1NPING(1)                     Nping Reference Guide                    NPING(1)
2
3
4

NAME

6       nping - Network packet generation tool / ping utility
7

SYNOPSIS

9       nping [Options] {targets}
10

DESCRIPTION

12       Nping is an open-source tool for network packet generation, response
13       analysis and response time measurement. Nping allows users to generate
14       network packets of a wide range of protocols, letting them tune
15       virtually any field of the protocol headers. While Nping can be used as
16       a simple ping utility to detect active hosts, it can also be used as a
17       raw packet generator for network stack stress tests, ARP poisoning,
18       Denial of Service attacks, route tracing, and other purposes.
19
20       Additionally, Nping offers a special mode of operation called the "Echo
21       Mode", that lets users see how the generated probes change in transit,
22       revealing the differences between the transmitted packets and the
23       packets received at the other end. See section "Echo Mode" for details.
24
25       The output from Nping is a list of the packets that are being sent and
26       received. The level of detail depends on the options used.
27
28       A typical Nping execution is shown in Example 1. The only Nping
29       arguments used in this example are -c, to specify the number of times
30       to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to
31       specify the target ports; and then the two target hostnames.
32
33       Example 1. A representative Nping execution
34
35           # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com
36
37           Starting Nping ( https://nmap.org/nping )
38           SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40  seq=1077657388 win=1480
39           RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
40           SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
41           RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
42           SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40  seq=1077657388 win=1480
43           SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480
44
45           Statistics for host scanme.nmap.org (64.13.134.52):
46            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
47            |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
48           Statistics for host google.com (74.125.45.100):
49            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
50            |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
51           Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
52           Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
53           Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
54           Nping done: 2 IP addresses pinged in 4.01 seconds
55
56       The newest version of Nping can be obtained with Nmap at
57       https://nmap.org. The newest version of this man page is available at
58       https://nmap.org/book/nping-man.html.
59
60       -->
61         .SH "OPTIONS SUMMARY"
62
63       This options summary is printed when Nping is run with no arguments. It
64       helps people remember the most common options, but is no substitute for
65       the in-depth documentation in the rest of this manual. Some obscure
66       options aren't even included here.
67
68           Nping 0.5.59BETA1 ( https://nmap.org/nping )
69           Usage: nping [Probe mode] [Options] {target specification}
70
71           TARGET SPECIFICATION:
72             Targets may be specified as hostnames, IP addresses, networks, etc.
73             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
74           PROBE MODES:
75             --tcp-connect                    : Unprivileged TCP connect probe mode.
76             --tcp                            : TCP probe mode.
77             --udp                            : UDP probe mode.
78             --icmp                           : ICMP probe mode.
79             --arp                            : ARP/RARP probe mode.
80             --tr, --traceroute               : Traceroute mode (can only be used with
81                                                TCP/UDP/ICMP modes).
82           TCP CONNECT MODE:
83              -p, --dest-port <port spec>     : Set destination port(s).
84              -g, --source-port <portnumber>  : Try to use a custom source port.
85           TCP PROBE MODE:
86              -g, --source-port <portnumber>  : Set source port.
87              -p, --dest-port <port spec>     : Set destination port(s).
88              --seq <seqnumber>               : Set sequence number.
89              --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
90              --ack <acknumber>               : Set ACK number.
91              --win <size>                    : Set window size.
92              --badsum                        : Use a random invalid checksum.
93           UDP PROBE MODE:
94              -g, --source-port <portnumber>  : Set source port.
95              -p, --dest-port <port spec>     : Set destination port(s).
96              --badsum                        : Use a random invalid checksum.
97           ICMP PROBE MODE:
98             --icmp-type <type>               : ICMP type.
99             --icmp-code <code>               : ICMP code.
100             --icmp-id <id>                   : Set identifier.
101             --icmp-seq <n>                   : Set sequence number.
102             --icmp-redirect-addr <addr>      : Set redirect address.
103             --icmp-param-pointer <pnt>       : Set parameter problem pointer.
104             --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
105             --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
106             --icmp-orig-time  <timestamp>    : Set originate timestamp.
107             --icmp-recv-time  <timestamp>    : Set receive timestamp.
108             --icmp-trans-time <timestamp>    : Set transmit timestamp.
109           ARP/RARP PROBE MODE:
110             --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
111             --arp-sender-mac <mac>           : Set sender MAC address.
112             --arp-sender-ip  <addr>          : Set sender IP address.
113             --arp-target-mac <mac>           : Set target MAC address.
114             --arp-target-ip  <addr>          : Set target IP address.
115           IPv4 OPTIONS:
116             -S, --source-ip                  : Set source IP address.
117             --dest-ip <addr>                 : Set destination IP address (used as an
118                                                alternative to {target specification} ).
119             --tos <tos>                      : Set type of service field (8bits).
120             --id  <id>                       : Set identification field (16 bits).
121             --df                             : Set Don't Fragment flag.
122             --mf                             : Set More Fragments flag.
123             --ttl <hops>                     : Set time to live [0-255].
124             --badsum-ip                      : Use a random invalid checksum.
125             --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
126             --ip-options <hex string>                    : Set IP options
127             --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
128                                                small enough.
129           IPv6 OPTIONS:
130             -6, --IPv6                       : Use IP version 6.
131             --dest-ip                        : Set destination IP address (used as an
132                                                alternative to {target specification}).
133             --hop-limit                      : Set hop limit (same as IPv4 TTL).
134             --traffic-class <class> :        : Set traffic class.
135             --flow <label>                   : Set flow label.
136           ETHERNET OPTIONS:
137             --dest-mac <mac>                 : Set destination mac address. (Disables
138                                                ARP resolution)
139             --source-mac <mac>               : Set source MAC address.
140             --ether-type <type>              : Set EtherType value.
141           PAYLOAD OPTIONS:
142             --data <hex string>              : Include a custom payload.
143             --data-string <text>             : Include a custom ASCII text.
144             --data-length <len>              : Include len random bytes as payload.
145           ECHO CLIENT/SERVER:
146             --echo-client <passphrase>       : Run Nping in client mode.
147             --echo-server <passphrase>       : Run Nping in server mode.
148             --echo-port <port>               : Use custom <port> to listen or connect.
149             --no-crypto                      : Disable encryption and authentication.
150             --once                           : Stop the server after one connection.
151             --safe-payloads                  : Erase application data in echoed packets.
152           TIMING AND PERFORMANCE:
153             Options which take <time> are in seconds, or append 'ms' (milliseconds),
154             's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
155             --delay <time>                   : Adjust delay between probes.
156             --rate  <rate>                   : Send num packets per second.
157           MISC:
158             -h, --help                       : Display help information.
159             -V, --version                    : Display current version number.
160             -c, --count <n>                  : Stop after <n> rounds.
161             -e, --interface <name>           : Use supplied network interface.
162             -H, --hide-sent                  : Do not display sent packets.
163             -N, --no-capture                 : Do not try to capture replies.
164             --privileged                     : Assume user is fully privileged.
165             --unprivileged                   : Assume user lacks raw socket privileges.
166             --send-eth                       : Send packets at the raw ethernet layer.
167             --send-ip                        : Send packets using raw IP sockets.
168             --bpf-filter <filter spec>       : Specify custom BPF filter.
169           OUTPUT:
170             -v                               : Increment verbosity level by one.
171             -v[level]                        : Set verbosity level. E.g: -v4
172             -d                               : Increment debugging level by one.
173             -d[level]                        : Set debugging level. E.g: -d3
174             -q                               : Decrease verbosity level by one.
175             -q[N]                            : Decrease verbosity level N times
176             --quiet                          : Set verbosity and debug level to minimum.
177             --debug                          : Set verbosity and debug to the max level.
178           EXAMPLES:
179             nping scanme.nmap.org
180             nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
181             nping --icmp --icmp-type time --delay 500ms 192.168.254.254
182             nping --echo-server "public" -e wlan0 -vvv
183             nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
184
185           SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
186
187

