1NPING(1) Nping Reference Guide NPING(1)
2
6 nping - Network packet generation tool / ping utility
7
9 nping [Options] {targets}
10
12 Nping is an open-source tool for network packet generation, response
13 analysis and response time measurement. Nping allows users to generate
14 network packets of a wide range of protocols, letting them tune
15 virtually any field of the protocol headers. While Nping can be used as
16 a simple ping utility to detect active hosts, it can also be used as a
17 raw packet generator for network stack stress tests, ARP poisoning,
18 Denial of Service attacks, route tracing, and other purposes.
19 Additionally, Nping offers a special mode of operation called the "Echo
21 Mode", that lets users see how the generated probes change in transit,
22 revealing the differences between the transmitted packets and the
23 packets received at the other end. See section "Echo Mode" for details.
24 The output from Nping is a list of the packets that are being sent and
26 received. The level of detail depends on the options used.
27 A typical Nping execution is shown in Example 1. The only Nping
29 arguments used in this example are -c, to specify the number of times
30 to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to
31 specify the target ports; and then the two target hostnames.
32 Example 1. A representative Nping execution
34 # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com
36 Starting Nping ( http://nmap.org/nping )
38 SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40 seq=1077657388 win=1480
39 RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44 seq=4158134847 win=5840 <mss 1460>
40 SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40 seq=1077657388 win=1480
41 RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44 seq=2650443864 win=5720 <mss 1430>
42 SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40 seq=1077657388 win=1480
43 SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40 seq=1077657388 win=1480
44 Statistics for host scanme.nmap.org (64.13.134.52):
46 | Probes Sent: 2 | Rcvd: 1 | Lost: 1 (50.00%)
47 |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
48 Statistics for host google.com (74.125.45.100):
49 | Probes Sent: 2 | Rcvd: 1 | Lost: 1 (50.00%)
50 |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
51 Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
52 Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
53 Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
54 Nping done: 2 IP addresses pinged in 4.01 seconds
55
57 This options summary is printed when Nping is run with no arguments. It
58 helps people remember the most common options, but is no substitute for
59 the in-depth documentation in the rest of this manual. Some obscure
60 options aren´t even included here.
61 Nping 0.5.36TEST2 ( http://nmap.org/nping )
63 Usage: nping [Probe mode] [Options] {target specification}
64 TARGET SPECIFICATION:
66 Targets may be specified as hostnames, IP addresses, networks, etc.
67 Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
68 PROBE MODES:
69 --tcp-connect : Unprivileged TCP connect probe mode.
70 --tcp : TCP probe mode.
71 --udp : UDP probe mode.
72 --icmp : ICMP probe mode.
73 --arp : ARP/RARP probe mode.
74 --tr, --traceroute : Traceroute mode (can only be used with
75 TCP/UDP/ICMP modes).
76 TCP CONNECT MODE:
77 -p, --dest-port <port spec> : Set destination port(s).
78 -g, --source-port <portnumber> : Try to use a custom source port.
79 TCP PROBE MODE:
80 -g, --source-port <portnumber> : Set source port.
81 -p, --dest-port <port spec> : Set destination port(s).
82 --seq <seqnumber> : Set sequence number.
83 --flags <flag list> : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
84 --ack <acknumber> : Set ACK number.
85 --win <size> : Set window size.
86 --badsum : Use a random invalid checksum.
87 UDP PROBE MODE:
88 -g, --source-port <portnumber> : Set source port.
89 -p, --dest-port <port spec> : Set destination port(s).
90 --badsum : Use a random invalid checksum.
91 ICMP PROBE MODE:
92 --icmp-type <type> : ICMP type.
93 --icmp-code <code> : ICMP code.
94 --icmp-id <id> : Set identifier.
95 --icmp-seq <n> : Set sequence number.
96 --icmp-redirect-addr <addr> : Set redirect address.
97 --icmp-param-pointer <pnt> : Set parameter problem pointer.
98 --icmp-advert-lifetime <time> : Set router advertisement lifetime.
99 --icmp-advert-entry <IP,pref> : Add router advertisement entry.
100 --icmp-orig-time <timestamp> : Set originate timestamp.
101 --icmp-recv-time <timestamp> : Set receive timestamp.
102 --icmp-trans-time <timestamp> : Set transmit timestamp.
103 ARP/RARP PROBE MODE:
104 --arp-type <type> : Type: ARP, ARP-reply, RARP, RARP-reply.
105 --arp-sender-mac <mac> : Set sender MAC address.
106 --arp-sender-ip <addr> : Set sender IP address.
107 --arp-target-mac <mac> : Set target MAC address.
108 --arp-target-ip <addr> : Set target IP address.
109 IPv4 OPTIONS:
110 -S, --source-ip : Set source IP address.
111 --dest-ip <addr> : Set destination IP address (used as an
112 alternative to {target specification} ).
113 --tos <tos> : Set type of service field (8bits).
114 --id <id> : Set identification field (16 bits).
115 --df : Set Don´t Fragment flag.
116 --mf : Set More Fragments flag.
117 --ttl <hops> : Set time to live [0-255].
118 --badsum-ip : Use a random invalid checksum.
119 --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
120 --ip-options <hex string> : Set IP options
121 --mtu <size> : Set MTU. Packets get fragmented if MTU is
122 small enough.
123 IPv6 OPTIONS:
124 -6, --IPv6 : Use IP version 6.
125 --dest-ip : Set destination IP address (used as an
126 alternative to {target specification}).
127 --hop-limit : Set hop limit (same as IPv4 TTL).
128 --traffic-class <class> : : Set traffic class.
129 --flow <label> : Set flow label.
130 ETHERNET OPTIONS:
131 --dest-mac <mac> : Set destination mac address. (Disables
132 ARP resolution)
133 --source-mac <mac> : Set source MAC address.
134 --ether-type <type> : Set EtherType value.
135 PAYLOAD OPTIONS:
136 --data <hex string> : Include a custom payload.
137 --data-string <text> : Include a custom ASCII text.
138 --data-length <len> : Include len random bytes as payload.
139 ECHO CLIENT/SERVER:
140 --echo-client <passphrase> : Run Nping in client mode.
141 --echo-client <passphrase> : Run Nping in server mode.
142 --echo-port <port> : Use custom <port> to listen or connect.
143 --no-crypto : Disable encryption and authentication.
144 --once : Stop the server after one connection.
145 TIMING AND PERFORMANCE:
146 Options which take <time> are in seconds, or append ´ms´ (milliseconds),
147 ´s´ (seconds), ´m´ (minutes), or ´h´ (hours) to the value (e.g. 30m, 0.25h).
148 --delay <time> : Adjust delay between probes.
149 --rate <rate> : Send num packets per second.
150 MISC:
151 -h, --help : Display help information.
152 -V, --version : Display current version number.
153 -c, --count <n> : Stop after <n> rounds.
154 -e, --interface <name> : Use supplied network interface.
155 -H, --hide-sent : Do not display sent packets.
156 -N, --no-capture : Do not try to capture replies.
157 --privileged : Assume user is fully privileged.
158 --unprivileged : Assume user lacks raw socket privileges.
159 --send-eth : Send packets at the raw ethernet layer.
160 --send-ip : Send packets using raw IP sockets.
161 --bpf-filter <filter spec> : Specify custom BPF filter.
162 OUTPUT:
163 -v : Increment verbosity level by one.
164 -v[level] : Set verbosity level. E.g: -v4
165 -d : Increment debugging level by one.
166 -d[level] : Set debugging level. E.g: -d3
167 -q : Decrease verbosity level by one.
168 -q[N] : Decrease verbosity level N times
169 --quiet : Set verbosity and debug level to minimum.
170 --debug : Set verbosity and debug to the max level.
171 EXAMPLES:
172 nping scanme.nmap.org
173 nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
174 nping --icmp --icmp-type time --delay 500ms 192.168.254.254
175 nping --echo-server "public" -e wlan0 -vvv
176 nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
177 SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
179
182 Everything on the Nping command line that isn´t an option or an option
183 argument is treated as a target host specification. Nping uses the same
184 syntax for target specifications that Nmap does. The simplest case is a
185 single target given by IP address or hostname.
