is a network/security tool that locates and describes all listening tcp ports on a
(remote) host or on many hosts in a bandwidth utilisation maximising, and
process resource minimising manner.
approximates a parallel finite state machine internally. In non-linear multi-host
mode it attempts to apportion bandwidth and sockets among the hosts very efficiently.
This can reap appreciable gains in speed for multiple distinct hosts/routes.
On a machine with a reasonable number of sockets,
is fast enough to port scan entire Internet sub domains. It is even possible to survey
an entire small country in a reasonable time from a fast machine on the network backbone,
provided the machine in question uses dynamic socket allocation or has had its static
socket allocation increased very appreciably (check your kernel options). In this
very limited application
is said to be faster than
(a high quality commercial security scanner by firstname.lastname@example.org and friends) or
Verbose statistical output.
Minimise output. Only print hostname, port tuples. Implies
Useful for automated output parsing.
Delete duplicate entries for port descriptions. i.e use only the first definition.
Disable usage of
2.3 machines this causes a core dump, for reasons unknown. This behaviour is fixed with
2.4. Under Linux, HP and perhaps other unix implementations, false tcp connection positives
may occur when this option is activated.
Statistical information describing the average of all hosts surveyed is sent to
stderr on completion.
Quiet mode. Don't print non-fatal errors or the (c) message.
Display only the first description in the port services entry file (Cf.
Direct output (but not any messages which can be affected by
Beginning (starting) port number.
Ending port number.
Port number if you intend to scan a single port.
Local port to bind outgoing connection requests to.
(you will normally need super-user privileges to bind ports smaller than 1024)
Interface address to send outgoing connection requests from for multi-homed machines.
Time after which a connection attempt to a completely unresponsive host/port is
Use this number of sockets in parallel (defaults to 64).
attempts to figure out if
is greater than the quantity of available sockets at any point in time -- and
if so, only use the amount found. On some UNIX implementations such as Solaris,
this appears not to work correctly and you may find yourself with unusual errors
NO ROUTE TO HOST
when you hit the socket ceiling. Remember that
probably isn't the only process on the system desiring a socket or two. Having
pilfer all the spare sockets away from
and other daemons and clients isn't such a crash hot idea, unless you want
to stop all new incoming and outgoing connections.
Change the default port services description file to
Note that if
is not specified port services are loaded from one of
Obtain hostnames to strobe from
rather than from the command line. Note that only the first white-space
separated word in each line of
is used, so one can feed in files such as
If filename is
, stdin will be used.
Probe hosts linearly (sequentially) rather than in parallel. The actual
ports on each host are still checked in a parallel manner (with a parallelism
(defaults to 64)).
Fast mode, probe only the tcp ports detailed in the port services file (see
Abort and skip to the next host after ports upto to
have been probed and still no connections have occurred. Due to the parallel
nature of the probing, reply packets for n+m may return before those relating
to n. What this means is that ports >
may be probed. If
see's a connection on any one of these higher ports before its negated all
possibility of a service listening on ports <=
then despite the fact that all ports up to and including
may turn out to be connectionless,
will `abort the abort'. This is considered optimal, if unusual behaviour.
Mail a bug report, or tcp/udp port description to the current source maintainer.
strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services -o out
all entries in
(identical ip addresses are skipped automagically)
using 120 sockets in parallel, but only check the individual tcp ports mentioned
If we have probed up to port 80 on a host
and have still not yet evidenced a connection, then skip that host. Display speed/time
statistics for each host and for the totality of hosts to stderr. Place the regular
all hosts in your hosts YP/NIS-table for WWW-servers. Use a timeout of two seconds.
Set the source address to the 126.96.36.199 interface. Make all connection requests
appear to come from port 53 (DNS).
performs no other security functions (yet) and does not verify route blocking against
UDP or TCP handshake sequence guessing one-way IP spoofing attacks.
Copyright (c) Julian Assange 1995-1999, All rights reserved.
This software has only three copyright restrictions. Firstly, this
copyright notice must remain intact and unmodified. Secondly, the
Author, Julian Assange, must be appropriately and prominantly
credited in any documentation associated with any derived work.
Thirdly unless otherwise negotiated with the author, you may not
sell this program commercially, reasonable distribution costs
Use and or distribution of this software implies acceptance of the above.