TARGET SPECIFICATION

189       Everything on the Nping command line that isn't an option or an option
190       argument is treated as a target host specification. Nping uses the same
191       syntax for target specifications that Nmap does. The simplest case is a
192       single target given by IP address or hostname.
193
194       Nping supports CIDR-style addressing. You can append /numbits to an
195       IPv4 address or hostname and Nping will send probes to every IP address
196       for which the first numbits are the same as for the reference IP or
197       hostname given. For example, 192.168.10.0/24 would send probes to the
198       256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
199       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
200       11111111), inclusive.  192.168.10.40/24 would ping exactly the same
201       targets. Given that the host scanme.nmap.org is at the IP address
202       64.13.134.52, the specification scanme.nmap.org/16 would send probes to
203       the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
204       smallest allowed value is /0, which targets the whole Internet. The
205       largest value is /32, which targets just the named host or IP address
206       because all address bits are fixed.
207
208       CIDR notation is short but not always flexible enough. For example, you
209       might want to send probes to 192.168.0.0/16 but skip any IPs ending
210       with .0 or .255 because they may be used as subnet network and
211       broadcast addresses. Nping supports this through octet range
212       addressing. Rather than specify a normal IP address, you can specify a
213       comma-separated list of numbers or ranges for each octet. For example,
214       192.168.0-255.1-254 will skip all addresses in the range that end in .0
215       or .255, and 192.168.3-5,7.1 will target the four addresses
216       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
217       a range may be omitted; the default values are 0 on the left and 255 on
218       the right. Using - by itself is the same as 0-255, but remember to use
219       0- in the first octet so the target specification doesn't look like a
220       command-line option. Ranges need not be limited to the final octets:
221       the specifier 0-.-.13.37 will send probes to all IP addresses on the
222       Internet ending in .13.37. This sort of broad sampling can be useful
223       for Internet surveys and research.
224
225       IPv6 addresses can only be specified by their fully qualified IPv6
226       address or hostname. CIDR and octet ranges aren't supported for IPv6
227       because they are rarely useful.
228
229       Nping accepts multiple host specifications on the command line, and
230       they don't need to be the same type. The command nping scanme.nmap.org
231       192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.
232

OPTION SPECIFICATION

234       Nping is designed to be very flexible and fit a wide variety of needs.
235       As with most command-line tools, its behavior can be adjusted using
236       command-line options. These general principles apply to option
237       arguments, unless stated otherwise.
238
239       Options that take integer numbers can accept values specified in
240       decimal, octal or hexadecimal base. When a number starts with 0x, it
241       will be treated as hexadecimal; when it simply starts with 0, it will
242       be treated as octal. Otherwise, Nping will assume the number has been
243       specified in base 10. Virtually all numbers that can be supplied from
244       the command line are unsigned so, as a general rule, the minimum value
245       is zero. Users may also specify the word random or rand to make Nping
246       generate a random value within the expected range.
247
248       IP addresses may be given as IPv4 addresses (e.g.  192.168.1.1), IPv6
249       addresses (e.g.  2001:db8:85a3::8e4c:760:7146), or hostnames, which
250       will be resolved using the default DNS server configured in the host
251       system.
252
253       Options that take MAC addresses accept the usual colon-separated 6 hex
254       byte format (e.g.  00:50:56:d4:01:98). Hyphens may also be used instead
255       of colons (e.g.  00-50-56-c0-00-08). The special word random or rand
256       sets a random address and the word broadcast or bcast sets
257       ff:ff:ff:ff:ff:ff.
258

GENERAL OPERATION

260       Unlike other ping and packet generation tools, Nping supports multiple
261       target host and port specifications. While this provides great
262       flexibility, it is not obvious how Nping handles situations where there
263       is more than one host and/or more than one port to send probes to. This
264       section explains how Nping behaves in these cases.
265
266       When multiple target hosts are specified, Nping rotates among them in
267       round-robin fashion. This gives slow hosts more time to send their
268       responses before another probe is sent to them. Ports are also
269       scheduled using round robin. So, unless only one port is specified,
270       Nping never sends two probes to the same target host and port
271       consecutively.
272
273       The loop around targets is the “inner loop” and the loop around ports
274       is the “outer loop”. All targets will be sent a probe for a given port
275       before moving on to the next port. Between probes, Nping waits a
276       configurable amount of time called the “inter-probe delay”, which is
277       controlled by the --delay option. These examples show how it works.
278
279               # nping --tcp -c 2 1.1.1.1 -p 100-102
280
281               Starting Nping ( https://nmap.org/nping )
282               SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
283               SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
284               SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
285               SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
286               SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
287               SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102
288
289               # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080
290
291               Starting Nping ( https://nmap.org/nping )
292               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
293               SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
294               SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
295               SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
296               SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
297               SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080
298
299               # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139
300
301               Starting Nping ( https://nmap.org/nping )
302               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
303               SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
304               SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
305               SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
306               SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
307               SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
308               SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
309               SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
310               SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139
311

PROBE MODES

313       Nping supports a wide variety of protocols. Although in some cases
314       Nping can automatically determine the mode from the options used, it is
315       generally a good idea to specify it explicitly.
316
317       --tcp-connect (TCP Connect mode)
318           TCP connect mode is the default mode when a user does not have raw
319           packet privileges. Instead of writing raw packets as most other
320           modes do, Nping asks the underlying operating system to establish a
321           connection with the target machine and port by issuing the connect
322           system call. This is the same high-level system call that web
323           browsers, P2P clients, and most other network-enabled applications
324           use to establish a connection. It is part of a programming
325           interface known as the Berkeley Sockets API. Rather than read raw
326           packet responses off the wire, Nping uses this API to obtain status
327           information on each connection attempt. For this reason, you will
328           not be able to see the contents of the packets that are sent or
329           received but only status information about the TCP connection
330           establishment taking place.
331
332       --tcp (TCP mode)
333           TCP is the mode that lets users create and send any kind of TCP
334           packet. TCP packets are sent embedded in IP packets that can also
335           be tuned. This mode can be used for many different purposes. For
336           example you could try to discover open ports by sending TCP SYN
337           messages without completing the three-way handshake. This technique
338           is often referred to as half-open scanning, because you don't open
339           a full TCP connection. You send a SYN packet, as if you are going
340           to open a real connection and then wait for a response. A SYN/ACK
341           indicates the port is open, while a RST indicates it's closed. If
342           no response is received one could assume that some intermediate
343           network device is filtering the responses. Another use could be to
344           see how a remote TCP/IP stack behaves when it receives a
345           non-RFC-compliant packet, like one with both SYN and RST flags set.
346           One could also do some evil by creating custom RST packets using an
347           spoofed IP address with the intent of closing an active TCP
348           connection.
349
350       --udp (UDP mode)
351           UDP mode can have two different behaviours. Under normal
352           circumstances, it lets users create custom IP/UDP packets. However,
353           if Nping is run by a user without raw packet privileges and no
354           changes to the default protocol headers are requested, then Nping
355           enters the unprivileged UDP mode which basically sends UDP packets
356           to the specified target hosts and ports using the sendto system
357           call. Note that in this unprivileged mode it is not possible to see
358           low-level header information of the packets on the wire but only
359           status information about the amount of bytes that are being
360           transmitted and received. UDP mode can be used to interact with any
361           UDP-based server. Examples are DNS servers, streaming servers,
362           online gaming servers, and port knocking/single-packet
363           authorization daemons.
364
365       --icmp (ICMP mode)
366           ICMP mode is the default mode when the user runs Nping with raw
367           packet privileges. Any kind of ICMP message can be created. The
368           default ICMP type is Echo, i.e., ping. ICMP mode can be used for
369           many different purposes, from a simple request for a timestamp or a
370           netmask to the transmission of fake destination unreachable
371           messages, custom redirects, and router advertisements.
372
373       --arp (ARP/RARP mode)
374           ARP lets you create and send a few different ARP-related packets.
375           These include ARP, RARP, DRARP, and InARP requests and replies.
376           This mode can ban be used to perform low-level host discovery, and
377           conduct ARP-cache poisoning attacks.
378
379       --traceroute (Traceroute mode)
380           Traceroute is not a mode by itself but a complement to TCP, UDP,
381           and ICMP modes. When this option is specified Nping will set the IP
382           TTL value of the first probe to 1. When the next router receives
383           the packet it will drop it due to the expiration of the TTL and it
384           will generate an ICMP destination unreachable message. The next
385           probe will have a TTL of 2 so now the first router will forward the
386           packet while the second router will be the one that drops the
387           packet and generates the ICMP message. The third probe will have a
388           TTL value of 3 and so on. By examining the source addresses of all
389           those ICMP Destination Unreachable messages it is possible to
390           determine the path that the probes take until they reach their
391           final destination.
392

TCP CONNECT MODE

394       -p port_spec, --dest-port port_spec (Target ports)
395           This option specifies which ports you want to try to connect to. It
396           can be a single port, a comma-separated list of ports (e.g.
397           80,443,8080), a range (e.g.  1-1023), and any combination of those
398           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
399           a range may be omitted, causing Nping to use 1 and 65535,
400           respectively. So you can specify -p- to target ports from 1 through
401           65535. Using port zero is allowed if you specify it explicitly.
402
403       -g portnumber, --source-port portnumber (Spoof source port)
404           This option asks Nping to use the specified port as source port for
405           the TCP connections. Note that this might not work on all systems
406           or may require root privileges. Specified value must be an integer
407           in the range [0–65535].
408

