1NPING(1)                     Nping Reference Guide                    NPING(1)
2
3
4

NAME

6       nping - Network packet generation tool / ping utility
7

SYNOPSIS

9       nping [Options] {targets}
10

DESCRIPTION

12       Nping is an open-source tool for network packet generation, response
13       analysis and response time measurement. Nping allows users to generate
14       network packets of a wide range of protocols, letting them tune
15       virtually any field of the protocol headers. While Nping can be used as
16       a simple ping utility to detect active hosts, it can also be used as a
17       raw packet generator for network stack stress tests, ARP poisoning,
18       Denial of Service attacks, route tracing, and other purposes.
19
20       Additionally, Nping offers a special mode of operation called the "Echo
21       Mode", that lets users see how the generated probes change in transit,
22       revealing the differences between the transmitted packets and the
23       packets received at the other end. See section "Echo Mode" for details.
24
25       The output from Nping is a list of the packets that are being sent and
26       received. The level of detail depends on the options used.
27
28       A typical Nping execution is shown in Example 1. The only Nping
29       arguments used in this example are -c, to specify the number of times
30       to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to
31       specify the target ports; and then the two target hostnames.
32
33       Example 1. A representative Nping execution
34
35           # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com
36
37           Starting Nping ( http://nmap.org/nping )
38           SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40  seq=1077657388 win=1480
39           RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
40           SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
41           RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
42           SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40  seq=1077657388 win=1480
43           SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480
44
45           Statistics for host scanme.nmap.org (64.13.134.52):
46            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
47            |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
48           Statistics for host google.com (74.125.45.100):
49            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
50            |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
51           Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
52           Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
53           Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
54           Nping done: 2 IP addresses pinged in 4.01 seconds
55

OPTIONS SUMMARY

57       This options summary is printed when Nping is run with no arguments. It
58       helps people remember the most common options, but is no substitute for
59       the in-depth documentation in the rest of this manual. Some obscure
60       options aren't even included here.
61
62           Nping 0.5.59BETA1 ( http://nmap.org/nping )
63           Usage: nping [Probe mode] [Options] {target specification}
64
65           TARGET SPECIFICATION:
66             Targets may be specified as hostnames, IP addresses, networks, etc.
67             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
68           PROBE MODES:
69             --tcp-connect                    : Unprivileged TCP connect probe mode.
70             --tcp                            : TCP probe mode.
71             --udp                            : UDP probe mode.
72             --icmp                           : ICMP probe mode.
73             --arp                            : ARP/RARP probe mode.
74             --tr, --traceroute               : Traceroute mode (can only be used with
75                                                TCP/UDP/ICMP modes).
76           TCP CONNECT MODE:
77              -p, --dest-port <port spec>     : Set destination port(s).
78              -g, --source-port <portnumber>  : Try to use a custom source port.
79           TCP PROBE MODE:
80              -g, --source-port <portnumber>  : Set source port.
81              -p, --dest-port <port spec>     : Set destination port(s).
82              --seq <seqnumber>               : Set sequence number.
83              --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
84              --ack <acknumber>               : Set ACK number.
85              --win <size>                    : Set window size.
86              --badsum                        : Use a random invalid checksum.
87           UDP PROBE MODE:
88              -g, --source-port <portnumber>  : Set source port.
89              -p, --dest-port <port spec>     : Set destination port(s).
90              --badsum                        : Use a random invalid checksum.
91           ICMP PROBE MODE:
92             --icmp-type <type>               : ICMP type.
93             --icmp-code <code>               : ICMP code.
94             --icmp-id <id>                   : Set identifier.
95             --icmp-seq <n>                   : Set sequence number.
96             --icmp-redirect-addr <addr>      : Set redirect address.
97             --icmp-param-pointer <pnt>       : Set parameter problem pointer.
98             --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
99             --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
100             --icmp-orig-time  <timestamp>    : Set originate timestamp.
101             --icmp-recv-time  <timestamp>    : Set receive timestamp.
102             --icmp-trans-time <timestamp>    : Set transmit timestamp.
103           ARP/RARP PROBE MODE:
104             --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
105             --arp-sender-mac <mac>           : Set sender MAC address.
106             --arp-sender-ip  <addr>          : Set sender IP address.
107             --arp-target-mac <mac>           : Set target MAC address.
108             --arp-target-ip  <addr>          : Set target IP address.
109           IPv4 OPTIONS:
110             -S, --source-ip                  : Set source IP address.
111             --dest-ip <addr>                 : Set destination IP address (used as an
112                                                alternative to {target specification} ).
113             --tos <tos>                      : Set type of service field (8bits).
114             --id  <id>                       : Set identification field (16 bits).
115             --df                             : Set Don't Fragment flag.
116             --mf                             : Set More Fragments flag.
117             --ttl <hops>                     : Set time to live [0-255].
118             --badsum-ip                      : Use a random invalid checksum.
119             --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
120             --ip-options <hex string>                    : Set IP options
121             --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
122                                                small enough.
123           IPv6 OPTIONS:
124             -6, --IPv6                       : Use IP version 6.
125             --dest-ip                        : Set destination IP address (used as an
126                                                alternative to {target specification}).
127             --hop-limit                      : Set hop limit (same as IPv4 TTL).
128             --traffic-class <class> :        : Set traffic class.
129             --flow <label>                   : Set flow label.
130           ETHERNET OPTIONS:
131             --dest-mac <mac>                 : Set destination mac address. (Disables
132                                                ARP resolution)
133             --source-mac <mac>               : Set source MAC address.
134             --ether-type <type>              : Set EtherType value.
135           PAYLOAD OPTIONS:
136             --data <hex string>              : Include a custom payload.
137             --data-string <text>             : Include a custom ASCII text.
138             --data-length <len>              : Include len random bytes as payload.
139           ECHO CLIENT/SERVER:
140             --echo-client <passphrase>       : Run Nping in client mode.
141             --echo-server <passphrase>       : Run Nping in server mode.
142             --echo-port <port>               : Use custom <port> to listen or connect.
143             --no-crypto                      : Disable encryption and authentication.
144             --once                           : Stop the server after one connection.
145             --safe-payloads                  : Erase application data in echoed packets.
146           TIMING AND PERFORMANCE:
147             Options which take <time> are in seconds, or append 'ms' (milliseconds),
148             's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
149             --delay <time>                   : Adjust delay between probes.
150             --rate  <rate>                   : Send num packets per second.
151           MISC:
152             -h, --help                       : Display help information.
153             -V, --version                    : Display current version number.
154             -c, --count <n>                  : Stop after <n> rounds.
155             -e, --interface <name>           : Use supplied network interface.
156             -H, --hide-sent                  : Do not display sent packets.
157             -N, --no-capture                 : Do not try to capture replies.
158             --privileged                     : Assume user is fully privileged.
159             --unprivileged                   : Assume user lacks raw socket privileges.
160             --send-eth                       : Send packets at the raw ethernet layer.
161             --send-ip                        : Send packets using raw IP sockets.
162             --bpf-filter <filter spec>       : Specify custom BPF filter.
163           OUTPUT:
164             -v                               : Increment verbosity level by one.
165             -v[level]                        : Set verbosity level. E.g: -v4
166             -d                               : Increment debugging level by one.
167             -d[level]                        : Set debugging level. E.g: -d3
168             -q                               : Decrease verbosity level by one.
169             -q[N]                            : Decrease verbosity level N times
170             --quiet                          : Set verbosity and debug level to minimum.
171             --debug                          : Set verbosity and debug to the max level.
172           EXAMPLES:
173             nping scanme.nmap.org
174             nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
175             nping --icmp --icmp-type time --delay 500ms 192.168.254.254
176             nping --echo-server "public" -e wlan0 -vvv
177             nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
178
179           SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
180
181

