No results when whole range of port scans and rate is low

[LuD1161]

Hi everyone,

I am having a weird situation here.

I don't get any results when masscan is used to scan all the 65535 ports however, if I scan specific ports I do get the output.

What all have I tried

• I have tried this but in vain.
• I have switched VPSes between AWS and Digital Ocean.
• Tried it on ubuntu 16.04 ( AWS and digital ocean )
• Tried it on arch linux ( AWS and digital ocean )
• Tried it on my local system kali 2018.2
• Built it from the repo
• Also installed it from repositories in kali
• Tried fiddling with --rate and --wait parameter ( I thought maybe the packets receiving was taking long )

But as I am here, you all could guess nothing worked.

Working Output for single port

masscan -iL ips.txt -p80,443,22,25

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:05:32 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 13 hosts [4 ports/host]
Discovered open port 443/tcp on 143.x.x.68                                  
Discovered open port 443/tcp on 143.x.x.129                                 
Discovered open port 80/tcp on 143.x.x.125                                  
Discovered open port 443/tcp on 143.x.x.10                                  
Discovered open port 443/tcp on 143.x.x.104                                 
Discovered open port 80/tcp on 52.x.x.130                                    
Discovered open port 443/tcp on 52.x.x.5                                     
Discovered open port 80/tcp on 143.x.x.129                                  
Discovered open port 443/tcp on 143.x.x.106                                 
Discovered open port 80/tcp on 143.x.x.106                                  
Discovered open port 80/tcp on 143.x.x.104                                  
Discovered open port 80/tcp on 52.x.x.20                                     
Discovered open port 443/tcp on 14x.x.29.2                                   
Discovered open port 80/tcp on 52.x.x.5                                      
Discovered open port 80/tcp on 143.x.x.68                                   
Discovered open port 443/tcp on 143.x.x.125                                 
Discovered open port 80/tcp on 52.x.x.35                                     
Discovered open port 80/tcp on 143.x.x.10                                   
Discovered open port 443/tcp on 52.x.x.35                                    
Discovered open port 443/tcp on 52.x.x.20                                    
Discovered open port 80/tcp on 143.x.x.2                                    
Discovered open port 443/tcp on 52.x.x.130                                   
Discovered open port 443/tcp on 143.x.29.69                                  
Discovered open port 80/tcp on 143.x.29.69   

And when scanning the same with all the options gives no output

masscan -e eth0 --adapter-ip 159.x.x.147 --adapter-mac a6:b6:dc:2d:9b:d8 --router-mac 00:00:5e:00:11:3e --rate=1000 -iL .ips.txt -p80,443 -dd -oG masscan-results
pcap: found library: libpcap.so
pcap: pcap_dev_name: failed
pcap: pcap_dev_description: failed
pcap: pcap_dev_next: failed
pcap: pcap_sendqueue_alloc: failed
pcap: pcap_sendqueue_transmit: failed
pcap: pcap_sendqueue_destroy: failed
pcap: pcap_sendqueue_queue: failed
pfring: error: dlopen('libpfring.so'): No such file or directory
initializing adapter
pcap: libpcap version 1.8.1
pcap:'eth0': opening...
pcap:'eth0': successfully opened
adapter initialization done.
THREAD: xmit: starting thread #0

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:03:38 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 13 hosts [2 ports/host]
THREAD: status: starting thread
THREAD: recv: starting thread #0 0:00:00 remaining, found=0       
THREAD: recv: starting main loop
maxrate = 1000.00
THREAD: xmit done, waiting for receive thread to realize this
THREAD: xmit: stopping thread #0waiting 0-secs, found=0        
THREAD: recv: stopping thread #0waiting 0-secs, found=0       
THREAD: status: stopping thread waiting -1-secs, found=0    

I tried with adding the --source-ip 192.168.1.200 but that also didn't work ( It was mentioned for banner grabbing here )

