masscan - acut3/hacking GitHub Wiki

Aggregate results by IP

The json output generated by masscan is one big array that contains separate entries for each port of a same IP. jq can be used to aggregate all ports of a same IP into a single object. The result is a single json object mapping IP addresses to an array of ports.

jq 'reduce .[] as $e ({}; . + { ($e.ip): (.[$e.ip] + $e.ports) })' masscan.ndjson

It essentially turns:

{
  "ip": "1.1.1.1",
  "ports": [
    { "port": "11" }
  ]
}
{
  "ip": "2.2.2.2",
  "ports": [
    { "port": "21" }
  ]
}
{
  "ip": "1.1.1.1",
  "ports": [
    { "port": "12" }
  ]
}

into:

{
  "1.1.1.1": [
    { "port": "11" },
    { "port": "12" }
  ],
  "2.2.2.2": [
    { "port": "21" }
  ]
}