TARGET SPECIFICATION

183       Everything on the Nping command line that isn't an option or an option
184       argument is treated as a target host specification. Nping uses the same
185       syntax for target specifications that Nmap does. The simplest case is a
186       single target given by IP address or hostname.
187
188       Nping supports CIDR-style.  addressing. You can append /numbits to an
189       IPv4 address or hostname and Nping will send probes to every IP address
190       for which the first numbits are the same as for the reference IP or
191       hostname given. For example, 192.168.10.0/24 would send probes to the
192       256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
193       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
194       11111111), inclusive.  192.168.10.40/24 would ping exactly the same
195       targets. Given that the host scanme.nmap.org.  is at the IP address
196       64.13.134.52, the specification scanme.nmap.org/16 would send probes to
197       the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
198       smallest allowed value is /0, which targets the whole Internet. The
199       largest value is /32, which targets just the named host or IP address
200       because all address bits are fixed.
201
202       CIDR notation is short but not always flexible enough. For example, you
203       might want to send probes to 192.168.0.0/16 but skip any IPs ending
204       with .0 or .255 because they may be used as subnet network and
205       broadcast addresses. Nping supports this through octet range
206       addressing. Rather than specify a normal IP address, you can specify a
207       comma-separated list of numbers or ranges for each octet. For example,
208       192.168.0-255.1-254 will skip all addresses in the range that end in .0
209       or .255, and 192.168.3-5,7.1 will target the four addresses
210       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
211       a range may be omitted; the default values are 0 on the left and 255 on
212       the right. Using - by itself is the same as 0-255, but remember to use
213       0- in the first octet so the target specification doesn't look like a
214       command-line option. Ranges need not be limited to the final octets:
215       the specifier 0-.-.13.37 will send probes to all IP addresses on the
216       Internet ending in .13.37. This sort of broad sampling can be useful
217       for Internet surveys and research.
218
219       IPv6 addresses can only be specified by their fully qualified IPv6
220       address or hostname. CIDR and octet ranges aren't supported for IPv6
221       because they are rarely useful.
222
223       Nping accepts multiple host specifications on the command line, and
224       they don't need to be the same type. The command nping scanme.nmap.org
225       192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.
226

OPTION SPECIFICATION

228       Nping is designed to be very flexible and fit a wide variety of needs.
229       As with most command-line tools, its behavior can be adjusted using
230       command-line options. These general principles apply to option
231       arguments, unless stated otherwise.
232
233       Options that take integer numbers can accept values specified in
234       decimal, octal or hexadecimal base. When a number starts with 0x, it
235       will be treated as hexadecimal; when it simply starts with 0, it will
236       be treated as octal. Otherwise, Nping will assume the number has been
237       specified in base 10. Virtually all numbers that can be supplied from
238       the command line are unsigned so, as a general rule, the minimum value
239       is zero. Users may also specify the word random or rand to make Nping
240       generate a random value within the expected range.
241
242       IP addresses may be given as IPv4 addresses (e.g.  192.168.1.1), IPv6
243       addresses (e.g.  2001:db8:85a3::8e4c:760:7146), or hostnames, which
244       will be resolved using the default DNS server configured in the host
245       system.
246
247       Options that take MAC addresses accept the usual colon-separated 6 hex
248       byte format (e.g.  00:50:56:d4:01:98). Hyphens may also be used instead
249       of colons (e.g.  00-50-56-c0-00-08). The special word random or rand
250       sets a random address and the word broadcast or bcast sets
251       ff:ff:ff:ff:ff:ff.
252

GENERAL OPERATION

254       Unlike other ping and packet generation tools, Nping supports multiple
255       target host and port specifications. While this provides great
256       flexibility, it is not obvious how Nping handles situations where there
257       is more than one host and/or more than one port to send probes to. This
258       section explains how Nping behaves in these cases.
259
260       When multiple target hosts are specified, Nping rotates among them in
261       round-robin fashion. This gives slow hosts more time to send their
262       responses before another probe is sent to them. Ports are also
263       scheduled using round robin. So, unless only one port is specified,
264       Nping never sends two probes to the same target host and port
265       consecutively.
266
267       The loop around targets is the “inner loop” and the loop around ports
268       is the “outer loop”. All targets will be sent a probe for a given port
269       before moving on to the next port. Between probes, Nping waits a
270       configurable amount of time called the “inter-probe delay”, which is
271       controlled by the --delay option. These examples show how it works.
272
273               # nping --tcp -c 2 1.1.1.1 -p 100-102
274
275               Starting Nping ( http://nmap.org/nping )
276               SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
277               SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
278               SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
279               SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
280               SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
281               SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102
282
283               # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080
284
285               Starting Nping ( http://nmap.org/nping )
286               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
287               SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
288               SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
289               SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
290               SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
291               SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080
292
293               # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139
294
295               Starting Nping ( http://nmap.org/nping )
296               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
297               SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
298               SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
299               SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
300               SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
301               SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
302               SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
303               SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
304               SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139
305

PROBE MODES

307       Nping supports a wide variety of protocols. Although in some cases
308       Nping can automatically determine the mode from the options used, it is
309       generally a good idea to specify it explicitly.
310
311       --tcp-connect (TCP Connect mode) .
312           TCP connect mode is the default mode when a user does not have raw
313           packet privileges. Instead of writing raw packets as most other
314           modes do, Nping asks the underlying operating system to establish a
315           connection with the target machine and port by issuing the connect
316           system call. This is the same high-level system call that web
317           browsers, P2P clients, and most other network-enabled applications
318           use to establish a connection. It is part of a programming
319           interface known as the Berkeley Sockets API. Rather than read raw
320           packet responses off the wire, Nping uses this API to obtain status
321           information on each connection attempt. For this reason, you will
322           not be able to see the contents of the packets that are sent or
323           received but only status information about the TCP connection
324           establishment taking place.
325
326       --tcp (TCP mode) .
327           TCP is the mode that lets users create and send any kind of TCP
328           packet. TCP packets are sent embedded in IP packets that can also
329           be tuned. This mode can be used for many different purposes. For
330           example you could try to discover open ports by sending TCP SYN
331           messages without completing the three-way handshake. This technique
332           is often referred to as half-open scanning, because you don't open
333           a full TCP connection. You send a SYN packet, as if you are going
334           to open a real connection and then wait for a response. A SYN/ACK
335           indicates the port is open, while a RST indicates it's closed. If
336           no response is received one could assume that some intermediate
337           network device is filtering the responses. Another use could be to
338           see how a remote TCP/IP stack behaves when it receives a
339           non-RFC-compliant packet, like one with both SYN and RST flags set.
340           One could also do some evil by creating custom RST packets using an
341           spoofed IP address with the intent of closing an active TCP
342           connection.
343
344       --udp (UDP mode) .
345           UDP mode can have two different behaviours. Under normal
346           circumstances, it lets users create custom IP/UDP packets. However,
347           if Nping is run by a user without raw packet privileges and no
348           changes to the default protocol headers are requested, then Nping
349           enters the unprivileged UDP mode which basically sends UDP packets
350           to the specified target hosts and ports using the sendto system
351           call. Note that in this unprivileged mode it is not possible to see
352           low-level header information of the packets on the wire but only
353           status information about the amount of bytes that are being
354           transmitted and received. UDP mode can be used to interact with any
355           UDP-based server. Examples are DNS servers, streaming servers,
356           online gaming servers, and port knocking/single-packet.
357           authorization daemons.
358
359       --icmp (ICMP mode) .
360           ICMP mode is the default mode when the user runs Nping with raw
361           packet privileges. Any kind of ICMP message can be created. The
362           default ICMP type is Echo, i.e., ping. ICMP mode can be used for
363           many different purposes, from a simple request for a timestamp or a
364           netmask to the transmission of fake destination unreachable
365           messages, custom redirects, and router advertisements.
366
367       --arp (ARP/RARP mode) .
368           ARP lets you create and send a few different ARP-related packets.
369           These include ARP, RARP, DRARP, and InARP requests and replies.
370           This mode can ban be used to perform low-level host discovery, and
371           conduct ARP-cache poisoning attacks.
372
373       --traceroute (Traceroute mode) .
374           Traceroute is not a mode by itself but a complement to TCP, UDP,
375           and ICMP modes. When this option is specified Nping will set the IP
376           TTL value of the first probe to 1. When the next router receives
377           the packet it will drop it due to the expiration of the TTL and it
378           will generate an ICMP destination unreachable message. The next
379           probe will have a TTL of 2 so now the first router will forward the
380           packet while the second router will be the one that drops the
381           packet and generates the ICMP message. The third probe will have a
382           TTL value of 3 and so on. By examining the source addresses of all
383           those ICMP Destination Unreachable messages it is possible to
384           determine the path that the probes take until they reach their
385           final destination.
386

TCP CONNECT MODE

388       -p port_spec, --dest-port port_spec (Target ports) .
389           This option specifies which ports you want to try to connect to. It
390           can be a single port, a comma-separated list of ports (e.g.
391           80,443,8080), a range (e.g.  1-1023), and any combination of those
392           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
393           a range may be omitted, causing Nping to use 1 and 65535,
394           respectively. So you can specify -p- to target ports from 1 through
395           65535. Using port zero is allowed if you specify it explicitly.
396
397       -g portnumber, --source-port portnumber (Spoof source port) .
398           This option asks Nping to use the specified port as source port for
399           the TCP connections. Note that this might not work on all systems
400           or may require root privileges. Specified value must be an integer
401           in the range [0–65535].
402