The same goes for scanning all 65535 ports with the above options or without it :

masscan -e eth0 --adapter-ip 159.x.x.147 --adapter-mac a6:b6:dc:2d:9b:d8 --router-mac 00:00:5e:00:11:3e --rate=1000 -iL ips.txt -p1-65535 --source-ip 192.168.1.200 -dd -oG masscan-results
pcap: found library: libpcap.so
pcap: pcap_dev_name: failed
pcap: pcap_dev_description: failed
pcap: pcap_dev_next: failed
pcap: pcap_sendqueue_alloc: failed
pcap: pcap_sendqueue_transmit: failed
pcap: pcap_sendqueue_destroy: failed
pcap: pcap_sendqueue_queue: failed
pfring: error: dlopen('libpfring.so'): No such file or directory
initializing adapter
pcap: libpcap version 1.8.1
pcap:'eth0': opening...
pcap:'eth0': successfully opened
adapter initialization done.

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:23:40 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 13 hosts [2 ports/host]
THREAD: status: starting thread
THREAD: recv: starting thread #0 0:00:00 remaining, found=0       
THREAD: recv: starting main loop
maxrate = 1000.00
THREAD: xmit done, waiting for receive thread to realize this
THREAD: xmit: stopping thread #0waiting 0-secs, found=0        
THREAD: recv: stopping thread #0waiting 0-secs, found=0       
THREAD: status: stopping thread waiting -1-secs, found=0      

However as I was putting up this issue, I tried this and this shows some promising results ( perhaps ) :

 masscan -iL ips.txt -p10-65500 --rate=100000

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:14:23 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 13 hosts [65491 ports/host]
Discovered open port 443/tcp on 143.x.x.2                                   
Discovered open port 443/tcp on 143.x.x.129                                 
Discovered open port 2000/tcp on 143.x.x.129                                
Discovered open port 443/tcp on 52.x.x.130                                   
Discovered open port 80/tcp on 143.x.x.106   
Discovered open port 8020/tcp on 143.x.x.129                                                               
Discovered open port 8008/tcp on 143.x.x.129                                
Discovered open port 443/tcp on 52.x.x.5                                     
Discovered open port 443/tcp on 52.x.x.35                                    
Discovered open port 443/tcp on 143.x.x.69                                  
Discovered open port 8010/tcp on 143.x.x.129                                
Discovered open port 80/tcp on 52.x.x.130                                    
Discovered open port 443/tcp on 52.x.x.20                                    
Discovered open port 443/tcp on 143.x.x.106                                 
Discovered open port 5060/tcp on 143.x.x.129                                
Discovered open port 80/tcp on 143.x.x.68                                   
Discovered open port 80/tcp on 143.x.x.2                                    
Discovered open port 80/tcp on 52.x.x.5                                      
Discovered open port 8020/tcp on 143.x.x.129                                
Discovered open port 80/tcp on 143.x.x.129                                  
Discovered open port 80/tcp on 52.x.x.20                                     
Discovered open port 80/tcp on 52.x.x.35                                     
Discovered open port 80/tcp on 143.x.x.69                                   
Discovered open port 443/tcp on 143.x.x.68                                  

And just to check whether masscan was actually giving the correct results, I checked with nmap for 3 weird ports ( which I doubted were open ) and it were open 😄 , thus verifying the masscan :

nmap -v -n -p8008,8010,8020 143.x.x.129

Starting Nmap 7.40 ( https://nmap.org ) at 2018-07-19 10:49 IST
Initiating Ping Scan at 10:49
Scanning 143.x.x.129 [4 ports]
Completed Ping Scan at 10:49, 0.22s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:49
Scanning 143.x.x.129 [3 ports]
Discovered open port 8008/tcp on 143.x.x.129
Discovered open port 8020/tcp on 143.x.x.129
Discovered open port 8010/tcp on 143.x.x.129
Completed SYN Stealth Scan at 10:49, 0.22s elapsed (3 total ports)
Nmap scan report for 143.x.x.129
Host is up (0.13s latency).
PORT     STATE SERVICE
8008/tcp open  http
8010/tcp open  xmpp
8020/tcp open  intu-ec-svcdisc

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
           Raw packets sent: 7 (284B) | Rcvd: 4 (160B)

I don't know the reason of "why this is happening ?"

