← Back to posts
comparison guide self-hosted · · 10 min read

Nmap vs Masscan vs RustScan: Best Self-Hosted Network Scanning Tools 2026

Compare Nmap, Masscan, and RustScan — the top open-source network scanning tools for 2026. Includes Docker deployment, configuration examples, and when to use each scanner.

OS
Editorial Team

Network scanning is the foundation of any self-hosted security posture. Whether you are auditing your home lab, monitoring cloud infrastructure, or running a red-team engagement, you need reliable tools to discover hosts, identify open ports, and detect running services.

In this guide, we compare three of the most popular open-source network scanners — Nmap, Masscan, and RustScan — each with distinct strengths. We cover installation methods including Docker Compose, real-world usage examples, and help you choose the right tool for your scenario.

Why Self-Hosted Network Scanning Matters

Running your own network scanner gives you full control over scan schedules, target ranges, and output data. Unlike cloud-based vulnerability scanners, self-hosted tools:

  • Keep data on-premise — scan results never leave your network
  • No rate limits or subscription tiers — scan at whatever scale your hardware allows
  • Automate with cron and CI/CD — integrate scans into your deployment pipeline
  • Combine with other security tools — feed results into vulnerability managers, SIEMs, or honeypot systems

For a comprehensive security stack, pair your network scanner with a vulnerability management platform and an IDS/IPS system to close the loop between discovery and detection.

Tool Overview

Nmap — The Industry Standard

Nmap (Network Mapper) has been the go-to network discovery and security auditing tool since 1997. Written in C, Lua, and C++, it supports a massive feature set: host discovery, port scanning, version detection, OS fingerprinting, NSE (Nmap Scripting Engine) scripts, and output in multiple formats.

MetricValue
GitHub Stars12,744
LanguageC / Lua
Last UpdatedApril 2026
Scan SpeedModerate (thorough)
Best ForDetailed reconnaissance, service enumeration

Masscan — The Speed Demon

Masscan is an asynchronous TCP port scanner designed to scan the entire Internet in under 6 minutes. It uses a custom TCP/IP stack and transmits packets at rates up to 10 million packets per second. If you need raw speed over depth, Masscan delivers.

MetricValue
GitHub Stars25,543
LanguageC
Last UpdatedApril 2026
Scan SpeedExtremely fast (10M pps)
Best ForLarge-scale port surveys, quick host discovery

RustScan — The Modern Port Scanner

RustScan reimagines port scanning in Rust. It uses adaptive timeouts, async I/O, and can automatically pipe results into Nmap for deeper inspection. It’s fast like Masscan but with a modern, user-friendly workflow that bridges the gap between speed and detail.

MetricValue
GitHub Stars19,646
LanguageRust
Last UpdatedApril 2026
Scan SpeedFast (adaptive)
Best ForQuick scans with automatic Nmap handoff

Feature Comparison

FeatureNmapMasscanRustScan
TCP SYN Scan
UDP Scan
OS Detection
Service Version DetectionVia Nmap handoff
Script Engine (NSE)
Async/Parallel Scanning
Scan Entire Internet
Output FormatsXML, JSON, Nmap, GrepableXML, Grepable, JSONJSON, CSV, Normal
BandthrottlingYes (implicit)Yes (--rate)Yes (--batch-size)
IPv6 Support
Docker Image AvailableOfficialCommunityOfficial
Active DevelopmentPeriodic

Installation Guide

Nmap

Package installation (Debian/Ubuntu):

1
sudo apt update && sudo apt install -y nmap

Docker deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
version: "3.8"
services:
  nmap:
    image: instrumentisto/nmap:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ./output:/output
    command: >
      -sS -sV -O -oA /output/scan-results
      --top-ports 1000
      192.168.1.0/24

The network_mode: host setting is essential for Nmap to send raw packets. The NET_ADMIN and NET_RAW capabilities allow SYN scanning and OS detection from within the container.