TCP MODE

404       -p port_spec, --dest-port port_spec (Target ports)
405           This option specifies which destination ports you want to send
406           probes to. It can be a single port, a comma-separated list of ports
407           (e.g.  80,443,8080), a range (e.g.  1-1023), and any combination of
408           those (e.g.  21-25,80,443,1024-2048). The beginning and/or end
409           values of a range may be omitted, causing Nping to use 1 and 65535,
410           respectively. So you can specify -p- to target ports from 1 through
411           65535. Using port zero is allowed if you specify it explicitly.
412
413       -g portnumber, --source-port portnumber (Spoof source port)
414           This option asks Nping to use the specified port as source port for
415           the TCP connections. Note that this might not work on all systems
416           or may require root privileges. Specified value must be an integer
417           in the range [0–65535].
418
419       --seq seqnumber (Sequence Number) .
420           Specifies the TCP sequence number. In SYN packets this is the
421           initial sequence number (ISN). In a normal transmission this
422           corresponds to the sequence number of the first byte of data in the
423           segment.  seqnumber must be a number in the range [0–4294967295].
424
425       --flags flags (TCP Flags) .
426           This option specifies which flags should be set in the TCP packet.
427           flags may be specified in three different ways:
428
429            1. As a comma-separated list of flags, e.g.  --flags syn,ack,rst
430
431            2. As a list of one-character flag initials, e.g.  --flags SAR
432               tells Nping to set flags SYN, ACK, and RST.
433
434            3. As an 8-bit hexadecimal number, where the supplied number is
435               the exact value that will be placed in the flags field of the
436               TCP header. The number should start with the prefix 0x and
437               should be in the range [0x00–0xFF], e.g.  --flags 0x20 sets the
438               URG flag as 0x20 corresponds to binary 00100000 and the URG
439               flag is represented by the third bit.
440
441           There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST,
442           SYN, and FIN. The special value ALL means to set all flags.  NONE
443           means to set no flags. It is important that if you don't want any
444           flag to be set, you request it explicitly because in some cases the
445           SYN flag may be set by default. Here is a brief description of the
446           meaning of each flag:
447
448           CWR (Congestion Window Reduced) .
449               Set by an ECN-Capable sender when it reduces its congestion
450               window (due to a retransmit timeout, a fast retransmit or in
451               response to an ECN notification.
452
453           ECN (Explicit Congestion Notification) .
454               During the three-way handshake it indicates that sender is
455               capable of performing explicit congestion notification.
456               Normally it means that a packet with the IP Congestion
457               Experienced flag set was received during normal transmission.
458               See RFC 3168.  for more information.
459
460           URG (Urgent) .
461               Segment is urgent and the urgent pointer field carries valid
462               information.
463
464           ACK (Acknowledgement) .
465               The segment carries an acknowledgement and the value of the
466               acknowledgement number field is valid and contains the next
467               sequence number that is expected from the receiver.
468
469           PSH (Push) .
470               The data in this segment should be immediately pushed to the
471               application layer on arrival.
472
473           RST (Reset) .
474               There was some problem and the sender wants to abort the
475               connection.
476
477           SYN (Synchronize) .
478               The segment is a request to synchronize sequence numbers and
479               establish a connection. The sequence number field contains the
480               sender's initial sequence number.
481
482           FIN (Finish) .
483               The sender wants to close the connection.
484
485       --win size (Window Size) .
486           Specifies the TCP window size, this is, the number of octets the
487           sender of the segment is willing to accept from the receiver at one
488           time. This is usually the size of the reception buffer that the OS
489           allocates for a given connection.  size must be a number in the
490           range [0–65535].
491
492       --badsum (Invalid Checksum) .
493           Asks Nping to use an invalid TCP checksum for the packets sent to
494           target hosts. Since virtually all host IP stacks properly drop
495           these packets, any responses received are likely coming from a
496           firewall or an IDS that didn't bother to verify the checksum. For
497           more details on this technique, see http://nmap.org/p60-12.html.
498

UDP MODE

500       -p port_spec, --dest-port port_spec (Target ports) .
501           This option specifies which ports you want UDP datagrams to be sent
502           to. It can be a single port, a comma-separated list of ports (e.g.
503           80,443,8080), a range (e.g.  1-1023), and any combination of those
504           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
505           a range may be omitted, causing Nping to use 1 and 65535,
506           respectively. So you can specify -p- to target ports from 1 through
507           65535. Using port zero is allowed if you specify it explicitly.
508
509       -g portnumber, --source-port portnumber (Spoof source port) .
510           This option asks Nping to use the specified port as source port for
511           the transmitted datagrams. Note that this might not work on all
512           systems or may require root privileges. Specified value must be an
513           integer in the range [0–65535].
514
515       --badsum (Invalid Checksum)
516           Asks Nping to use an invalid UDP checksum for the packets sent to
517           target hosts. Since virtually all host IP stacks properly drop
518           these packets, any responses received are likely coming from a
519           firewall or an IDS that didn't bother to verify the checksum. For
520           more details on this technique, see http://nmap.org/p60-12.html.
521