But would surely want to know.

This issue started with a problem I was facing ( couldn't get any output ) and now I am left with a question "Why am I getting the results ?" 🤣

P.S. Perhaps this guy here is also facing the same issue #318 and here too issue #303

[mzpqnxow]

Sounds like a closed issue to me ;) Why? Probably a PEBKAC issue or perhaps pilot error...

…

On Thu, Jul 19, 2018 at 01:32 Aseem Shrey ***@***.***> wrote: Hi everyone, I am having a weird situation here. I don't get any results when masscan is used to scan all the 65535 ports however, if I scan specific ports I do get the output. What all have I tried - I have tried this <#220 (comment)> but in vain. - I have switched VPSes between AWS and Digital Ocean. - Tried it on *ubuntu 16.04* ( *AWS and digital ocean* ) - Tried it on *arch linux* ( *AWS and digital ocean* ) - Tried it on my local system *kali 2018.2* - Built it from the repo - Also installed it from repositories in kali - Tried fiddling with --rate and --wait parameter ( I thought maybe the packets receiving was taking long ) But as I am here, you all could guess nothing worked. Working Output for single port masscan -iL ips.txt -p80,443,22,25 Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:05:32 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 13 hosts [4 ports/host] Discovered open port 443/tcp on 143.x.x.68 Discovered open port 443/tcp on 143.x.x.129 Discovered open port 80/tcp on 143.x.x.125 Discovered open port 443/tcp on 143.x.x.10 Discovered open port 443/tcp on 143.x.x.104 Discovered open port 80/tcp on 52.x.x.130 Discovered open port 443/tcp on 52.x.x.5 Discovered open port 80/tcp on 143.x.x.129 Discovered open port 443/tcp on 143.x.x.106 Discovered open port 80/tcp on 143.x.x.106 Discovered open port 80/tcp on 143.x.x.104 Discovered open port 80/tcp on 52.x.x.20 Discovered open port 443/tcp on 14x.x.29.2 Discovered open port 80/tcp on 52.x.x.5 Discovered open port 80/tcp on 143.x.x.68 Discovered open port 443/tcp on 143.x.x.125 Discovered open port 80/tcp on 52.x.x.35 Discovered open port 80/tcp on 143.x.x.10 Discovered open port 443/tcp on 52.x.x.35 Discovered open port 443/tcp on 52.x.x.20 Discovered open port 80/tcp on 143.x.x.2 Discovered open port 443/tcp on 52.x.x.130 Discovered open port 443/tcp on 143.x.29.69 Discovered open port 80/tcp on 143.x.29.69 And when scanning the same with all the options gives no output masscan -e eth0 --adapter-ip 159.x.x.147 --adapter-mac a6:b6:dc:2d:9b:d8 --router-mac 00:00:5e:00:11:3e --rate=1000 -iL .ips.txt -p80,443 -dd -oG masscan-results pcap: found library: libpcap.so pcap: pcap_dev_name: failed pcap: pcap_dev_description: failed pcap: pcap_dev_next: failed pcap: pcap_sendqueue_alloc: failed pcap: pcap_sendqueue_transmit: failed pcap: pcap_sendqueue_destroy: failed pcap: pcap_sendqueue_queue: failed pfring: error: dlopen('libpfring.so'): No such file or directory initializing adapter pcap: libpcap version 1.8.1 pcap:'eth0': opening... pcap:'eth0': successfully opened adapter initialization done. THREAD: xmit: starting thread #0 Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:03:38 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 13 hosts [2 ports/host] THREAD: status: starting thread THREAD: recv: starting thread #0 0:00:00 remaining, found=0 THREAD: recv: starting main loop maxrate = 1000.00 THREAD: xmit done, waiting for receive thread to realize this THREAD: xmit: stopping thread #0waiting 0-secs, found=0 THREAD: recv: stopping thread #0waiting 0-secs, found=0 THREAD: status: stopping thread waiting -1-secs, found=0 I tried with adding the --source-ip 192.168.1.200 but that also didn't work ( It was mentioned for banner grabbing here <https://github.com/robertdavidgraham/masscan/blob/master/README.md#banner-checking> ) The same goes for scanning all *65535* ports with the above