TCP MODE

410       -p port_spec, --dest-port port_spec (Target ports)
411           This option specifies which destination ports you want to send
412           probes to. It can be a single port, a comma-separated list of ports
413           (e.g.  80,443,8080), a range (e.g.  1-1023), and any combination of
414           those (e.g.  21-25,80,443,1024-2048). The beginning and/or end
415           values of a range may be omitted, causing Nping to use 1 and 65535,
416           respectively. So you can specify -p- to target ports from 1 through
417           65535. Using port zero is allowed if you specify it explicitly.
418
419       -g portnumber, --source-port portnumber (Spoof source port)
420           This option asks Nping to use the specified port as source port for
421           the TCP connections. Note that this might not work on all systems
422           or may require root privileges. Specified value must be an integer
423           in the range [0–65535].
424
425       --seq seqnumber (Sequence Number)
426           Specifies the TCP sequence number. In SYN packets this is the
427           initial sequence number (ISN). In a normal transmission this
428           corresponds to the sequence number of the first byte of data in the
429           segment.  seqnumber must be a number in the range [0–4294967295].
430
431       --flags flags (TCP Flags)
432           This option specifies which flags should be set in the TCP packet.
433           flags may be specified in three different ways:
434
435            1. As a comma-separated list of flags, e.g.  --flags syn,ack,rst
436
437            2. As a list of one-character flag initials, e.g.  --flags SAR
438               tells Nping to set flags SYN, ACK, and RST.
439
440            3. As an 8-bit hexadecimal number, where the supplied number is
441               the exact value that will be placed in the flags field of the
442               TCP header. The number should start with the prefix 0x and
443               should be in the range [0x00–0xFF], e.g.  --flags 0x20 sets the
444               URG flag as 0x20 corresponds to binary 00100000 and the URG
445               flag is represented by the third bit.
446
447           There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST,
448           SYN, and FIN. The special value ALL means to set all flags.  NONE
449           means to set no flags. It is important that if you don't want any
450           flag to be set, you request it explicitly because in some cases the
451           SYN flag may be set by default. Here is a brief description of the
452           meaning of each flag:
453
454           CWR (Congestion Window Reduced)
455               Set by an ECN-Capable sender when it reduces its congestion
456               window (due to a retransmit timeout, a fast retransmit or in
457               response to an ECN notification.
458
459           ECN (Explicit Congestion Notification)
460               During the three-way handshake it indicates that sender is
461               capable of performing explicit congestion notification.
462               Normally it means that a packet with the IP Congestion
463               Experienced flag set was received during normal transmission.
464               See RFC 3168 for more information.
465
466           URG (Urgent)
467               Segment is urgent and the urgent pointer field carries valid
468               information.
469
470           ACK (Acknowledgement)
471               The segment carries an acknowledgement and the value of the
472               acknowledgement number field is valid and contains the next
473               sequence number that is expected from the receiver.
474
475           PSH (Push)
476               The data in this segment should be immediately pushed to the
477               application layer on arrival.
478
479           RST (Reset)
480               There was some problem and the sender wants to abort the
481               connection.
482
483           SYN (Synchronize)
484               The segment is a request to synchronize sequence numbers and
485               establish a connection. The sequence number field contains the
486               sender's initial sequence number.
487
488           FIN (Finish)
489               The sender wants to close the connection.
490
491       --win size (Window Size)
492           Specifies the TCP window size, this is, the number of octets the
493           sender of the segment is willing to accept from the receiver at one
494           time. This is usually the size of the reception buffer that the OS
495           allocates for a given connection.  size must be a number in the
496           range [0–65535].
497
498       --badsum (Invalid Checksum)
499           Asks Nping to use an invalid TCP checksum for the packets sent to
500           target hosts. Since virtually all host IP stacks properly drop
501           these packets, any responses received are likely coming from a
502           firewall or an IDS that didn't bother to verify the checksum. For
503           more details on this technique, see https://nmap.org/p60-12.html.
504

UDP MODE

506       -p port_spec, --dest-port port_spec (Target ports)
507           This option specifies which ports you want UDP datagrams to be sent
508           to. It can be a single port, a comma-separated list of ports (e.g.
509           80,443,8080), a range (e.g.  1-1023), and any combination of those
510           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
511           a range may be omitted, causing Nping to use 1 and 65535,
512           respectively. So you can specify -p- to target ports from 1 through
513           65535. Using port zero is allowed if you specify it explicitly.
514
515       -g portnumber, --source-port portnumber (Spoof source port)
516           This option asks Nping to use the specified port as source port for
517           the transmitted datagrams. Note that this might not work on all
518           systems or may require root privileges. Specified value must be an
519           integer in the range [0–65535].
520
521       --badsum (Invalid Checksum)
522           Asks Nping to use an invalid UDP checksum for the packets sent to
523           target hosts. Since virtually all host IP stacks properly drop
524           these packets, any responses received are likely coming from a
525           firewall or an IDS that didn't bother to verify the checksum. For
526           more details on this technique, see https://nmap.org/p60-12.html.
527