ICMP MODE

523       --icmp-type type (ICMP type) .
524           This option specifies which type of ICMP messages should be
525           generated.  type can be supplied in two different ways. You can use
526           the official type numbers assigned by IANA[1] (e.g.  --icmp-type 8
527           for ICMP Echo Request), or you can use any of the mnemonics listed
528           in the section called “ICMP Types”.
529
530       --icmp-code code (ICMP code) .
531           This option specifies which ICMP code should be included in the
532           generated ICMP messages.  code can be supplied in two different
533           ways. You can use the official code numbers assigned by IANA[1]
534           (e.g.  --icmp-code 1 for Fragment Reassembly Time Exceeded), or you
535           can use any of the mnemonics listed in the section called “ICMP
536           Codes”.
537
538       --icmp-id id (ICMP identifier) .
539           This option specifies the value of the identifier used in some of
540           the ICMP messages. In general it is used to match request and reply
541           messages.  id must be a number in the range [0–65535].
542
543       --icmp-seq seq (ICMP sequence) .
544           This option specifies the value of the sequence number field used
545           in some ICMP messages. In general it is used to match request and
546           reply messages.  id must be a number in the range [0–65535].
547
548       --icmp-redirect-addr addr (ICMP Redirect address) .
549           This option sets the address field in ICMP Redirect messages. In
550           other words, it sets the IP address of the router that should be
551           used when sending IP datagrams to the original destination.  addr
552           can be either an IPv4 address or a hostname.
553
554       --icmp-param-pointer pointer (ICMP Parameter Problem pointer) .
555           This option specifies the pointer that indicates the location of
556           the problem in ICMP Parameter Problem messages.  pointer should be
557           a number in the range [0–255]. Normally this option is only used
558           when ICMP code is set to 0 ("Pointer indicates the error").
559
560       --icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime) .
561           This option specifies the router advertisement lifetime, this is,
562           the number of seconds the information carried in an ICMP Router
563           Advertisement can be considered valid for.  ttl must be a positive
564           integer in the range [0–65535].
565
566       --icmp-advert-entry addr,pref (ICMP Router Advertisement Entry) .
567           This option adds a Router Advertisement entry to an ICMP Router
568           Advertisement message. The parameter must be two values separated
569           by a comma.  addr is the router's IP and can be specified either as
570           an IP address in dot-decimal notation or as a hostname.  pref is
571           the preference level for the specified IP. It must be a number in
572           the range [0–4294967295]. An example is --icmp-advert-entry
573           192.168.128.1,3.
574
575       --icmp-orig-time timestamp (ICMP Originate Timestamp) .
576           This option sets the Originate Timestamp in ICMP Timestamp
577           messages. The Originate Timestamp is expressed as the number of
578           milliseconds since midnight UTC and it corresponds to the time the
579           sender last touched the Timestamp message before its transmission.
580           timestamp can be specified as a regular time (e.g.  10s, 3h,
581           1000ms), or the special string now. You can add or subtract values
582           from now, for example --icmp-orig-time now-2s, --icmp-orig-time
583           now+1h, --icmp-orig-time now+200ms.
584
585       --icmp-recv-time timestamp (ICMP Receive Timestamp) .
586           This option sets the Receive Timestamp in ICMP Timestamp messages.
587           The Receive Timestamp is expressed as the number of milliseconds
588           since midnight UTC and it corresponds to the time the echoer first
589           touched the Timestamp message on receipt.  timestamp is as with
590           --icmp-orig-time.
591
592       --icmp-trans-time timestamp (ICMP Transmit Timestamp) .
593           This option sets the Transmit Timestamp in ICMP Timestamp messages.
594           The Transmit Timestamp is expressed as the number of milliseconds
595           since midnight UTC and it corresponds to the time the echoer last
596           touched the Timestamp message before its transmission.  timestamp
597           is as with --icmp-orig-time.
598
599   ICMP Types
600       These identifiers may be used as mnemonics for the ICMP type numbers
601       given to the --icmp-type.  option. In general there are three forms of
602       each identifier: the full name (e.g.  destination-unreachable), the
603       short name (e.g.  dest-unr), or the initials (e.g.  du). In ICMP types
604       that request something, the word "request" is omitted.
605
606       echo-reply, echo-rep, er
607           Echo Reply (type 0). This message is sent in response to an Echo
608           Request message.
609
610       destination-unreachable, dest-unr, du
611           Destination Unreachable (type 3). This message indicates that a
612           datagram could not be delivered to its destination.
613
614       source-quench, sour-que, sq
615           Source Quench (type 4). This message is used by a congested IP
616           device to tell other device that is sending packets too fast and
617           that it should slow down.
618
619       redirect, redi, r
620           Redirect (type 5). This message is normally used by routers to
621           inform a host that there is a better route to use for sending
622           datagrams. See also the --icmp-redirect-addr option.
623
624       echo-request, echo, e
625           Echo Request (type 8). This message is used to test the
626           connectivity of another device on a network.
627
628       router-advertisement, rout-adv, ra
629           Router Advertisement (type 9). This message is used by routers to
630           let hosts know of their existence and capabilities. See also the
631           --icmp-advert-lifetime option.
632
633       router-solicitation, rout-sol, rs
634           Router Solicitation (type 10). This message is used by hosts to
635           request Router Advertisement messages from any listening routers.
636
637       time-exceeded, time-exc, te
638           Time Exceeded (type 11). This message is generated by some
639           intermediate device (normally a router) to indicate that a datagram
640           has been discarded before reaching its destination because the IP
641           TTL expired.
642
643       parameter-problem, member-pro, pp
644           Parameter Problem (type 12). This message is used when a device
645           finds a problem with a parameter in an IP header and it cannot
646           continue processing it. See also the --icmp-param-pointer option.
647
648       timestamp, time, tm
649           Timestamp Request (type 13). This message is used to request a
650           device to send a timestamp value for propagation time calculation
651           and clock synchronization. See also the --icmp-orig-time,
652           --icmp-recv-time, and --icmp-trans-time.
653
654       timestamp-reply, time-rep, tr
655           Timestamp Reply (type 14). This message is sent in response to a
656           Timestamp Request message.
657
658       information, info, i
659           Information Request (type 15). This message is now obsolete but it
660           was originally used to request configuration information from
661           another device.
662
663       information-reply, info-rep, ir
664           Information Reply (type 16). This message is now obsolete but it
665           was originally sent in response to an Information Request message
666           to provide configuration information.
667
668       mask-request, mask, m
669           Address Mask Request (type 17). This message is used to ask a
670           device to send its subnet mask.
671
672       mask-reply, mask-rep, mr
673           Address Mask Reply (type 18). This message contains a subnet mask
674           and is sent in response to a Address Mask Request message.
675
676       traceroute, trace, tc
677           Traceroute (type 30). This message is normally sent by an
678           intermediate device when it receives an IP datagram with a
679           traceroute option. ICMP Traceroute messages are still experimental,
680           see RFC 1393.  for more information.
681
682   ICMP Codes
683       These identifiers may be used as mnemonics for the ICMP code numbers
684       given to the --icmp-code.  option. They are listed by the ICMP type
685       they correspond to.
686
687       Destination Unreachable
688           network-unreachable, netw-unr, net
689               Code 0. Datagram could not be delivered to its destination
690               network (probably due to some routing problem).
691
692           host-unreachable, host-unr, host
693               Code 1. Datagram was delivered to the destination network but
694               it was impossible to reach the specified host (probably due to
695               some routing problem).
696
697           protocol-unreachable, prot-unr, proto
698               Code 2. The protocol specified in the Protocol field of the IP
699               datagram is not supported by the host to which the datagram was
700               delivered.
701
702           port-unreachable, port-unr, port
703               Code 3. The TCP/UDP destination port was invalid.
704
705           needs-fragmentation, need-fra, frag
706               Code 4. Datagram had the DF bit set but it was too large for
707               the MTU of the next physical network so it had to be dropped.
708
709           source-route-failed, sour-rou, routefail
710               Code 5. IP datagram had a Source Route option but a router
711               couldn't pass it to the next hop.
712
713           network-unknown, netw-unk, net?
714               Code 6. Destination network is unknown. This code is never
715               used. Instead, Network Unreachable is used.
716
717           host-unknown, host-unk, host?
718               Code 7. Specified host is unknown. Usually generated by a
719               router local to the destination host to inform of a bad
720               address.
721
722           host-isolated, host-iso, isolated
723               Code 8. Source Host Isolated. Not used.
724
725           network-prohibited, netw-pro, !net
726               Code 9. Communication with destination network is
727               administratively prohibited (source device is not allowed to
728               send packets to the destination network).
729
730           host-prohibited, host-pro, !host
731               Code 10. Communication with destination host is
732               administratively prohibited. (The source device is allowed to
733               send packets to the destination network but not to the
734               destination device.)
735
736           network-tos, unreachable-network-tos, netw-tos, tosnet
737               Code 11. Destination network unreachable because it cannot
738               provide the type of service specified in the IP TOS field.
739
740           host-tos, unreachable-host-tos, toshost
741               Code 12. Destination host unreachable because it cannot provide
742               the type of service specified in the IP TOS field.
743
744           communication-prohibited, comm-pro, !comm
745               Code 13. Datagram could not be forwarded due to filtering that
746               blocks the message based on its contents.
747
748           host-precedence-violation, precedence-violation, prec-vio,
749           violation
750               Code 14. Precedence value in the IP TOS field is not permitted.
751
752           precedence-cutoff, prec-cut, cutoff
753               Code 15. Precedence value in the IP TOS field is lower than the
754               minimum allowed for the network.
755
756       Redirect
757           redirect-network, redi-net, net
758               Code 0. Redirect all future datagrams with the same destination
759               network as the original datagram, to the router specified in
760               the Address field. The use of this code is prohibited by RFC
761               1812..
762
763           redirect-host, redi-host, host
764               Code 1. Redirect all future datagrams with the same destination
765               host as the original datagram, to the router specified in the
766               Address field.
767
768           redirect-network-tos, redi-ntos, redir-ntos
769               Code 2. Redirect all future datagrams with the same destination
770               network and IP TOS value as the original datagram, to the
771               router specified in the Address field. The use of this code is
772               prohibited by RFC 1812.
773
774           redirect-host-tos, redi-htos, redir-htos
775               Code 3. Redirect all future datagrams with the same destination
776               host and IP TOS value as the original datagram, to the router
777               specified in the Address field.
778
779       Router Advertisement
780           normal-advertisement, norm-adv, normal, zero, default, def
781               Code 0. Normal router advertisement. In Mobile IP: Mobility
782               agent can act as a router for IP datagrams not related to
783               mobile nodes.
784
785           not-route-common-traffic, not-rou, mobile-ip, !route,
786           !commontraffic
787               Code 16. Used for Mobile IP. The mobility agent does not route
788               common traffic. All foreign agents must forward to a default
789               router any datagrams received from a registered mobile node
790
791       Time Exceeded
792           ttl-exceeded-in-transit, ttl-exc, ttl-transit
793               Code 0. IP Time To Live expired during transit.
794
795           fragment-reassembly-time-exceeded, frag-exc, frag-time
796               Code 1. Fragment reassembly time has been exceeded.
797
798       Parameter Problem
799           pointer-indicates-error, poin-ind, pointer
800               Code 0. The pointer field indicates the location of the
801               problem. See the --icmp-param-pointer option.
802
803           missing-required-option, miss-option, option-missing
804               Code 1. IP datagram was expected to have an option that is not
805               present.
806
807           bad-length, bad-len, badlen
808               Code 2. The length of the IP datagram is incorrect.
809