186 Nping supports CIDR-style. addressing. You can append /numbits to an
188 IPv4 address or hostname and Nping will send probes to every IP address
189 for which the first numbits are the same as for the reference IP or
190 hostname given. For example, 192.168.10.0/24 would send probes to the
191 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
192 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
193 11111111), inclusive. 192.168.10.40/24 would ping exactly the same
194 targets. Given that the host scanme.nmap.org. is at the IP address
195 64.13.134.52, the specification scanme.nmap.org/16 would send probes to
196 the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
197 smallest allowed value is /0, which targets the whole Internet. The
198 largest value is /32, which targets just the named host or IP address
199 because all address bits are fixed.
200 CIDR notation is short but not always flexible enough. For example, you
202 might want to send probes to 192.168.0.0/16 but skip any IPs ending
203 with .0 or .255 because they may be used as subnet network and
204 broadcast addresses. Nping supports this through octet range
205 addressing. Rather than specify a normal IP address, you can specify a
206 comma-separated list of numbers or ranges for each octet. For example,
207 192.168.0-255.1-254 will skip all addresses in the range that end in .0
208 or .255, and 192.168.3-5,7.1 will target the four addresses
209 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
210 a range may be omitted; the default values are 0 on the left and 255 on
211 the right. Using - by itself is the same as 0-255, but remember to use
212 0- in the first octet so the target specification doesn´t look like a
213 command-line option. Ranges need not be limited to the final octets:
214 the specifier 0-.-.13.37 will send probes to all IP addresses on the
215 Internet ending in .13.37. This sort of broad sampling can be useful
216 for Internet surveys and research.
217 IPv6 addresses can only be specified by their fully qualified IPv6
219 address or hostname. CIDR and octet ranges aren´t supported for IPv6
220 because they are rarely useful.
221 Nping accepts multiple host specifications on the command line, and
223 they don´t need to be the same type. The command nping scanme.nmap.org
224 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.
225
227 Nping is designed to be very flexible and fit a wide variety of needs.
228 As with most command-line tools, its behavior can be adjusted using
229 command-line options. These general principles apply to option
230 arguments, unless stated otherwise.
231 Options that take integer numbers can accept values specified in
233 decimal, octal or hexadecimal base. When a number starts with 0x, it
234 will be treated as hexadecimal; when it simply starts with 0, it will
235 be treated as octal. Otherwise, Nping will assume the number has been
236 specified in base 10. Virtually all numbers that can be supplied from
237 the command line are unsigned so, as a general rule, the minimum value
238 is zero. Users may also specify the word random or rand to make Nping
239 generate a random value within the expected range.
240 IP addresses may be given as IPv4 addresses (e.g. 192.168.1.1), IPv6
242 addresses (e.g. 2001:db8:85a3::8e4c:760:7146), or hostnames, which
243 will be resolved using the default DNS server configured in the host
244 system.
245 Options that take MAC addresses accept the usual colon-separated 6 hex
247 byte format (e.g. 00:50:56:d4:01:98). Hyphens may also be used instead
248 of colons (e.g. 00-50-56-c0-00-08). The special word random or rand
249 sets a random address and the word broadcast or bcast sets
250 ff:ff:ff:ff:ff:ff.
251
253 Unlike other ping and packet generation tools, Nping supports multiple
254 target host and port specifications. While this provides great
255 flexibility, it is not obvious how Nping handles situations where there
256 is more than one host and/or more than one port to send probes to. This
257 section explains how Nping behaves in these cases.
258 When multiple target hosts are specified, Nping rotates among them in
260 round-robin fashion. This gives slow hosts more time to send their
261 responses before another probe is sent to them. Ports are also
262 scheduled using round robin. So, unless only one port is specified,
263 Nping never sends two probes to the same target host and port
264 consecutively.
265 The loop around targets is the “inner loop” and the loop around ports
267 is the “outer loop”. All targets will be sent a probe for a given port
268 before moving on to the next port. Between probes, Nping waits a
269 configurable amount of time called the “inter-probe delay”, which is
270 controlled by the --delay option. These examples show how it works.
271 # nping --tcp -c 2 1.1.1.1 -p 100-102
273 Starting Nping ( http://nmap.org/nping )
275 SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
276 SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
277 SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
278 SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
279 SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
280 SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102
281 # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080
283 Starting Nping ( http://nmap.org/nping )
285 SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
286 SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
287 SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
288 SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
289 SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
290 SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080
291 # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139
293 Starting Nping ( http://nmap.org/nping )
295 SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
296 SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
297 SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
298 SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
299 SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
300 SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
301 SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
302 SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
303 SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139
304
306 Nping supports a wide variety of protocols. Although in some cases
307 Nping can automatically determine the mode from the options used, it is
308 generally a good idea to specify it explicitly.
309 --tcp-connect (TCP Connect mode) .
311 TCP connect mode is the default mode when a user does not have raw
312 packet privileges. Instead of writing raw packets as most other
313 modes do, Nping asks the underlying operating system to establish a
314 connection with the target machine and port by issuing the connect
315 system call. This is the same high-level system call that web
316 browsers, P2P clients, and most other network-enabled applications
317 use to establish a connection. It is part of a programming
318 interface known as the Berkeley Sockets API. Rather than read raw
319 packet responses off the wire, Nping uses this API to obtain status
320 information on each connection attempt. For this reason, you will
321 not be able to see the contents of the packets that are sent or
322 received but only status information about the TCP connection
323 establishment taking place.
324 --tcp (TCP mode) .
326 TCP is the mode that lets users create and send any kind of TCP
327 packet. TCP packets are sent embedded in IP packets that can also
328 be tuned. This mode can be used for many different purposes. For
329 example you could try to discover open ports by sending TCP SYN
330 messages without completing the three-way handshake. This technique
331 is often referred to as half-open scanning, because you don´t open
332 a full TCP connection. You send a SYN packet, as if you are going
333 to open a real connection and then wait for a response. A SYN/ACK
334 indicates the port is open, while a RST indicates it´s closed. If
335 no response is received one could assume that some intermediate
336 network device is filtering the responses. Another use could be to
337 see how a remote TCP/IP stack behaves when it receives a
338 non-RFC-compliant packet, like one with both SYN and RST flags set.
339 One could also do some evil by creating custom RST packets using an
340 spoofed IP address with the intent of closing an active TCP
341 connection.
342 --udp (UDP mode) .
344 UDP mode can have two different behaviours. Under normal
345 circumstances, it lets users create custom IP/UDP packets. However,
346 if Nping is run by a user without raw packet privileges and no
347 changes to the default protocol headers are requested, then Nping
348 enters the unprivileged UDP mode which basically sends UDP packets
349 to the specified target hosts and ports using the sendto system
350 call. Note that in this unprivileged mode it is not possible to see
351 low-level header information of the packets on the wire but only
352 status information about the amount of bytes that are being
353 transmitted and received. UDP mode can be used to interact with any
354 UDP-based server. Examples are DNS servers, streaming servers,
355 online gaming servers, and port knocking/single-packet.
356 authorization daemons.
357 --icmp (ICMP mode) .
359 ICMP mode is the default mode when the user runs Nping with raw
360 packet privileges. Any kind of ICMP message can be created. The
361 default ICMP type is Echo, i.e., ping. ICMP mode can be used for
362 many different purposes, from a simple request for a timestamp or a
363 netmask to the transmission of fake destination unreachable
364 messages, custom redirects, and router advertisements.
365 --arp (ARP/RARP mode) .
367 ARP lets you create and send a few different ARP-related packets.
368 These include ARP, RARP, DRARP, and InARP requests and replies.
369 This mode can ban be used to perform low-level host discovery, and
370 conduct ARP-cache poisoning attacks.
371 --traceroute (Traceroute mode) .
373 Traceroute is not a mode by itself but a complement to TCP, UDP,
374 and ICMP modes. When this option is specified Nping will set the IP
375 TTL value of the first probe to 1. When the next router receives
376 the packet it will drop it due to the expiration of the TTL and it
377 will generate an ICMP destination unreachable message. The next
378 probe will have a TTL of 2 so now the first router will forward the
379 packet while the second router will be the one that drops the
380 packet and generates the ICMP message. The third probe will have a
381 TTL value of 3 and so on. By examining the source addresses of all
382 those ICMP Destination Unreachable messages it is possible to
383 determine the path that the probes take until they reach their
384 final destination.
385
387 -p port_spec, --dest-port port_spec (Target ports) .
388 This option specifies which ports you want to try to connect to. It
389 can be a single port, a comma-separated list of ports (e.g.