ICMP MODE

529       --icmp-type type (ICMP type)
530           This option specifies which type of ICMP messages should be
531           generated.  type can be supplied in two different ways. You can use
532           the official type numbers assigned by IANA[1] (e.g.  --icmp-type 8
533           for ICMP Echo Request), or you can use any of the mnemonics listed
534           in the section called “ICMP Types”.
535
536       --icmp-code code (ICMP code)
537           This option specifies which ICMP code should be included in the
538           generated ICMP messages.  code can be supplied in two different
539           ways. You can use the official code numbers assigned by IANA[1]
540           (e.g.  --icmp-code 1 for Fragment Reassembly Time Exceeded), or you
541           can use any of the mnemonics listed in the section called “ICMP
542           Codes”.
543
544       --icmp-id id (ICMP identifier)
545           This option specifies the value of the identifier used in some of
546           the ICMP messages. In general it is used to match request and reply
547           messages.  id must be a number in the range [0–65535].
548
549       --icmp-seq seq (ICMP sequence)
550           This option specifies the value of the sequence number field used
551           in some ICMP messages. In general it is used to match request and
552           reply messages.  id must be a number in the range [0–65535].
553
554       --icmp-redirect-addr addr (ICMP Redirect address)
555           This option sets the address field in ICMP Redirect messages. In
556           other words, it sets the IP address of the router that should be
557           used when sending IP datagrams to the original destination.  addr
558           can be either an IPv4 address or a hostname.
559
560       --icmp-param-pointer pointer (ICMP Parameter Problem pointer)
561           This option specifies the pointer that indicates the location of
562           the problem in ICMP Parameter Problem messages.  pointer should be
563           a number in the range [0–255]. Normally this option is only used
564           when ICMP code is set to 0 ("Pointer indicates the error").
565
566       --icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime)
567           This option specifies the router advertisement lifetime, this is,
568           the number of seconds the information carried in an ICMP Router
569           Advertisement can be considered valid for.  ttl must be a positive
570           integer in the range [0–65535].
571
572       --icmp-advert-entry addr,pref (ICMP Router Advertisement Entry)
573           This option adds a Router Advertisement entry to an ICMP Router
574           Advertisement message. The parameter must be two values separated
575           by a comma.  addr is the router's IP and can be specified either as
576           an IP address in dot-decimal notation or as a hostname.  pref is
577           the preference level for the specified IP. It must be a number in
578           the range [0–4294967295]. An example is --icmp-advert-entry
579           192.168.128.1,3.
580
581       --icmp-orig-time timestamp (ICMP Originate Timestamp)
582           This option sets the Originate Timestamp in ICMP Timestamp
583           messages. The Originate Timestamp is expressed as the number of
584           milliseconds since midnight UTC and it corresponds to the time the
585           sender last touched the Timestamp message before its transmission.
586           timestamp can be specified as a regular time (e.g.  10s, 3h,
587           1000ms), or the special string now. You can add or subtract values
588           from now, for example --icmp-orig-time now-2s, --icmp-orig-time
589           now+1h, --icmp-orig-time now+200ms.
590
591       --icmp-recv-time timestamp (ICMP Receive Timestamp)
592           This option sets the Receive Timestamp in ICMP Timestamp messages.
593           The Receive Timestamp is expressed as the number of milliseconds
594           since midnight UTC and it corresponds to the time the echoer first
595           touched the Timestamp message on receipt.  timestamp is as with
596           --icmp-orig-time.
597
598       --icmp-trans-time timestamp (ICMP Transmit Timestamp)
599           This option sets the Transmit Timestamp in ICMP Timestamp messages.
600           The Transmit Timestamp is expressed as the number of milliseconds
601           since midnight UTC and it corresponds to the time the echoer last
602           touched the Timestamp message before its transmission.  timestamp
603           is as with --icmp-orig-time.
604
605   ICMP Types
606       These identifiers may be used as mnemonics for the ICMP type numbers
607       given to the --icmp-type option. In general there are three forms of
608       each identifier: the full name (e.g.  destination-unreachable), the
609       short name (e.g.  dest-unr), or the initials (e.g.  du). In ICMP types
610       that request something, the word "request" is omitted.
611
612       echo-reply, echo-rep, er
613           Echo Reply (type 0). This message is sent in response to an Echo
614           Request message.
615
616       destination-unreachable, dest-unr, du
617           Destination Unreachable (type 3). This message indicates that a
618           datagram could not be delivered to its destination.
619
620       source-quench, sour-que, sq
621           Source Quench (type 4). This message is used by a congested IP
622           device to tell other device that is sending packets too fast and
623           that it should slow down.
624
625       redirect, redi, r
626           Redirect (type 5). This message is normally used by routers to
627           inform a host that there is a better route to use for sending
628           datagrams. See also the --icmp-redirect-addr option.
629
630       echo-request, echo, e
631           Echo Request (type 8). This message is used to test the
632           connectivity of another device on a network.
633
634       router-advertisement, rout-adv, ra
635           Router Advertisement (type 9). This message is used by routers to
636           let hosts know of their existence and capabilities. See also the
637           --icmp-advert-lifetime option.
638
639       router-solicitation, rout-sol, rs
640           Router Solicitation (type 10). This message is used by hosts to
641           request Router Advertisement messages from any listening routers.
642
643       time-exceeded, time-exc, te
644           Time Exceeded (type 11). This message is generated by some
645           intermediate device (normally a router) to indicate that a datagram
646           has been discarded before reaching its destination because the IP
647           TTL expired.
648
649       parameter-problem, member-pro, pp
650           Parameter Problem (type 12). This message is used when a device
651           finds a problem with a parameter in an IP header and it cannot
652           continue processing it. See also the --icmp-param-pointer option.
653
654       timestamp, time, tm
655           Timestamp Request (type 13). This message is used to request a
656           device to send a timestamp value for propagation time calculation
657           and clock synchronization. See also the --icmp-orig-time,
658           --icmp-recv-time, and --icmp-trans-time.
659
660       timestamp-reply, time-rep, tr
661           Timestamp Reply (type 14). This message is sent in response to a
662           Timestamp Request message.
663
664       information, info, i
665           Information Request (type 15). This message is now obsolete but it
666           was originally used to request configuration information from
667           another device.
668
669       information-reply, info-rep, ir
670           Information Reply (type 16). This message is now obsolete but it
671           was originally sent in response to an Information Request message
672           to provide configuration information.
673
674       mask-request, mask, m
675           Address Mask Request (type 17). This message is used to ask a
676           device to send its subnet mask.
677
678       mask-reply, mask-rep, mr
679           Address Mask Reply (type 18). This message contains a subnet mask
680           and is sent in response to a Address Mask Request message.
681
682       traceroute, trace, tc
683           Traceroute (type 30). This message is normally sent by an
684           intermediate device when it receives an IP datagram with a
685           traceroute option. ICMP Traceroute messages are still experimental,
686           see RFC 1393 for more information.
687
688   ICMP Codes
689       These identifiers may be used as mnemonics for the ICMP code numbers
690       given to the --icmp-code option. They are listed by the ICMP type they
691       correspond to.
692
693       Destination Unreachable
694           network-unreachable, netw-unr, net
695               Code 0. Datagram could not be delivered to its destination
696               network (probably due to some routing problem).
697
698           host-unreachable, host-unr, host
699               Code 1. Datagram was delivered to the destination network but
700               it was impossible to reach the specified host (probably due to
701               some routing problem).
702
703           protocol-unreachable, prot-unr, proto
704               Code 2. The protocol specified in the Protocol field of the IP
705               datagram is not supported by the host to which the datagram was
706               delivered.
707
708           port-unreachable, port-unr, port
709               Code 3. The TCP/UDP destination port was invalid.
710
711           needs-fragmentation, need-fra, frag
712               Code 4. Datagram had the DF bit set but it was too large for
713               the MTU of the next physical network so it had to be dropped.
714
715           source-route-failed, sour-rou, routefail
716               Code 5. IP datagram had a Source Route option but a router
717               couldn't pass it to the next hop.
718
719           network-unknown, netw-unk, net?
720               Code 6. Destination network is unknown. This code is never
721               used. Instead, Network Unreachable is used.
722
723           host-unknown, host-unk, host?
724               Code 7. Specified host is unknown. Usually generated by a
725               router local to the destination host to inform of a bad
726               address.
727
728           host-isolated, host-iso, isolated
729               Code 8. Source Host Isolated. Not used.
730
731           network-prohibited, netw-pro, !net
732               Code 9. Communication with destination network is
733               administratively prohibited (source device is not allowed to
734               send packets to the destination network).
735
736           host-prohibited, host-pro, !host
737               Code 10. Communication with destination host is
738               administratively prohibited. (The source device is allowed to
739               send packets to the destination network but not to the
740               destination device.)
741
742           network-tos, unreachable-network-tos, netw-tos, tosnet
743               Code 11. Destination network unreachable because it cannot
744               provide the type of service specified in the IP TOS field.
745
746           host-tos, unreachable-host-tos, toshost
747               Code 12. Destination host unreachable because it cannot provide
748               the type of service specified in the IP TOS field.
749
750           communication-prohibited, comm-pro, !comm
751               Code 13. Datagram could not be forwarded due to filtering that
752               blocks the message based on its contents.
753
754           host-precedence-violation, precedence-violation, prec-vio,
755           violation
756               Code 14. Precedence value in the IP TOS field is not permitted.
757
758           precedence-cutoff, prec-cut, cutoff
759               Code 15. Precedence value in the IP TOS field is lower than the
760               minimum allowed for the network.
761
762       Redirect
763           redirect-network, redi-net, net
764               Code 0. Redirect all future datagrams with the same destination
765               network as the original datagram, to the router specified in
766               the Address field. The use of this code is prohibited by RFC
767               1812.
768
769           redirect-host, redi-host, host
770               Code 1. Redirect all future datagrams with the same destination
771               host as the original datagram, to the router specified in the
772               Address field.
773
774           redirect-network-tos, redi-ntos, redir-ntos
775               Code 2. Redirect all future datagrams with the same destination
776               network and IP TOS value as the original datagram, to the
777               router specified in the Address field. The use of this code is
778               prohibited by RFC 1812.
779
780           redirect-host-tos, redi-htos, redir-htos
781               Code 3. Redirect all future datagrams with the same destination
782               host and IP TOS value as the original datagram, to the router
783               specified in the Address field.
784
785       Router Advertisement
786           normal-advertisement, norm-adv, normal, zero, default, def
787               Code 0. Normal router advertisement. In Mobile IP: Mobility
788               agent can act as a router for IP datagrams not related to
789               mobile nodes.
790
791           not-route-common-traffic, not-rou, mobile-ip, !route,
792           !commontraffic
793               Code 16. Used for Mobile IP. The mobility agent does not route
794               common traffic. All foreign agents must forward to a default
795               router any datagrams received from a registered mobile node
796
797       Time Exceeded
798           ttl-exceeded-in-transit, ttl-exc, ttl-transit
799               Code 0. IP Time To Live expired during transit.
800
801           fragment-reassembly-time-exceeded, frag-exc, frag-time
802               Code 1. Fragment reassembly time has been exceeded.
803
804       Parameter Problem
805           pointer-indicates-error, poin-ind, pointer
806               Code 0. The pointer field indicates the location of the
807               problem. See the --icmp-param-pointer option.
808
809           missing-required-option, miss-option, option-missing
810               Code 1. IP datagram was expected to have an option that is not
811               present.
812
813           bad-length, bad-len, badlen
814               Code 2. The length of the IP datagram is incorrect.
815