ARP MODE

811       --arp-type type (ICMP Type) .
812           This option specifies which type of ARP messages should be
813           generated.  type can be supplied in two different ways. You can use
814           the official numbers assigned by IANA[2] (e.g.  --arp-type 1 for
815           ARP Request), or you can use one of the mnemonics from the section
816           called “ARP Types”.
817
818       --arp-sender-mac mac (Sender MAC address) .
819           This option sets the Sender Hardware Address field of the ARP
820           header. Although ARP supports many types of link layer addresses,
821           currently Nping only supports MAC addresses.  mac must be specified
822           using the traditional MAC notation (e.g.  00:0a:8a:32:f4:ae). You
823           can also use hyphens as separators (e.g.  00-0a-8a-32-f4-ae).
824
825       --arp-sender-ip addr (Sender IP address) .
826           This option sets the Sender IP field of the ARP header.  addr can
827           be given as an IPv4 address or a hostname.
828
829       --arp-target-mac mac (target MAC address) .
830           This option sets the Target Hardware Address field of the ARP
831           header.
832
833       --arp-target-ip addr (target ip address) .
834           This option sets the Target IP field of the ARP header.
835
836   ARP Types
837       These identifiers may be used as mnemonics for the ARP type numbers
838       given to the --arp-type.  option.
839
840       arp-request, arp, a
841           ARP Request (type 1). ARP requests are used to translate network
842           layer addresses (normally IP addresses) to link layer addresses
843           (usually MAC addresses). Basically, and ARP request is a
844           broadcasted message that asks the host in the same network segment
845           that has a given IP address to provide its MAC address.
846
847       arp-reply, arp-rep, ar
848           ARP Reply (type 2). An ARP reply is a message that a host sends in
849           response to an ARP request to provide its link layer address.
850
851       rarp-request, rarp, r
852           RARP Requests (type 3). RARP requests are used to translate a link
853           layer address (normally a MAC address) to a network layer address
854           (usually an IP address). Basically a RARP request is a broadcasted
855           message sent by a host that wants to know his own IP address
856           because it doesn't have any. It was the first protocol designed to
857           solve the bootstrapping problem. However, RARP is now obsolete and
858           DHCP is used instead. For more information about RARP see RFC 903..
859
860       rarp-reply, rarp-rep, rr
861           RARP Reply (type 4). A RARP reply is a message sent in response to
862           a RARP request to provide an IP address to the host that sent the
863           RARP request in the first place.
864
865       drarp-request, drarp, d
866           Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP
867           used to obtain or assign a network layer address from a fixed link
868           layer address. DRARP was used mainly in Sun Microsystems platforms
869           in the late 90's but now it's no longer used. See RFC 1931.  for
870           more information.
871
872       drarp-reply, drarp-rep, dr
873           Dynamic RARP Reply (type 6). A DRARP reply is a message sent in
874           response to a RARP request to provide network layer address.
875
876       drarp-error, drarp-err, de
877           DRARP Error (type 7). DRARP Error messages are usually sent in
878           response to DRARP requests to inform of some error. In DRARP Error
879           messages, the Target Protocol Address field is used to carry an
880           error code (usually in the first byte). The error code is intended
881           to tell why no target protocol address is being returned. For more
882           information see RFC 1931.
883
884       inarp-request, inarp, i
885           Inverse ARP Request (type 8). InARP requests are used to translate
886           a link layer address to a network layer address. It is similar to
887           RARP request but in this case, the sender of the InARP request
888           wants to know the network layer address of another node, not its
889           own address. InARP is mainly used in Frame Relay and ATM networks.
890           For more information see RFC 2390..
891
892       inarp-reply, inarp-rep, ir
893           Inverse ARP Reply (type 9). InARP reply messages are sent in
894           response to InARP requests to provide the network layer address
895           associated with the host that has a given link layer address.
896
897       arp-nak, an
898           ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP
899           protocol and they are used to improve the robustness of the ATMARP
900           server mechanism. With ARP NAK, a client can determine the
901           difference between a catastrophic server failure and an ATMARP
902           table lookup failure. See RFC 1577.  for more information.
903

IPV4 OPTIONS

905       -S addr, --source-ip addr (Source IP Address) .
906           Sets the source IP address. This option lets you specify a custom
907           IP address to be used as source IP address in sent packets. This
908           allows spoofing the sender of the packets.  addr can be an IPv4
909           address or a hostname.
910
911       --dest-ip addr (Destination IP Address) .
912           Adds a target to Nping's target list. This option is provided for
913           consistency but its use is deprecated in favor of plain target
914           specifications. See the section called “TARGET SPECIFICATION”.
915
916       --tos tos (Type of Service) .
917           Sets the IP TOS field. The TOS field is used to carry information
918           to provide quality of service features. It is normally used to
919           support a technique called Differentiated Services. See RFC 2474.
920           for more information.  tos must be a number in the range [0–255].
921
922       --id id (Identification) .
923           Sets the IPv4 Identification field. The Identification field is a
924           16-bit value that is common to all fragments belonging to a
925           particular message. The value is used by the receiver to reassemble
926           the original message from the fragments received.  id must be a
927           number in the range [0–65535].
928
929       --df (Don't Fragment) .
930           Sets the Don't Fragment bit in sent packets. When an IP datagram
931           has its DF flag set, intermediate devices are not allowed to
932           fragment it so if it needs to travel across a network with a MTU
933           smaller that datagram length the datagram will have to be dropped.
934           Normally an ICMP Destination Unreachable message is generated and
935           sent back to the sender.
936
937       --mf (More Fragments) .
938           Sets the More Fragments bit in sent packets. The MF flag is set to
939           indicate the receiver that the current datagram is a fragment of
940           some larger datagram. When set to zero it indicates that the
941           current datagram is either the last fragment in the set or that it
942           is the only fragment.
943
944       --ttl hops (Time To Live) .
945           Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given
946           value. The TTL field specifies how long the datagram is allowed to
947           exist on the network. It was originally intended to represent a
948           number of seconds but it actually represents the number of hops a
949           packet can traverse before being dropped. The TTL tries to avoid a
950           situation in which undeliverable datagrams keep being forwarded
951           from one router to another endlessly.  hops must be a number in the
952           range [0–255].
953
954       --badsum-ip (Invalid IP checksum) .
955           Asks Nping to use an invalid IP checksum for packets sent to target
956           hosts. Note that some systems (like most Linux kernels), may fix
957           the checksum before placing the packet on the wire, so even if
958           Nping shows the incorrect checksum in its output, the packets may
959           be transparently corrected by the kernel.
960
961       --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP
962       Options) .
963           The IP protocol offers several options which may be placed in
964           packet headers. Unlike the ubiquitous TCP options, IP options are
965           rarely seen due to practicality and security concerns. In fact,
966           many Internet routers block the most dangerous options such as
967           source routing. Yet options can still be useful in some cases for
968           determining and manipulating the network route to target machines.
969           For example, you may be able to use the record route option to
970           determine a path to a target even when more traditional
971           traceroute-style approaches fail. Or if your packets are being
972           dropped by a certain firewall, you may be able to specify a
973           different route with the strict or loose source routing options.
974
975           The most powerful way to specify IP options is to simply pass in
976           hexadecimal data as the argument to --ip-options. Precede each hex
977           byte value with \x. You may repeat certain characters by following
978           them with an asterisk and then the number of times you wish them to
979           repeat. For example, \x01\x07\x04\x00*4 is the same as
980           \x01\x07\x04\x00\x00\x00\x00.
981
982           Note that if you specify a number of bytes that is not a multiple
983           of four, an incorrect IP header length will be set in the IP
984           packet. The reason for this is that the IP header length field can
985           only express multiples of four. In those cases, the length is
986           computed by dividing the header length by 4 and rounding down. This
987           will affect the way the header that follows the IP header is
988           interpreted, showing bogus information in Nping or in the output of
989           any sniffer. Although this kind of situation might be useful for
990           some stack stress tests, users would normally want to specify
991           explicit padding, so the correct header length is set.
992
993           Nping also offers a shortcut mechanism for specifying options.
994           Simply pass the letter R, T, or U to request record-route,
995           record-timestamp, or both options together, respectively. Loose or
996           strict source routing may be specified with an L or S followed by a
997           space and then a space-separated list of IP addresses.
998
999           For more information and examples of using IP options with Nping,
1000           see the mailing list post at
1001           http://seclists.org/nmap-dev/2006/q3/0052.html.
1002
1003       --mtu size (Maximum Transmission Unit) .
1004           This option sets a fictional MTU in Nping so IP datagrams larger
1005           than size are fragmented before transmission.  size must be
1006           specified in bytes and corresponds to the number of octets that can
1007           be carried on a single link-layer frame.
1008