390 80,443,8080), a range (e.g. 1-1023), and any combination of those
391 (e.g. 21-25,80,443,1024-2048). The beginning and/or end values of
392 a range may be omitted, causing Nping to use 1 and 65535,
393 respectively. So you can specify -p- to target ports from 1 through
394 65535. Using port zero is allowed if you specify it explicitly.
395 -g portnumber, --source-port portnumber (Spoof source port) .
397 This option asks Nping to use the specified port as source port for
398 the TCP connections. Note that this might not work on all systems
399 or may require root privileges. Specified value must be an integer
400 in the range [0–65535].
401
403 -p port_spec, --dest-port port_spec (Target ports)
404 This option specifies which destination ports you want to send
405 probes to. It can be a single port, a comma-separated list of ports
406 (e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of
407 those (e.g. 21-25,80,443,1024-2048). The beginning and/or end
408 values of a range may be omitted, causing Nping to use 1 and 65535,
409 respectively. So you can specify -p- to target ports from 1 through
410 65535. Using port zero is allowed if you specify it explicitly.
411 -g portnumber, --source-port portnumber (Spoof source port)
413 This option asks Nping to use the specified port as source port for
414 the TCP connections. Note that this might not work on all systems
415 or may require root privileges. Specified value must be an integer
416 in the range [0–65535].
417 --seq seqnumber (Sequence Number) .
419 Specifies the TCP sequence number. In SYN packets this is the
420 initial sequence number (ISN). In a normal transmission this
421 corresponds to the sequence number of the first byte of data in the
422 segment. seqnumber must be a number in the range [0–4294967295].
423 --flags flags (TCP Flags) .
425 This option specifies which flags should be set in the TCP packet.
426 flags may be specified in three different ways:
427 1. As a comma-separated list of flags, e.g. --flags syn,ack,rst
429 2. As a list of one-character flag initials, e.g. --flags SAR
431 tells Nping to set flags SYN, ACK, and RST.
432 3. As an 8-bit hexadecimal number, where the supplied number is
434 the exact value that will be placed in the flags field of the
435 TCP header. The number should start with the prefix 0x and
436 should be in the range [0x00–0xFF], e.g. --flags 0x20 sets the
437 URG flag as 0x20 corresponds to binary 00100000 and the URG
438 flag is represented by the third bit.
439 There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH,
440 RST, SYN, and FIN. The special value ALL means to set all
441 flags. NONE means to set no flags. It is important that if you
442 don´t want any flag to be set, you request it explicitly
443 because in some cases the SYN flag may be set by default. Here
444 is a brief description of the meaning of each flag:
445 CWR (Congestion Window Reduced) .
447 Set by an ECN-Capable sender when it reduces its congestion
448 window (due to a retransmit timeout, a fast retransmit or
449 in response to an ECN notification.
450 ECN (Explicit Congestion Notification) .
452 During the three-way handshake it indicates that sender is
453 capable of performing explicit congestion notification.
454 Normally it means that a packet with the IP Congestion
455 Experienced flag set was received during normal
456 transmission. See RFC 3168. for more information.
457 URG (Urgent) .
459 Segment is urgent and the urgent pointer field carries
460 valid information.
461 ACK (Acknowledgement) .
463 The segment carries an acknowledgement and the value of the
464 acknowledgement number field is valid and contains the next
465 sequence number that is expected from the receiver.
466 PSH (Push) .
468 The data in this segment should be immediately pushed to
469 the application layer on arrival.
470 RST (Reset) .
472 There was some problem and the sender wants to abort the
473 connection.
474 SYN (Synchronize) .
476 The segment is a request to synchronize sequence numbers
477 and establish a connection. The sequence number field
478 contains the sender´s initial sequence number.
479 FIN (Finish) .
481 The sender wants to close the connection.
482 --win size (Window Size) .
484 Specifies the TCP window size, this is, the number of octets
485 the sender of the segment is willing to accept from the
486 receiver at one time. This is usually the size of the reception
487 buffer that the OS allocates for a given connection. size must
488 be a number in the range [0–65535].
489 --badsum (Invalid Checksum) .
491 Asks Nping to use an invalid TCP checksum for the packets sent
492 to target hosts. Since virtually all host IP stacks properly
493 drop these packets, any responses received are likely coming
494 from a firewall or an IDS that didn´t bother to verify the
495 checksum. For more details on this technique, see
496 http://nmap.org/p60-12.html.
497
499 -p port_spec, --dest-port port_spec (Target ports) .
500 This option specifies which ports you want UDP datagrams to be sent
501 to. It can be a single port, a comma-separated list of ports (e.g.
502 80,443,8080), a range (e.g. 1-1023), and any combination of those
503 (e.g. 21-25,80,443,1024-2048). The beginning and/or end values of
504 a range may be omitted, causing Nping to use 1 and 65535,
505 respectively. So you can specify -p- to target ports from 1 through
506 65535. Using port zero is allowed if you specify it explicitly.
507 -g portnumber, --source-port portnumber (Spoof source port) .
509 This option asks Nping to use the specified port as source port for
510 the transmitted datagrams. Note that this might not work on all
511 systems or may require root privileges. Specified value must be an
512 integer in the range [0–65535].
513 --badsum (Invalid Checksum)
515 Asks Nping to use an invalid UDP checksum for the packets sent to
516 target hosts. Since virtually all host IP stacks properly drop
517 these packets, any responses received are likely coming from a
518 firewall or an IDS that didn´t bother to verify the checksum. For
519 more details on this technique, see http://nmap.org/p60-12.html.
520
522 --icmp-type type (ICMP type) .
523 This option specifies which type of ICMP messages should be
524 generated. type can be supplied in two different ways. You can use
525 the official type numbers assigned by IANA[1] (e.g. --icmp-type 8
526 for ICMP Echo Request), or you can use any of the mnemonics listed
527 in the section called “ICMP Types”.
528 --icmp-code code (ICMP code) .
530 This option specifies which ICMP code should be included in the
531 generated ICMP messages. code can be supplied in two different
532 ways. You can use the official code numbers assigned by IANA[1]
533 (e.g. --icmp-code 1 for Fragment Reassembly Time Exceeded), or you
534 can use any of the mnemonics listed in the section called “ICMP
535 Codes”.
536 --icmp-id id (ICMP identifier) .
538 This option specifies the value of the identifier used in some of
539 the ICMP messages. In general it is used to match request and reply
540 messages. id must be a number in the range [0–65535].
541 --icmp-seq seq (ICMP sequence) .
543 This option specifies the value of the sequence number field used
544 in some ICMP messages. In general it is used to match request and
545 reply messages. id must be a number in the range [0–65535].
546 --icmp-redirect-addr addr (ICMP Redirect address) .
548 This option sets the address field in ICMP Redirect messages. In
549 other words, it sets the IP address of the router that should be
550 used when sending IP datagrams to the original destination. addr
551 can be either an IPv4 address or a hostname.
552 --icmp-param-pointer pointer (ICMP Parameter Problem pointer) .
554 This option specifies the pointer that indicates the location of
555 the problem in ICMP Parameter Problem messages. pointer should be
556 a number in the range [0–255]. Normally this option is only used
557 when ICMP code is set to 0 ("Pointer indicates the error").
558 --icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime) .
560 This option specifies the router advertisement lifetime, this is,
561 the number of seconds the information carried in an ICMP Router
562 Advertisement can be considered valid for. ttl must be a positive
563 integer in the range [0–65535].
564 --icmp-advert-entry addr,pref (ICMP Router Advertisement Entry) .
566 This option adds a Router Advertisement entry to an ICMP Router
567 Advertisement message. The parameter must be two values separated
568 by a comma. addr is the router´s IP and can be specified either as
569 an IP address in dot-decimal notation or as a hostname. pref is
570 the preference level for the specified IP. It must be a number in
571 the range [0–4294967295]. An example is --icmp-advert-entry
572 192.168.128.1,3.
573 --icmp-orig-time timestamp (ICMP Originate Timestamp) .
575 This option sets the Originate Timestamp in ICMP Timestamp
576 messages. The Originate Timestamp is expressed as the number of
577 milliseconds since midnight UTC and it corresponds to the time the
578 sender last touched the Timestamp message before its transmission.
579 timestamp can be specified as a regular time (e.g. 10s, 3h,
580 1000ms), or the special string now. You can add or subtract values
581 from now, for example --icmp-orig-time now-2s, --icmp-orig-time
582 now+1h, --icmp-orig-time now+200ms.
583 --icmp-recv-time timestamp (ICMP Receive Timestamp) .
