Documentation Index
Fetch the complete documentation index at: https://mintlify.com/0xricksanchez/AFL_Runner/llms.txt
Use this file to discover all available pages before exploring further.
aflr run is the primary command for starting a full AFL++ fuzzing campaign. It generates the complete set of afl-fuzz invocations following multi-core best practices — assigning one primary fuzzer and distributing secondary roles across the remaining runners — then launches them inside a managed tmux or screen session. Use aflr run any time you want to go from binary to active campaign in a single command, whether you need an interactive TUI dashboard, a detached background session, or a quick dry-run preview of the commands that would be executed.
Synopsis
Options
Target Binaries
Path to the AFL++-instrumented target binary to fuzz. This is the main binary used by the primary and most secondary fuzzer instances. Either this flag or
--config must be provided.Path to a
*SAN-instrumented build of the target (e.g. compiled with AddressSanitizer). When provided, aflr designates one secondary fuzzer instance to run against this binary for memory-error detection.Path to a
CMPLOG-instrumented binary. aflr will assign one secondary fuzzer instance in CMPLOG mode (-c) to this binary to improve comparison coverage.Path to a
Laf-intel/CMPCOV-instrumented binary. aflr assigns one secondary fuzzer instance with LAF_INTEL environment settings to this binary.Fuzzing Configuration
Number of parallel
afl-fuzz processes to spin up. Defaults to 1 if not specified and not set in a config file. For multi-core campaigns set this to the number of CPU cores you want to dedicate.Path to the seed corpus directory. Defaults to
/tmp/afl_input when neither the flag nor a config file entry is provided.Path to the AFL++ output directory where crashes, hangs, and queue entries are written. Defaults to
/tmp/afl_output.Path to a token dictionary file (AFL++
-x flag). Supplying a domain-specific dictionary significantly improves coverage for text-based or protocol-based targets.Override the
afl-fuzz binary used to launch fuzzers. Useful when multiple AFL++ versions are installed or when afl-fuzz is not on PATH.Selects the fuzzing strategy mode that controls how AFL++ flags are distributed across runners. Accepted values:
default— minimal flag set, closest to a bareafl-fuzzinvocationmultiple-cores— (default) full multi-core strategy with power schedules, CMPLOG rotation, and sanitizer secondariesci-fuzzing— lightweight mode suited for short CI pipeline runs
Integer seed for aflr’s internal PRNG, which controls how power schedules and secondary roles are assigned. Providing a fixed seed makes command generation deterministic and reproducible across runs.
When set, forwards the value passed to
--seed to AFL++ via the AFL_RANDOM_SEED environment variable as well. Requires --seed to be specified.Enables AFL++ Nyx mode for snapshot-based fuzzing of full-system targets. Requires a Nyx-enabled AFL++ build.
Path to a TOML configuration file. All fields in the config file are merged with CLI flags; explicit CLI flags take precedence over config file values.
Session Control
The multiplexer backend used to manage the fuzzing session. Accepted values:
tmux (default) or screen.A custom name for the tmux or screen session. If omitted, aflr generates a name automatically using the format
{target_binary_name}_{hash}, where the hash is derived from the target binary name, the input directory name, and the target arguments.Launch the ratatui TUI monitor immediately after starting the campaign. The TUI displays live stats across all fuzzer instances. Incompatible with
--detached.Start the session and return to the calling shell without attaching to it. Incompatible with
--tui.Print the generated
afl-fuzz commands to stdout without creating a session or running any fuzzer. Useful for auditing the command set before committing to a campaign.Instructs AFL++ to treat the output directory as residing on a RAMDisk by setting the appropriate AFL++ environment flags, reducing I/O overhead on the storage subsystem.
Target Arguments
-- separator. Use @@ as a placeholder where AFL++ should substitute the mutated input file path.
Auto-generated Session Names
When--session-name is not provided, aflr derives a session name deterministically:
aflr kill or aflr tui.
Examples
When
--dry-run is active, both --tui and --detached are silently forced to false. No session is created and no process is spawned.