IPV6 OPTIONS

1010       -6, --ipv6 (Use IPv6) .
1011           Tells Nping to use IP version 6 instead of the default IPv4. It is
1012           generally a good idea to specify this option as early as possible
1013           in the command line so Nping can parse it soon and know in advance
1014           that the rest of the parameters refer to IPv6. The command syntax
1015           is the same as usual except that you also add the -6 option. Of
1016           course, you must use IPv6 syntax if you specify an address rather
1017           than a hostname. An address might look like
1018           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
1019           recommended.
1020
1021           While IPv6 hasn't exactly taken the world by storm, it gets
1022           significant use in some (usually Asian) countries and most modern
1023           operating systems support it. To use Nping with IPv6, both the
1024           source and target of your packets must be configured for IPv6. If
1025           your ISP (like most of them) does not allocate IPv6 addresses to
1026           you, free tunnel brokers are widely available and work fine with
1027           Nping. You can use the free IPv6 tunnel broker service at
1028           http://www.tunnelbroker.net.
1029
1030           Please note that IPv6 support is still highly experimental and many
1031           modes and options may not work with it.
1032
1033       -S addr, --source-ip addr (Source IP Address) .
1034           Sets the source IP address. This option lets you specify a custom
1035           IP address to be used as source IP address in sent packets. This
1036           allows spoofing the sender of the packets.  addr can be an IPv6
1037           address or a hostname.
1038
1039       --dest-ip addr (Destination IP Address) .
1040           Adds a target to Nping's target list. This option is provided for
1041           consistency but its use is deprecated in favor of plain target
1042           specifications. See the section called “TARGET SPECIFICATION”.
1043
1044       --flow label (Flow Label) .
1045           Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and
1046           is intended to provide certain quality-of-service properties for
1047           real-time datagram delivery. However, it has not been widely
1048           adopted, and not all routers or endpoints support it. Check RFC
1049           2460.  for more information.  label must be an integer in the range
1050           [0–1048575].
1051
1052       --traffic-class class (Traffic Class) .
1053           Sets the IPv6 Traffic Class. This field is similar to the TOS field
1054           in IPv4, and is intended to provide the Differentiated Services
1055           method, enabling scalable service discrimination in the Internet
1056           without the need for per-flow state and signaling at every hop.
1057           Check RFC 2474.  for more information.  class must be an integer in
1058           the range [0–255].
1059
1060       --hop-limit hops (Hop Limit) .
1061           Sets the IPv6 Hop Limit field in sent packets to the given value.
1062           The Hop Limit field specifies how long the datagram is allowed to
1063           exist on the network. It represents the number of hops a packet can
1064           traverse before being dropped. As with the TTL in IPv4, IPv6 Hop
1065           Limit tries to avoid a situation in which undeliverable datagrams
1066           keep being forwarded from one router to another endlessly.  hops
1067           must be a number in the range [0–255].
1068

ETHERNET OPTIONS

1070       In most cases Nping sends packets at the raw IP level. This means that
1071       Nping creates its own IP packets and transmits them through a raw
1072       socket. However, in some cases it may be necessary to send packets at
1073       the raw Ethernet level. This happens, for example, when Nping is run
1074       under Windows (as Microsoft has disabled raw socket support since
1075       Windows XP SP2), or when Nping is asked to send ARP packets. Since in
1076       some cases it is necessary to construct ethernet frames, Nping offers
1077       some options to manipulate the different fields.
1078
1079       --dest-mac mac (Ethernet Destination MAC Address) .
1080           This option sets the destination MAC address that should be set in
1081           outgoing Ethernet frames. This is useful in case Nping can't
1082           determine the next hop's MAC address or when you want to route
1083           probes through a router other than the configured default gateway.
1084           The MAC address should have the usual format of six colon-separated
1085           bytes, e.g.  00:50:56:d4:01:98. Alternatively, hyphens may be used
1086           instead of colons. Use the word random or rand to generate a random
1087           address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you
1088           set up a bogus destination MAC address your probes may not reach
1089           the intended targets.
1090
1091       --source-mac mac (Ethernet Source MAC Address) .
1092           This option sets the source MAC address that should be set in
1093           outgoing Ethernet frames. This is useful in case Nping can't
1094           determine your network interface MAC address or when you want to
1095           inject traffic into the network while hiding your network card's
1096           real address. The syntax is the same as for --dest-mac. If you set
1097           up a bogus source MAC address you may not receive probe replies.
1098
1099       --ether-type type (Ethertype) .
1100           This option sets the Ethertype field of the ethernet frame. The
1101           Ethertype is used to indicate which protocol is encapsulated in the
1102           payload.  type can be supplied in two different ways. You can use
1103           the official numbers listed by the IEEE[3] (e.g.  --ether-type
1104           0x0800 for IP version 4), or one of the mnemonics from the section
1105           called “Ethernet Types”.
1106
1107   Ethernet Types
1108       These identifiers may be used as mnemonics for the Ethertype numbers
1109       given to the --arp-type.  option.
1110
1111       ipv4, ip, 4
1112           Internet Protocol version 4 (type 0x0800).
1113
1114       ipv6, 6
1115           Internet Protocol version 6 (type 0x86DD).
1116
1117       arp
1118           Address Resolution Protocol (type 0x0806).
1119
1120       rarp
1121           Reverse Address Resolution Protocol (type 0x8035).
1122
1123       frame-relay, frelay, fr
1124           Frame Relay (type 0x0808).
1125
1126       ppp
1127           Point-to-Point Protocol (type 0x880B).
1128
1129       gsmp
1130           General Switch Management Protocol (type 0x880C).
1131
1132       mpls
1133           Multiprotocol Label Switching (type 0x8847).
1134
1135       mps-ual, mps
1136           Multiprotocol Label Switching with Upstream-assigned Label (type
1137           0x8848).
1138
1139       mcap
1140           Multicast Channel Allocation Protocol (type 0x8861).
1141
1142       pppoe-discovery, pppoe-d
1143           PPP over Ethernet Discovery Stage (type 0x8863).
1144
1145       pppoe-session, pppoe-s
1146           PPP over Ethernet Session Stage (type 0x8864).
1147
1148       ctag
1149           Customer VLAN Tag Type (type 0x8100).
1150
1151       epon
1152           Ethernet Passive Optical Network (type 0x8808).
1153
1154       pbnac
1155           Port-based network access control (type 0x888E).
1156
1157       stag
1158           Service VLAN tag identifier (type 0x88A8).
1159
1160       ethexp1
1161           Local Experimental Ethertype 1 (type 0x88B5).
1162
1163       ethexp2
1164           Local Experimental Ethertype 2 (type 0x88B6).
1165
1166       ethoui
1167           OUI Extended Ethertype (type 0x88B7).
1168
1169       preauth
1170           Pre-Authentication (type 0x88C7).
1171
1172       lldp
1173           Link Layer Discovery Protocol (type 0x88CC).
1174
1175       mac-security, mac-sec, macsec
1176           Media Access Control Security (type 0x88E5).
1177
1178       mvrp
1179           Multiple VLAN Registration Protocol (type 0x88F5).
1180
1181       mmrp
1182           Multiple Multicast Registration Protocol (type 0x88F6).
1183
1184       frrr
1185           Fast Roaming Remote Request (type 0x890D).
1186

PAYLOAD OPTIONS

1188       --data hex string (Append custom binary data to sent packets) .
1189           This option lets you include binary data as payload in sent
1190           packets.  hex string may be specified in any of the following
1191           formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF...  or
1192           \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef
1193           and --data \xCA\xFE\x09. Note that if you specify a number like
1194           0x00ff no byte-order conversion is performed. Make sure you specify
1195           the information in the byte order expected by the receiver.
1196
1197       --data-string string (Append custom string to sent packets) .
1198           This option lets you include a regular string as payload in sent
1199           packets.  string can contain any string. However, note that some
1200           characters may depend on your system's locale and the receiver may
1201           not see the same information. Also, make sure you enclose the
1202           string in double quotes and escape any special characters from the
1203           shell. Example: --data-string "Jimmy Jazz...".
1204
1205       --data-length len (Append random data to sent packets) .
1206           This option lets you include len random bytes of data as payload in
1207           sent packets.  len must be an integer in the range [0–65400].
1208           However, values higher than 1400 are not recommended because it may
1209           not be possible to transmit packets due to network MTU limitations.
1210