options or without it : masscan -e eth0 --adapter-ip 159.x.x.147 --adapter-mac a6:b6:dc:2d:9b:d8 --router-mac 00:00:5e:00:11:3e --rate=1000 -iL ips.txt -p1-65535 --source-ip 192.168.1.200 -dd -oG masscan-results pcap: found library: libpcap.so pcap: pcap_dev_name: failed pcap: pcap_dev_description: failed pcap: pcap_dev_next: failed pcap: pcap_sendqueue_alloc: failed pcap: pcap_sendqueue_transmit: failed pcap: pcap_sendqueue_destroy: failed pcap: pcap_sendqueue_queue: failed pfring: error: dlopen('libpfring.so'): No such file or directory initializing adapter pcap: libpcap version 1.8.1 pcap:'eth0': opening... pcap:'eth0': successfully opened adapter initialization done. Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:23:40 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 13 hosts [2 ports/host] THREAD: status: starting thread THREAD: recv: starting thread #0 0:00:00 remaining, found=0 THREAD: recv: starting main loop maxrate = 1000.00 THREAD: xmit done, waiting for receive thread to realize this THREAD: xmit: stopping thread #0waiting 0-secs, found=0 THREAD: recv: stopping thread #0waiting 0-secs, found=0 THREAD: status: stopping thread waiting -1-secs, found=0 However as I was putting up this issue, I tried this and this shows some promising results ( perhaps ) : masscan -iL ips.txt -p10-65500 --rate=100000 Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-07-19 05:14:23 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 13 hosts [65491 ports/host] Discovered open port 443/tcp on 143.x.x.2 Discovered open port 443/tcp on 143.x.x.129 Discovered open port 2000/tcp on 143.x.x.129 Discovered open port 443/tcp on 52.x.x.130 Discovered open port 80/tcp on 143.x.x.106 Discovered open port 8020/tcp on 143.x.x.129 Discovered open port 8008/tcp on 143.x.x.129 Discovered open port 443/tcp on 52.x.x.5 Discovered open port 443/tcp on 52.x.x.35 Discovered open port 443/tcp on 143.x.x.69 Discovered open port 8010/tcp on 143.x.x.129 Discovered open port 80/tcp on 52.x.x.130 Discovered open port 443/tcp on 52.x.x.20 Discovered open port 443/tcp on 143.x.x.106 Discovered open port 5060/tcp on 143.x.x.129 Discovered open port 80/tcp on 143.x.x.68 Discovered open port 80/tcp on 143.x.x.2 Discovered open port 80/tcp on 52.x.x.5 Discovered open port 8020/tcp on 143.x.x.129 Discovered open port 80/tcp on 143.x.x.129 Discovered open port 80/tcp on 52.x.x.20 Discovered open port 80/tcp on 52.x.x.35 Discovered open port 80/tcp on 143.x.x.69 Discovered open port 443/tcp on 143.x.x.68 And just to check whether masscan was actually giving the correct results, I checked with nmap for 3 weird ports ( which I doubted were open ) and it were open 😄 , thus verifying the masscan : nmap -v -n -p8008,8010,8020 143.x.x.129 Starting Nmap 7.40 ( https://nmap.org ) at 2018-07-19 10:49 IST Initiating Ping Scan at 10:49 Scanning 143.x.x.129 [4 ports] Completed Ping Scan at 10:49, 0.22s elapsed (1 total hosts) Initiating SYN Stealth Scan at 10:49 Scanning 143.x.x.129 [3 ports] Discovered open port 8008/tcp on 143.x.x.129 Discovered open port 8020/tcp on 143.x.x.129 Discovered open port 8010/tcp on 143.x.x.129 Completed SYN Stealth Scan at 10:49, 0.22s elapsed (3 total ports) Nmap scan report for 143.x.x.129 Host is up (0.13s latency). PORT STATE SERVICE 8008/tcp open http 8010/tcp open xmpp 8020/tcp open intu-ec-svcdisc Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds Raw packets sent: 7 (284B) | Rcvd: 4 (160B) I don't know the reason of "why this is happening ?" But would surely want to know. This issue *started with a problem* I was facing ( *couldn't get any output* ) and now I am left with a question *"Why am I getting the results ?"* 🤣 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#365>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHpRZM2yF0O0rhpiyVjK1t2pHg3PCyRKks5uIBn3gaJpZM4VVxkQ> .