585 This option sets the Receive Timestamp in ICMP Timestamp messages.
586 The Receive Timestamp is expressed as the number of milliseconds
587 since midnight UTC and it corresponds to the time the echoer first
588 touched the Timestamp message on receipt. timestamp is as with
589 --icmp-orig-time.
590 --icmp-trans-time timestamp (ICMP Transmit Timestamp) .
592 This option sets the Transmit Timestamp in ICMP Timestamp messages.
593 The Transmit Timestamp is expressed as the number of milliseconds
594 since midnight UTC and it corresponds to the time the echoer last
595 touched the Timestamp message before its transmission. timestamp
596 is as with --icmp-orig-time.
597 ICMP Types
599 These identifiers may be used as mnemonics for the ICMP type numbers
600 given to the --icmp-type. option. In general there are three forms of
601 each identifier: the full name (e.g. destination-unreachable), the
602 short name (e.g. dest-unr), or the initials (e.g. du). In ICMP types
603 that request something, the word "request" is omitted.
604 echo-reply, echo-rep, er
606 Echo Reply (type 0). This message is sent in response to an Echo
607 Request message.
608 destination-unreachable, dest-unr, du
610 Destination Unreachable (type 3). This message indicates that a
611 datagram could not be delivered to its destination.
612 source-quench, sour-que, sq
614 Source Quench (type 4). This message is used by a congested IP
615 device to tell other device that is sending packets too fast and
616 that it should slow down.
617 redirect, redi, r
619 Redirect (type 5). This message is normally used by routers to
620 inform a host that there is a better route to use for sending
621 datagrams. See also the --icmp-redirect-addr option.
622 echo-request, echo, e
624 Echo Request (type 8). This message is used to test the
625 connectivity of another device on a network.
626 router-advertisement, rout-adv, ra
628 Router Advertisement (type 9). This message is used by routers to
629 let hosts know of their existence and capabilities. See also the
630 --icmp-advert-lifetime option.
631 router-solicitation, rout-sol, rs
633 Router Solicitation (type 10). This message is used by hosts to
634 request Router Advertisement messages from any listening routers.
635 time-exceeded, time-exc, te
637 Time Exceeded (type 11). This message is generated by some
638 intermediate device (normally a router) to indicate that a datagram
639 has been discarded before reaching its destination because the IP
640 TTL expired.
641 parameter-problem, member-pro, pp
643 Parameter Problem (type 12). This message is used when a device
644 finds a problem with a parameter in an IP header and it cannot
645 continue processing it. See also the --icmp-param-pointer option.
646 timestamp, time, tm
648 Timestamp Request (type 13). This message is used to request a
649 device to send a timestamp value for propagation time calculation
650 and clock synchronization. See also the --icmp-orig-time,
651 --icmp-recv-time, and --icmp-trans-time.
652 timestamp-reply, time-rep, tr
654 Timestamp Reply (type 14). This message is sent in response to a
655 Timestamp Request message.
656 information, info, i
658 Information Request (type 15). This message is now obsolete but it
659 was originally used to request configuration information from
660 another device.
661 information-reply, info-rep, ir
663 Information Reply (type 16). This message is now obsolete but it
664 was originally sent in response to an Information Request message
665 to provide configuration information.
666 mask-request, mask, m
668 Address Mask Request (type 17). This message is used to ask a
669 device to send its subnet mask.
670 mask-reply, mask-rep, mr
672 Address Mask Reply (type 18). This message contains a subnet mask
673 and is sent in response to a Address Mask Request message.
674 traceroute, trace, tc
676 Traceroute (type 30). This message is normally sent by an
677 intermediate device when it receives an IP datagram with a
678 traceroute option. ICMP Traceroute messages are still experimental,
679 see RFC 1393. for more information.
680 ICMP Codes
682 These identifiers may be used as mnemonics for the ICMP code numbers
683 given to the --icmp-code. option. They are listed by the ICMP type
684 they correspond to.
685 Destination Unreachable
687 network-unreachable, netw-unr, net
688 Code 0. Datagram could not be delivered to its destination
689 network (probably due to some routing problem).
690 host-unreachable, host-unr, host
692 Code 1. Datagram was delivered to the destination network but
693 it was impossible to reach the specified host (probably due to
694 some routing problem).
695 protocol-unreachable, prot-unr, proto
697 Code 2. The protocol specified in the Protocol field of the IP
698 datagram is not supported by the host to which the datagram was
699 delivered.
700 port-unreachable, port-unr, port
702 Code 3. The TCP/UDP destination port was invalid.
703 needs-fragmentation, need-fra, frag
705 Code 4. Datagram had the DF bit set but it was too large for
706 the MTU of the next physical network so it had to be dropped.
707 source-route-failed, sour-rou, routefail
709 Code 5. IP datagram had a Source Route option but a router
710 couldn´t pass it to the next hop.
711 network-unknown, netw-unk, net?
713 Code 6. Destination network is unknown. This code is never
714 used. Instead, Network Unreachable is used.
715 host-unknown, host-unk, host?
717 Code 7. Specified host is unknown. Usually generated by a
718 router local to the destination host to inform of a bad
719 address.
720 host-isolated, host-iso, isolated
722 Code 8. Source Host Isolated. Not used.
723 network-prohibited, netw-pro, !net
725 Code 9. Communication with destination network is
726 administratively prohibited (source device is not allowed to
727 send packets to the destination network).
728 host-prohibited, host-pro, !host
730 Code 10. Communication with destination host is
731 administratively prohibited. (The source device is allowed to
732 send packets to the destination network but not to the
733 destination device.)
734 network-tos, unreachable-network-tos, netw-tos, tosnet
736 Code 11. Destination network unreachable because it cannot
737 provide the type of service specified in the IP TOS field.
738 host-tos, unreachable-host-tos, toshost
740 Code 12. Destination host unreachable because it cannot provide
741 the type of service specified in the IP TOS field.
742 communication-prohibited, comm-pro, !comm
744 Code 13. Datagram could not be forwarded due to filtering that
745 blocks the message based on its contents.
746 host-precedence-violation, precedence-violation, prec-vio,
748 violation
749 Code 14. Precedence value in the IP TOS field is not permitted.
750 precedence-cutoff, prec-cut, cutoff
752 Code 15. Precedence value in the IP TOS field is lower than the
753 minimum allowed for the network.
754 Redirect
756 redirect-network, redi-net, net
757 Code 0. Redirect all future datagrams with the same destination
758 network as the original datagram, to the router specified in
759 the Address field. The use of this code is prohibited by RFC
760 1812..
761 redirect-host, redi-host, host
763 Code 1. Redirect all future datagrams with the same destination
764 host as the original datagram, to the router specified in the
765 Address field.
766 redirect-network-tos, redi-ntos, redir-ntos
768 Code 2. Redirect all future datagrams with the same destination
769 network and IP TOS value as the original datagram, to the
770 router specified in the Address field. The use of this code is
771 prohibited by RFC 1812.
772 redirect-host-tos, redi-htos, redir-htos
774 Code 3. Redirect all future datagrams with the same destination
775 host and IP TOS value as the original datagram, to the router
776 specified in the Address field.
777 Router Advertisement
779 normal-advertisement, norm-adv, normal, zero, default, def
780 Code 0. Normal router advertisement. In Mobile IP: Mobility
781 agent can act as a router for IP datagrams not related to
782 mobile nodes.
783 not-route-common-traffic, not-rou, mobile-ip, !route,
785 !commontraffic
786 Code 16. Used for Mobile IP. The mobility agent does not route
787 common traffic. All foreign agents must forward to a default
788 router any datagrams received from a registered mobile node
789 Time Exceeded
791 ttl-exceeded-in-transit, ttl-exc, ttl-transit
792 Code 0. IP Time To Live expired during transit.
793 fragment-reassembly-time-exceeded, frag-exc, frag-time
795 Code 1. Fragment reassembly time has been exceeded.
796 Parameter Problem
798 pointer-indicates-error, poin-ind, pointer
799 Code 0. The pointer field indicates the location of the
800 problem. See the --icmp-param-pointer option.
801 missing-required-option, miss-option, option-missing
803 Code 1. IP datagram was expected to have an option that is not
804 present.
805 bad-length, bad-len, badlen
807 Code 2. The length of the IP datagram is incorrect.
808
810 --arp-type type (ICMP Type) .