ECHO MODE

1212       The "Echo Mode" is a novel technique implemented by Nping which lets
1213       users see how network packets change in transit, from the host where
1214       they originated to the target machine. Basically, the Echo mode turns
1215       Nping into two different pieces: the Echo server and the Echo client.
1216       The Echo server is a network service that has the ability to capture
1217       packets from the network and send a copy ("echo them") to the
1218       originating client through a side TCP channel. The Echo client is the
1219       part that generates such network packets, transmits them to the server,
1220       and receives their echoed version through a side TCP channel that it
1221       has previously established with the Echo server.
1222
1223       This scheme lets the client see the differences between the packets
1224       that it sends and what is actually received by the server. By having
1225       the server send back copies of the received packets through the side
1226       channel, things like NAT devices become immediately apparent to the
1227       client because it notices the changes in the source IP address (and
1228       maybe even source port). Other devices like those that perform traffic
1229       shaping, changing TCP window sizes or adding TCP options transparently
1230       between hosts, turn up too.
1231
1232       The Echo mode is also useful for troubleshooting routing and firewall
1233       issues. Among other things, it can be used to determine if the traffic
1234       generated by the Nping client is being dropped in transit and never
1235       gets to its destination or if the responses are the ones that don't get
1236       back to it.
1237
1238       Internally, client and server communicate over an encrypted and
1239       authenticated channel, using the Nping Echo Protocol (NEP), whose
1240       technical specification can be found in
1241       http://nmap.org/svn/nping/docs/EchoProtoRFC.txt
1242
1243       The following paragraphs describe the different options available in
1244       Nping's Echo mode.
1245
1246       --ec passphrase, --echo-client passphrase (Run Echo client) .
1247           This option tells Nping to run as an Echo client.  passphrase is a
1248           sequence of ASCII characters that is used to generate the
1249           cryptographic keys needed for encryption and authentication in a
1250           given session. The passphrase should be a secret that is also known
1251           by the server, and it may contain any number of printable ASCII
1252           characters. Passphrases that contain whitespace or special
1253           characters must be enclosed in double quotes.
1254
1255           When running Nping as an Echo client, most options from the regular
1256           raw probe modes apply. The client may be configured to send
1257           specific probes using flags like --tcp, --icmp or --udp. Protocol
1258           header fields may be manipulated normally using the appropriate
1259           options (e.g.  --ttl, --seq, --icmp-type, etc.). The only
1260           exceptions are ARP-related flags, which are not supported in Echo
1261           mode, as protocols like ARP are closely related to the data link
1262           layer and its probes can't pass through different network segments.
1263
1264       --es passphrase, --echo-server passphrase (Run Echo server) .
1265           This option tells Nping to run as an Echo server.  passphrase is a
1266           sequence of ASCII characters that is used to generate the
1267           cryptographic keys needed for encryption and authentication in a
1268           given session. The passphrase should be a secret that is also known
1269           by the clients, and it may contain any number of printable ASCII
1270           characters. Passphrases that contain whitespace or special
1271           characters must be enclosed in double quotes. Note that although it
1272           is not recommended, it is possible to use empty passphrases,
1273           supplying --echo-server "". However, if what you want is to set up
1274           an open Echo server, it is better to use option --no-crypto. See
1275           below for details.
1276
1277       --ep port, --echo-port port (Set Echo TCP port number) .
1278           This option asks Nping to use the specified TCP port number for the
1279           Echo side channel connection. If this option is used with
1280           --echo-server, it specifies the port on which the server listens
1281           for connections. If it is used with --echo-client, it specifies the
1282           port to connect to on the remote host. By default, port number 9929
1283           is used.
1284
1285       --nc, --no-crypto (Disable encryption and authentication) .
1286           This option asks Nping not to use any cryptographic operations
1287           during an Echo session. In practical terms, this means that the
1288           Echo side channel session data will be transmitted in the clear,
1289           and no authentication will be performed by the server or client
1290           during the session establishment phase. When --no-crypto is used,
1291           the passphrase supplied with --echo-server or --echo-client is
1292           ignored.
1293
1294           This option must be specified if Nping was compiled without openSSL
1295           support. Note that, for technical reasons, a passphrase still needs
1296           to be supplied after the --echo-client or --echo-server flags, even
1297           though it will be ignored.
1298
1299           The --no-crypto flag might be useful when setting up a public Echo
1300           server, because it allows users to connect to the Echo server
1301           without the need for any passphrase or shared secret. However, it
1302           is strongly recommended to not use --no-crypto unless absolutely
1303           necessary. Public Echo servers should be configured to use the
1304           passphrase "public" or the empty passphrase (--echo-server "") as
1305           the use of cryptography does not only provide confidentiality and
1306           authentication but also message integrity.
1307
1308       --once (Serve one client and quit) .
1309           This option asks the Echo server to quit after serving one client.
1310           This is useful when only a single Echo session wants to be
1311           established as it eliminates the need to access the remote host to
1312           shutdown the server.
1313
1314       --safe-payloads (Zero application data before echoing a packet) .
1315           This option asks the Echo server to erase any application layer
1316           data found in client packets before echoing them. When the option
1317           is enabled, the Echo server parses the packets received from Echo
1318           clients and tries to determine if they contain data beyond the
1319           transport layer. If such data is found, it is overwritten with
1320           zeroes before transmitting the packets to the appropriate Echo
1321           client.
1322
1323           Echo servers can handle multiple simultaneous clients running
1324           multiple echo sessions in parallel. In order to determine which
1325           packet needs to be echoed to which client and through which
1326           session, the Echo server uses an heuristic algorithm. Although we
1327           have taken every security measure that we could think of to prevent
1328           that a client receives an echoed packet that it did not generate,
1329           there is always a risk that our algorithm makes a mistake and
1330           delivers a packet to the wrong client. The --safe-payloads option
1331           is useful for public echo servers or critical deployments where
1332           that kind of mistake cannot be afforded.
1333
1334       The following examples illustrate how Nping's Echo mode can be used to
1335       discover intermediate devices.
1336
1337       Example 2. Discovering NAT devices
1338
1339               # nping --echo-client "public" echo.nmap.org --udp
1340
1341               Starting Nping ( http://nmap.org/nping )
1342               SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1343               CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1344               RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
1345               [...]
1346               SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1347               CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1348               RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56
1349
1350               Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
1351               Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
1352               Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
1353               Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
1354               Nping done: 1 IP address pinged in 6.18 seconds
1355
1356
1357       The output clearly shows the presence of a NAT device in the client's
1358       local network. Note how the captured packet (CAPT) differs from the
1359       SENT packet: the source address for the original packets is in the
1360       reserved 10.0.0.0/8 range, while the address seen by the server is
1361       80.38.10.21, the Internet side address of the NAT device. The source
1362       port was also modified by the device. The line starting with RCVD
1363       corresponds to the responses generated by the TCP/IP stack of the
1364       machine where the Echo server is run.
1365
1366       Example 3. Discovering a transparent proxy
1367
1368               # nping --echo-client "public" echo.nmap.org --tcp -p80
1369
1370               Starting Nping ( http://nmap.org/nping )
1371               SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1372               RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460>
1373               SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1374               SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1375               SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1376               SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1377
1378               Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
1379               Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
1380               Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
1381               Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
1382               Nping done: 1 IP address pinged in 6.39 seconds
1383
1384
1385       In this example, the output is a bit more tricky. The absence of error
1386       messages shows that the Echo client has successfully established an
1387       Echo session with the server. However, no CAPT packets can be seen in
1388       the output. This means that none of the transmitted packets reached the
1389       server. Interestingly, a TCP SYN-ACK packet was received in response to
1390       the first TCP-SYN packet (and also, it is known that the target host
1391       does not have port 80 open). This behavior reveals the presence of a
1392       transparent web proxy cache server (which in this case is an old MS ISA
1393       server).
1394

TIMING AND PERFORMANCE OPTIONS

1396       --delay time (Delay between probes) .
1397           This option lets you control for how long will Nping wait before
1398           sending the next probe. Like in many other ping tools, the default
1399           delay is one second.  time must be a positive integer or floating
1400           point number. By default it is specified in seconds, however you
1401           can give an explicit unit by appending ms for milliseconds, s for
1402           seconds, m for minutes, or h for hours (e.g.  2.5s, 45m, 2h).
1403
1404       --rate rate (Send probes at a given rate) .
1405           This option specifies the number of probes that Nping should send
1406           per second. This option and --delay are inverses; --rate 20 is the
1407           same as --delay 0.05. If both options are used, only the last one
1408           in the parameter list counts.
1409