[robertdavidgraham]

I can't see what's wrong. You might check Wireshark. I suspect the cause is that the MAC address of the either the local adapter or of the router is in error, which will cause packets to be transmitted but go nowhere, or for packets not to be received.

[notwhy]

hello .
i also meet this weird question.
when i scan single port get many results, but few results for many ports
when i start scan single port
about 100+ results
`
masscan -p80,8080,443 60.247.11.1/24 --excludefile excludefile.txt --rate 10000 --retries 2 excludefile.txt: excluding 2 ranges from file

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-10-22 11:13:29 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 254 hosts [3 ports/host]
Discovered open port 80/tcp on 60.247.11.185
Discovered open port 8080/tcp on 60.247.11.164
Discovered open port 80/tcp on 60.247.11.221
Discovered open port 80/tcp on 60.247.11.226
Discovered open port 8080/tcp on 60.247.11.133
Discovered open port 80/tcp on 60.247.11.240
Discovered open port 80/tcp on 60.247.11.143
Discovered open port 80/tcp on 60.247.11.161
Discovered open port 80/tcp on 60.247.11.213
Discovered open port 80/tcp on 60.247.11.137
Discovered open port 8080/tcp on 60.247.11.199
Discovered open port 80/tcp on 60.247.11.186
Discovered open port 443/tcp on 60.247.11.197
Discovered open port 80/tcp on 60.247.11.156
Discovered open port 80/tcp on 60.247.11.132
Discovered open port 443/tcp on 60.247.11.166
Discovered open port 80/tcp on 60.247.11.139
Discovered open port 443/tcp on 60.247.11.195
Discovered open port 80/tcp on 60.247.11.229
Discovered open port 8080/tcp on 60.247.11.229
Discovered open port 80/tcp on 60.247.11.223
Discovered open port 80/tcp on 60.247.11.199
Discovered open port 80/tcp on 60.247.11.170
Discovered open port 80/tcp on 60.247.11.147
Discovered open port 80/tcp on 60.247.11.178
Discovered open port 80/tcp on 60.247.11.232
Discovered open port 443/tcp on 60.247.11.213
Discovered open port 80/tcp on 60.247.11.209
Discovered open port 80/tcp on 60.247.11.171
Discovered open port 80/tcp on 60.247.11.180
Discovered open port 80/tcp on 60.247.11.189
Discovered open port 80/tcp on 60.247.11.151
Discovered open port 80/tcp on 60.247.11.187
Discovered open port 80/tcp on 60.247.11.172
Discovered open port 8080/tcp on 60.247.11.158
Discovered open port 80/tcp on 60.247.11.145
Discovered open port 8080/tcp on 60.247.11.135
Discovered open port 443/tcp on 60.247.11.2
Discovered open port 80/tcp on 60.247.11.243
Discovered open port 80/tcp on 60.247.11.238
Discovered open port 443/tcp on 60.247.11.233
Discovered open port 80/tcp on 60.247.11.154
Discovered open port 80/tcp on 60.247.11.158
Discovered open port 80/tcp on 60.247.11.245
Discovered open port 80/tcp on 60.247.11.252
Discovered open port 80/tcp on 60.247.11.164
Discovered open port 80/tcp on 60.247.11.198
Discovered open port 80/tcp on 60.247.11.192
Discovered open port 80/tcp on 60.247.11.214
Discovered open port 80/tcp on 60.247.11.184
Discovered open port 80/tcp on 60.247.11.70
Discovered open port 80/tcp on 60.247.11.211
Discovered open port 80/tcp on 60.247.11.246
Discovered open port 8080/tcp on 60.247.11.203
Discovered open port 80/tcp on 60.247.11.169
Discovered open port 80/tcp on 60.247.11.230
Discovered open port 80/tcp on 60.247.11.190
Discovered open port 8080/tcp on 60.247.11.144