811 This option specifies which type of ARP messages should be
812 generated. type can be supplied in two different ways. You can use
813 the official numbers assigned by IANA[2] (e.g. --arp-type 1 for
814 ARP Request), or you can use one of the mnemonics from the section
815 called “ARP Types”.
816 --arp-sender-mac mac (Sender MAC address) .
818 This option sets the Sender Hardware Address field of the ARP
819 header. Although ARP supports many types of link layer addresses,
820 currently Nping only supports MAC addresses. mac must be specified
821 using the traditional MAC notation (e.g. 00:0a:8a:32:f4:ae). You
822 can also use hyphens as separators (e.g. 00-0a-8a-32-f4-ae).
823 --arp-sender-ip addr (Sender IP address) .
825 This option sets the Sender IP field of the ARP header. addr can
826 be given as an IPv4 address or a hostname.
827 --arp-target-mac mac (target MAC address) .
829 This option sets the Target Hardware Address field of the ARP
830 header.
831 --arp-target-ip addr (target ip address) .
833 This option sets the Target IP field of the ARP header.
834 ARP Types
836 These identifiers may be used as mnemonics for the ARP type numbers
837 given to the --arp-type. option.
838 arp-request, arp, a
840 ARP Request (type 1). ARP requests are used to translate network
841 layer addresses (normally IP addresses) to link layer addresses
842 (usually MAC addresses). Basically, and ARP request is a
843 broadcasted message that asks the host in the same network segment
844 that has a given IP address to provide its MAC address.
845 arp-reply, arp-rep, ar
847 ARP Reply (type 2). An ARP reply is a message that a host sends in
848 response to an ARP request to provide its link layer address.
849 rarp-request, rarp, r
851 RARP Requests (type 3). RARP requests are used to translate a link
852 layer address (normally a MAC address) to a network layer address
853 (usually an IP address). Basically a RARP request is a broadcasted
854 message sent by a host that wants to know his own IP address
855 because it doesn´t have any. It was the first protocol designed to
856 solve the bootstrapping problem. However, RARP is now obsolete and
857 DHCP is used instead. For more information about RARP see RFC 903..
858 rarp-reply, rarp-rep, rr
860 RARP Reply (type 4). A RARP reply is a message sent in response to
861 a RARP request to provide an IP address to the host that sent the
862 RARP request in the first place.
863 drarp-request, drarp, d
865 Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP
866 used to obtain or assign a network layer address from a fixed link
867 layer address. DRARP was used mainly in Sun Microsystems platforms
868 in the late 90´s but now it´s no longer used. See RFC 1931. for
869 more information.
870 drarp-reply, drarp-rep, dr
872 Dynamic RARP Reply (type 6). A DRARP reply is a message sent in
873 response to a RARP request to provide network layer address.
874 drarp-error, drarp-err, de
876 DRARP Error (type 7). DRARP Error messages are usually sent in
877 response to DRARP requests to inform of some error. In DRARP Error
878 messages, the Target Protocol Address field is used to carry an
879 error code (usually in the first byte). The error code is intended
880 to tell why no target protocol address is being returned. For more
881 information see RFC 1931.
882 inarp-request, inarp, i
884 Inverse ARP Request (type 8). InARP requests are used to translate
885 a link layer address to a network layer address. It is similar to
886 RARP request but in this case, the sender of the InARP request
887 wants to know the network layer address of another node, not its
888 own address. InARP is mainly used in Frame Relay and ATM networks.
889 For more information see RFC 2390..
890 inarp-reply, inarp-rep, ir
892 Inverse ARP Reply (type 9). InARP reply messages are sent in
893 response to InARP requests to provide the network layer address
894 associated with the host that has a given link layer address.
895 arp-nak, an
897 ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP
898 protocol and they are used to improve the robustness of the ATMARP
899 server mechanism. With ARP NAK, a client can determine the
900 difference between a catastrophic server failure and an ATMARP
901 table lookup failure. See RFC 1577. for more information.
902
904 -S addr, --source-ip addr (Source IP Address) .
905 Sets the source IP address. This option lets you specify a custom
906 IP address to be used as source IP address in sent packets. This
907 allows spoofing the sender of the packets. addr can be an IPv4
908 address or a hostname.
909 --dest-ip addr (Destination IP Address) .
911 Adds a target to Nping´s target list. This option is provided for
912 consistency but its use is deprecated in favor of plain target
913 specifications. See the section called “TARGET SPECIFICATION”.
914 --tos tos (Type of Service) .
916 Sets the IP TOS field. The TOS field is used to carry information
917 to provide quality of service features. It is normally used to
918 support a technique called Differentiated Services. See RFC 2474.
919 for more information. tos must be a number in the range [0–255].
920 --id id (Identification) .
922 Sets the IPv4 Identification field. The Identification field is a
923 16-bit value that is common to all fragments belonging to a
924 particular message. The value is used by the receiver to reassemble
925 the original message from the fragments received. id must be a
926 number in the range [0–65535].
927 --df (Don´t Fragment) .
929 Sets the Don´t Fragment bit in sent packets. When an IP datagram
930 has its DF flag set, intermediate devices are not allowed to
931 fragment it so if it needs to travel across a network with a MTU
932 smaller that datagram length the datagram will have to be dropped.
933 Normally an ICMP Destination Unreachable message is generated and
934 sent back to the sender.
935 --mf (More Fragments) .
937 Sets the More Fragments bit in sent packets. The MF flag is set to
938 indicate the receiver that the current datagram is a fragment of
939 some larger datagram. When set to zero it indicates that the
940 current datagram is either the last fragment in the set or that it
941 is the only fragment.
942 --ttl hops (Time To Live) .
944 Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given
945 value. The TTL field specifies how long the datagram is allowed to
946 exist on the network. It was originally intended to represent a
947 number of seconds but it actually represents the number of hops a
948 packet can traverse before being dropped. The TTL tries to avoid a
949 situation in which undeliverable datagrams keep being forwarded
950 from one router to another endlessly. hops must be a number in the
951 range [0–255].
952 --badsum-ip (Invalid IP checksum) .
954 Asks Nping to use an invalid IP checksum for packets sent to target
955 hosts. Note that some systems (like most Linux kernels), may fix
956 the checksum before placing the packet on the wire, so even if
957 Nping shows the incorrect checksum in its output, the packets may
958 be transparently corrected by the kernel.
959 --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP
961 Options) .
962 The IP protocol offers several options which may be placed in
963 packet headers. Unlike the ubiquitous TCP options, IP options are
964 rarely seen due to practicality and security concerns. In fact,
965 many Internet routers block the most dangerous options such as
966 source routing. Yet options can still be useful in some cases for
967 determining and manipulating the network route to target machines.
968 For example, you may be able to use the record route option to
969 determine a path to a target even when more traditional
970 traceroute-style approaches fail. Or if your packets are being
971 dropped by a certain firewall, you may be able to specify a
972 different route with the strict or loose source routing options.
973 The most powerful way to specify IP options is to simply pass in
975 hexadecimal data as the argument to --ip-options. Precede each hex
976 byte value with \x. You may repeat certain characters by following
977 them with an asterisk and then the number of times you wish them to
978 repeat. For example, \x01\x07\x04\x00*4 is the same as
979 \x01\x07\x04\x00\x00\x00\x00.
980 Note that if you specify a number of bytes that is not a multiple
982 of four, an incorrect IP header length will be set in the IP
983 packet. The reason for this is that the IP header length field can
984 only express multiples of four. In those cases, the length is
985 computed by dividing the header length by 4 and rounding down. This
986 will affect the way the header that follows the IP header is
987 interpreted, showing bogus information in Nping or in the output of
988 any sniffer. Although this kind of situation might be useful for
989 some stack stress tests, users would normally want to specify
990 explicit padding, so the correct header length is set.
991 Nping also offers a shortcut mechanism for specifying options.
993 Simply pass the letter R, T, or U to request record-route,
994 record-timestamp, or both options together, respectively. Loose or
995 strict source routing may be specified with an L or S followed by a
996 space and then a space-separated list of IP addresses.
997 For more information and examples of using IP options with Nping,
999 see the mailing list post at
1000 http://seclists.org/nmap-dev/2006/q3/0052.html.
1001 --mtu size (Maximum Transmission Unit) .
1003 This option sets a fictional MTU in Nping so IP datagrams larger
1004 than size are fragmented before transmission. size must be
1005 specified in bytes and corresponds to the number of octets that can
1006 be carried on a single link-layer frame.
