NPING(1) Nping Reference Guide NPING(1)

NAME
nping - Network packet generation tool / ping utility

SYNOPSIS
nping [Options] {targets}

DESCRIPTION
Nping is an open-source tool for network packet generation, response
analysis and response time measurement. Nping allows users to generate
network packets of a wide range of protocols, letting them tune
virtually any field of the protocol headers. While Nping can be used as
a simple ping utility to detect active hosts, it can also be used as a
raw packet generator for network stack stress tests, ARP poisoning,
Denial of Service attacks, route tracing, and other purposes.

Additionally, Nping offers a special mode of operation called the "Echo
Mode", that lets users see how the generated probes change in transit,
revealing the differences between the transmitted packets and the
packets received at the other end. See section "Echo Mode" for details.

The output from Nping is a list of the packets that are being sent and
received. The level of detail depends on the options used.

A typical Nping execution is shown in Example 1. The only Nping
arguments used in this example are -c, to specify the number of times
to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to
specify the target ports; and then the two target hostnames.

Example 1. A representative Nping execution

# nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com

Starting Nping ( https://nmap.org/nping )
SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40 seq=1077657388 win=1480
RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44 seq=4158134847 win=5840 <mss 1460>
SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40 seq=1077657388 win=1480
RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44 seq=2650443864 win=5720 <mss 1430>
SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40 seq=1077657388 win=1480
SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40 seq=1077657388 win=1480

Statistics for host scanme.nmap.org (64.13.134.52):
| Probes Sent: 2 | Rcvd: 1 | Lost: 1 (50.00%)
|_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
Statistics for host google.com (74.125.45.100):
| Probes Sent: 2 | Rcvd: 1 | Lost: 1 (50.00%)
|_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
Nping done: 2 IP addresses pinged in 4.01 seconds

The newest version of Nping can be obtained with Nmap at
https://nmap.org. The newest version of this man page is available at
https://nmap.org/book/nping-man.html.

OPTIONS SUMMARY

This options summary is printed when Nping is run with no arguments. It
helps people remember the most common options, but is no substitute for
the in-depth documentation in the rest of this manual. Some obscure
options aren't even included here.

Nping 0.7.92SVN ( https://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}

TARGET SPECIFICATION:
Targets may be specified as hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24
PROBE MODES:
--tcp-connect : Unprivileged TCP connect probe mode.
--tcp : TCP probe mode.
--udp : UDP probe mode.
--icmp : ICMP probe mode.
--arp : ARP/RARP probe mode.
--tr, --traceroute : Traceroute mode (can only be used with
TCP/UDP/ICMP modes).
TCP CONNECT MODE:
-p, --dest-port <port spec> : Set destination port(s).
-g, --source-port <portnumber> : Try to use a custom source port.
TCP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec> : Set destination port(s).
--seq <seqnumber> : Set sequence number.
--flags <flag list> : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
--ack <acknumber> : Set ACK number.
--win <size> : Set window size.
--badsum : Use a random invalid checksum.
UDP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec> : Set destination port(s).
--badsum : Use a random invalid checksum.
ICMP PROBE MODE:
--icmp-type <type> : ICMP type.
--icmp-code <code> : ICMP code.
--icmp-id <id> : Set identifier.
--icmp-seq <n> : Set sequence number.
--icmp-redirect-addr <addr> : Set redirect address.
--icmp-param-pointer <pnt> : Set parameter problem pointer.
--icmp-advert-lifetime <time> : Set router advertisement lifetime.
--icmp-advert-entry <IP,pref> : Add router advertisement entry.
--icmp-orig-time <timestamp> : Set originate timestamp.
--icmp-recv-time <timestamp> : Set receive timestamp.
--icmp-trans-time <timestamp> : Set transmit timestamp.
ARP/RARP PROBE MODE:
--arp-type <type> : Type: ARP, ARP-reply, RARP, RARP-reply.
--arp-sender-mac <mac> : Set sender MAC address.
--arp-sender-ip <addr> : Set sender IP address.
--arp-target-mac <mac> : Set target MAC address.
--arp-target-ip <addr> : Set target IP address.
IPv4 OPTIONS:
-S, --source-ip : Set source IP address.
--dest-ip <addr> : Set destination IP address (used as an
alternative to {target specification} ).
--tos <tos> : Set type of service field (8bits).
--id <id> : Set identification field (16 bits).
--df : Set Don't Fragment flag.
--mf : Set More Fragments flag.
--evil : Set Reserved / Evil flag.
--ttl <hops> : Set time to live [0-255].
--badsum-ip : Use a random invalid checksum.
--ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
--ip-options <hex string> : Set IP options
--mtu <size> : Set MTU. Packets get fragmented if MTU is
small enough.
IPv6 OPTIONS:
-6, --IPv6 : Use IP version 6.
--dest-ip : Set destination IP address (used as an
alternative to {target specification}).
--hop-limit : Set hop limit (same as IPv4 TTL).
--traffic-class <class> : : Set traffic class.
--flow <label> : Set flow label.
ETHERNET OPTIONS:
--dest-mac <mac> : Set destination mac address. (Disables
ARP resolution)
--source-mac <mac> : Set source MAC address.
--ether-type <type> : Set EtherType value.
PAYLOAD OPTIONS:
--data <hex string> : Include a custom payload.
--data-string <text> : Include a custom ASCII text.
--data-length <len> : Include len random bytes as payload.
ECHO CLIENT/SERVER:
--echo-client <passphrase> : Run Nping in client mode.
--echo-server <passphrase> : Run Nping in server mode.
--echo-port <port> : Use custom <port> to listen or connect.
--no-crypto : Disable encryption and authentication.
--once : Stop the server after one connection.
--safe-payloads : Erase application data in echoed packets.
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
--delay <time> : Adjust delay between probes.
--rate <rate> : Send num packets per second.
MISC:
-h, --help : Display help information.
-V, --version : Display current version number.
-c, --count <n> : Stop after <n> rounds.
-e, --interface <name> : Use supplied network interface.
-H, --hide-sent : Do not display sent packets.
-N, --no-capture : Do not try to capture replies.
--privileged : Assume user is fully privileged.
--unprivileged : Assume user lacks raw socket privileges.
--send-eth : Send packets at the raw Ethernet layer.
--send-ip : Send packets using raw IP sockets.
--bpf-filter <filter spec> : Specify custom BPF filter.
OUTPUT:
-v : Increment verbosity level by one.
-v[level] : Set verbosity level. E.g: -v4
-d : Increment debugging level by one.
-d[level] : Set debugging level. E.g: -d3
-q : Decrease verbosity level by one.
-q[N] : Decrease verbosity level N times
--quiet : Set verbosity and debug level to minimum.
--debug : Set verbosity and debug to the max level.
EXAMPLES:
nping scanme.nmap.org
nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
nping --icmp --icmp-type time --delay 500ms 192.168.254.254
nping --echo-server "public" -e wlan0 -vvv
nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

TARGET SPECIFICATION
Everything on the Nping command line that isn't an option or an option
argument is treated as a target host specification. Nping uses the same
syntax for target specifications that Nmap does. The simplest case is a
single target given by IP address or hostname.

Nping supports CIDR-style addressing. You can append /numbits to an
IPv4 address or hostname and Nping will send probes to every IP address
for which the first numbits are the same as for the reference IP or
hostname given. For example, 192.168.10.0/24 would send probes to the
256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
11111111), inclusive. 192.168.10.40/24 would ping exactly the same
targets. Given that the host scanme.nmap.org is at the IP address
64.13.134.52, the specification scanme.nmap.org/16 would send probes to
the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
smallest allowed value is /0, which targets the whole Internet. The
largest value is /32, which targets just the named host or IP address
because all address bits are fixed.

CIDR notation is short but not always flexible enough. For example, you
might want to send probes to 192.168.0.0/16 but skip any IPs ending
with .0 or .255 because they may be used as subnet network and
broadcast addresses. Nping supports this through octet range
addressing. Rather than specify a normal IP address, you can specify a
comma-separated list of numbers or ranges for each octet. For example,
192.168.0-255.1-254 will skip all addresses in the range that end in .0
or .255, and 192.168.3-5,7.1 will target the four addresses
192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
a range may be omitted; the default values are 0 on the left and 255 on
the right. Using - by itself is the same as 0-255, but remember to use
0- in the first octet so the target specification doesn't look like a
command-line option. Ranges need not be limited to the final octets:
the specifier 0-.-.13.37 will send probes to all IP addresses on the
Internet ending in .13.37. This sort of broad sampling can be useful
for Internet surveys and research.

IPv6 addresses can only be specified by their fully qualified IPv6
address or hostname. CIDR and octet ranges aren't supported for IPv6
because they are rarely useful.

Nping accepts multiple host specifications on the command line, and
they don't need to be the same type. The command nping scanme.nmap.org
192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.
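
A target specification can be expanded and checked against an approved scope before anything is sent. The Python below is an added example, not part of Nping or its documentation; it handles IPv4 literals only (CIDR and octet ranges, hostnames are not resolved), and the function names and the max_expand limit are assumptions of this example.

```python
import ipaddress
from itertools import product


def parse_octet(field):
    """Expand one octet field ('7', '3-5,7', '-', '1-', '-254', '*') to a sorted list."""
    if field == "*":                      # '*' appears in the usage text (10.0.*.1-24)
        field = "-"
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0     # omitted left side defaults to 0
            hi = int(hi) if hi else 255   # omitted right side defaults to 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def _octets(spec):
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 literal specification: {spec!r}")
    return [parse_octet(f) for f in fields]


def count_targets(spec):
    """Number of addresses a specification covers, without enumerating them."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    total = 1
    for values in _octets(spec):
        total *= len(values)
    return total


def iter_targets(spec):
    """Yield every IPv4Address covered by the specification, in ascending order."""
    if "/" in spec:
        # strict=False masks the host bits, so 192.168.10.40/24 == 192.168.10.0/24
        yield from ipaddress.ip_network(spec, strict=False)
        return
    for combo in product(*_octets(spec)):
        yield ipaddress.IPv4Address(".".join(map(str, combo)))


def out_of_scope(specs, allowed, max_expand=1 << 20):
    """Return the addresses in `specs` that fall outside the `allowed` networks."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    misses = []
    for spec in specs:
        size = count_targets(spec)
        if size > max_expand:             # e.g. a /8 or /0 typed by mistake
            raise ValueError(f"{spec!r} covers {size} addresses; refusing to expand")
        misses += [ip for ip in iter_targets(spec)
                   if not any(ip in net for net in nets)]
    return misses


if __name__ == "__main__":
    for s in ("192.168.10.40/24", "192.168.0-255.1-254", "0-.-.13.37", "10.0.0,1,3-7.-"):
        print(f"{s:22} -> {count_targets(s)} addresses")
    # Constructed scope: only 192.168.3.0/24 and 192.168.4.0/23 are approved.
    print(out_of_scope(["192.168.3-5,7.1"], ["192.168.3.0/24", "192.168.4.0/23"]))
```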

OPTION SPECIFICATION
Nping is designed to be very flexible and fit a wide variety of needs.
As with most command-line tools, its behavior can be adjusted using
command-line options. These general principles apply to option
arguments, unless stated otherwise.

Options that take integer numbers can accept values specified in
decimal, octal or hexadecimal base. When a number starts with 0x, it
will be treated as hexadecimal; when it simply starts with 0, it will
be treated as octal. Otherwise, Nping will assume the number has been
specified in base 10. Virtually all numbers that can be supplied from
the command line are unsigned so, as a general rule, the minimum value
is zero. Users may also specify the word random or rand to make Nping
generate a random value within the expected range.

IP addresses may be given as IPv4 addresses (e.g. 192.168.1.1), IPv6
addresses (e.g. 2001:db8:85a3::8e4c:760:7146), or hostnames, which
will be resolved using the default DNS server configured in the host
system.

Options that take MAC addresses accept the usual colon-separated 6 hex
byte format (e.g. 00:50:56:d4:01:98). Hyphens may also be used instead
of colons (e.g. 00-50-56-c0-00-08). The special word random or rand
sets a random address and the word broadcast or bcast sets
ff:ff:ff:ff:ff:ff.

GENERAL OPERATION
Unlike other ping and packet generation tools, Nping supports multiple
target host and port specifications. While this provides great
flexibility, it is not obvious how Nping handles situations where there
is more than one host and/or more than one port to send probes to. This
section explains how Nping behaves in these cases.

When multiple target hosts are specified, Nping rotates among them in
round-robin fashion. This gives slow hosts more time to send their
responses before another probe is sent to them. Ports are also
scheduled using round robin. So, unless only one port is specified,
Nping never sends two probes to the same target host and port
consecutively.

The loop around targets is the “inner loop” and the loop around ports
is the “outer loop”. All targets will be sent a probe for a given port
before moving on to the next port. Between probes, Nping waits a
configurable amount of time called the “inter-probe delay”, which is
controlled by the --delay option. These examples show how it works.

# nping --tcp -c 2 1.1.1.1 -p 100-102

Starting Nping ( https://nmap.org/nping )
SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102

# nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080

Starting Nping ( https://nmap.org/nping )
SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080

# nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139

Starting Nping ( https://nmap.org/nping )
SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139

PROBE MODES
Nping supports a wide variety of protocols. Although in some cases
Nping can automatically determine the mode from the options used, it is
generally a good idea to specify it explicitly.

--tcp-connect (TCP Connect mode)
TCP connect mode is the default mode when a user does not have raw
packet privileges. Instead of writing raw packets as most other
modes do, Nping asks the underlying operating system to establish a
connection with the target machine and port by issuing the connect
system call. This is the same high-level system call that web
browsers, P2P clients, and most other network-enabled applications
use to establish a connection. It is part of a programming
interface known as the Berkeley Sockets API. Rather than read raw
packet responses off the wire, Nping uses this API to obtain status
information on each connection attempt. For this reason, you will
not be able to see the contents of the packets that are sent or
received but only status information about the TCP connection
establishment taking place.

--tcp (TCP mode)
TCP is the mode that lets users create and send any kind of TCP
packet. TCP packets are sent embedded in IP packets that can also
be tuned. This mode can be used for many different purposes. For
example, you could try to discover open ports by sending TCP SYN
messages without completing the three-way handshake. This technique
is often referred to as half-open scanning, because you don't open
a full TCP connection. You send a SYN packet, as if you are going
to open a real connection and then wait for a response. A SYN/ACK
indicates the port is open, while a RST indicates it's closed. If
no response is received one could assume that some intermediate
network device is filtering the responses. Another use could be to
see how a remote TCP/IP stack behaves when it receives a
non-RFC-compliant packet, like one with both SYN and RST flags set.
One could also do some evil by creating custom RST packets using a
spoofed IP address with the intent of closing an active TCP
connection.

--udp (UDP mode)
UDP mode can have two different behaviours. Under normal
circumstances, it lets users create custom IP/UDP packets. However,
if Nping is run by a user without raw packet privileges and no
changes to the default protocol headers are requested, then Nping
enters the unprivileged UDP mode which basically sends UDP packets
to the specified target hosts and ports using the sendto system
call. Note that in this unprivileged mode it is not possible to see
low-level header information of the packets on the wire but only
status information about the number of bytes that are being
transmitted and received. UDP mode can be used to interact with any
UDP-based server. Examples are DNS servers, streaming servers,
online gaming servers, and port knocking/single-packet
authorization daemons.

--icmp (ICMP mode)
ICMP mode is the default mode when the user runs Nping with raw
packet privileges. Any kind of ICMP message can be created. The
default ICMP type is Echo, i.e., ping. ICMP mode can be used for
many different purposes, from a simple request for a timestamp or a
netmask to the transmission of fake destination unreachable
messages, custom redirects, and router advertisements.

--arp (ARP/RARP mode)
ARP lets you create and send a few different ARP-related packets.
These include ARP, RARP, DRARP, and InARP requests and replies.
This mode can be used to perform low-level host discovery, and
conduct ARP-cache poisoning attacks.

--traceroute (Traceroute mode)
Traceroute is not a mode by itself but a complement to TCP, UDP,
and ICMP modes. When this option is specified Nping will set the IP
TTL value of the first probe to 1. When the next router receives
the packet it will drop it due to the expiration of the TTL and it
will generate an ICMP destination unreachable message. The next
probe will have a TTL of 2 so now the first router will forward the
packet while the second router will be the one that drops the
packet and generates the ICMP message. The third probe will have a
TTL value of 3 and so on. By examining the source addresses of all
those ICMP Destination Unreachable messages it is possible to
determine the path that the probes take until they reach their
final destination.
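
The --tcp entry above reads a SYN/ACK as open, a RST as closed, and silence as possible filtering. The Python below is an added example (not part of Nping) that applies that reading to SENT/RCVD lines in the format of Example 1; the last two log lines are constructed for illustration, and the function and variable names are assumptions of this example.

```python
import re

# Matches the TCP SENT/RCVD lines printed in Example 1.
LINE = re.compile(
    r"^(SENT|RCVD) \((\d+\.\d+)s\) TCP "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) > (\d+\.\d+\.\d+\.\d+):(\d+) ([A-Z]+) "
)

# Packet lines copied from Example 1 on this page.
EXAMPLE_1 = """\
SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40 seq=1077657388 win=1480
RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44 seq=4158134847 win=5840 <mss 1460>
SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40 seq=1077657388 win=1480
RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44 seq=2650443864 win=5720 <mss 1430>
SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40 seq=1077657388 win=1480
SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40 seq=1077657388 win=1480
"""

# Constructed lines (not from the page): a host answering the SYN with a reset.
CONSTRUCTED = """\
SENT (4.0140s) TCP 96.16.226.135:50091 > 192.0.2.10:80 S ttl=64 id=4242 iplen=40 seq=1077657388 win=1480
RCVD (4.0150s) TCP 192.0.2.10:80 > 96.16.226.135:50091 RA ttl=64 id=0 iplen=40 seq=0 win=0
"""

NO_REPLY = "no response (possibly filtered)"


def classify(output):
    """Map (target_ip, target_port) -> {'state', 'rtt'} from Nping TCP output."""
    probes = {}
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                       # statistics, banners, other protocols
        kind, when, sip, sport, dip, dport, flags = m.groups()
        when = float(when)
        if kind == "SENT":
            if flags != "S":
                continue                   # only plain SYN probes are interpreted here
            entry = probes.setdefault(
                (dip, int(dport)), {"sent": when, "state": NO_REPLY, "rtt": None})
            if entry["rtt"] is None:
                entry["sent"] = when       # measure from the most recent unanswered probe
            continue
        # RCVD: the reply's source is the probe's destination.
        entry = probes.get((sip, int(sport)))
        if entry is None or entry["rtt"] is not None:
            continue
        if "R" in flags:
            state = "closed"
        elif "S" in flags and "A" in flags:
            state = "open"
        else:
            continue
        entry.update(state=state, rtt=round(when - entry["sent"], 4))
    return {k: {"state": v["state"], "rtt": v["rtt"]} for k, v in probes.items()}


if __name__ == "__main__":
    for (ip, port), result in classify(EXAMPLE_1 + CONSTRUCTED).items():
        print(f"{ip}:{port:<5} {result['state']:32} rtt={result['rtt']}")
```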

TCP CONNECT MODE
-p port_spec, --dest-port port_spec (Target ports)
This option specifies which ports you want to try to connect to. It
can be a single port, a comma-separated list of ports (e.g.
80,443,8080), a range (e.g. 1-1023), and any combination of those
(e.g. 21-25,80,443,1024-2048). The beginning and/or end values of
a range may be omitted, causing Nping to use 1 and 65535,
respectively. So you can specify -p- to target ports from 1 through
65535. Using port zero is allowed if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)
This option asks Nping to use the specified port as source port for
the TCP connections. Note that this might not work on all systems
or may require root privileges. The specified value must be an integer
in the range [0–65535].

TCP MODE
-p port_spec, --dest-port port_spec (Target ports)
This option specifies which destination ports you want to send
probes to. It can be a single port, a comma-separated list of ports
(e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of
those (e.g. 21-25,80,443,1024-2048). The beginning and/or end
values of a range may be omitted, causing Nping to use 1 and 65535,
respectively. So you can specify -p- to target ports from 1 through
65535. Using port zero is allowed if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)
This option asks Nping to use the specified port as source port for
the TCP connections. Note that this might not work on all systems
or may require root privileges. The specified value must be an integer
in the range [0–65535].

--seq seqnumber (Sequence Number)
Specifies the TCP sequence number. In SYN packets this is the
initial sequence number (ISN). In a normal transmission this
corresponds to the sequence number of the first byte of data in the
segment. seqnumber must be a number in the range [0–4294967295].

--flags flags (TCP Flags)
This option specifies which flags should be set in the TCP packet.
flags may be specified in three different ways:

1. As a comma-separated list of flags, e.g. --flags syn,ack,rst

2. As a list of one-character flag initials, e.g. --flags SAR
tells Nping to set flags SYN, ACK, and RST.

3. As an 8-bit hexadecimal number, where the supplied number is
the exact value that will be placed in the flags field of the
TCP header. The number should start with the prefix 0x and
should be in the range [0x00–0xFF], e.g. --flags 0x20 sets the
URG flag as 0x20 corresponds to binary 00100000 and the URG
flag is represented by the third bit.

There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST,
SYN, and FIN. The special value ALL means to set all flags. NONE
means to set no flags. It is important that if you don't want any
flag to be set, you request it explicitly because in some cases the
SYN flag may be set by default. Here is a brief description of the
meaning of each flag:

CWR (Congestion Window Reduced)
Set by an ECN-Capable sender when it reduces its congestion
window (due to a retransmit timeout, a fast retransmit or in
response to an ECN notification).

ECN (Explicit Congestion Notification)
During the three-way handshake it indicates that the sender is
capable of performing explicit congestion notification.
Normally it means that a packet with the IP Congestion
Experienced flag set was received during normal transmission.
See RFC 3168 for more information.

URG (Urgent)
Segment is urgent and the urgent pointer field carries valid
information.

ACK (Acknowledgement)
The segment carries an acknowledgement and the value of the
acknowledgement number field is valid and contains the next
sequence number that is expected from the receiver.

PSH (Push)
The data in this segment should be immediately pushed to the
application layer on arrival.

RST (Reset)
There was some problem and the sender wants to abort the
connection.

SYN (Synchronize)
The segment is a request to synchronize sequence numbers and
establish a connection. The sequence number field contains the
sender's initial sequence number.

FIN (Finish)
The sender wants to close the connection.

--win size (Window Size)
Specifies the TCP window size, that is, the number of octets the
sender of the segment is willing to accept from the receiver at one
time. This is usually the size of the reception buffer that the OS
allocates for a given connection. size must be a number in the
range [0–65535].

--badsum (Invalid Checksum)
Asks Nping to use an invalid TCP checksum for the packets sent to
target hosts. Since virtually all host IP stacks properly drop
these packets, any responses received are likely coming from a
firewall or an IDS that didn't bother to verify the checksum. For
more details on this technique, see https://nmap.org/p60-12.html.
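
The three --flags notations described above all resolve to one byte of the TCP header. The Python below is an added example, not Nping's own parser: it converts each notation to that byte, decodes a byte back to flag names, and marks combinations such as the SYN+RST case mentioned under --tcp. The initials other than S, A and R, and the anomalies() helper, are assumptions of this example.

```python
# Bit positions of the flags byte, highest bit first (names as used on this page).
FLAG_BITS = {"CWR": 0x80, "ECN": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# One-letter initials. The page shows S, A and R; the others are assumed to
# follow the same first-letter rule.
INITIALS = {name[0]: bit for name, bit in FLAG_BITS.items()}


def parse_flags(spec):
    """Return the 8-bit flags value for a --flags style argument."""
    s = spec.strip().upper()
    if not s:
        raise ValueError("empty flag specification")
    if s.startswith("0X"):                       # form 3: exact hexadecimal value
        value = int(s, 16)
        if not 0x00 <= value <= 0xFF:
            raise ValueError(f"flags value out of range: {spec!r}")
        return value
    if s == "ALL":
        return 0xFF
    if s == "NONE":
        return 0x00
    if "," in s or s in FLAG_BITS:               # form 1: comma-separated names
        tokens, table = [t.strip() for t in s.split(",")], FLAG_BITS
    else:                                        # form 2: one-character initials
        tokens, table = list(s), INITIALS
    value = 0
    for token in tokens:
        if token not in table:
            raise ValueError(f"unknown TCP flag {token!r} in {spec!r}")
        value |= table[token]
    return value


def describe(value):
    """List the flag names set in a flags byte, highest bit first."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]


def anomalies(value):
    """Name flag combinations that no compliant stack sends (useful when triaging captures)."""
    notes = []
    if value & FLAG_BITS["SYN"] and value & FLAG_BITS["RST"]:
        notes.append("SYN+RST")                  # the case named under --tcp
    if value & FLAG_BITS["SYN"] and value & FLAG_BITS["FIN"]:
        notes.append("SYN+FIN")
    if (value & 0x3F) == 0:
        notes.append("no control flags")         # what --flags NONE produces
    return notes


if __name__ == "__main__":
    for arg in ("syn,ack,rst", "SAR", "0x20", "ALL", "NONE", "S"):
        v = parse_flags(arg)
        print(f"--flags {arg:12} -> 0x{v:02X} {describe(v)} {anomalies(v)}")
```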

UDP MODE
-p port_spec, --dest-port port_spec (Target ports)
This option specifies which ports you want UDP datagrams to be sent
to. It can be a single port, a comma-separated list of ports (e.g.
80,443,8080), a range (e.g. 1-1023), and any combination of those
(e.g. 21-25,80,443,1024-2048). The beginning and/or end values of
a range may be omitted, causing Nping to use 1 and 65535,
respectively. So you can specify -p- to target ports from 1 through
65535. Using port zero is allowed if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)
This option asks Nping to use the specified port as source port for
the transmitted datagrams. Note that this might not work on all
systems or may require root privileges. The specified value must be an
integer in the range [0–65535].

--badsum (Invalid Checksum)
Asks Nping to use an invalid UDP checksum for the packets sent to
target hosts. Since virtually all host IP stacks properly drop
these packets, any responses received are likely coming from a
firewall or an IDS that didn't bother to verify the checksum. For
more details on this technique, see https://nmap.org/p60-12.html.
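
Both --badsum entries (TCP and UDP) rest on the check a receiving stack performs before accepting a segment. The Python below is an added example, not Nping code: it implements that check over the IPv4 pseudo-header, so a sensor or test harness can tell a segment a host would drop from one it would accept. The addresses and ports are constructed, the helper names are assumptions, and the fixed XOR stands in for the random invalid value Nping uses.

```python
import socket
import struct

TCP, UDP = 6, 17
CSUM_OFFSET = {TCP: 16, UDP: 6}      # byte offset of the checksum field


def internet_checksum(data):
    """16-bit one's complement of the one's complement sum of `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src, dst, proto, length):
    """IPv4 pseudo-header that TCP and UDP include in their checksum."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, proto, length))


def l4_checksum_ok(src, dst, proto, segment):
    """True if a receiving IPv4 stack would accept the segment's checksum."""
    stored = struct.unpack_from("!H", segment, CSUM_OFFSET[proto])[0]
    if proto == UDP and stored == 0:
        return True                  # IPv4 UDP: zero means "no checksum computed"
    # With the stored checksum in place, a valid segment sums to zero.
    return internet_checksum(pseudo_header(src, dst, proto, len(segment)) + segment) == 0


def _corrupt(csum):
    """Return a value guaranteed to differ from the correct checksum."""
    bad = csum ^ 0x5555
    return bad or 0x0001             # never emit 0, which UDP treats as "absent"


def build_tcp_syn(src, dst, sport, dport, seq, badsum=False):
    """20-byte TCP SYN header (no options), optionally with a wrong checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1480, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, TCP, len(hdr)) + hdr)
    if badsum:
        csum = _corrupt(csum)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_udp(src, dst, sport, dport, payload, badsum=False):
    """UDP datagram with payload, optionally with a wrong checksum."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = internet_checksum(pseudo_header(src, dst, UDP, len(seg)) + seg) or 0xFFFF
    if badsum:
        csum = _corrupt(csum)
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def reply_origin(probe_checksum_ok, replied):
    """Interpret a reply the way the --badsum text does."""
    if not replied:
        return "no reply"
    if probe_checksum_ok:
        return "end host or intermediate device"
    return "device that did not verify the checksum"


if __name__ == "__main__":
    src, dst = "192.0.2.1", "198.51.100.2"       # constructed documentation addresses
    for bad in (False, True):
        seg = build_tcp_syn(src, dst, 50091, 80, 1077657388, badsum=bad)
        ok = l4_checksum_ok(src, dst, TCP, seg)
        print(f"badsum={bad!s:5} checksum valid={ok!s:5} reply means: {reply_origin(ok, True)}")
```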

ICMP MODE
--icmp-type type (ICMP type)
This option specifies which type of ICMP messages should be
generated. type can be supplied in two different ways. You can use
the official type numbers assigned by IANA[1] (e.g. --icmp-type 8
for ICMP Echo Request), or you can use any of the mnemonics listed
in the section called “ICMP Types”.

--icmp-code code (ICMP code)
This option specifies which ICMP code should be included in the
generated ICMP messages. code can be supplied in two different
ways. You can use the official code numbers assigned by IANA[1]
(e.g. --icmp-code 1 for Fragment Reassembly Time Exceeded), or you
can use any of the mnemonics listed in the section called “ICMP
Codes”.

--icmp-id id (ICMP identifier)
This option specifies the value of the identifier used in some of
the ICMP messages. In general it is used to match request and reply
messages. id must be a number in the range [0–65535].

--icmp-seq seq (ICMP sequence)
This option specifies the value of the sequence number field used
in some ICMP messages. In general it is used to match request and
reply messages. seq must be a number in the range [0–65535].

--icmp-redirect-addr addr (ICMP Redirect address)
This option sets the address field in ICMP Redirect messages. In
other words, it sets the IP address of the router that should be
used when sending IP datagrams to the original destination. addr
can be either an IPv4 address or a hostname.

--icmp-param-pointer pointer (ICMP Parameter Problem pointer)
This option specifies the pointer that indicates the location of
the problem in ICMP Parameter Problem messages. pointer should be
a number in the range [0–255]. Normally this option is only used
when ICMP code is set to 0 ("Pointer indicates the error").

--icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime)
This option specifies the router advertisement lifetime, that is,
the number of seconds the information carried in an ICMP Router
Advertisement can be considered valid for. ttl must be a positive
integer in the range [0–65535].

--icmp-advert-entry addr,pref (ICMP Router Advertisement Entry)
This option adds a Router Advertisement entry to an ICMP Router
Advertisement message. The parameter must be two values separated
by a comma. addr is the router's IP and can be specified either as
an IP address in dot-decimal notation or as a hostname. pref is
the preference level for the specified IP. It must be a number in
the range [0–4294967295]. An example is --icmp-advert-entry
192.168.128.1,3.

--icmp-orig-time timestamp (ICMP Originate Timestamp)
This option sets the Originate Timestamp in ICMP Timestamp
messages. The Originate Timestamp is expressed as the number of
milliseconds since midnight UTC and it corresponds to the time the
sender last touched the Timestamp message before its transmission.
timestamp can be specified as a regular time (e.g. 10s, 3h,
1000ms), or the special string now. You can add or subtract values
from now, for example --icmp-orig-time now-2s, --icmp-orig-time
now+1h, --icmp-orig-time now+200ms.

--icmp-recv-time timestamp (ICMP Receive Timestamp)
This option sets the Receive Timestamp in ICMP Timestamp messages.
The Receive Timestamp is expressed as the number of milliseconds
since midnight UTC and it corresponds to the time the echoer first
touched the Timestamp message on receipt. timestamp is as with
--icmp-orig-time.

--icmp-trans-time timestamp (ICMP Transmit Timestamp)
This option sets the Transmit Timestamp in ICMP Timestamp messages.
The Transmit Timestamp is expressed as the number of milliseconds
since midnight UTC and it corresponds to the time the echoer last
touched the Timestamp message before its transmission. timestamp
is as with --icmp-orig-time.

ICMP Types
These identifiers may be used as mnemonics for the ICMP type numbers
given to the --icmp-type option. In general there are three forms of
each identifier: the full name (e.g. destination-unreachable), the
short name (e.g. dest-unr), or the initials (e.g. du). In ICMP types
that request something, the word "request" is omitted.

echo-reply, echo-rep, er
Echo Reply (type 0). This message is sent in response to an Echo
Request message.

destination-unreachable, dest-unr, du
Destination Unreachable (type 3). This message indicates that a
datagram could not be delivered to its destination.

source-quench, sour-que, sq
Source Quench (type 4). This message is used by a congested IP
device to tell another device that it is sending packets too fast and
that it should slow down.

redirect, redi, r
Redirect (type 5). This message is normally used by routers to
inform a host that there is a better route to use for sending
datagrams. See also the --icmp-redirect-addr option.

echo-request, echo, e
Echo Request (type 8). This message is used to test the
connectivity of another device on a network.

router-advertisement, rout-adv, ra
Router Advertisement (type 9). This message is used by routers to
let hosts know of their existence and capabilities. See also the
--icmp-advert-lifetime option.

router-solicitation, rout-sol, rs
Router Solicitation (type 10). This message is used by hosts to
request Router Advertisement messages from any listening routers.

time-exceeded, time-exc, te
Time Exceeded (type 11). This message is generated by some
intermediate device (normally a router) to indicate that a datagram
has been discarded before reaching its destination because the IP
TTL expired.

650 parameter-problem, member-pro, pp
651 Parameter Problem (type 12). This message is used when a device
652 finds a problem with a parameter in an IP header and it cannot
653 continue processing it. See also the --icmp-param-pointer option.
654
655 timestamp, time, tm
656 Timestamp Request (type 13). This message is used to request a
657 device to send a timestamp value for propagation time calculation
658 and clock synchronization. See also the --icmp-orig-time,
659 --icmp-recv-time, and --icmp-trans-time.
660
661 timestamp-reply, time-rep, tr
662 Timestamp Reply (type 14). This message is sent in response to a
663 Timestamp Request message.
664
665 information, info, i
666 Information Request (type 15). This message is now obsolete but it
667 was originally used to request configuration information from
668 another device.
669
670 information-reply, info-rep, ir
671 Information Reply (type 16). This message is now obsolete but it
672 was originally sent in response to an Information Request message
673 to provide configuration information.
674
675 mask-request, mask, m
676 Address Mask Request (type 17). This message is used to ask a
677 device to send its subnet mask.
678
679 mask-reply, mask-rep, mr
680 Address Mask Reply (type 18). This message contains a subnet mask
681 and is sent in response to an Address Mask Request message.
682
683 traceroute, trace, tc
684 Traceroute (type 30). This message is normally sent by an
685 intermediate device when it receives an IP datagram with a
686 traceroute option. ICMP Traceroute messages are still experimental,
687 see RFC 1393 for more information.
688
689 ICMP Codes
690 These identifiers may be used as mnemonics for the ICMP code numbers
691 given to the --icmp-code option. They are listed by the ICMP type they
692 correspond to.
693
694 Destination Unreachable
695 network-unreachable, netw-unr, net
696 Code 0. Datagram could not be delivered to its destination
697 network (probably due to some routing problem).
698
699 host-unreachable, host-unr, host
700 Code 1. Datagram was delivered to the destination network but
701 it was impossible to reach the specified host (probably due to
702 some routing problem).
703
704 protocol-unreachable, prot-unr, proto
705 Code 2. The protocol specified in the Protocol field of the IP
706 datagram is not supported by the host to which the datagram was
707 delivered.
708
709 port-unreachable, port-unr, port
710 Code 3. The TCP/UDP destination port was invalid.
711
712 needs-fragmentation, need-fra, frag
713 Code 4. Datagram had the DF bit set but it was too large for
714 the MTU of the next physical network so it had to be dropped.
715
716 source-route-failed, sour-rou, routefail
717 Code 5. IP datagram had a Source Route option but a router
718 couldn't pass it to the next hop.
719
720 network-unknown, netw-unk, net?
721 Code 6. Destination network is unknown. This code is never
722 used. Instead, Network Unreachable is used.
723
724 host-unknown, host-unk, host?
725 Code 7. Specified host is unknown. Usually generated by a
726 router local to the destination host to inform of a bad
727 address.
728
729 host-isolated, host-iso, isolated
730 Code 8. Source Host Isolated. Not used.
731
732 network-prohibited, netw-pro, !net
733 Code 9. Communication with destination network is
734 administratively prohibited (source device is not allowed to
735 send packets to the destination network).
736
737 host-prohibited, host-pro, !host
738 Code 10. Communication with destination host is
739 administratively prohibited. (The source device is allowed to
740 send packets to the destination network but not to the
741 destination device.)
742
743 network-tos, unreachable-network-tos, netw-tos, tosnet
744 Code 11. Destination network unreachable because it cannot
745 provide the type of service specified in the IP TOS field.
746
747 host-tos, unreachable-host-tos, toshost
748 Code 12. Destination host unreachable because it cannot provide
749 the type of service specified in the IP TOS field.
750
751 communication-prohibited, comm-pro, !comm
752 Code 13. Datagram could not be forwarded due to filtering that
753 blocks the message based on its contents.
754
755 host-precedence-violation, precedence-violation, prec-vio,
756 violation
757 Code 14. Precedence value in the IP TOS field is not permitted.
758
759 precedence-cutoff, prec-cut, cutoff
760 Code 15. Precedence value in the IP TOS field is lower than the
761 minimum allowed for the network.
762
763 Redirect
764 redirect-network, redi-net, net
765 Code 0. Redirect all future datagrams with the same destination
766 network as the original datagram, to the router specified in
767 the Address field. The use of this code is prohibited by RFC
768 1812.
769
770 redirect-host, redi-host, host
771 Code 1. Redirect all future datagrams with the same destination
772 host as the original datagram, to the router specified in the
773 Address field.
774
775 redirect-network-tos, redi-ntos, redir-ntos
776 Code 2. Redirect all future datagrams with the same destination
777 network and IP TOS value as the original datagram, to the
778 router specified in the Address field. The use of this code is
779 prohibited by RFC 1812.
780
781 redirect-host-tos, redi-htos, redir-htos
782 Code 3. Redirect all future datagrams with the same destination
783 host and IP TOS value as the original datagram, to the router
784 specified in the Address field.
785
786 Router Advertisement
787 normal-advertisement, norm-adv, normal, zero, default, def
788 Code 0. Normal router advertisement. In Mobile IP: Mobility
789 agent can act as a router for IP datagrams not related to
790 mobile nodes.
791
792 not-route-common-traffic, not-rou, mobile-ip, !route,
793 !commontraffic
794 Code 16. Used for Mobile IP. The mobility agent does not route
795 common traffic. All foreign agents must forward to a default
796 router any datagrams received from a registered mobile node.
797
798 Time Exceeded
799 ttl-exceeded-in-transit, ttl-exc, ttl-transit
800 Code 0. IP Time To Live expired during transit.
801
802 fragment-reassembly-time-exceeded, frag-exc, frag-time
803 Code 1. Fragment reassembly time has been exceeded.
804
805 Parameter Problem
806 pointer-indicates-error, poin-ind, pointer
807 Code 0. The pointer field indicates the location of the
808 problem. See the --icmp-param-pointer option.
809
810 missing-required-option, miss-option, option-missing
811 Code 1. IP datagram was expected to have an option that is not
812 present.
813
814 bad-length, bad-len, badlen
815 Code 2. The length of the IP datagram is incorrect.
816
818 --arp-type type (ARP Type)
819 This option specifies which type of ARP messages should be
820 generated. type can be supplied in two different ways. You can use
821 the official numbers assigned by IANA[2] (e.g. --arp-type 1 for
822 ARP Request), or you can use one of the mnemonics from the section
823 called “ARP Types”.
824
825 --arp-sender-mac mac (Sender MAC address)
826 This option sets the Sender Hardware Address field of the ARP
827 header. Although ARP supports many types of link layer addresses,
828 currently Nping only supports MAC addresses. mac must be specified
829 using the traditional MAC notation (e.g. 00:0a:8a:32:f4:ae). You
830 can also use hyphens as separators (e.g. 00-0a-8a-32-f4-ae).
831
832 --arp-sender-ip addr (Sender IP address)
833 This option sets the Sender IP field of the ARP header. addr can
834 be given as an IPv4 address or a hostname.
835
836 --arp-target-mac mac (target MAC address)
837 This option sets the Target Hardware Address field of the ARP
838 header.
839
840 --arp-target-ip addr (target ip address)
841 This option sets the Target IP field of the ARP header.
842
843 ARP Types
844 These identifiers may be used as mnemonics for the ARP type numbers
845 given to the --arp-type option.
846
847 arp-request, arp, a
848 ARP Request (type 1). ARP requests are used to translate network
849 layer addresses (normally IP addresses) to link layer addresses
850 (usually MAC addresses). Basically, an ARP request is a
851 broadcasted message that asks the host in the same network segment
852 that has a given IP address to provide its MAC address.
853
854 arp-reply, arp-rep, ar
855 ARP Reply (type 2). An ARP reply is a message that a host sends in
856 response to an ARP request to provide its link layer address.
857
858 rarp-request, rarp, r
859 RARP Requests (type 3). RARP requests are used to translate a link
860 layer address (normally a MAC address) to a network layer address
861 (usually an IP address). Basically a RARP request is a broadcasted
862 message sent by a host that wants to know its own IP address
863 because it doesn't have any. It was the first protocol designed to
864 solve the bootstrapping problem. However, RARP is now obsolete and
865 DHCP is used instead. For more information about RARP see RFC 903.
866
867 rarp-reply, rarp-rep, rr
868 RARP Reply (type 4). A RARP reply is a message sent in response to
869 a RARP request to provide an IP address to the host that sent the
870 RARP request in the first place.
871
872 drarp-request, drarp, d
873 Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP
874 used to obtain or assign a network layer address from a fixed link
875 layer address. DRARP was used mainly in Sun Microsystems platforms
876 in the late 90's but now it's no longer used. See RFC 1931 for more
877 information.
878
879 drarp-reply, drarp-rep, dr
880 Dynamic RARP Reply (type 6). A DRARP reply is a message sent in
881 response to a RARP request to provide a network layer address.
882
883 drarp-error, drarp-err, de
884 DRARP Error (type 7). DRARP Error messages are usually sent in
885 response to DRARP requests to inform of some error. In DRARP Error
886 messages, the Target Protocol Address field is used to carry an
887 error code (usually in the first byte). The error code is intended
888 to tell why no target protocol address is being returned. For more
889 information see RFC 1931.
890
891 inarp-request, inarp, i
892 Inverse ARP Request (type 8). InARP requests are used to translate
893 a link layer address to a network layer address. It is similar to
894 RARP request but in this case, the sender of the InARP request
895 wants to know the network layer address of another node, not its
896 own address. InARP is mainly used in Frame Relay and ATM networks.
897 For more information see RFC 2390.
898
899 inarp-reply, inarp-rep, ir
900 Inverse ARP Reply (type 9). InARP reply messages are sent in
901 response to InARP requests to provide the network layer address
902 associated with the host that has a given link layer address.
903
904 arp-nak, an
905 ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP
906 protocol and they are used to improve the robustness of the ATMARP
907 server mechanism. With ARP NAK, a client can determine the
908 difference between a catastrophic server failure and an ATMARP
909 table lookup failure. See RFC 1577 for more information.
910
912 -S addr, --source-ip addr (Source IP Address)
913 Sets the source IP address. This option lets you specify a custom
914 IP address to be used as source IP address in sent packets. This
915 allows spoofing the sender of the packets. addr can be an IPv4
916 address or a hostname.
917
918 --dest-ip addr (Destination IP Address)
919 Adds a target to Nping's target list. This option is provided for
920 consistency but its use is deprecated in favor of plain target
921 specifications. See the section called “TARGET SPECIFICATION”.
922
923 --tos tos (Type of Service)
924 Sets the IP TOS field. The TOS field is used to carry information
925 to provide quality of service features. It is normally used to
926 support a technique called Differentiated Services. See RFC 2474
927 for more information. tos must be a number in the range [0–255].
928
929 --id id (Identification)
930 Sets the IPv4 Identification field. The Identification field is a
931 16-bit value that is common to all fragments belonging to a
932 particular message. The value is used by the receiver to reassemble
933 the original message from the fragments received. id must be a
934 number in the range [0–65535].
935
936 --df (Don't Fragment)
937 Sets the Don't Fragment bit in sent packets. When an IP datagram
938 has its DF flag set, intermediate devices are not allowed to
939 fragment it, so if it needs to travel across a network with an MTU
940 smaller than the datagram length, the datagram will have to be dropped.
941 Normally an ICMP Destination Unreachable message is generated and
942 sent back to the sender.
943
944 --mf (More Fragments)
945 Sets the More Fragments bit in sent packets. The MF flag is set to
946 indicate to the receiver that the current datagram is a fragment of
947 some larger datagram. When set to zero it indicates that the
948 current datagram is either the last fragment in the set or that it
949 is the only fragment.
950
951 --evil (Reserved / Evil)
952 Sets the Reserved / Evil bit in sent packets. The Evil flag helps
953 firewalls and other network security systems to distinguish between
954 datagrams that have malicious intent and those that are merely
955 unusual. When set, it indicates that the datagram has evil intent,
956 instructing insecure systems to succumb. Setting it to zero
957 indicates no evil intent. The option is implied if environmental
958 variable SCRIPT_KIDDIE is set to a non-zero value.
959
960 --ttl hops (Time To Live)
961 Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given
962 value. The TTL field specifies how long the datagram is allowed to
963 exist on the network. It was originally intended to represent a
964 number of seconds but it actually represents the number of hops a
965 packet can traverse before being dropped. The TTL tries to avoid a
966 situation in which undeliverable datagrams keep being forwarded
967 from one router to another endlessly. hops must be a number in the
968 range [0–255].
969
970 --badsum-ip (Invalid IP checksum)
971 Asks Nping to use an invalid IP checksum for packets sent to target
972 hosts. Note that some systems (like most Linux kernels) may fix
973 the checksum before placing the packet on the wire, so even if
974 Nping shows the incorrect checksum in its output, the packets may
975 be transparently corrected by the kernel.
976
977 --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP
978 Options)
979 The IP protocol offers several options which may be placed in
980 packet headers. Unlike the ubiquitous TCP options, IP options are
981 rarely seen due to practicality and security concerns. In fact,
982 many Internet routers block the most dangerous options such as
983 source routing. Yet options can still be useful in some cases for
984 determining and manipulating the network route to target machines.
985 For example, you may be able to use the record route option to
986 determine a path to a target even when more traditional
987 traceroute-style approaches fail. Or if your packets are being
988 dropped by a certain firewall, you may be able to specify a
989 different route with the strict or loose source routing options.
990
991 The most powerful way to specify IP options is to simply pass in
992 hexadecimal data as the argument to --ip-options. Precede each hex
993 byte value with \x. You may repeat certain characters by following
994 them with an asterisk and then the number of times you wish them to
995 repeat. For example, \x01\x07\x04\x00*4 is the same as
996 \x01\x07\x04\x00\x00\x00\x00.
997
998 Note that if you specify a number of bytes that is not a multiple
999 of four, an incorrect IP header length will be set in the IP
1000 packet. The reason for this is that the IP header length field can
1001 only express multiples of four. In those cases, the length is
1002 computed by dividing the header length by 4 and rounding down. This
1003 will affect the way the header that follows the IP header is
1004 interpreted, showing bogus information in Nping or in the output of
1005 any sniffer. Although this kind of situation might be useful for
1006 some stack stress tests, users would normally want to specify
1007 explicit padding, so the correct header length is set.
1008
1009 Nping also offers a shortcut mechanism for specifying options.
1010 Simply pass the letter R, T, or U to request record-route,
1011 record-timestamp, or both options together, respectively. Loose or
1012 strict source routing may be specified with an L or S followed by a
1013 space and then a space-separated list of IP addresses.
1014
1015 For more information and examples of using IP options with Nping,
1016 see the mailing list post at
1017 https://seclists.org/nmap-dev/2006/q3/0052.html.
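The hex form of --ip-options and its header-length pitfall, worked through as an added Python example (not Nping's own parser). It models only the \xHH and \xHH*N syntax described above; the function names and the choice of zero bytes (End of Option List) as padding are assumptions of this example.

```python
import re

# One "\xHH" byte, optionally followed by "*N" (that byte N times in total).
_TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})(?:\*(\d+))?")

IPV4_BASE_HEADER = 20  # bytes in an IPv4 header without options
IPV4_MAX_OPTIONS = 40  # the 4-bit IHL field tops out at 15 words = 60 bytes


def expand_ip_options(spec: str) -> bytes:
    """Expand the hex form of an --ip-options argument into raw option bytes."""
    out = bytearray()
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {spec[pos:pos + 8]!r}")
        repeat = int(m.group(2)) if m.group(2) is not None else 1
        out += bytes([int(m.group(1), 16)]) * repeat
        pos = m.end()
    if len(out) > IPV4_MAX_OPTIONS:
        raise ValueError(f"{len(out)} option bytes exceed the IPv4 limit of {IPV4_MAX_OPTIONS}")
    return bytes(out)


def header_length_report(options: bytes) -> dict:
    """Show what the IHL field can express for a header carrying these options."""
    header_bytes = IPV4_BASE_HEADER + len(options)
    ihl_words = header_bytes // 4  # rounded down, as the text describes
    covered = ihl_words * 4
    return {
        "option_bytes": len(options),
        "header_bytes": header_bytes,
        "ihl_words": ihl_words,
        # Trailing option bytes a receiver will read as the start of the next header.
        "spill_bytes": header_bytes - covered,
        "padding_needed": (-len(options)) % 4,
    }


def pad_to_word(options: bytes) -> bytes:
    """Append explicit zero padding so the option area is a multiple of four bytes."""
    return options + b"\x00" * ((-len(options)) % 4)


if __name__ == "__main__":
    spec = r"\x01\x07\x04\x00*4"  # the example string from the text above
    raw = expand_ip_options(spec)
    print(raw.hex(" "), header_length_report(raw))
    padded = pad_to_word(raw)
    print(padded.hex(" "), header_length_report(padded))
```

For the seven-byte example string the report shows an IHL of 6 words covering 24 of the 27 header bytes, so three option bytes would be parsed as part of the following header; one byte of padding brings the IHL to 7 with nothing left over.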
1018
1019 --mtu size (Maximum Transmission Unit)
1020 This option sets a fictional MTU in Nping so IP datagrams larger
1021 than size are fragmented before transmission. size must be
1022 specified in bytes and corresponds to the number of octets that can
1023 be carried on a single link-layer frame.
1024
1026 -6, --ipv6 (Use IPv6)
1027 Tells Nping to use IP version 6 instead of the default IPv4. It is
1028 generally a good idea to specify this option as early as possible
1029 in the command line so Nping can parse it soon and know in advance
1030 that the rest of the parameters refer to IPv6. The command syntax
1031 is the same as usual except that you also add the -6 option. Of
1032 course, you must use IPv6 syntax if you specify an address rather
1033 than a hostname. An address might look like
1034 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
1035 recommended.
1036
1037 While IPv6 hasn't exactly taken the world by storm, it gets
1038 significant use in some (usually Asian) countries and most modern
1039 operating systems support it. To use Nping with IPv6, both the
1040 source and target of your packets must be configured for IPv6. If
1041 your ISP (like most of them) does not allocate IPv6 addresses to
1042 you, free tunnel brokers are widely available and work fine with
1043 Nping. You can use the free IPv6 tunnel broker service at
1044 http://www.tunnelbroker.net.
1045
1046 Please note that IPv6 support is still highly experimental and many
1047 modes and options may not work with it.
1048
1049 -S addr, --source-ip addr (Source IP Address)
1050 Sets the source IP address. This option lets you specify a custom
1051 IP address to be used as source IP address in sent packets. This
1052 allows spoofing the sender of the packets. addr can be an IPv6
1053 address or a hostname.
1054
1055 --dest-ip addr (Destination IP Address)
1056 Adds a target to Nping's target list. This option is provided for
1057 consistency but its use is deprecated in favor of plain target
1058 specifications. See the section called “TARGET SPECIFICATION”.
1059
1060 --flow label (Flow Label)
1061 Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and
1062 is intended to provide certain quality-of-service properties for
1063 real-time datagram delivery. However, it has not been widely
1064 adopted, and not all routers or endpoints support it. Check RFC
1065 2460 for more information. label must be an integer in the range
1066 [0–1048575].
1067
1068 --traffic-class class (Traffic Class)
1069 Sets the IPv6 Traffic Class. This field is similar to the TOS field
1070 in IPv4, and is intended to provide the Differentiated Services
1071 method, enabling scalable service discrimination in the Internet
1072 without the need for per-flow state and signaling at every hop.
1073 Check RFC 2474 for more information. class must be an integer in
1074 the range [0–255].
1075
1076 --hop-limit hops (Hop Limit)
1077
1078 Sets the IPv6 Hop Limit field in sent packets to the given value.
1079 The Hop Limit field specifies how long the datagram is allowed to
1080 exist on the network. It represents the number of hops a packet can
1081 traverse before being dropped. As with the TTL in IPv4, IPv6 Hop
1082 Limit tries to avoid a situation in which undeliverable datagrams
1083 keep being forwarded from one router to another endlessly. hops
1084 must be a number in the range [0–255].
1085
1087 In most cases Nping sends packets at the raw IP level. This means that
1088 Nping creates its own IP packets and transmits them through a raw
1089 socket. However, in some cases it may be necessary to send packets at
1090 the raw Ethernet level. This happens, for example, when Nping is run
1091 under Windows (as Microsoft has disabled raw socket support since
1092 Windows XP SP2), or when Nping is asked to send ARP packets. Since in
1093 some cases it is necessary to construct ethernet frames, Nping offers
1094 some options to manipulate the different fields.
1095
1096 --dest-mac mac (Ethernet Destination MAC Address)
1097 This option sets the destination MAC address that should be set in
1098 outgoing Ethernet frames. This is useful in case Nping can't
1099 determine the next hop's MAC address or when you want to route
1100 probes through a router other than the configured default gateway.
1101 The MAC address should have the usual format of six colon-separated
1102 bytes, e.g. 00:50:56:d4:01:98. Alternatively, hyphens may be used
1103 instead of colons. Use the word random or rand to generate a random
1104 address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you
1105 set up a bogus destination MAC address your probes may not reach
1106 the intended targets.
1107
1108 --source-mac mac (Ethernet Source MAC Address)
1109 This option sets the source MAC address that should be set in
1110 outgoing Ethernet frames. This is useful in case Nping can't
1111 determine your network interface MAC address or when you want to
1112 inject traffic into the network while hiding your network card's
1113 real address. The syntax is the same as for --dest-mac. If you set
1114 up a bogus source MAC address you may not receive probe replies.
1115
1116 --ether-type type (Ethertype)
1117 This option sets the Ethertype field of the ethernet frame. The
1118 Ethertype is used to indicate which protocol is encapsulated in the
1119 payload. type can be supplied in two different ways. You can use
1120 the official numbers listed by the IEEE[3] (e.g. --ether-type
1121 0x0800 for IP version 4), or one of the mnemonics from the section
1122 called “Ethernet Types”.
1123
1124 Ethernet Types
1125 These identifiers may be used as mnemonics for the Ethertype numbers
1126 given to the --ether-type option.
1127
1128 ipv4, ip, 4
1129 Internet Protocol version 4 (type 0x0800).
1130
1131 ipv6, 6
1132 Internet Protocol version 6 (type 0x86DD).
1133
1134 arp
1135 Address Resolution Protocol (type 0x0806).
1136
1137 rarp
1138 Reverse Address Resolution Protocol (type 0x8035).
1139
1140 frame-relay, frelay, fr
1141 Frame Relay (type 0x0808).
1142
1143 ppp
1144 Point-to-Point Protocol (type 0x880B).
1145
1146 gsmp
1147 General Switch Management Protocol (type 0x880C).
1148
1149 mpls
1150 Multiprotocol Label Switching (type 0x8847).
1151
1152 mps-ual, mps
1153 Multiprotocol Label Switching with Upstream-assigned Label (type
1154 0x8848).
1155
1156 mcap
1157 Multicast Channel Allocation Protocol (type 0x8861).
1158
1159 pppoe-discovery, pppoe-d
1160 PPP over Ethernet Discovery Stage (type 0x8863).
1161
1162 pppoe-session, pppoe-s
1163 PPP over Ethernet Session Stage (type 0x8864).
1164
1165 ctag
1166 Customer VLAN Tag Type (type 0x8100).
1167
1168 epon
1169 Ethernet Passive Optical Network (type 0x8808).
1170
1171 pbnac
1172 Port-based network access control (type 0x888E).
1173
1174 stag
1175 Service VLAN tag identifier (type 0x88A8).
1176
1177 ethexp1
1178 Local Experimental Ethertype 1 (type 0x88B5).
1179
1180 ethexp2
1181 Local Experimental Ethertype 2 (type 0x88B6).
1182
1183 ethoui
1184 OUI Extended Ethertype (type 0x88B7).
1185
1186 preauth
1187 Pre-Authentication (type 0x88C7).
1188
1189 lldp
1190 Link Layer Discovery Protocol (type 0x88CC).
1191
1192 mac-security, mac-sec, macsec
1193 Media Access Control Security (type 0x88E5).
1194
1195 mvrp
1196 Multiple VLAN Registration Protocol (type 0x88F5).
1197
1198 mmrp
1199 Multiple Multicast Registration Protocol (type 0x88F6).
1200
1201 frrr
1202 Fast Roaming Remote Request (type 0x890D).
1203
1205 --data hex string (Append custom binary data to sent packets)
1206 This option lets you include binary data as payload in sent
1207 packets. hex string may be specified in any of the following
1208 formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF... or
1209 \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef
1210 and --data \xCA\xFE\x09. Note that if you specify a number like
1211 0x00ff no byte-order conversion is performed. Make sure you specify
1212 the information in the byte order expected by the receiver.
1213
1214 --data-string string (Append custom string to sent packets)
1215 This option lets you include a regular string as payload in sent
1216 packets. string can contain any string. However, note that some
1217 characters may depend on your system's locale and the receiver may
1218 not see the same information. Also, make sure you enclose the
1219 string in double quotes and escape any special characters from the
1220 shell. Example: --data-string "Jimmy Jazz...".
1221
1222 --data-length len (Append random data to sent packets)
1223 This option lets you include len random bytes of data as payload in
1224 sent packets. len must be an integer in the range [0–65400].
1225 However, values higher than 1400 are not recommended because it may
1226 not be possible to transmit packets due to network MTU limitations.
1227
1229 The "Echo Mode" is a novel technique implemented by Nping which lets
1230 users see how network packets change in transit, from the host where
1231 they originated to the target machine. Basically, the Echo mode turns
1232 Nping into two different pieces: the Echo server and the Echo client.
1233 The Echo server is a network service that has the ability to capture
1234 packets from the network and send a copy ("echo them") to the
1235 originating client through a side TCP channel. The Echo client is the
1236 part that generates such network packets, transmits them to the server,
1237 and receives their echoed version through a side TCP channel that it
1238 has previously established with the Echo server.
1239
1240 This scheme lets the client see the differences between the packets
1241 that it sends and what is actually received by the server. By having
1242 the server send back copies of the received packets through the side
1243 channel, things like NAT devices become immediately apparent to the
1244 client because it notices the changes in the source IP address (and
1245 maybe even source port). Other devices like those that perform traffic
1246 shaping, changing TCP window sizes or adding TCP options transparently
1247 between hosts, turn up too.
1248
1249 The Echo mode is also useful for troubleshooting routing and firewall
1250 issues. Among other things, it can be used to determine if the traffic
1251 generated by the Nping client is being dropped in transit and never
1252 gets to its destination or if the responses are the ones that don't get
1253 back to it.
1254
1255 Internally, client and server communicate over an encrypted and
1256 authenticated channel, using the Nping Echo Protocol (NEP), whose
1257 technical specification can be found in
1258 https://nmap.org/svn/nping/docs/EchoProtoRFC.txt
1259
1260 The following paragraphs describe the different options available in
1261 Nping's Echo mode.
1262
1263 --ec passphrase, --echo-client passphrase (Run Echo client)
1264 This option tells Nping to run as an Echo client. passphrase is a
1265 sequence of ASCII characters that is used to generate the
1266 cryptographic keys needed for encryption and authentication in a
1267 given session. The passphrase should be a secret that is also known
1268 by the server, and it may contain any number of printable ASCII
1269 characters. Passphrases that contain whitespace or special
1270 characters must be enclosed in double quotes.
1271
1272 When running Nping as an Echo client, most options from the regular
1273 raw probe modes apply. The client may be configured to send
1274 specific probes using flags like --tcp, --icmp or --udp. Protocol
1275 header fields may be manipulated normally using the appropriate
1276 options (e.g. --ttl, --seq, --icmp-type, etc.). The only
1277 exceptions are ARP-related flags, which are not supported in Echo
1278 mode, as protocols like ARP are closely related to the data link
1279 layer and its probes can't pass through different network segments.
1280
1281 --es passphrase, --echo-server passphrase (Run Echo server)
1282 This option tells Nping to run as an Echo server. passphrase is a
1283 sequence of ASCII characters that is used to generate the
1284 cryptographic keys needed for encryption and authentication in a
1285 given session. The passphrase should be a secret that is also known
1286 by the clients, and it may contain any number of printable ASCII
1287 characters. Passphrases that contain whitespace or special
1288 characters must be enclosed in double quotes. Note that although it
1289 is not recommended, it is possible to use empty passphrases,
1290 supplying --echo-server "". However, if what you want is to set up
1291 an open Echo server, it is better to use option --no-crypto. See
1292 below for details.
1293
1294 --ep port, --echo-port port (Set Echo TCP port number)
1295 This option asks Nping to use the specified TCP port number for the
1296 Echo side channel connection. If this option is used with
1297 --echo-server, it specifies the port on which the server listens
1298 for connections. If it is used with --echo-client, it specifies the
1299 port to connect to on the remote host. By default, port number 9929
1300 is used.
1301
1302 --nc, --no-crypto (Disable encryption and authentication)
1303 This option asks Nping not to use any cryptographic operations
1304 during an Echo session. In practical terms, this means that the
1305 Echo side channel session data will be transmitted in the clear,
1306 and no authentication will be performed by the server or client
1307 during the session establishment phase. When --no-crypto is used,
1308 the passphrase supplied with --echo-server or --echo-client is
1309 ignored.
1310
1311 This option must be specified if Nping was compiled without OpenSSL
1312 support. Note that, for technical reasons, a passphrase still needs
1313 to be supplied after the --echo-client or --echo-server flags, even
1314 though it will be ignored.
1315
1316 The --no-crypto flag might be useful when setting up a public Echo
1317 server, because it allows users to connect to the Echo server
1318 without the need for any passphrase or shared secret. However, it
1319 is strongly recommended to not use --no-crypto unless absolutely
1320 necessary. Public Echo servers should be configured to use the
1321 passphrase "public" or the empty passphrase (--echo-server "") as
1322 the use of cryptography does not only provide confidentiality and
1323 authentication but also message integrity.
1324
1325 --once (Serve one client and quit)
1326 This option asks the Echo server to quit after serving one client.
1327 This is useful when only a single Echo session needs to be
1328 established as it eliminates the need to access the remote host to
1329 shut down the server.
1330
1331 --safe-payloads (Zero application data before echoing a packet)
1332 This option asks the Echo server to erase any application layer
1333 data found in client packets before echoing them. When the option
1334 is enabled, the Echo server parses the packets received from Echo
1335 clients and tries to determine if they contain data beyond the
1336 transport layer. If such data is found, it is overwritten with
1337 zeroes before transmitting the packets to the appropriate Echo
1338 client.
1339
1340 Echo servers can handle multiple simultaneous clients running
1341 multiple echo sessions in parallel. In order to determine which
1342 packet needs to be echoed to which client and through which
1343 session, the Echo server uses a heuristic algorithm. Although we
1344 have taken every security measure that we could think of to prevent
1345 a client from receiving an echoed packet that it did not generate,
1346 there is always a risk that our algorithm makes a mistake and
1347 delivers a packet to the wrong client. The --safe-payloads option
1348 is useful for public echo servers or critical deployments where
1349 that kind of mistake cannot be afforded.
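
The zeroing step described for --safe-payloads, as an added Python sketch that is not Nping's own code: it covers TCP and UDP over IPv4 only, and the function name and the constructed sample packet are assumptions made for illustration.

```python
# Constructed sample: IPv4/UDP 10.1.20.128:53 > 178.79.165.17:40125 carrying 8 data bytes.
SAMPLE_UDP = bytes.fromhex("450000247f0b000040110000" "0a011480" "b24fa511"
                           "00359cbd00100000") + b"password"

def zero_app_data(packet: bytes) -> bytes:
    """Return a copy of an IPv4 packet with bytes past the TCP/UDP header zeroed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return packet                          # not IPv4: out of scope for this sketch
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    end = min(int.from_bytes(packet[2:4], "big"), len(packet))
    if ihl < 20 or ihl >= end:
        return packet                          # malformed header or nothing after it
    if int.from_bytes(packet[6:8], "big") & 0x1FFF:
        start = ihl                            # later fragment: no transport header, all data
    elif packet[9] == 17:                      # UDP: fixed 8-byte header
        start = ihl + 8
    elif packet[9] == 6:                       # TCP: header length comes from the data offset
        if end < ihl + 20:
            return packet                      # truncated header, so no application data
        start = ihl + max(20, (packet[ihl + 12] >> 4) * 4)
    else:
        return packet                          # other protocols are left as-is here
    if start >= end:
        return packet                          # headers only, e.g. a bare SYN
    # Bytes past the IP total length (link-layer padding) are kept unchanged.
    return packet[:start] + bytes(end - start) + packet[end:]

if __name__ == "__main__":
    print(zero_app_data(SAMPLE_UDP).hex())
```

The sketch does not recompute checksums, so the result is suitable for display or comparison rather than retransmission.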
1350
1351 The following examples illustrate how Nping's Echo mode can be used to
1352 discover intermediate devices.
1353
1354 Example 2. Discovering NAT devices
1355
1356 # nping --echo-client "public" echo.nmap.org --udp
1357
1358 Starting Nping ( https://nmap.org/nping )
1359 SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1360 CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1361 RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
1362 [...]
1363 SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1364 CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1365 RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56
1366
1367 Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
1368 Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
1369 Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
1370 Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
1371 Nping done: 1 IP address pinged in 6.18 seconds
1372
1373
1374 The output clearly shows the presence of a NAT device in the client's
1375 local network. Note how the captured packet (CAPT) differs from the
1376 SENT packet: the source address for the original packets is in the
1377 reserved 10.0.0.0/8 range, while the address seen by the server is
1378 80.38.10.21, the Internet side address of the NAT device. The source
1379 port was also modified by the device. The line starting with RCVD
1380 corresponds to the responses generated by the TCP/IP stack of the
1381 machine where the Echo server is run.
1382
1383 Example 3. Discovering a transparent proxy
1384
1385 # nping --echo-client "public" echo.nmap.org --tcp -p80
1386
1387 Starting Nping ( https://nmap.org/nping )
1388 SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1389 RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44 seq=3647106954 win=16384 <mss 1460>
1390 SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1391 SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1392 SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1393 SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
1394
1395 Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
1396 Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
1397 Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
1398 Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
1399 Nping done: 1 IP address pinged in 6.39 seconds
1400
1401
1402 In this example, the output is a bit more tricky. The absence of error
1403 messages shows that the Echo client has successfully established an
1404 Echo session with the server. However, no CAPT packets can be seen in
1405 the output. This means that none of the transmitted packets reached the
1406 server. Interestingly, a TCP SYN-ACK packet was received in response to
1407 the first TCP-SYN packet (and also, it is known that the target host
1408 does not have port 80 open). This behavior reveals the presence of a
1409 transparent web proxy cache server (which in this case is an old MS ISA
1410 server).
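
The comparisons made by eye in Examples 2 and 3 can be automated. The following Python is an added example, not part of Nping: it parses the packet lines shown above, pairs each CAPT line with a SENT line by IP id (an assumption that holds in Example 2), and flags the two patterns discussed; the function names and finding labels are hypothetical.

```python
import re

PKT = re.compile(r"^(SENT|CAPT|RCVD) \(([\d.]+)s\) (\w+) (\S+) > (\S+)(.*)$")

# Packet lines copied from Examples 2 and 3 above.
EXAMPLE_2 = """
SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
"""
EXAMPLE_3 = """
SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44 seq=3647106954 win=16384 <mss 1460>
SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
"""

def parse(output):
    """Turn Nping packet lines into dicts; banner and statistics lines are skipped."""
    packets = []
    for line in output.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        kind, _, proto, src, dst, rest = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        words = rest.split()
        packets.append({"kind": kind, "proto": proto, "src": src, "dst": dst,
                        "flags": words[0] if proto == "TCP" and words else "",
                        "ttl": int(fields.get("ttl", 0)), "id": fields.get("id")})
    return packets

def analyze(output):
    """Return sorted (finding, detail) pairs for what happened to the probes in transit."""
    pkts = parse(output)
    sent = [p for p in pkts if p["kind"] == "SENT"]
    capt = [p for p in pkts if p["kind"] == "CAPT"]
    by_id = {p["id"]: p for p in sent}
    findings = set()
    for c in capt:
        s = by_id.get(c["id"])             # assumption: the IP id is unchanged in transit
        if s is None:
            continue
        if s["src"] != c["src"]:           # address or port rewritten, as a NAT device does
            findings.add(("source-rewritten", f"{s['src']} -> {c['src']}"))
        if c["ttl"] < s["ttl"]:            # one decrement per router traversed
            findings.add(("ttl-decrement", str(s["ttl"] - c["ttl"])))
    if sent and not capt:                  # session is up, yet no probe reached the server
        synack = any(p["kind"] == "RCVD" and p["flags"] == "SA" for p in pkts)
        label = "answered-before-server" if synack else "never-captured"
        findings.add((label, f"{len(sent)} probes sent, 0 captured"))
    return sorted(findings)
```

A result of "answered-before-server" corresponds to the Example 3 situation, where something on the path replied to the SYN on the server's behalf.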
1411
1413 --delay time (Delay between probes)
1414 This option lets you control how long Nping waits before
1415 sending the next probe. As in many other ping tools, the default
1416 delay is one second. time must be a positive integer or floating
1417 point number. By default it is specified in seconds, however you
1418 can give an explicit unit by appending ms for milliseconds, s for
1419 seconds, m for minutes, or h for hours (e.g. 2.5s, 45m, 2h).
1420
1421 --rate rate (Send probes at a given rate)
1422 This option specifies the number of probes that Nping should send
1423 per second. This option and --delay are inverses; --rate 20 is the
1424 same as --delay 0.05. If both options are used, only the last one
1425 in the parameter list counts.
1426
1428 -h, --help (Display help)
1429 Displays help information and exits.
1430
1431 -V, --version (Display version)
1432 Displays the program's version number and quits.
1433
1434 -c rounds, --count rounds (Stop after a given number of rounds)
1435 This option lets you specify the number of times that Nping should
1436 loop over target hosts (and in some cases target ports). Nping
1437 calls these “rounds”. In a basic execution with only one target
1438 (and only one target port in TCP/UDP modes), the number of rounds
1439 matches the number of probes sent to the target host. However, in
1440 more complex executions where Nping is run against multiple targets
1441 and multiple ports, the number of rounds is the number of times
1442 that Nping sends a complete set of probes that covers all target
1443 IPs and all target ports. For example, if Nping is asked to send
1444 TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then
1445 256 × 2 = 512 packets are sent in one round. So if you specify -c
1446 100, Nping will loop over the different target hosts and ports 100
1447 times, sending a total of 256 × 2 × 100 = 51200 packets. By default
1448 Nping runs for 5 rounds. If a value of 0 is specified, Nping will
1449 run continuously.
1450
1451 -e name, --interface name (Set the network interface to be used)
1452 This option tells Nping what interface should be used to send and
1453 receive packets. Nping should be able to detect this automatically,
1454 but it will tell you if it cannot. name must be the name of an
1455 existing network interface with an assigned IP address.
1456
1457 --privileged (Assume that the user is fully privileged)
1458 Tells Nping to simply assume that it is privileged enough to
1459 perform raw socket sends, packet sniffing, and similar operations
1460 that usually require special privileges. By default Nping quits if
1461 such operations are requested by a user that has no root or
1462 administrator privileges. This option may be useful on Linux, BSD
1463 or similar systems that can be configured to allow unprivileged
1464 users to perform raw-packet transmissions. The NPING_PRIVILEGED
1465 environment variable may be set as an alternative to using
1466 --privileged.
1467
1468 --unprivileged (Assume that the user lacks raw socket privileges)
1469 This option is the opposite of --privileged. It tells Nping to
1470 treat the user as lacking network raw socket and sniffing
1471 privileges. This is useful for testing, debugging, or when the raw
1472 network functionality of your operating system is somehow broken.
1473 The NPING_UNPRIVILEGED environment variable may be set as an
1474 alternative to using --unprivileged.
1475
1476 --send-eth (Use raw ethernet sending)
1477 Asks Nping to send packets at the raw ethernet (data link) layer
1478 rather than the higher IP (network) layer. By default, Nping
1479 chooses the one which is generally best for the platform it is
1480 running on. Raw sockets (IP layer) are generally most efficient for
1481 Unix machines, while ethernet frames are required for Windows
1482 operation since Microsoft disabled raw socket support. Nping still
1483 uses raw IP packets despite this option when there is no other
1484 choice (such as non-ethernet connections).
1485
1486 --send-ip (Send at raw IP level)
1487 Asks Nping to send packets via raw IP sockets rather than sending
1488 lower level ethernet frames. It is the complement to the --send-eth
1489 option.
1490
1491 --bpf-filter filter spec, --filter filter spec (Set custom BPF filter)
1492 This option lets you use a custom BPF filter. By default Nping
1493 chooses a filter that is intended to capture most common responses
1494 to the particular probes that are sent. For example, when sending
1495 TCP packets, the filter is set to capture packets whose destination
1496 port matches the probe's source port or ICMP error messages that
1497 may be generated by the target or any intermediate device as a
1498 result of the probe. If for some reason you expect strange packets
1499 in response to sent probes or you just want to sniff a particular
1500 kind of traffic, you can specify a custom filter using the BPF
1501 syntax used by tools like tcpdump. See the documentation at
1502 http://www.tcpdump.org/ for more information.
1503
1504 -H, --hide-sent (Do not display sent packets)
1505 This option tells Nping not to print information about sent
1506 packets. This can be useful when using very short inter-probe
1507 delays (i.e., when flooding), because printing information to the
1508 standard output has a computational cost and disabling it can
1509 probably speed things up a bit. Also, it may be useful when using
1510 Nping to detect active hosts or open ports (e.g. sending probes to
1511 all TCP ports in a /24 subnet). In that case, users may not want to
1512 see thousands of sent probes but just the replies generated by
1513 active hosts.
1514
1515 -N, --no-capture (Do not attempt to capture replies)
1516 This option tells Nping to skip packet capture. This means that
1517 packets in response to sent probes will not be processed or
1518 displayed. This can be useful when doing flooding and network stack
1519 stress tests. Note that when this option is specified, most of the
1520 statistics shown at the end of the execution will be useless. This
1521 option does not work with TCP Connect mode.
1522
1524 -v[level], --verbose [level] (Increase or set verbosity level)
1525 Increases the verbosity level, causing Nping to print more
1526 information during its execution. There are 9 levels of verbosity
1527 (-4 to 4). Every instance of -v increments the verbosity level by
1528 one (from its default value, level 0). Every instance of option -q
1529 decrements the verbosity level by one. Alternatively you can
1530 specify the level directly, as in -v3 or -v-1. These are the
1531 available levels:
1532
1533 Level -4
1534 No output at all. In some circumstances you may not want Nping
1535 to produce any output (like when one of your work mates is
1536 watching over your shoulder). In that case level -4 can be
1537 useful because although you won't see any response packets,
1538 probes will still be sent.
1539
1540 Level -3
1541 Like level -4 but displays fatal error messages so you can
1542 actually see whether Nping is running or has failed due to some
1543 error.
1544
1545 Level -2
1546 Like level -3 but also displays warnings and recoverable
1547 errors.
1548
1549 Level -1
1550 Displays traditional run-time information (version, start time,
1551 statistics, etc.) but does not display sent or received
1552 packets.
1553
1554 Level 0
1555 This is the default verbosity level. It behaves like level -1
1556 but also displays sent and received packets and some other
1557 important information.
1558
1559 Level 1
1560 Like level 0 but it displays detailed information about timing,
1561 flags, protocol details, etc.
1562
1563 Level 2
1564 Like level 1 but displays very detailed information about sent
1565 and received packets and other interesting information.
1566
1567 Level 3
1568 Like level 2 but also displays the raw hexadecimal dump of sent
1569 and received packets.
1570
1571 Level 4 and higher
1572 Same as level 3.
1573
1574 -q[level], --reduce-verbosity [level] (Decrease verbosity level)
1575 Decreases the verbosity level, causing Nping to print less
1576 information during its execution.
1577
1578 -d[level] (Increase or set debugging level)
1579 When even verbose mode doesn't provide sufficient data for you,
1580 debugging is available to flood you with much more! As with -v,
1581 debugging is enabled with a command-line flag -d and the debug
1582 level can be increased by specifying it multiple times. There are 7
1583 debugging levels (0 to 6). Every instance of -d increments the
1584 debugging level by one. Provide an argument to -d to set the level
1585 directly; for example -d4.
1586
1587 Debugging output is useful when you suspect a bug in Nping, or if
1588 you are simply confused as to what Nping is doing and why. As this
1589 feature is mostly intended for developers, debug lines aren't
1590 always self-explanatory. You may get something like
1591
1592
1593 NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS
1594
1595 If you don't understand a line, your only recourses are to ignore
1596 it, look it up in the source code, or request help from the
1597 development list (nmap-dev). Some lines are self-explanatory, but
1598 the messages become more obscure as the debug level is increased.
1599 These are the available levels:
1600
1601 Level 0
1602 No debug information at all. This is the default
1603 level.
1604
1605 Level 1
1606 In this level, only very important or high-level debug
1607 information will be printed.
1608
1609 Level 2
1610 Like level 1 but also displays important or medium-level debug
1611 information.
1612
1613 Level 3
1614 Like level 2 but also displays regular and low-level debug
1615 information.
1616
1617 Level 4
1618 Like level 3 but also displays messages only a real Nping freak
1619 would want to see.
1620
1621 Level 5
1622 Like level 4 but it enables basic debug information related to
1623 external libraries like Nsock.
1624
1625 Level 6
1626 Like level 5 but it enables full, very detailed, debug
1627 information related to external libraries like Nsock.
1628
1630 Like its authors, Nping isn't perfect. But you can help make it better
1631 by sending bug reports or even writing patches. If Nping doesn't behave
1632 the way you expect, first upgrade to the latest version available from
1633 https://nmap.org. If the problem persists, do some research to
1634 determine whether it has already been discovered and addressed. Try
1635 searching for the problem or error message on Google since that
1636 aggregates so many forums. If nothing comes of this, create an Issue on
1637 our tracker (http://issues.nmap.org) and/or mail a bug report to
1638 <dev@nmap.org>. If you subscribe to the nmap-dev list before posting,
1639 your message will bypass moderation and get through more quickly.
1640 Subscribe at https://nmap.org/mailman/listinfo/dev. Please include
1641 everything you have learned about the problem, as well as what version
1642 of Nping you are using and what operating system version it is running
1643 on. Other suggestions for improving Nping may be sent to the Nmap dev
1644 mailing list as well.
1645
1646 If you are able to write a patch improving Nping or fixing a bug, that
1647 is even better! Instructions for submitting patches or git pull
1648 requests are available from
1649 https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md
1650
1651 Particularly sensitive issues such as security reports may be sent
1652 directly to Fyodor at <fyodor@nmap.org>. All other reports and
1653 comments should use the dev list or issue tracker instead because more
1654 people read, follow, and respond to those.
1655
1657 Luis MartinGarcia <luis.mgarc@gmail.com> (http://www.luismg.com)
1658
1659 Fyodor <fyodor@nmap.org> (https://insecure.org)
1660
1662 1. official type numbers assigned by IANA
1663 http://www.iana.org/assignments/icmp-parameters
1664
1665 2. official numbers assigned by IANA
1666 http://www.iana.org/assignments/arp-parameters/
1667
1668 3. official numbers listed by the IEEE
1669 http://standards.ieee.org/regauth/ethertype/eth.txt
1670
1671
1672
1673Nping 08/31/2022 NPING(1)