ARP MODE

817       --arp-type type (ICMP Type)
818           This option specifies which type of ARP messages should be
819           generated.  type can be supplied in two different ways. You can use
820           the official numbers assigned by IANA[2] (e.g.  --arp-type 1 for
821           ARP Request), or you can use one of the mnemonics from the section
822           called “ARP Types”.
823
824       --arp-sender-mac mac (Sender MAC address)
825           This option sets the Sender Hardware Address field of the ARP
826           header. Although ARP supports many types of link layer addresses,
827           currently Nping only supports MAC addresses.  mac must be specified
828           using the traditional MAC notation (e.g.  00:0a:8a:32:f4:ae). You
829           can also use hyphens as separators (e.g.  00-0a-8a-32-f4-ae).
830
831       --arp-sender-ip addr (Sender IP address)
832           This option sets the Sender IP field of the ARP header.  addr can
833           be given as an IPv4 address or a hostname.
834
835       --arp-target-mac mac (target MAC address)
836           This option sets the Target Hardware Address field of the ARP
837           header.
838
839       --arp-target-ip addr (target ip address)
840           This option sets the Target IP field of the ARP header.
841
842   ARP Types
843       These identifiers may be used as mnemonics for the ARP type numbers
844       given to the --arp-type option.
845
846       arp-request, arp, a
847           ARP Request (type 1). ARP requests are used to translate network
848           layer addresses (normally IP addresses) to link layer addresses
849           (usually MAC addresses). Basically, and ARP request is a
850           broadcasted message that asks the host in the same network segment
851           that has a given IP address to provide its MAC address.
852
853       arp-reply, arp-rep, ar
854           ARP Reply (type 2). An ARP reply is a message that a host sends in
855           response to an ARP request to provide its link layer address.
856
857       rarp-request, rarp, r
858           RARP Requests (type 3). RARP requests are used to translate a link
859           layer address (normally a MAC address) to a network layer address
860           (usually an IP address). Basically a RARP request is a broadcasted
861           message sent by a host that wants to know his own IP address
862           because it doesn't have any. It was the first protocol designed to
863           solve the bootstrapping problem. However, RARP is now obsolete and
864           DHCP is used instead. For more information about RARP see RFC 903.
865
866       rarp-reply, rarp-rep, rr
867           RARP Reply (type 4). A RARP reply is a message sent in response to
868           a RARP request to provide an IP address to the host that sent the
869           RARP request in the first place.
870
871       drarp-request, drarp, d
872           Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP
873           used to obtain or assign a network layer address from a fixed link
874           layer address. DRARP was used mainly in Sun Microsystems platforms
875           in the late 90's but now it's no longer used. See RFC 1931 for more
876           information.
877
878       drarp-reply, drarp-rep, dr
879           Dynamic RARP Reply (type 6). A DRARP reply is a message sent in
880           response to a RARP request to provide network layer address.
881
882       drarp-error, drarp-err, de
883           DRARP Error (type 7). DRARP Error messages are usually sent in
884           response to DRARP requests to inform of some error. In DRARP Error
885           messages, the Target Protocol Address field is used to carry an
886           error code (usually in the first byte). The error code is intended
887           to tell why no target protocol address is being returned. For more
888           information see RFC 1931.
889
890       inarp-request, inarp, i
891           Inverse ARP Request (type 8). InARP requests are used to translate
892           a link layer address to a network layer address. It is similar to
893           RARP request but in this case, the sender of the InARP request
894           wants to know the network layer address of another node, not its
895           own address. InARP is mainly used in Frame Relay and ATM networks.
896           For more information see RFC 2390.
897
898       inarp-reply, inarp-rep, ir
899           Inverse ARP Reply (type 9). InARP reply messages are sent in
900           response to InARP requests to provide the network layer address
901           associated with the host that has a given link layer address.
902
903       arp-nak, an
904           ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP
905           protocol and they are used to improve the robustness of the ATMARP
906           server mechanism. With ARP NAK, a client can determine the
907           difference between a catastrophic server failure and an ATMARP
908           table lookup failure. See RFC 1577 for more information.
909

IPV4 OPTIONS

911       -S addr, --source-ip addr (Source IP Address)
912           Sets the source IP address. This option lets you specify a custom
913           IP address to be used as source IP address in sent packets. This
914           allows spoofing the sender of the packets.  addr can be an IPv4
915           address or a hostname.
916
917       --dest-ip addr (Destination IP Address)
918           Adds a target to Nping's target list. This option is provided for
919           consistency but its use is deprecated in favor of plain target
920           specifications. See the section called “TARGET SPECIFICATION”.
921
922       --tos tos (Type of Service)
923           Sets the IP TOS field. The TOS field is used to carry information
924           to provide quality of service features. It is normally used to
925           support a technique called Differentiated Services. See RFC 2474
926           for more information.  tos must be a number in the range [0–255].
927
928       --id id (Identification)
929           Sets the IPv4 Identification field. The Identification field is a
930           16-bit value that is common to all fragments belonging to a
931           particular message. The value is used by the receiver to reassemble
932           the original message from the fragments received.  id must be a
933           number in the range [0–65535].
934
935       --df (Don't Fragment)
936           Sets the Don't Fragment bit in sent packets. When an IP datagram
937           has its DF flag set, intermediate devices are not allowed to
938           fragment it so if it needs to travel across a network with a MTU
939           smaller that datagram length the datagram will have to be dropped.
940           Normally an ICMP Destination Unreachable message is generated and
941           sent back to the sender.
942
943       --mf (More Fragments)
944           Sets the More Fragments bit in sent packets. The MF flag is set to
945           indicate the receiver that the current datagram is a fragment of
946           some larger datagram. When set to zero it indicates that the
947           current datagram is either the last fragment in the set or that it
948           is the only fragment.
949
950       --ttl hops (Time To Live)
951           Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given
952           value. The TTL field specifies how long the datagram is allowed to
953           exist on the network. It was originally intended to represent a
954           number of seconds but it actually represents the number of hops a
955           packet can traverse before being dropped. The TTL tries to avoid a
956           situation in which undeliverable datagrams keep being forwarded
957           from one router to another endlessly.  hops must be a number in the
958           range [0–255].
959
960       --badsum-ip (Invalid IP checksum)
961           Asks Nping to use an invalid IP checksum for packets sent to target
962           hosts. Note that some systems (like most Linux kernels), may fix
963           the checksum before placing the packet on the wire, so even if
964           Nping shows the incorrect checksum in its output, the packets may
965           be transparently corrected by the kernel.
966
967       --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP
968       Options)
969           The IP protocol offers several options which may be placed in
970           packet headers. Unlike the ubiquitous TCP options, IP options are
971           rarely seen due to practicality and security concerns. In fact,
972           many Internet routers block the most dangerous options such as
973           source routing. Yet options can still be useful in some cases for
974           determining and manipulating the network route to target machines.
975           For example, you may be able to use the record route option to
976           determine a path to a target even when more traditional
977           traceroute-style approaches fail. Or if your packets are being
978           dropped by a certain firewall, you may be able to specify a
979           different route with the strict or loose source routing options.
980
981           The most powerful way to specify IP options is to simply pass in
982           hexadecimal data as the argument to --ip-options. Precede each hex
983           byte value with \x. You may repeat certain characters by following
984           them with an asterisk and then the number of times you wish them to
985           repeat. For example, \x01\x07\x04\x00*4 is the same as
986           \x01\x07\x04\x00\x00\x00\x00.
987
988           Note that if you specify a number of bytes that is not a multiple
989           of four, an incorrect IP header length will be set in the IP
990           packet. The reason for this is that the IP header length field can
991           only express multiples of four. In those cases, the length is
992           computed by dividing the header length by 4 and rounding down. This
993           will affect the way the header that follows the IP header is
994           interpreted, showing bogus information in Nping or in the output of
995           any sniffer. Although this kind of situation might be useful for
996           some stack stress tests, users would normally want to specify
997           explicit padding, so the correct header length is set.
998
999           Nping also offers a shortcut mechanism for specifying options.
1000           Simply pass the letter R, T, or U to request record-route,
1001           record-timestamp, or both options together, respectively. Loose or
1002           strict source routing may be specified with an L or S followed by a
1003           space and then a space-separated list of IP addresses.
1004
1005           For more information and examples of using IP options with Nping,
1006           see the mailing list post at
1007           http://seclists.org/nmap-dev/2006/q3/0052.html.
1008
1009       --mtu size (Maximum Transmission Unit)
1010           This option sets a fictional MTU in Nping so IP datagrams larger
1011           than size are fragmented before transmission.  size must be
1012           specified in bytes and corresponds to the number of octets that can
1013           be carried on a single link-layer frame.
1014