1007
1009 -6, --ipv6 (Use IPv6) .
1010 Tells Nping to use IP version 6 instead of the default IPv4. It is
1011 generally a good idea to specify this option as early as possible
1012 in the command line so Nping can parse it soon and know in advance
1013 that the rest of the parameters refer to IPv6. The command syntax
1014 is the same as usual except that you also add the -6 option. Of
1015 course, you must use IPv6 syntax if you specify an address rather
1016 than a hostname. An address might look like
1017 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
1018 recommended.
1019 While IPv6 hasn´t exactly taken the world by storm, it gets
1021 significant use in some (usually Asian) countries and most modern
1022 operating systems support it. To use Nping with IPv6, both the
1023 source and target of your packets must be configured for IPv6. If
1024 your ISP (like most of them) does not allocate IPv6 addresses to
1025 you, free tunnel brokers are widely available and work fine with
1026 Nping. You can use the free IPv6 tunnel broker service at
1027 http://www.tunnelbroker.net.
1028 Please note that IPv6 support is still highly experimental and many
1030 modes and options may not work with it.
1031 -S addr, --source-ip addr (Source IP Address) .
1033 Sets the source IP address. This option lets you specify a custom
1034 IP address to be used as source IP address in sent packets. This
1035 allows spoofing the sender of the packets. addr can be an IPv6
1036 address or a hostname.
1037 --dest-ip addr (Destination IP Address) .
1039 Adds a target to Nping´s target list. This option is provided for
1040 consistency but its use is deprecated in favor of plain target
1041 specifications. See the section called “TARGET SPECIFICATION”.
1042 --flow label (Flow Label) .
1044 Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and
1045 is intended to provide certain quality-of-service properties for
1046 real-time datagram delivery. However, it has not been widely
1047 adopted, and not all routers or endpoints support it. Check RFC
1048 2460. for more information. label must be an integer in the range
1049 [0–1048575].
1050 --traffic-class class (Traffic Class) .
1052 Sets the IPv6 Traffic Class. This field is similar to the TOS field
1053 in IPv4, and is intended to provide the Differentiated Services
1054 method, enabling scalable service discrimination in the Internet
1055 without the need for per-flow state and signaling at every hop.
1056 Check RFC 2474. for more information. class must be an integer in
1057 the range [0–255].
1058 --hop-limit hops (Hop Limit) .
1060 Sets the IPv6 Hop Limit field in sent packets to the given value.
1061 The Hop Limit field specifies how long the datagram is allowed to
1062 exist on the network. It represents the number of hops a packet can
1063 traverse before being dropped. As with the TTL in IPv4, IPv6 Hop
1064 Limit tries to avoid a situation in which undeliverable datagrams
1065 keep being forwarded from one router to another endlessly. hops
1066 must be a number in the range [0–255].
1067
1069 In most cases Nping sends packets at the raw IP level. This means that
1070 Nping creates its own IP packets and transmits them through a raw
1071 socket. However, in some cases it may be necessary to send packets at
1072 the raw Ethernet level. This happens, for example, when Nping is run
1073 under Windows (as Microsoft has disabled raw socket support since
1074 Windows XP SP2), or when Nping is asked to send ARP packets. Since in
1075 some cases it is necessary to construct ethernet frames, Nping offers
1076 some options to manipulate the different fields.
1077 --dest-mac mac (Ethernet Destination MAC Address) .
1079 This option sets the destination MAC address that should be set in
1080 outgoing Ethernet frames. This is useful in case Nping can´t
1081 determine the next hop´s MAC address or when you want to route
1082 probes through a router other than the configured default gateway.
1083 The MAC address should have the usual format of six colon-separated
1084 bytes, e.g. 00:50:56:d4:01:98. Alternatively, hyphens may be used
1085 instead of colons. Use the word random or rand to generate a random
1086 address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you
1087 set up a bogus destination MAC address your probes may not reach
1088 the intended targets.
1089 --source-mac mac (Ethernet Source MAC Address) .
1091 This option sets the source MAC address that should be set in
1092 outgoing Ethernet frames. This is useful in case Nping can´t
1093 determine your network interface MAC address or when you want to
1094 inject traffic into the network while hiding your network card´s
1095 real address. The syntax is the same as for --dest-mac. If you set
1096 up a bogus source MAC address you may not receive probe replies.
1097 --ether-type type (Ethertype) .
1099 This option sets the Ethertype field of the ethernet frame. The
1100 Ethertype is used to indicate which protocol is encapsulated in the
1101 payload. type can be supplied in two different ways. You can use
1102 the official numbers listed by the IEEE[3] (e.g. --ether-type
1103 0x0800 for IP version 4), or one of the mnemonics from the section
1104 called “Ethernet Types”.
1105 Ethernet Types
1107 These identifiers may be used as mnemonics for the Ethertype numbers
1108 given to the --arp-type. option.
1109 ipv4, ip, 4
1111 Internet Protocol version 4 (type 0x0800).
1112 ipv6, 6
1114 Internet Protocol version 6 (type 0x86DD).
1115 arp
1117 Address Resolution Protocol (type 0x0806).
1118 rarp
1120 Reverse Address Resolution Protocol (type 0x8035).
1121 frame-relay, frelay, fr
1123 Frame Relay (type 0x0808).
1124 ppp
1126 Point-to-Point Protocol (type 0x880B).
1127 gsmp
1129 General Switch Management Protocol (type 0x880C).
1130 mpls
1132 Multiprotocol Label Switching (type 0x8847).
1133 mps-ual, mps
1135 Multiprotocol Label Switching with Upstream-assigned Label (type
1136 0x8848).
1137 mcap
1139 Multicast Channel Allocation Protocol (type 0x8861).
1140 pppoe-discovery, pppoe-d
1142 PPP over Ethernet Discovery Stage (type 0x8863).
1143 pppoe-session, pppoe-s
1145 PPP over Ethernet Session Stage (type 0x8864).
1146 ctag
1148 Customer VLAN Tag Type (type 0x8100).
1149 epon
1151 Ethernet Passive Optical Network (type 0x8808).
1152 pbnac
1154 Port-based network access control (type 0x888E).
1155 stag
1157 Service VLAN tag identifier (type 0x88A8).
1158 ethexp1
1160 Local Experimental Ethertype 1 (type 0x88B5).
1161 ethexp2
1163 Local Experimental Ethertype 2 (type 0x88B6).
1164 ethoui
1166 OUI Extended Ethertype (type 0x88B7).
1167 preauth
1169 Pre-Authentication (type 0x88C7).
1170 lldp
1172 Link Layer Discovery Protocol (type 0x88CC).
1173 mac-security, mac-sec, macsec
1175 Media Access Control Security (type 0x88E5).
1176 mvrp
1178 Multiple VLAN Registration Protocol (type 0x88F5).
1179 mmrp
1181 Multiple Multicast Registration Protocol (type 0x88F6).
1182 frrr
1184 Fast Roaming Remote Request (type 0x890D).
1185
1187 --data hex string (Append custom binary data to sent packets) .
1188 This option lets you include binary data as payload in sent
1189 packets. hex string may be specified in any of the following
1190 formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF... or
1191 \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef
1192 and --data \xCA\xFE\x09. Note that if you specify a number like
1193 0x00ff no byte-order conversion is performed. Make sure you specify
1194 the information in the byte order expected by the receiver.
1195 --data-string string (Append custom string to sent packets) .
1197 This option lets you include a regular string as payload in sent
1198 packets. string can contain any string. However, note that some
1199 characters may depend on your system´s locale and the receiver may
1200 not see the same information. Also, make sure you enclose the
1201 string in double quotes and escape any special characters from the
1202 shell. Example: --data-string "Jimmy Jazz...".
1203 --data-length len (Append random data to sent packets) .
1205 This option lets you include len random bytes of data as payload in
1206 sent packets. len must be an integer in the range [0–65400].
1207 However, values higher than 1400 are not recommended because it may
1208 not be possible to transmit packets due to network MTU limitations.
1209
1211 The "Echo Mode" is a novel technique implemented by Nping which lets
1212 users see how network packets change in transit, from the host where
1213 they originated to the target machine. Basically, the Echo mode turns
1214 Nping into two different pieces: the Echo server and the Echo client.
1215 The Echo server is a network service that has the ability to capture
1216 packets from the network and send a copy ("echo them") to the
1217 originating client through a side TCP channel. The Echo client is the
1218 part that generates such network packets, transmits them to the server,
1219 and receives their echoed version through a side TCP channel that it
1220 has previously established with the Echo server.