Discovered open port 80/tcp on 60.247.11.181
Discovered open port 80/tcp on 60.247.11.135
Discovered open port 443/tcp on 60.247.11.157
Discovered open port 80/tcp on 60.247.11.173
Discovered open port 8080/tcp on 60.247.11.139
Discovered open port 80/tcp on 60.247.11.155
Discovered open port 80/tcp on 60.247.11.138
Discovered open port 80/tcp on 60.247.11.162
Discovered open port 80/tcp on 60.247.11.188
Discovered open port 80/tcp on 60.247.11.196
Discovered open port 80/tcp on 60.247.11.153
Discovered open port 80/tcp on 60.247.11.251
Discovered open port 80/tcp on 60.247.11.167
Discovered open port 8080/tcp on 60.247.11.211
Discovered open port 443/tcp on 60.247.11.179
Discovered open port 80/tcp on 60.247.11.175
Discovered open port 80/tcp on 60.247.11.195
Discovered open port 80/tcp on 60.247.11.157
Discovered open port 443/tcp on 60.247.11.214
Discovered open port 8080/tcp on 60.247.11.143
Discovered open port 80/tcp on 60.247.11.197
Discovered open port 443/tcp on 60.247.11.139
Discovered open port 443/tcp on 60.247.11.238
Discovered open port 80/tcp on 60.247.11.191
Discovered open port 80/tcp on 60.247.11.133
Discovered open port 443/tcp on 60.247.11.153
Discovered open port 80/tcp on 60.247.11.234
Discovered open port 80/tcp on 60.247.11.224
Discovered open port 443/tcp on 60.247.11.198
Discovered open port 80/tcp on 60.247.11.203
Discovered open port 80/tcp on 60.247.11.144
Discovered open port 443/tcp on 60.247.11.168
Discovered open port 80/tcp on 60.247.11.219
Discovered open port 8080/tcp on 60.247.11.197
Discovered open port 80/tcp on 60.247.11.160
Discovered open port 80/tcp on 60.247.11.248
Discovered open port 8080/tcp on 60.247.11.248
Discovered open port 80/tcp on 60.247.11.215
Discovered open port 8080/tcp on 60.247.11.200
Discovered open port 80/tcp on 60.247.11.200
Discovered open port 443/tcp on 60.247.11.199
Discovered open port 80/tcp on 60.247.11.152
Discovered open port 80/tcp on 60.247.11.233
Discovered open port 80/tcp on 60.247.11.225
Discovered open port 80/tcp on 60.247.11.212
Discovered open port 80/tcp on 60.247.11.149
Discovered open port 80/tcp on 60.247.11.174
Discovered open port 80/tcp on 60.247.11.244
Discovered open port 80/tcp on 60.247.11.247
Discovered open port 80/tcp on 60.247.11.140
Discovered open port 8080/tcp on 60.247.11.181
Discovered open port 80/tcp on 60.247.11.182
Discovered open port 80/tcp on 60.247.11.237
Discovered open port 80/tcp on 60.247.11.177
Discovered open port 80/tcp on 60.247.11.220
Discovered open port 8080/tcp on 60.247.11.140
Discovered open port 80/tcp on 60.247.11.249
Discovered open port 8080/tcp on 60.247.11.161
**Scan Multiple port** about 20+ results
masscan -p80,81,82,83,84,85,88,89,90,443,591,593,832,981,1010,1311,2082,2087,2095,2096,2480,3000,3128,3311,3312,3333,4243,4567,4711,4712,4848,4993,5000,5002,5080,5104,5108,5110,5112,5168,5170,5200,5220,5270,5300,5373,5600,5700,5800,6543,6600,6611,7000,7001,7002,7003,7396,7474,7778,8000,8001,8008,8010,8014,8042,8069,8080,8081,8082,8083,8088,8089,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8443,8500,8834,8880,8888,8901,8903,8983,9000,9043,9060,9080,9081,9090,9091,9200,9300,9443,9800,9981,10000,12443,16080,18080,18091,18092,20720,24224,28017,28903 60.247.11.1/24 --excludefile excludefile.txt --rate 1000 --retries 2
excludefile.txt: excluding 2 ranges from file