Common Nmap commands:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Quick host discovery
nmap -sn 192.168.1.0/24

# Full TCP scan with service detection
nmap -sS -sV -sC -O -oA full-scan 10.0.0.0/16

# Aggressive scan with all scripts and OS detection
nmap -A -T4 --top-ports 1000 target.example.com

# Vulnerability scan using NSE scripts
nmap --script vuln -p 80,443 target.example.com

Masscan

Build from source (recommended for latest version):

1
2
3
4
5
sudo apt-get install --assume-yes git gcc make libpcap-dev
git clone https://github.com/robertdavidgraham/masscan.git
cd masscan
make -j$(nproc)
sudo make install

Docker deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
version: "3.8"
services:
  masscan:
    image: ghcr.io/myoung34/masscan:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ./output:/output
    command: >
      10.0.0.0/8 -p1-65535
      --rate 100000
      --output-format xml
      --output-filename /output/masscan-results.xml

Key Masscan parameters:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Scan top 100 ports at 100K packets/sec
masscan 10.0.0.0/8 -p1-100 --rate 100000

# Scan specific ports on a single host
masscan 192.168.1.1 -p80,443,8080,3306,5432 --rate 10000

# Exclude specific hosts from scan
masscan 10.0.0.0/8 -p1-65535 --rate 50000 --excludefile exclude.txt

# Save results in JSON format
masscan 192.168.0.0/16 -p80,443 --rate 200000 -oJ results.json

Important: Masscan requires exclusive use of the source port range during scanning. Do not run it on a system serving production traffic on the scanned ports, or use --source-port to specify a non-conflicting range.

RustScan

Install via package manager:

1
2
3
4
5
6
7
8
# Debian/Ubuntu
sudo apt install rustscan

# Arch Linux
sudo pacman -S rustscan

# macOS
brew install rustscan

Docker deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
version: "3.8"
services:
  rustscan:
    image: rustscan/rustscan:latest
    network_mode: host
    volumes:
      - ./output:/output
    command: >
      -a 192.168.1.0/24
      -p 1-65535
      -b 4500
      --scripts "default"
      -g

RustScan command examples:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Quick scan of a single host
rustscan -a target.example.com -- -A

# Scan multiple hosts with custom batch size
rustscan -a 192.168.1.1,192.168.1.2,192.168.1.3 -b 3000 -- -sV

# Scan a subnet and pipe to Nmap automatically
rustscan -a 10.0.0.0/24 -p 1-1000 -- -sC -sV -oA rustscan-deep

# Use a custom Nmap script with RustScan results
rustscan -a 192.168.1.0/24 -p 80,443 -- -sV --script http-enum

RustScan’s killer feature is the automatic Nmap handoff: it quickly finds open ports with its async scanner, then passes only the open ports to Nmap for detailed service detection. This gives you Masscan-like speed with Nmap-level detail.

Performance Benchmarks

The following benchmarks represent typical performance on a standard cloud VM (4 vCPU, 8 GB RAM) scanning a /24 subnet (256 hosts):

ScannerScan TypeTimePorts ScannedAccuracy
NmapSYN scan, top 1000 ports~45 sec1,000/hostVery High
NmapFull scan + service detect~8 min65,535/hostVery High
MasscanSYN scan, all ports @ 100K pps~15 sec65,535/hostHigh (no service info)
MasscanSYN scan, all ports @ 1M pps~2 sec65,535/hostModerate (packet loss possible)
RustScanAsync scan + Nmap handoff~20 sec65,535/hostVery High
RustScanQuick scan only (no Nmap)~5 sec65,535/hostHigh (port status only)

Rule of thumb:

  • Use Masscan when you need to scan large ranges (entire /16 or /8) and only care about open ports
  • Use Nmap when you need service banners, OS detection, or script-based vulnerability checks
  • Use RustScan for the best balance — fast discovery with optional deep inspection

Automated Scanning Pipeline

Here is a practical setup that combines all three tools into an automated scanning pipeline:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/bin/bash
# automated-scan.sh — three-phase network audit

TARGET="192.168.1.0/24"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
RESULTS_DIR="/opt/scan-results/$TIMESTAMP"

mkdir -p "$RESULTS_DIR"

# Phase 1: Masscan for fast port discovery
echo "[Phase 1] Masscan port discovery..."
masscan "$TARGET" -p1-65535 --rate 200000 -oJ "$RESULTS_DIR/ports.json"

# Extract open ports from Masscan output
OPEN_PORTS=$(python3 -c "
import json
ports = set()
with open('$RESULTS_DIR/ports.json') as f:
    for line in f:
        if line.strip():
            entry = json.loads(line.strip().rstrip(','))
            if 'ports' in entry:
                for p in entry['ports']:
                    ports.add(str(p['port']))
print(','.join(sorted(ports, key=int)))
" 2>/dev/null || echo "80,443")

echo "  Found open ports: $OPEN_PORTS"