1221 This scheme lets the client see the differences between the packets
1223 that it sends and what is actually received by the server. By having
1224 the server send back copies of the received packets through the side
1225 channel, things like NAT devices become immediately apparent to the
1226 client because it notices the changes in the source IP address (and
1227 maybe even source port). Other devices like those that perform traffic
1228 shaping, changing TCP window sizes or adding TCP options transparently
1229 between hosts, turn up too.
1230 The Echo mode is also useful for troubleshooting routing and firewall
1232 issues. Among other things, it can be used to determine if the traffic
1233 generated by the Nping client is being dropped in transit and never
1234 gets to its destination or if the responses are the ones that don´t get
1235 back to it.
1236 Internally, client and server communicate over an encrypted and
1238 authenticated channel, using the Nping Echo Protocol (NEP), whose
1239 technical specification can be found in
1240 http://nmap.org/svn/nping/docs/EchoProtoRFC.txt
1241 The following paragraphs describe the different options available in
1243 Nping´s Echo mode.
1244 --ec passphrase, --echo-client passphrase (Run Echo client) .
1246 This option tells Nping to run as an Echo client. passphrase is a
1247 sequence of ASCII characters that is used used to generate the
1248 cryptographic keys needed for encryption and authentication in a
1249 given session. The passphrase should be a secret that is also known
1250 by the server, and it may contain any number of printable ASCII
1251 characters. Passphrases that contain whitespace or special
1252 characters must be enclosed in double quotes.
1253 When running Nping as an Echo client, most options from the regular
1255 raw probe modes apply. The client may be configured to send
1256 specific probes using flags like --tcp, --icmp or --udp. Protocol
1257 header fields may be manipulated normally using the appropriate
1258 options (e.g. --ttl, --seq, --icmp-type, etc.). The only
1259 exceptions are ARP-related flags, which are not supported in Echo
1260 mode, as protocols like ARP are closely related to the data link
1261 layer and its probes can´t pass through different network segments.
1262 --es passphrase, --echo-server passphrase (Run Echo server) .
1264 This option tells Nping to run as an Echo server. passphrase is a
1265 sequence of ASCII characters that is used used to generate the
1266 cryptographic keys needed for encryption and authentication in a
1267 given session. The passphrase should be a secret that is also known
1268 by the clients, and it may contain any number of printable ASCII
1269 characters. Passphrases that contain whitespace or special
1270 characters must be enclosed in double quotes. Note that although it
1271 is not recommended, it is possible to use empty passphrases,
1272 supplying --echo-server "". However, if what you want is to set up
1273 an open Echo server, it is better to use option --no-crypto. See
1274 below for details.
1275 --ep port, --echo-port port (Set Echo TCP port number) .
1277 This option asks Nping to use the specified TCP port number for the
1278 Echo side channel connection. If this option is used with
1279 --echo-server, it specifies the port on which the server listens
1280 for connections. If it is used with --echo-client, it specifies the
1281 port to connect to on the remote host. By default, port number 9929
1282 is used.
1283 --nc, --no-crypto (Disable encryption and authentication) .
1285 This option asks Nping not to use any cryptographic operations
1286 during an Echo session. In practical terms, this means that the
1287 Echo side channel session data will be transmitted in the clear,
1288 and no authentication will be performed by the server or client
1289 during the session establishment phase. When --no-crypto is used,
1290 the passphrase supplied with --echo-server or --echo-client is
1291 ignored.
1292 This option must be specified if Nping was compiled without openSSL
1294 support. Note that, for technical reasons, a passphrase still needs
1295 to be supplied after the --echo-client or --echo-server flags, even
1296 though it will be ignored.
1297 The --no-crypto flag might be useful when setting up a public Echo
1299 server, because it allows users to connect to the Echo server
1300 without the need for any passphrase or shared secret. However, it
1301 is strongly recommended to not use --no-crypto unless absolutely
1302 necessary. Public Echo servers should be configured to use the
1303 passphrase "public" or the empty passphrase (--echo-server "") as
1304 the use of cryptography does not only provide confidentiality and
1305 authentication but also message integrity.
1306 --once (Serve one client and quit) .
1308 This option asks the Echo server to quit after serving one client.
1309 This is useful when only a single Echo session wants to be
1310 established as it eliminates the need to access the remote host to
1311 shutdown the server.
1312 The following examples illustrate how Nping´s Echo mode can be used to
1314 discover intermediate devices.
1315 Example 2. Discovering NAT devices
1317 # nping --echo-client "public" echo.nmap.org --udp
1319 Starting Nping ( http://nmap.org/nping )
1321 SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1322 CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1323 RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
1324 [...]
1325 SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1326 CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1327 RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56
1328 Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
1330 Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
1331 Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
1332 Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
1333 Nping done: 1 IP address pinged in 6.18 seconds
1334 The output clearly shows the presence of a NAT device in the client´s
1337 local network. Note how the captured packet (CAPT) differs from the
1338 SENT packet: the source address for the original packets is in the
1339 reserved 10.0.0.0/8 range, while the address seen by the server is
1340 80.38.10.21, the Internet side address of the NAT device. The source
1341 port was also modified by the device. The line starting with RCVD
1342 corresponds to the responses generated by the TCP/IP stack of the
1343 machine where the Echo server is run.
1344 Example 3. Discovering a transparent proxy
1346 # nping --echo-client "public" echo.nmap.org --tcp -p80
1348 Starting Nping ( http://nmap.org/nping )
1350 SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1351 RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44 seq=3647106954 win=16384 <mss 1460>
1352 SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1353 SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1354 SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1355 SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1356 Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
1358 Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
1359 Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
1360 Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
1361 Nping done: 1 IP address pinged in 6.39 seconds
1362 In this example, the output is a bit more tricky. The absence of error
1365 messages shows that the Echo client has successfully established an
1366 Echo session with the server. However, no CAPT packets can be seen in
1367 the output. This means that none of the transmitted packets reached the
1368 server. Interestingly, a TCP SYN-ACK packet was received in response to
1369 the first TCP-SYN packet (and also, it is known that the target host
1370 does not have port 80 open). This behavior reveals the presence of a
1371 transparent web proxy cache server (which in this case is an old MS ISA
1372 server).
1373
1375 --delay time (Delay between probes) .
1376 This option lets you control for how long will Nping wait before
1377 sending the next probe. Like in many other ping tools, the default
1378 delay is one second. time must be a positive integer or floating
1379 point number. By default it is specified in seconds, however you
1380 can give an explicit unit by appending ms for milliseconds, s for
1381 seconds, m for minutes, or h for hours (e.g. 2.5s, 45m, 2h).
1382 --rate rate (Send probes at a given rate) .
1384 This option specifies the number of probes that Nping should send
1385 per second. This option and --delay are inverses; --rate 20 is the
1386 same as --delay 0.05. If both options are used, only the last one
1387 in the parameter list counts.
1388
1390 -h, --help (Display help) .
1391 Displays help information and exits.
1392 -V, --version (Display version) .
1394 Displays the program´s version number and quits.
1395 -c rounds, --count rounds (Stop after a given number of rounds) .
1397 This option lets you specify the number of times that Nping should
1398 loop over target hosts (and in some cases target ports). Nping
1399 calls these “rounds”. In a basic execution with only one target
1400 (and only one target port in TCP/UDP modes), the number of rounds
1401 matches the number of probes sent to the target host. However, in
1402 more complex executions where Nping is run against multiple targets
1403 and multiple ports, the number of rounds is the number of times
1404 that Nping sends a complete set of probes that covers all target
1405 IPs and all target ports. For example, if Nping is asked to send
1406 TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then
1407 256 × 2 = 512 packets are sent in one round. So if you specify -c
1408 100, Nping will loop over the different target hosts and ports 100
1409 times, sending a total of 256 × 2 × 100 = 51200 packets. By default
1410 Nping runs for 5 rounds. If a value of 0 is specified, Nping will
1411 run for 232 rounds.
1412 -e name, --interface name (Set the network interface to be used) .
1414 This option tells Nping what interface should be used to send and
1415 receive packets. Nping should be able to detect this automatically,
1416 but it will tell you if it cannot. name must be the name of an
1417 existing network interface with an assigned IP address.
1418 --privileged (Assume that the user is fully privileged) .