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-10-22 11:16:15 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 254 hosts [112 ports/host]
Discovered open port 8080/tcp on 60.247.11.199
Discovered open port 8080/tcp on 60.247.11.229
Discovered open port 7001/tcp on 60.247.11.243
Discovered open port 8888/tcp on 60.247.11.95
Discovered open port 83/tcp on 60.247.11.157
Discovered open port 80/tcp on 60.247.11.212
Discovered open port 80/tcp on 60.247.11.143
Discovered open port 80/tcp on 60.247.11.164
Discovered open port 8090/tcp on 60.247.11.242
Discovered open port 7001/tcp on 60.247.11.186
Discovered open port 8080/tcp on 60.247.11.181
Discovered open port 80/tcp on 60.247.11.172
Discovered open port 80/tcp on 60.247.11.157
Discovered open port 80/tcp on 60.247.11.137
Discovered open port 8080/tcp on 60.247.11.200
Discovered open port 80/tcp on 60.247.11.244
Discovered open port 7001/tcp on 60.247.11.246
Discovered open port 80/tcp on 60.247.11.243
Discovered open port 80/tcp on 60.247.11.195
Discovered open port 8080/tcp on 60.247.11.211
Discovered open port 80/tcp on 60.247.11.198
Discovered open port 7001/tcp on 60.247.11.132
Discovered open port 80/tcp on 60.247.11.180
Discovered open port 80/tcp on 60.247.11.178
Discovered open port 80/tcp on 60.247.11.226
Discovered open port 8080/tcp on 60.247.11.144
Discovered open port 80/tcp on 60.247.11.185
Discovered open port 80/tcp on 60.247.11.70
Discovered open port 84/tcp on 60.247.11.157
Discovered open port 80/tcp on 60.247.11.164
Discovered open port 80/tcp on 60.247.11.197
Discovered open port 80/tcp on 60.247.11.174
`
when scan 65535 ports
i get even few less then ten results than the top scan (-p80,81,82,83,84,85,88,89,90,443,591,593,83)

masscan -p1-65535 60.247.11.1/24 --excludefile excludefile.txt --rate 10000 --retries 2 
excludefile.txt: excluding 2 ranges from file

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-10-22 11:30:31 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 254 hosts [65535 ports/host]
Discovered open port 443/tcp on 60.247.11.233                             

i want to know why this happen .
I have checked the the MAC address local adapter and router they all seems correct

[ravenium]

Bumping this up with some results in AWS. It might be an issue with AWS (and other providers) 1:1 NAT usage. For example (10k pps rate):

-Scan single IP (modified to respond on all ports via iptables). Get back most ports.
-Scan "internal" subnet in AWS (aka within the VPC, RFC1918's). Results come back as expected.
-Scan a /24 we control outside of AWS: Sometimes nothing comes back at all, or 1-2 ports. Expected port count should be about 50-60 open TCP ports over about 30 hosts in the /24.

[iio7]

I have the same issue. Just for a simple test on a home LAN.