# Phase 2: RustScan for verification + Nmap handoff
echo "[Phase 2] RustScan verification..."
rustscan -a "$TARGET" -p "$OPEN_PORTS" -- -sV -sC -oA "$RESULTS_DIR/rustscan-detail"

# Phase 3: Nmap for deep analysis on confirmed hosts
echo "[Phase 3] Nmap deep scan..."
nmap -sS -sV -sC -O --script vuln -oA "$RESULTS_DIR/nmap-deep" -iL <(
  rustscan -a "$TARGET" -p "$OPEN_PORTS" -- -oG - 2>/dev/null | grep "open" | awk '{print $2}'
)

echo "Scan complete. Results in $RESULTS_DIR/"

This pipeline runs Masscan for broad discovery, validates findings with RustScan, then uses Nmap for detailed service enumeration and vulnerability scripts on confirmed hosts.

Self-Hosted Monitoring Integration

For continuous monitoring, schedule scans with cron and ship results to your monitoring stack:

1
2
# /etc/cron.d/network-scan — daily scan at 2:00 AM
0 2 * * * root /opt/automated-scan.sh >> /var/log/network-scan.log 2>&1

You can also integrate scan results with Wazuh SIEM for centralized alerting. When Nmap detects a new open port or unexpected service, generate alerts through Wazuh’s active response system.

Choosing the Right Tool

ScenarioRecommended ToolWhy
Daily security auditRustScanFast enough for daily runs, deep enough for actionable results
Internet-wide asset discoveryMasscanOnly tool that can scan /8 ranges in minutes
Penetration testingNmapNSE scripts, OS detection, and service fingerprinting are unmatched
CI/CD pipeline integrationRustScanQuick results, clean JSON output, easy to parse
Compliance scanningNmapMost comprehensive output formats for audit documentation
Red team reconMasscan + NmapMasscan for initial sweep, Nmap for targeted deep scan

For a complete security toolkit, network scanning is just the first layer. After identifying open ports and services, use a DAST scanner to test web applications, and deploy a honeypot to detect and analyze actual attack traffic.

FAQ

Which scanner is fastest for scanning a large IP range?

Masscan is the fastest option, capable of scanning all 65,535 ports across millions of hosts in minutes. At 10 million packets per second, it can cover a /16 network (65,536 hosts) on the top 100 ports in roughly 30 seconds. RustScan is a close second for smaller ranges, while Nmap is significantly slower but provides much more detailed results.

Can I run these scanners from Docker containers?

Yes, all three tools have Docker images available. Nmap and RustScan have official images on Docker Hub. For Masscan, community images are available on GitHub Container Registry. All scanners require network_mode: host and NET_ADMIN/NET_RAW capabilities in Docker to send raw packets for SYN scanning.

Scanning networks you own or have explicit permission to test is legal in most jurisdictions. However, scanning networks you do not own without authorization may violate computer fraud laws. Always obtain written permission before scanning any network, and restrict Masscan’s high-speed scanning to your own infrastructure to avoid triggering ISP rate limits or neighbor complaints.

Does RustScan replace Nmap entirely?

No. RustScan is designed to complement Nmap, not replace it. RustScan excels at quickly finding open ports but lacks Nmap’s service detection, OS fingerprinting, and scripting engine. RustScan’s built-in Nmap handoff feature (-- -A or -- -sV) automatically passes open ports to Nmap for deep inspection, giving you the best of both tools.

Which scanner should I use for compliance and audit reporting?

Nmap is the best choice for compliance documentation. It produces output in XML, JSON, grepable, and Nmap formats — all of which can be parsed by compliance tools. The Nmap Scripting Engine (NSE) includes scripts that check for specific vulnerabilities referenced in PCI-DSS, HIPAA, and SOC 2 frameworks. Neither Masscan nor RustScan offers equivalent reporting capabilities.

How do I protect my own services from being scanned?

While you cannot completely prevent scanning, you can reduce your attack surface by: using a firewall (like pfSense or OPNsense) to block unnecessary ports, deploying a WAF (such as BunkerWeb or ModSecurity) for web applications, implementing rate limiting, and using port knocking or single packet authorization (SPA) for sensitive services.

Can I schedule automated scans without overloading my network?

Yes. Use nice and ionice to lower scanner process priority, set Masscan’s --rate to a conservative value (10,000–50,000 pps for production networks), and schedule scans during off-peak hours via cron. For RustScan, use --batch-size 500 to limit concurrent connections. Monitor your network’s baseline latency during scans to ensure production services remain unaffected.

Advertise here
Advertise here