-8100 --rate 10000 --excludefile exclude.txt --banners -oJ scan.jsonStarting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2026-07-14 12:04:17 GMTInitiating SYN Stealth ScanScanning 256 hosts [4 ports/host]Discovered open port 443/tcp on 198.51.100.23Discovered open port 80/tcp on 198.51.100.23Discovered open port 22/tcp on 198.51.100.64Discovered open port 8080/tcp on 203.0.113.12Discovered open port 443/tcp on 203.0.113.88Banner on port 443/tcp on 198.51.100.23: [ssl] TLS/1.3 cipher:0x1301guidance
Reach for masscan when you need to scan a very wide IP range as fast as possible and only care which ports are open. It is a port scanner, not a service prober, so pass its open host:port pairs to httpx for classification and to nuclei for testing. For a more pipeline-friendly scanner with CDN handling and clean structured output, use naabu instead.
Pipeline-friendly Go port scanner with CDN handling and JSON output. Easier to wire downstream; masscan wins on raw range-sweeping speed.
Deep service and version detection, far slower. Run nmap after masscan narrows the open-port set.
Identifies the service behind an open port. Complements masscan, which only reports that the port answers.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A target list feeds masscan, which sweeps the range for open ports and hands them to httpx for probing before the live services land as a queryable output.
Facts on this page come from the live Trickest tool library.