Skip to content
SecForge
Hero illustration for: Nmap vs Masscan: accuracy versus raw throughput.
RECON COMPARE

Nmap vs Masscan: accuracy versus raw throughput.

Both scan ports. One finishes a /16 in a minute and the other tells you what is actually running. Pick the right one for the job — or, more often, pipe them together.

8 min read SecForge Research

Port scanners are the first tool you reach for and probably the one you understand least well. There are two open-source heavyweights — Nmap (the encyclopaedia, born 1997) and Masscan (the firehose, born 2013). They are not competitors. They are different answers to "which ports are open", and treating them as interchangeable will cost you either time or accuracy.

Quick verdict

Use casePick
Internet-scale sweep, "which IPs reply on 443?"Masscan
"What service is on this open port, and which version?"Nmap
Authenticated, regulated, slow and politeNmap
Hostile network with rate limiters everywhereNmap (with -T2)
Build a target list, then enrich itMasscan → Nmap pipe

How they differ under the hood

Nmap maintains TCP state per host. Each port is a tiny state machine; service detection sends well-known probes, parses banners, runs NSE scripts. The throughput ceiling is around 100,000 packets per second on commodity hardware, in practice much less because polite timing templates back off.

Masscan does not maintain state at all. It sends SYNs as fast as the NIC can transmit and listens for SYN-ACKs in a separate thread. On a tuned network, two million packets per second is realistic. Output is deliberately minimal — IP, port, status.

Speed: a /24 in the lab

Same target, same network, both scanning the standard 1000 ports.

$ time nmap -p- 10.0.0.0/24
Nmap done: 256 IP addresses in 138.4s

$ time masscan -p1-65535 10.0.0.0/24 --rate 100000
scanned 256 IP addresses in 6.5s

A 20× speedup is typical. The headline number undersells it — Nmap was scanning 1000 ports, Masscan was scanning all 65535. Restricted to the same range, the gap is closer to 100×.

Accuracy: where Masscan lies

Masscan's stateless design means it can miss responses if its own listener is busy, and it cannot tell the difference between a port that is filtered by a firewall and one that simply did not reply. Nmap, by maintaining per-host timing and retransmitting, gets closer to ground truth.

In the same lab, Masscan at full rate missed three open ports out of 27. Nmap missed zero. Drop Masscan's rate to 10,000 pps and it caught all 27. The rule: the faster you push Masscan, the more you trade accuracy for speed. Calibrate against a known-good Nmap run before trusting the number.

Service detection: where Nmap is unbeatable

Masscan only tells you that port 8080 is open. Nmap will tell you it is an Apache 2.4.52 with mod_jk loaded, that there is a Tomcat behind it, and that the TLS cert expired last Tuesday.

$ nmap -sV -sC -p 8080 10.0.0.42
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
| http-server-header: Apache/2.4.52 (Ubuntu)
| http-title: Apache2 Ubuntu Default Page

The -sC flag runs the default NSE script set, which catches dozens of common misconfigurations in one shot. There is no equivalent in Masscan, and there will not be — it is out of scope by design.

The pattern everyone settles on

In production recon, you almost never use one or the other. You pipe them:

# 1) Sweep the /16 fast with Masscan
masscan -p1-65535 10.0.0.0/16 --rate 100000 -oG sweep.gnmap

# 2) Extract live host:port pairs
awk '/Ports:/ {print $2","$5}' sweep.gnmap | cut -d/ -f1 > live.csv

# 3) Enrich with Nmap service detection
nmap -sV -sC --script vuln -iL <(cut -d, -f1 live.csv) -p $(cut -d, -f2 live.csv | sort -u | paste -sd,)

Masscan tells you where to look. Nmap tells you what is there. The combined run finishes in roughly Masscan-time + a small constant.

Operational notes nobody puts in the docs

  • Masscan's default rate is 100 pps. The first time you run it, raise it.
  • Masscan ignores your kernel routing table. Pass --router-mac or --exclude-file generously or you will scan your own gateway.
  • Nmap's -T0 through -T5 change everything: parallelism, retries, scan delay, timeouts. -T3 is the default. -T2 for sensitive networks; -T4 for labs.
  • On Windows networks, -Pn is almost always correct — ICMP is filtered by default.

The verdict that survives a year

Nmap is the right tool when you want to know. Masscan is the right tool when you want to find. The 5% case where one replaces the other is real but small. The 95% case is the pipe above.