IPV6 OPTIONS

1016       -6, --ipv6 (Use IPv6)
1017           Tells Nping to use IP version 6 instead of the default IPv4. It is
1018           generally a good idea to specify this option as early as possible
1019           in the command line so Nping can parse it soon and know in advance
1020           that the rest of the parameters refer to IPv6. The command syntax
1021           is the same as usual except that you also add the -6 option. Of
1022           course, you must use IPv6 syntax if you specify an address rather
1023           than a hostname. An address might look like
1024           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
1025           recommended.
1026
1027           While IPv6 hasn't exactly taken the world by storm, it gets
1028           significant use in some (usually Asian) countries and most modern
1029           operating systems support it. To use Nping with IPv6, both the
1030           source and target of your packets must be configured for IPv6. If
1031           your ISP (like most of them) does not allocate IPv6 addresses to
1032           you, free tunnel brokers are widely available and work fine with
1033           Nping. You can use the free IPv6 tunnel broker service at
1034           http://www.tunnelbroker.net.
1035
1036           Please note that IPv6 support is still highly experimental and many
1037           modes and options may not work with it.
1038
1039       -S addr, --source-ip addr (Source IP Address)
1040           Sets the source IP address. This option lets you specify a custom
1041           IP address to be used as source IP address in sent packets. This
1042           allows spoofing the sender of the packets.  addr can be an IPv6
1043           address or a hostname.
1044
1045       --dest-ip addr (Destination IP Address)
1046           Adds a target to Nping's target list. This option is provided for
1047           consistency but its use is deprecated in favor of plain target
1048           specifications. See the section called “TARGET SPECIFICATION”.
1049
1050       --flow label (Flow Label)
1051           Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and
1052           is intended to provide certain quality-of-service properties for
1053           real-time datagram delivery. However, it has not been widely
1054           adopted, and not all routers or endpoints support it. Check RFC
1055           2460 for more information.  label must be an integer in the range
1056           [0–1048575].
1057
1058       --traffic-class class (Traffic Class)
1059           Sets the IPv6 Traffic Class. This field is similar to the TOS field
1060           in IPv4, and is intended to provide the Differentiated Services
1061           method, enabling scalable service discrimination in the Internet
1062           without the need for per-flow state and signaling at every hop.
1063           Check RFC 2474 for more information.  class must be an integer in
1064           the range [0–255].
1065
1066       --hop-limit hops (Hop Limit)
1067
1068           Sets the IPv6 Hop Limit field in sent packets to the given value.
1069           The Hop Limit field specifies how long the datagram is allowed to
1070           exist on the network. It represents the number of hops a packet can
1071           traverse before being dropped. As with the TTL in IPv4, IPv6 Hop
1072           Limit tries to avoid a situation in which undeliverable datagrams
1073           keep being forwarded from one router to another endlessly.  hops
1074           must be a number in the range [0–255].
1075

ETHERNET OPTIONS

1077       In most cases Nping sends packets at the raw IP level. This means that
1078       Nping creates its own IP packets and transmits them through a raw
1079       socket. However, in some cases it may be necessary to send packets at
1080       the raw Ethernet level. This happens, for example, when Nping is run
1081       under Windows (as Microsoft has disabled raw socket support since
1082       Windows XP SP2), or when Nping is asked to send ARP packets. Since in
1083       some cases it is necessary to construct ethernet frames, Nping offers
1084       some options to manipulate the different fields.
1085
1086       --dest-mac mac (Ethernet Destination MAC Address)
1087           This option sets the destination MAC address that should be set in
1088           outgoing Ethernet frames. This is useful in case Nping can't
1089           determine the next hop's MAC address or when you want to route
1090           probes through a router other than the configured default gateway.
1091           The MAC address should have the usual format of six colon-separated
1092           bytes, e.g.  00:50:56:d4:01:98. Alternatively, hyphens may be used
1093           instead of colons. Use the word random or rand to generate a random
1094           address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you
1095           set up a bogus destination MAC address your probes may not reach
1096           the intended targets.
1097
1098       --source-mac mac (Ethernet Source MAC Address)
1099           This option sets the source MAC address that should be set in
1100           outgoing Ethernet frames. This is useful in case Nping can't
1101           determine your network interface MAC address or when you want to
1102           inject traffic into the network while hiding your network card's
1103           real address. The syntax is the same as for --dest-mac. If you set
1104           up a bogus source MAC address you may not receive probe replies.
1105
1106       --ether-type type (Ethertype)
1107           This option sets the Ethertype field of the ethernet frame. The
1108           Ethertype is used to indicate which protocol is encapsulated in the
1109           payload.  type can be supplied in two different ways. You can use
1110           the official numbers listed by the IEEE[3] (e.g.  --ether-type
1111           0x0800 for IP version 4), or one of the mnemonics from the section
1112           called “Ethernet Types”.
1113
1114   Ethernet Types
1115       These identifiers may be used as mnemonics for the Ethertype numbers
1116       given to the --arp-type option.
1117
1118       ipv4, ip, 4
1119           Internet Protocol version 4 (type 0x0800).
1120
1121       ipv6, 6
1122           Internet Protocol version 6 (type 0x86DD).
1123
1124       arp
1125           Address Resolution Protocol (type 0x0806).
1126
1127       rarp
1128           Reverse Address Resolution Protocol (type 0x8035).
1129
1130       frame-relay, frelay, fr
1131           Frame Relay (type 0x0808).
1132
1133       ppp
1134           Point-to-Point Protocol (type 0x880B).
1135
1136       gsmp
1137           General Switch Management Protocol (type 0x880C).
1138
1139       mpls
1140           Multiprotocol Label Switching (type 0x8847).
1141
1142       mps-ual, mps
1143           Multiprotocol Label Switching with Upstream-assigned Label (type
1144           0x8848).
1145
1146       mcap
1147           Multicast Channel Allocation Protocol (type 0x8861).
1148
1149       pppoe-discovery, pppoe-d
1150           PPP over Ethernet Discovery Stage (type 0x8863).
1151
1152       pppoe-session, pppoe-s
1153           PPP over Ethernet Session Stage (type 0x8864).
1154
1155       ctag
1156           Customer VLAN Tag Type (type 0x8100).
1157
1158       epon
1159           Ethernet Passive Optical Network (type 0x8808).
1160
1161       pbnac
1162           Port-based network access control (type 0x888E).
1163
1164       stag
1165           Service VLAN tag identifier (type 0x88A8).
1166
1167       ethexp1
1168           Local Experimental Ethertype 1 (type 0x88B5).
1169
1170       ethexp2
1171           Local Experimental Ethertype 2 (type 0x88B6).
1172
1173       ethoui
1174           OUI Extended Ethertype (type 0x88B7).
1175
1176       preauth
1177           Pre-Authentication (type 0x88C7).
1178
1179       lldp
1180           Link Layer Discovery Protocol (type 0x88CC).
1181
1182       mac-security, mac-sec, macsec
1183           Media Access Control Security (type 0x88E5).
1184
1185       mvrp
1186           Multiple VLAN Registration Protocol (type 0x88F5).
1187
1188       mmrp
1189           Multiple Multicast Registration Protocol (type 0x88F6).
1190
1191       frrr
1192           Fast Roaming Remote Request (type 0x890D).
1193

PAYLOAD OPTIONS

1195       --data hex string (Append custom binary data to sent packets)
1196           This option lets you include binary data as payload in sent
1197           packets.  hex string may be specified in any of the following
1198           formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF...  or
1199           \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef
1200           and --data \xCA\xFE\x09. Note that if you specify a number like
1201           0x00ff no byte-order conversion is performed. Make sure you specify
1202           the information in the byte order expected by the receiver.
1203
1204       --data-string string (Append custom string to sent packets)
1205           This option lets you include a regular string as payload in sent
1206           packets.  string can contain any string. However, note that some
1207           characters may depend on your system's locale and the receiver may
1208           not see the same information. Also, make sure you enclose the
1209           string in double quotes and escape any special characters from the
1210           shell. Example: --data-string "Jimmy Jazz...".
1211
1212       --data-length len (Append random data to sent packets)
1213           This option lets you include len random bytes of data as payload in
1214           sent packets.  len must be an integer in the range [0–65400].
1215           However, values higher than 1400 are not recommended because it may
1216           not be possible to transmit packets due to network MTU limitations.
1217