# masscan -vv 192.168.1.1-192.168.1.255 -p80,443,22,25 --rate 10000000 > results.txt

Gives a result. But this:

# masscan -vv 192.168.1.1-192.168.1.255 -p0-65535 --rate 10000000 > results.txt

Gives an empty file.

[mzpqnxow]

I have the same issue. Just for a simple test on a home LAN.

I'm not surprised consumer/home network gear is having a problem with 10mm pps

Neither AWS nor a home-office are very good for scanning at that rate- or scanning at all. AWS in particular is going to be problematic; as @ravenium mentioned, there will be issues due to NAT exhaustion (and possible IPS systems, I'm not sure what Amazon SDN may do when it sees a SYN flood egress the WAN)

If you want to test in AWS, your best bet would be from one VM to another in the same VNET, though even then, it's really not a great environment. You really ought to use a colocated server with just a router- no firewall, no NAT (no state tracking)

EDIT: Note also that (last time I checked) the transmit rate-limiting algorithm takes a bit of time to kick in with masscan, so you'll tend to start with a large burst at the start, even if you have it capped at a very low rate)

[ravenium]

I mentioned this on another thread but I was able to migitate this a bit about a year ago or so. In aws by fixing the source port and having an open inbound any rule to that port. It worked surprisingly well for up to 500k pps on a t3a.small.

There's no substitute for bare metal for peak performance but it's something.

[RaJiska]

Follow up on this issue for AWS where incoherent results have been observed. @ravenium you definitely were onto something there.

The whole issue is caused by security group which acts as firewall and keep track of outgoing connections. Security groups keep track of connections for 600 seconds (I assumes it releases it thereafter), which results in a high amount of tracked connections when using masscan, or any other high speed port scanner for that matter.
At some point you will notice results to be incorrect, which happens most likely because you exceeded AWS' allowance (in that case: security group' max active connections) resulting in your instance being throttled.

Connection tracking is an integral feature of AWS' Security Groups, which allows it to act as a stateful firewall, you may find if such limit has been exceeded by running the following command:

ethtool -S <interface> | grep conntrack_allowance_exceeded

---

Solution: for this type of workload you will need to ensure connections are not tracked on Security Groups, which you can achieve by matching outbound rule with inbound rule over all sources/destinations (0.0.0.0/0 or ::/0).

For Example:
Security Group A:

Flow	Port	Address
Inbound	22	0.0.0.0/0
Inbound	9090	50.50.50.50/32
Outbound	0-65535	0.0.0.0/0

• Outbound allows to anywhere (ipv4)
• Inbound allows from anywhere to port 22: therefore matching outbound rule for port 22
• Inbound allows from 50.50.50.50/32 to port 9090: therefore not matching outbound rule
• Connections sent to port 22 are not tracked, but connections to any other ports are tracked

Security Group B:

Flow	Port	Address
Inbound	0-65535	0.0.0.0/0
Outbound	0-65535	0.0.0.0/0

• Outbound allows to anywhere (ipv4)
• Inbound allows from anywhere to any port therefore matching outbound rule for any port
• Connections are not tracked at all

---

Performances: When it comes to packets per seconds, I have been able to reach about 530kpps over a t3.medium in UDP, with about 40% loss, making it ultimately unreliable. Limiting to 400kpps seems to have brought the packet loss to less than 1%, so you may wish to limit your max packets per second.

Some blog posts (further in references) that claim to have achieved more than 2000kpps with an AWS instance, with the limit being highly dependent on the instance being used, and mentioning a packet per second baseline, as well as best-effort packet routing.

As for AWS, they soberly, without documenting numbers (or at least I could not find), indicate that the packet per second limit varies depending of the following factors:

• Traffic mix, Transmission Control Protocol (TCP) versus User Datagram Protocol (UDP)
• Number of flows
• Packet size
• New connections versus existing connections
• Applied security group rules

---

References:
Security Group connection tracking
Monitor network performance for your EC2 instance
Factors that impact instances' PPS
Packets-per-second limits in EC2