
Masscan for local network

Open hb0nes opened this issue 3 years ago • 1 comment

It seems masscan defaults to using a gateway, even if hosts are directly reachable. I can only scan a host directly by passing its MAC to masscan:

./masscan 10.44.30.152 -p 443 --router-mac 00:50:56:b6:b4:88

Is it possible to do

./masscan 10.44.30.0/24 -p1-65535

if the host I'm running it from has an IP in the 10.44.30.0/24 subnet, without using a router?

Seems like basic functionality but apparently I'm missing something.

edit: I want to mention that the default gateway in this subnet is not routing masscan's packets, so it's currently impossible to use it to scan a subnet quickly if it has a strict routing policy and there are no direct connectivity options.

hb0nes, Nov 20 '22 16:11

This is expected behavior

It may seem like a basic feature, but it's not

You can leave this open in case someone wants to implement this but it would require invasive changes

At the very least it would require two passes, one to make ARP requests for every IP (saving a mapping) and then one to send the port probes. With each port probe, there would need to be additional logic added to look up and then update the L2 header. Currently the L2 header for TCP, UDP and ICMP is fixed.

mzpqnxow, Dec 09 '23 16:12
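The two-pass design sketched in the reply above, written out as an added example that is not masscan's code and not from either commenter. Pass one resolves each target to a link-layer address (on-link targets via ARP, off-link targets via the router MAC, exactly the value the `--router-mac` workaround supplies by hand); pass two builds each probe's Ethernet header from that table instead of a fixed one. Nothing is transmitted: the scanner's own address (10.44.30.10), its MAC, and the ARP answers in `FAKE_ARP_REPLIES` are constructed assumptions standing in for real replies, and the frames are only assembled as bytes so the per-probe lookup, the router fallback, and the "never answered ARP" case can be inspected.

```python
import ipaddress
import socket
import struct

# Constructed environment (assumptions, not from the issue): the scanner host
# sits inside the subnet from the issue and already knows its gateway's MAC.
LOCAL_IP = "10.44.30.10"                # assumed scanner address
LOCAL_MAC = "00:11:22:33:44:55"         # assumed scanner MAC
LOCAL_NET = ipaddress.ip_network("10.44.30.0/24")
ROUTER_MAC = "00:50:56:b6:b4:88"        # the --router-mac value quoted in the issue

# Constructed ARP answers standing in for the replies pass one would collect.
FAKE_ARP_REPLIES = {
    "10.44.30.152": "00:50:56:aa:bb:cc",
    "10.44.30.7": "00:50:56:dd:ee:ff",
}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(target_ip):
    """Pass one: Ethernet-framed ARP who-has for one IP (RFC 826 layout)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(LOCAL_MAC) + b"\x08\x06"
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(LOCAL_MAC) + socket.inet_aton(LOCAL_IP)
    arp += mac_bytes("00:00:00:00:00:00") + socket.inet_aton(target_ip)
    return eth + arp


def resolve_pass(targets, arp_replies):
    """Pass one result: IP -> next-hop MAC. On-link hosts come from ARP (None if
    they never answered); anything off-link is reached through the router."""
    table = {}
    for ip in targets:
        if ipaddress.ip_address(ip) in LOCAL_NET:
            table[ip] = arp_replies.get(ip)
        else:
            table[ip] = ROUTER_MAC
    return table


def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a header
    that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_syn_frame(dst_ip, dst_port, l2_table, src_port=40000):
    """Pass two: one TCP SYN probe whose L2 header is looked up per destination
    instead of being fixed for the whole scan. Returns None when no link-layer
    address is known, so the probe is skipped rather than sent to the wrong hop."""
    dst_mac = l2_table.get(dst_ip)
    if dst_mac is None:
        return None
    eth = mac_bytes(dst_mac) + mac_bytes(LOCAL_MAC) + b"\x08\x00"
    src, dst = socket.inet_aton(LOCAL_IP), socket.inet_aton(dst_ip)
    # TCP header with checksum zeroed: ports, seq, ack, data offset 5, SYN flag, window
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header with checksum zeroed: ver/ihl, tos, total len, id, flags, ttl, proto
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp


def frame_dst_mac(frame):
    """Destination MAC of an Ethernet frame, for inspecting pass-two output."""
    return ":".join("%02x" % b for b in frame[:6])


if __name__ == "__main__":
    targets = ["10.44.30.152", "10.44.30.7", "10.44.30.200", "8.8.8.8"]
    table = resolve_pass(targets, FAKE_ARP_REPLIES)
    for ip in targets:
        frame = build_syn_frame(ip, 443, table)
        print(ip, "->", "skipped (no ARP reply)" if frame is None else frame_dst_mac(frame))
```

The interesting rows are the last two: `10.44.30.200` is on-link but never answered ARP, so the probe is dropped instead of being addressed to the router (which, per the issue, may refuse to forward it), while `8.8.8.8` is off-link and correctly falls back to the router MAC. Every other probe carries the MAC learned in pass one, which is the per-probe L2 rewrite the reply says masscan currently lacks.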