ECHO MODE

1219       The "Echo Mode" is a novel technique implemented by Nping which lets
1220       users see how network packets change in transit, from the host where
1221       they originated to the target machine. Basically, the Echo mode turns
1222       Nping into two different pieces: the Echo server and the Echo client.
1223       The Echo server is a network service that has the ability to capture
1224       packets from the network and send a copy ("echo them") to the
1225       originating client through a side TCP channel. The Echo client is the
1226       part that generates such network packets, transmits them to the server,
1227       and receives their echoed version through a side TCP channel that it
1228       has previously established with the Echo server.
1229
1230       This scheme lets the client see the differences between the packets
1231       that it sends and what is actually received by the server. By having
1232       the server send back copies of the received packets through the side
1233       channel, things like NAT devices become immediately apparent to the
1234       client because it notices the changes in the source IP address (and
1235       maybe even source port). Other devices like those that perform traffic
1236       shaping, changing TCP window sizes or adding TCP options transparently
1237       between hosts, turn up too.
1238
1239       The Echo mode is also useful for troubleshooting routing and firewall
1240       issues. Among other things, it can be used to determine if the traffic
1241       generated by the Nping client is being dropped in transit and never
1242       gets to its destination or if the responses are the ones that don't get
1243       back to it.
1244
1245       Internally, client and server communicate over an encrypted and
1246       authenticated channel, using the Nping Echo Protocol (NEP), whose
1247       technical specification can be found in
1248       https://nmap.org/svn/nping/docs/EchoProtoRFC.txt
1249
1250       The following paragraphs describe the different options available in
1251       Nping's Echo mode.
1252
1253       --ec passphrase, --echo-client passphrase (Run Echo client)
1254           This option tells Nping to run as an Echo client.  passphrase is a
1255           sequence of ASCII characters that is used used to generate the
1256           cryptographic keys needed for encryption and authentication in a
1257           given session. The passphrase should be a secret that is also known
1258           by the server, and it may contain any number of printable ASCII
1259           characters. Passphrases that contain whitespace or special
1260           characters must be enclosed in double quotes.
1261
1262           When running Nping as an Echo client, most options from the regular
1263           raw probe modes apply. The client may be configured to send
1264           specific probes using flags like --tcp, --icmp or --udp. Protocol
1265           header fields may be manipulated normally using the appropriate
1266           options (e.g.  --ttl, --seq, --icmp-type, etc.). The only
1267           exceptions are ARP-related flags, which are not supported in Echo
1268           mode, as protocols like ARP are closely related to the data link
1269           layer and its probes can't pass through different network segments.
1270
1271       --es passphrase, --echo-server passphrase (Run Echo server)
1272           This option tells Nping to run as an Echo server.  passphrase is a
1273           sequence of ASCII characters that is used used to generate the
1274           cryptographic keys needed for encryption and authentication in a
1275           given session. The passphrase should be a secret that is also known
1276           by the clients, and it may contain any number of printable ASCII
1277           characters. Passphrases that contain whitespace or special
1278           characters must be enclosed in double quotes. Note that although it
1279           is not recommended, it is possible to use empty passphrases,
1280           supplying --echo-server "". However, if what you want is to set up
1281           an open Echo server, it is better to use option --no-crypto. See
1282           below for details.
1283
1284       --ep port, --echo-port port (Set Echo TCP port number)
1285           This option asks Nping to use the specified TCP port number for the
1286           Echo side channel connection. If this option is used with
1287           --echo-server, it specifies the port on which the server listens
1288           for connections. If it is used with --echo-client, it specifies the
1289           port to connect to on the remote host. By default, port number 9929
1290           is used.
1291
1292       --nc, --no-crypto (Disable encryption and authentication)
1293           This option asks Nping not to use any cryptographic operations
1294           during an Echo session. In practical terms, this means that the
1295           Echo side channel session data will be transmitted in the clear,
1296           and no authentication will be performed by the server or client
1297           during the session establishment phase. When --no-crypto is used,
1298           the passphrase supplied with --echo-server or --echo-client is
1299           ignored.
1300
1301           This option must be specified if Nping was compiled without openSSL
1302           support. Note that, for technical reasons, a passphrase still needs
1303           to be supplied after the --echo-client or --echo-server flags, even
1304           though it will be ignored.
1305
1306           The --no-crypto flag might be useful when setting up a public Echo
1307           server, because it allows users to connect to the Echo server
1308           without the need for any passphrase or shared secret. However, it
1309           is strongly recommended to not use --no-crypto unless absolutely
1310           necessary. Public Echo servers should be configured to use the
1311           passphrase "public" or the empty passphrase (--echo-server "") as
1312           the use of cryptography does not only provide confidentiality and
1313           authentication but also message integrity.
1314
1315       --once (Serve one client and quit)
1316           This option asks the Echo server to quit after serving one client.
1317           This is useful when only a single Echo session wants to be
1318           established as it eliminates the need to access the remote host to
1319           shutdown the server.
1320
1321       --safe-payloads (Zero application data before echoing a packet)
1322           This option asks the Echo server to erase any application layer
1323           data found in client packets before echoing them. When the option
1324           is enabled, the Echo server parses the packets received from Echo
1325           clients and tries to determine if they contain data beyond the
1326           transport layer. If such data is found, it is overwritten with
1327           zeroes before transmitting the packets to the appropriate Echo
1328           client.
1329
1330           Echo servers can handle multiple simultaneous clients running
1331           multiple echo sessions in parallel. In order to determine which
1332           packet needs to be echoed to which client and through which
1333           session, the Echo server uses an heuristic algorithm. Although we
1334           have taken every security measure that we could think of to prevent
1335           that a client receives an echoed packet that it did not generate,
1336           there is always a risk that our algorithm makes a mistake and
1337           delivers a packet to the wrong client. The --safe-payloads option
1338           is useful for public echo servers or critical deployments where
1339           that kind of mistake cannot be afforded.
1340
1341       The following examples illustrate how Nping's Echo mode can be used to
1342       discover intermediate devices.
1343
1344       Example 2. Discovering NAT devices
1345
1346               # nping --echo-client "public" echo.nmap.org --udp
1347
1348               Starting Nping ( https://nmap.org/nping )
1349               SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1350               CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1351               RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
1352               [...]
1353               SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1354               CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1355               RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56
1356
1357               Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
1358               Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
1359               Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
1360               Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
1361               Nping done: 1 IP address pinged in 6.18 seconds
1362
1363
1364       The output clearly shows the presence of a NAT device in the client's
1365       local network. Note how the captured packet (CAPT) differs from the
1366       SENT packet: the source address for the original packets is in the
1367       reserved 10.0.0.0/8 range, while the address seen by the server is
1368       80.38.10.21, the Internet side address of the NAT device. The source
1369       port was also modified by the device. The line starting with RCVD
1370       corresponds to the responses generated by the TCP/IP stack of the
1371       machine where the Echo server is run.
1372
1373       Example 3. Discovering a transparent proxy
1374
1375               # nping --echo-client "public" echo.nmap.org --tcp -p80
1376
1377               Starting Nping ( https://nmap.org/nping )
1378               SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1379               RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460>
1380               SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1381               SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1382               SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1383               SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1384
1385               Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
1386               Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
1387               Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
1388               Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
1389               Nping done: 1 IP address pinged in 6.39 seconds
1390
1391
1392       In this example, the output is a bit more tricky. The absence of error
1393       messages shows that the Echo client has successfully established an
1394       Echo session with the server. However, no CAPT packets can be seen in
1395       the output. This means that none of the transmitted packets reached the
1396       server. Interestingly, a TCP SYN-ACK packet was received in response to
1397       the first TCP-SYN packet (and also, it is known that the target host
1398       does not have port 80 open). This behavior reveals the presence of a
1399       transparent web proxy cache server (which in this case is an old MS ISA
1400       server).
1401

TIMING AND PERFORMANCE OPTIONS

1403       --delay time (Delay between probes)
1404           This option lets you control for how long will Nping wait before
1405           sending the next probe. Like in many other ping tools, the default
1406           delay is one second.  time must be a positive integer or floating
1407           point number. By default it is specified in seconds, however you
1408           can give an explicit unit by appending ms for milliseconds, s for
1409           seconds, m for minutes, or h for hours (e.g.  2.5s, 45m, 2h).
1410
1411       --rate rate (Send probes at a given rate)
1412           This option specifies the number of probes that Nping should send
1413           per second. This option and --delay are inverses; --rate 20 is the
1414           same as --delay 0.05. If both options are used, only the last one
1415           in the parameter list counts.
1416