1420 Tells Nping to simply assume that it is privileged enough to
1421 perform raw socket sends, packet sniffing, and similar operations
1422 that usually require special privileges. By default Nping quits if
1423 such operations are requested by a user that has no root or
1424 administrator privileges. This option may be useful on Linux, BSD
1425 or similar systems that can be configured to allow unprivileged
1426 users to perform raw-packet transmissions. The NPING_PRIVILEGED.
1427 environment variable may be set as an alternative to using
1428 --privileged.
1429 --unprivileged (Assume that the user lacks raw socket privileges) .
1431 This option is the opposite of --privileged. It tells Nping to
1432 treat the user as lacking network raw socket and sniffing
1433 privileges. This is useful for testing, debugging, or when the raw
1434 network functionality of your operating system is somehow broken.
1435 The NPING_UNPRIVILEGED. environment variable may be set as an
1436 alternative to using --unprivileged.
1437 --send-eth (Use raw ethernet sending) .
1439 Asks Nping to send packets at the raw ethernet (data link) layer
1440 rather than the higher IP (network) layer. By default, Nping
1441 chooses the one which is generally best for the platform it is
1442 running on. Raw sockets (IP layer) are generally most efficient for
1443 Unix machines, while ethernet frames are required for Windows
1444 operation since Microsoft disabled raw socket support. Nping still
1445 uses raw IP packets despite this option when there is no other
1446 choice (such as non-ethernet connections).
1447 --send-ip (Send at raw IP level) .
1449 Asks Nping to send packets via raw IP sockets rather than sending
1450 lower level ethernet frames. It is the complement to the --send-eth
1451 option.
1452 --bpf-filter filter spec --filter filter spec (Set custom BPF filter) .
1454 This option lets you use a custom BPF filter. By default Nping
1455 chooses a filter that is intended to capture most common responses
1456 to the particular probes that are sent. For example, when sending
1457 TCP packets, the filter is set to capture packets whose destination
1458 port matches the probe´s source port or ICMP error messages that
1459 may be generated by the target or any intermediate device as a
1460 result of the probe. If for some reason you expect strange packets
1461 in response to sent probes or you just want to sniff a particular
1462 kind of traffic, you can specify a custom filter using the BPF
1463 syntax used by tools like tcpdump.. See the documentation at
1464 http://www.tcpdump.org/ for more information.
1465 -H, --hide-sent (Do not display sent packets) .
1467 This option tells Nping not to print information about sent
1468 packets. This can be useful when using very short inter-probe
1469 delays (i.e., when flooding), because printing information to the
1470 standard output has a computational cost and disabling it can
1471 probably speed things up a bit. Also, it may be useful when using
1472 Nping to detect active hosts or open ports (e.g. sending probes to
1473 all TCP ports in a /24 subnet). In that case, users may not want to
1474 see thousands of sent probes but just the replies generated by
1475 active hosts.
1476 -N, --no-capture (Do not attempt to capture replies) .
1478 This option tells Nping to skip packet capture. This means that
1479 packets in response to sent probes will not be processed or
1480 displayed. This can be useful when doing flooding and network stack
1481 stress tests. Note that when this option is specified, most of the
1482 statistics shown at the end of the execution will be useless. This
1483 option does not work with TCP Connect mode.
1484
1486 -v[level], --verbose [level] (Increase or set verbosity level) .
1487 Increases the verbosity level, causing Nping to print more
1488 information during its execution. There are 9 levels of verbosity
1489 (-4 to 4). Every instance of -v increments the verbosity level by
1490 one (from its default value, level 0). Every instance of option -q
1491 decrements the verbosity level by one. Alternatively you can
1492 specify the level directly, as in -v3 or -v-1. These are the
1493 available levels:
1494 Level −4
1496 No output at all. In some circumstances you may not want Nping
1497 to produce any output (like when one of your work mates is
1498 watching over your shoulder). In that case level −4 can be
1499 useful because although you won´t see any response packets,
1500 probes will still be sent.
1501 Level −3
1503 Like level −4 but displays fatal error messages so you can
1504 actually see if Nping is running or it failed due to some
1505 error.
1506 Level −2
1508 Like level −3 but also displays warnings and recoverable
1509 errors.
1510 Level −1
1512 Displays traditional run-time information (version, start time,
1513 statistics, etc.) but does not display sent or received
1514 packets.
1515 Level 0
1517 This is the default verbosity level. It behaves like level −1
1518 but also displays sent and received packets and some other
1519 important information.
1520 Level 1
1522 Like level 0 but it displays detailed information about timing,
1523 flags, protocol details, etc.
1524 Level 2
1526 Like level 1 but displays very detailed information about sent
1527 and received packets and other interesting information.
1528 Level 3
1530 Like level 2 but also displays the raw hexadecimal dump of sent
1531 and received packets.
1532 Level 4
1534 Currently unused.
1535 -q[level], --reduce-verbosity [level] (Decrease verbosity level) .
1537 Decreases the verbosity level, causing Nping to print less
1538 information during its execution.
1539 -d[level] (Increase or set debugging level) .
1541 When even verbose mode doesn´t provide sufficient data for you,
1542 debugging is available to flood you with much more! As with the -v,
1543 debugging is enabled with a command-line flag -d and the debug
1544 level can be increased by specifying it multiple times. There are 7
1545 debugging levels (0 to 6). Every instance of -d increments
1546 debugging level by one. Provide an argument to -d to set the level
1547 directly; for example -d4.
1548 Debugging output is useful when you suspect a bug in Nping, or if
1550 you are simply confused as to what Nping is doing and why. As this
1551 feature is mostly intended for developers, debug lines aren´t
1552 always self-explanatory. You may get something like
1553 NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS
1555 If you don´t understand a line, your only recourses are to ignore
1557 it, look it up in the source code, or request help from the
1558 development list (nmap-dev). Some lines are self-explanatory, but
1559 the messages become more obscure as the debug level is increased.
1560 These are the available levels:
1561 Level 0
1563 Level 0. No debug information at all. This is the default
1564 level.
1565 Level 1
1567 In this level, only very important or high-level debug
1568 information will be printed.
1569 Level 2
1571 Like level 1 but also displays important or medium-level debug
1572 information
1573 Level 3
1575 Like level 2 but also displays regular and low-level debug
1576 information.
1577 Level 4
1579 Like level 3 but also displays messages only a real Nping freak
1580 would want to see.
1581 Level 5
1583 Like level 4 but it enables basic debug information related to
1584 external libraries like Nsock..
1585 Level 6
1587 Like level 5 but it enables full, very detailed, debug
1588 information related to external libraries like Nsock.
1589
1591 Like its author, Nping isn´t perfect. But you can help make it better
1592 by sending bug reports or even writing patches. If Nping doesn´t behave
1593 the way you expect, first upgrade to the latest Nmap version available
1594 from http://nmap.org/download.html. If the problem persists, do some
1595 research to determine whether it has already been discovered and
1596 addressed. Try searching for the error message on our search page at
1597 http://insecure.org/search.html or at Google. Also try browsing the
1598 nmap-dev archives at http://seclists.org/. Read this full manual page
1599 as well. If nothing comes out of this, mail a bug report to
1600 nmap-dev@insecure.org. Please include everything you have learned about
1601 the problem, as well as what version of Nping you are running and what
1602 operating system version it is running on. Problem reports and Nping
1603 usage questions sent to nmap-dev@insecure.org are far more likely to be
1604 answered than those sent to Fyodor directly. If you subscribe to the
1605 nmap-dev list before posting, your message will bypass moderation and
1606 get through more quickly. Subscribe at
1607 http://cgi.insecure.org/mailman/listinfo/nmap-dev.
1608 Code patches to fix bugs are even better than bug reports. Basic
1610 instructions for creating patch files with your changes are available
1611 at http://nmap.org/data/HACKING. Patches may be sent to nmap-dev
1612 (recommended) or to any of the authors listed in the next section
1613 directly.
1614
1616 Luis MartinGarcia luis.mgarc@gmail.com (http://aldabaknocking.com)
1617 Fyodor fyodor@insecure.org (http://insecure.org)
1619
1621 1. official type numbers assigned by IANA
1622 http://www.iana.org/assignments/icmp-parameters
1623 2. official numbers assigned by IANA
1625 http://www.iana.org/assignments/arp-parameters/
1626 3. official numbers listed by the IEEE
1628 http://standards.ieee.org/regauth/ethertype/eth.txt
1629Nping 02/11/2011 NPING(1)