MISCELLANEOUS OPTIONS

1411       -h, --help (Display help) .
1412           Displays help information and exits.
1413
1414       -V, --version (Display version) .
1415           Displays the program's version number and quits.
1416
1417       -c rounds, --count rounds (Stop after a given number of rounds) .
1418           This option lets you specify the number of times that Nping should
1419           loop over target hosts (and in some cases target ports). Nping
1420           calls these “rounds”. In a basic execution with only one target
1421           (and only one target port in TCP/UDP modes), the number of rounds
1422           matches the number of probes sent to the target host. However, in
1423           more complex executions where Nping is run against multiple targets
1424           and multiple ports, the number of rounds is the number of times
1425           that Nping sends a complete set of probes that covers all target
1426           IPs and all target ports. For example, if Nping is asked to send
1427           TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then
1428           256 × 2 = 512 packets are sent in one round. So if you specify -c
1429           100, Nping will loop over the different target hosts and ports 100
1430           times, sending a total of 256 × 2 × 100 = 51200 packets. By default
1431           Nping runs for 5 rounds. If a value of 0 is specified, Nping will
1432           run continuously.
1433
1434       -e name, --interface name (Set the network interface to be used) .
1435           This option tells Nping what interface should be used to send and
1436           receive packets. Nping should be able to detect this automatically,
1437           but it will tell you if it cannot.  name must be the name of an
1438           existing network interface with an assigned IP address.
1439
1440       --privileged (Assume that the user is fully privileged) .
1441           Tells Nping to simply assume that it is privileged enough to
1442           perform raw socket sends, packet sniffing, and similar operations
1443           that usually require special privileges. By default Nping quits if
1444           such operations are requested by a user that has no root or
1445           administrator privileges. This option may be useful on Linux, BSD
1446           or similar systems that can be configured to allow unprivileged
1447           users to perform raw-packet transmissions. The NPING_PRIVILEGED.
1448           environment variable may be set as an alternative to using
1449           --privileged.
1450
1451       --unprivileged (Assume that the user lacks raw socket privileges) .
1452           This option is the opposite of --privileged. It tells Nping to
1453           treat the user as lacking network raw socket and sniffing
1454           privileges. This is useful for testing, debugging, or when the raw
1455           network functionality of your operating system is somehow broken.
1456           The NPING_UNPRIVILEGED.  environment variable may be set as an
1457           alternative to using --unprivileged.
1458
1459       --send-eth (Use raw ethernet sending) .
1460           Asks Nping to send packets at the raw ethernet (data link) layer
1461           rather than the higher IP (network) layer. By default, Nping
1462           chooses the one which is generally best for the platform it is
1463           running on. Raw sockets (IP layer) are generally most efficient for
1464           Unix machines, while ethernet frames are required for Windows
1465           operation since Microsoft disabled raw socket support. Nping still
1466           uses raw IP packets despite this option when there is no other
1467           choice (such as non-ethernet connections).
1468
1469       --send-ip (Send at raw IP level) .
1470           Asks Nping to send packets via raw IP sockets rather than sending
1471           lower level ethernet frames. It is the complement to the --send-eth
1472           option.
1473
1474       --bpf-filter filter spec --filter filter spec (Set custom BPF filter) .
1475           This option lets you use a custom BPF filter. By default Nping
1476           chooses a filter that is intended to capture most common responses
1477           to the particular probes that are sent. For example, when sending
1478           TCP packets, the filter is set to capture packets whose destination
1479           port matches the probe's source port or ICMP error messages that
1480           may be generated by the target or any intermediate device as a
1481           result of the probe. If for some reason you expect strange packets
1482           in response to sent probes or you just want to sniff a particular
1483           kind of traffic, you can specify a custom filter using the BPF
1484           syntax used by tools like tcpdump..  See the documentation at
1485           http://www.tcpdump.org/ for more information.
1486
1487       -H, --hide-sent (Do not display sent packets) .
1488           This option tells Nping not to print information about sent
1489           packets. This can be useful when using very short inter-probe
1490           delays (i.e., when flooding), because printing information to the
1491           standard output has a computational cost and disabling it can
1492           probably speed things up a bit. Also, it may be useful when using
1493           Nping to detect active hosts or open ports (e.g. sending probes to
1494           all TCP ports in a /24 subnet). In that case, users may not want to
1495           see thousands of sent probes but just the replies generated by
1496           active hosts.
1497
1498       -N, --no-capture (Do not attempt to capture replies) .
1499           This option tells Nping to skip packet capture. This means that
1500           packets in response to sent probes will not be processed or
1501           displayed. This can be useful when doing flooding and network stack
1502           stress tests. Note that when this option is specified, most of the
1503           statistics shown at the end of the execution will be useless. This
1504           option does not work with TCP Connect mode.
1505

OUTPUT OPTIONS

1507       -v[level], --verbose [level] (Increase or set verbosity level) .
1508           Increases the verbosity level, causing Nping to print more
1509           information during its execution. There are 9 levels of verbosity
1510           (-4 to 4). Every instance of -v increments the verbosity level by
1511           one (from its default value, level 0). Every instance of option -q
1512           decrements the verbosity level by one. Alternatively you can
1513           specify the level directly, as in -v3 or -v-1. These are the
1514           available levels:
1515
1516           Level −4
1517               No output at all. In some circumstances you may not want Nping
1518               to produce any output (like when one of your work mates is
1519               watching over your shoulder). In that case level −4 can be
1520               useful because although you won't see any response packets,
1521               probes will still be sent.
1522
1523           Level −3
1524               Like level −4 but displays fatal error messages so you can
1525               actually see if Nping is running or it failed due to some
1526               error.
1527
1528           Level −2
1529               Like level −3 but also displays warnings and recoverable
1530               errors.
1531
1532           Level −1
1533               Displays traditional run-time information (version, start time,
1534               statistics, etc.) but does not display sent or received
1535               packets.
1536
1537           Level 0
1538               This is the default verbosity level. It behaves like level −1
1539               but also displays sent and received packets and some other
1540               important information.
1541
1542           Level 1
1543               Like level 0 but it displays detailed information about timing,
1544               flags, protocol details, etc.
1545
1546           Level 2
1547               Like level 1 but displays very detailed information about sent
1548               and received packets and other interesting information.
1549
1550           Level 3
1551               Like level 2 but also displays the raw hexadecimal dump of sent
1552               and received packets.
1553
1554           Level 4 and higher
1555               Same as level 3.
1556
1557       -q[level], --reduce-verbosity [level] (Decrease verbosity level) .
1558           Decreases the verbosity level, causing Nping to print less
1559           information during its execution.
1560
1561       -d[level] (Increase or set debugging level) .
1562           When even verbose mode doesn't provide sufficient data for you,
1563           debugging is available to flood you with much more! As with the -v,
1564           debugging is enabled with a command-line flag -d and the debug
1565           level can be increased by specifying it multiple times. There are 7
1566           debugging levels (0 to 6). Every instance of -d increments
1567           debugging level by one. Provide an argument to -d to set the level
1568           directly; for example -d4.
1569
1570           Debugging output is useful when you suspect a bug in Nping, or if
1571           you are simply confused as to what Nping is doing and why. As this
1572           feature is mostly intended for developers, debug lines aren't
1573           always self-explanatory. You may get something like
1574
1575               NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS
1576
1577           If you don't understand a line, your only recourses are to ignore
1578           it, look it up in the source code, or request help from the
1579           development list (nmap-dev). Some lines are self-explanatory, but
1580           the messages become more obscure as the debug level is increased.
1581           These are the available levels:
1582
1583           Level 0
1584               Level 0. No debug information at all. This is the default
1585               level.
1586
1587           Level 1
1588               In this level, only very important or high-level debug
1589               information will be printed.
1590
1591           Level 2
1592               Like level 1 but also displays important or medium-level debug
1593               information
1594
1595           Level 3
1596               Like level 2 but also displays regular and low-level debug
1597               information.
1598
1599           Level 4
1600               Like level 3 but also displays messages only a real Nping freak
1601               would want to see.
1602
1603           Level 5
1604               Like level 4 but it enables basic debug information related to
1605               external libraries like Nsock..
1606
1607           Level 6
1608               Like level 5 but it enables full, very detailed, debug
1609               information related to external libraries like Nsock.
1610

BUGS

1612       Like its author, Nping isn't perfect. But you can help make it better
1613       by sending bug reports or even writing patches. If Nping doesn't behave
1614       the way you expect, first upgrade to the latest Nmap version available
1615       from http://nmap.org/download.html. If the problem persists, do some
1616       research to determine whether it has already been discovered and
1617       addressed. Try searching for the error message on our search page at
1618       http://insecure.org/search.html or at Google. Also try browsing the
1619       nmap-dev archives at http://seclists.org/.  Read this full manual page
1620       as well. If nothing comes out of this, mail a bug report to
1621       <dev@nmap.org>. Please include everything you have learned about the
1622       problem, as well as what version of Nping you are running and what
1623       operating system version it is running on. Problem reports and Nping
1624       usage questions sent to <dev@nmap.org> are far more likely to be
1625       answered than those sent to Fyodor directly. If you subscribe to the
1626       nmap-dev list before posting, your message will bypass moderation and
1627       get through more quickly. Subscribe at
1628       http://nmap.org/mailman/listinfo/dev.
1629
1630       Code patches to fix bugs are even better than bug reports. Basic
1631       instructions for creating patch files with your changes are available
1632       at https://svn.nmap.org/nmap/HACKING. Patches may be sent to nmap-dev
1633       (recommended) or to any of the authors listed in the next section
1634       directly.
1635

AUTHORS

1637       Luis MartinGarcia <luis.mgarc@gmail.com> (http://aldabaknocking.com)
1638
1639       Fyodor <fyodor@nmap.org> (http://insecure.org)
1640

NOTES

1642        1. official type numbers assigned by IANA
1643           http://www.iana.org/assignments/icmp-parameters
1644
1645        2. official numbers assigned by IANA
1646           http://www.iana.org/assignments/arp-parameters/
1647
1648        3. official numbers listed by the IEEE
1649           http://standards.ieee.org/regauth/ethertype/eth.txt
1650
1651
1652
1653Nping                             07/28/2013                          NPING(1)
Impressum