MISCELLANEOUS OPTIONS

1418       -h, --help (Display help)
1419           Displays help information and exits.
1420
1421       -V, --version (Display version)
1422           Displays the program's version number and quits.
1423
1424       -c rounds, --count rounds (Stop after a given number of rounds)
1425           This option lets you specify the number of times that Nping should
1426           loop over target hosts (and in some cases target ports). Nping
1427           calls these “rounds”. In a basic execution with only one target
1428           (and only one target port in TCP/UDP modes), the number of rounds
1429           matches the number of probes sent to the target host. However, in
1430           more complex executions where Nping is run against multiple targets
1431           and multiple ports, the number of rounds is the number of times
1432           that Nping sends a complete set of probes that covers all target
1433           IPs and all target ports. For example, if Nping is asked to send
1434           TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then
1435           256 × 2 = 512 packets are sent in one round. So if you specify -c
1436           100, Nping will loop over the different target hosts and ports 100
1437           times, sending a total of 256 × 2 × 100 = 51200 packets. By default
1438           Nping runs for 5 rounds. If a value of 0 is specified, Nping will
1439           run continuously.
1440
1441       -e name, --interface name (Set the network interface to be used)
1442           This option tells Nping what interface should be used to send and
1443           receive packets. Nping should be able to detect this automatically,
1444           but it will tell you if it cannot.  name must be the name of an
1445           existing network interface with an assigned IP address.
1446
1447       --privileged (Assume that the user is fully privileged)
1448           Tells Nping to simply assume that it is privileged enough to
1449           perform raw socket sends, packet sniffing, and similar operations
1450           that usually require special privileges. By default Nping quits if
1451           such operations are requested by a user that has no root or
1452           administrator privileges. This option may be useful on Linux, BSD
1453           or similar systems that can be configured to allow unprivileged
1454           users to perform raw-packet transmissions. The NPING_PRIVILEGED
1455           environment variable may be set as an alternative to using
1456           --privileged.
1457
1458       --unprivileged (Assume that the user lacks raw socket privileges)
1459           This option is the opposite of --privileged. It tells Nping to
1460           treat the user as lacking network raw socket and sniffing
1461           privileges. This is useful for testing, debugging, or when the raw
1462           network functionality of your operating system is somehow broken.
1463           The NPING_UNPRIVILEGED environment variable may be set as an
1464           alternative to using --unprivileged.
1465
1466       --send-eth (Use raw ethernet sending)
1467           Asks Nping to send packets at the raw ethernet (data link) layer
1468           rather than the higher IP (network) layer. By default, Nping
1469           chooses the one which is generally best for the platform it is
1470           running on. Raw sockets (IP layer) are generally most efficient for
1471           Unix machines, while ethernet frames are required for Windows
1472           operation since Microsoft disabled raw socket support. Nping still
1473           uses raw IP packets despite this option when there is no other
1474           choice (such as non-ethernet connections).
1475
1476       --send-ip (Send at raw IP level)
1477           Asks Nping to send packets via raw IP sockets rather than sending
1478           lower level ethernet frames. It is the complement to the --send-eth
1479           option.
1480
1481       --bpf-filter filter spec --filter filter spec (Set custom BPF filter)
1482           This option lets you use a custom BPF filter. By default Nping
1483           chooses a filter that is intended to capture most common responses
1484           to the particular probes that are sent. For example, when sending
1485           TCP packets, the filter is set to capture packets whose destination
1486           port matches the probe's source port or ICMP error messages that
1487           may be generated by the target or any intermediate device as a
1488           result of the probe. If for some reason you expect strange packets
1489           in response to sent probes or you just want to sniff a particular
1490           kind of traffic, you can specify a custom filter using the BPF
1491           syntax used by tools like tcpdump.  See the documentation at
1492           http://www.tcpdump.org/ for more information.
1493
1494       -H, --hide-sent (Do not display sent packets)
1495           This option tells Nping not to print information about sent
1496           packets. This can be useful when using very short inter-probe
1497           delays (i.e., when flooding), because printing information to the
1498           standard output has a computational cost and disabling it can
1499           probably speed things up a bit. Also, it may be useful when using
1500           Nping to detect active hosts or open ports (e.g. sending probes to
1501           all TCP ports in a /24 subnet). In that case, users may not want to
1502           see thousands of sent probes but just the replies generated by
1503           active hosts.
1504
1505       -N, --no-capture (Do not attempt to capture replies)
1506           This option tells Nping to skip packet capture. This means that
1507           packets in response to sent probes will not be processed or
1508           displayed. This can be useful when doing flooding and network stack
1509           stress tests. Note that when this option is specified, most of the
1510           statistics shown at the end of the execution will be useless. This
1511           option does not work with TCP Connect mode.
1512

OUTPUT OPTIONS

1514       -v[level], --verbose [level] (Increase or set verbosity level)
1515           Increases the verbosity level, causing Nping to print more
1516           information during its execution. There are 9 levels of verbosity
1517           (-4 to 4). Every instance of -v increments the verbosity level by
1518           one (from its default value, level 0). Every instance of option -q
1519           decrements the verbosity level by one. Alternatively you can
1520           specify the level directly, as in -v3 or -v-1. These are the
1521           available levels:
1522
1523           Level -4
1524               No output at all. In some circumstances you may not want Nping
1525               to produce any output (like when one of your work mates is
1526               watching over your shoulder). In that case level -4 can be
1527               useful because although you won't see any response packets,
1528               probes will still be sent.
1529
1530           Level -3
1531               Like level -4 but displays fatal error messages so you can
1532               actually see if Nping is running or it failed due to some
1533               error.
1534
1535           Level -2
1536               Like level -3 but also displays warnings and recoverable
1537               errors.
1538
1539           Level -1
1540               Displays traditional run-time information (version, start time,
1541               statistics, etc.) but does not display sent or received
1542               packets.
1543
1544           Level 0
1545               This is the default verbosity level. It behaves like level -1
1546               but also displays sent and received packets and some other
1547               important information.
1548
1549           Level 1
1550               Like level 0 but it displays detailed information about timing,
1551               flags, protocol details, etc.
1552
1553           Level 2
1554               Like level 1 but displays very detailed information about sent
1555               and received packets and other interesting information.
1556
1557           Level 3
1558               Like level 2 but also displays the raw hexadecimal dump of sent
1559               and received packets.
1560
1561           Level 4 and higher
1562               Same as level 3.
1563
1564       -q[level], --reduce-verbosity [level] (Decrease verbosity level)
1565           Decreases the verbosity level, causing Nping to print less
1566           information during its execution.
1567
1568       -d[level] (Increase or set debugging level)
1569           When even verbose mode doesn't provide sufficient data for you,
1570           debugging is available to flood you with much more! As with the -v,
1571           debugging is enabled with a command-line flag -d and the debug
1572           level can be increased by specifying it multiple times. There are 7
1573           debugging levels (0 to 6). Every instance of -d increments
1574           debugging level by one. Provide an argument to -d to set the level
1575           directly; for example -d4.
1576
1577           Debugging output is useful when you suspect a bug in Nping, or if
1578           you are simply confused as to what Nping is doing and why. As this
1579           feature is mostly intended for developers, debug lines aren't
1580           always self-explanatory. You may get something like
1581
1582
1583               NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS
1584
1585           If you don't understand a line, your only recourses are to ignore
1586           it, look it up in the source code, or request help from the
1587           development list (nmap-dev). Some lines are self-explanatory, but
1588           the messages become more obscure as the debug level is increased.
1589           These are the available levels:
1590
1591           Level 0
1592               Level 0. No debug information at all. This is the default
1593               level.
1594
1595           Level 1
1596               In this level, only very important or high-level debug
1597               information will be printed.
1598
1599           Level 2
1600               Like level 1 but also displays important or medium-level debug
1601               information
1602
1603           Level 3
1604               Like level 2 but also displays regular and low-level debug
1605               information.
1606
1607           Level 4
1608               Like level 3 but also displays messages only a real Nping freak
1609               would want to see.
1610
1611           Level 5
1612               Like level 4 but it enables basic debug information related to
1613               external libraries like Nsock.
1614
1615           Level 6
1616               Like level 5 but it enables full, very detailed, debug
1617               information related to external libraries like Nsock.
1618

BUGS

1620       Like its authors, Nping isn't perfect. But you can help make it better
1621       by sending bug reports or even writing patches. If Nping doesn't behave
1622       the way you expect, first upgrade to the latest version available from
1623       https://nmap.org. If the problem persists, do some research to
1624       determine whether it has already been discovered and addressed. Try
1625       searching for the problem or error message on Google since that
1626       aggregates so many forums. If nothing comes of this, create an Issue on
1627       our tracker (http://issues.nmap.org) and/or mail a bug report to
1628       <dev@nmap.org>. If you subscribe to the nmap-dev list before posting,
1629       your message will bypass moderation and get through more quickly.
1630       Subscribe at https://nmap.org/mailman/listinfo/dev. Please include
1631       everything you have learned about the problem, as well as what version
1632       of Nping you are using and what operating system version it is running
1633       on. Other suggestions for improving Nping may be sent to the Nmap dev
1634       mailing list as well.
1635
1636       If you are able to write a patch improving Nping or fixing a bug, that
1637       is even better! Instructions for submitting patches or git pull
1638       requests are available from
1639       https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md
1640
1641       Particularly sensitive issues such as a security reports may be sent
1642       directly to Fyodor directly at <fyodor@nmap.org>. All other reports and
1643       comments should use the dev list or issue tracker instead because more
1644       people read, follow, and respond to those.
1645

AUTHORS

1647       Luis MartinGarcia <luis.mgarc@gmail.com> (http://www.luismg.com)
1648
1649       Fyodor <fyodor@nmap.org> (http://insecure.org)
1650

NOTES

1652        1. official type numbers assigned by IANA
1653           http://www.iana.org/assignments/icmp-parameters
1654
1655        2. official numbers assigned by IANA
1656           http://www.iana.org/assignments/arp-parameters/
1657
1658        3. official numbers listed by the IEEE
1659           http://standards.ieee.org/regauth/ethertype/eth.txt
1660
1661
1662
1663Nping                             09/28/2018                          NPING(1)
Impressum