1NPING(1)                     Nping Reference Guide                    NPING(1)
2
3
4

NAME

6       nping - Network packet generation tool / ping utility
7

SYNOPSIS

9       nping [Options] {targets}
10

DESCRIPTION

12       Nping is an open-source tool for network packet generation, response
13       analysis and response time measurement. Nping allows users to generate
14       network packets of a wide range of protocols, letting them tune
15       virtually any field of the protocol headers. While Nping can be used as
16       a simple ping utility to detect active hosts, it can also be used as a
17       raw packet generator for network stack stress tests, ARP poisoning,
18       Denial of Service attacks, route tracing, and other purposes.
19
20       Additionally, Nping offers a special mode of operation called the "Echo
21       Mode", that lets users see how the generated probes change in transit,
22       revealing the differences between the transmitted packets and the
23       packets received at the other end. See section "Echo Mode" for details.
24
25       The output from Nping is a list of the packets that are being sent and
26       received. The level of detail depends on the options used.
27
28       A typical Nping execution is shown in Example 1. The only Nping
29       arguments used in this example are -c, to specify the number of times
30       to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to
31       specify the target ports; and then the two target hostnames.
32
33       Example 1. A representative Nping execution
34
35           # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com
36
37           Starting Nping ( http://nmap.org/nping )
38           SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40  seq=1077657388 win=1480
39           RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
40           SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
41           RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
42           SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40  seq=1077657388 win=1480
43           SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480
44
45           Statistics for host scanme.nmap.org (64.13.134.52):
46            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
47            |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
48           Statistics for host google.com (74.125.45.100):
49            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
50            |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
51           Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
52           Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
53           Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
54           Nping done: 2 IP addresses pinged in 4.01 seconds
55

OPTIONS SUMMARY

57       This options summary is printed when Nping is run with no arguments. It
58       helps people remember the most common options, but is no substitute for
59       the in-depth documentation in the rest of this manual. Some obscure
60       options aren´t even included here.
61
62           Nping 0.5.36TEST2 ( http://nmap.org/nping )
63           Usage: nping [Probe mode] [Options] {target specification}
64
65           TARGET SPECIFICATION:
66             Targets may be specified as hostnames, IP addresses, networks, etc.
67             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
68           PROBE MODES:
69             --tcp-connect                    : Unprivileged TCP connect probe mode.
70             --tcp                            : TCP probe mode.
71             --udp                            : UDP probe mode.
72             --icmp                           : ICMP probe mode.
73             --arp                            : ARP/RARP probe mode.
74             --tr, --traceroute               : Traceroute mode (can only be used with
75                                                TCP/UDP/ICMP modes).
76           TCP CONNECT MODE:
77              -p, --dest-port <port spec>     : Set destination port(s).
78              -g, --source-port <portnumber>  : Try to use a custom source port.
79           TCP PROBE MODE:
80              -g, --source-port <portnumber>  : Set source port.
81              -p, --dest-port <port spec>     : Set destination port(s).
82              --seq <seqnumber>               : Set sequence number.
83              --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
84              --ack <acknumber>               : Set ACK number.
85              --win <size>                    : Set window size.
86              --badsum                        : Use a random invalid checksum.
87           UDP PROBE MODE:
88              -g, --source-port <portnumber>  : Set source port.
89              -p, --dest-port <port spec>     : Set destination port(s).
90              --badsum                        : Use a random invalid checksum.
91           ICMP PROBE MODE:
92             --icmp-type <type>               : ICMP type.
93             --icmp-code <code>               : ICMP code.
94             --icmp-id <id>                   : Set identifier.
95             --icmp-seq <n>                   : Set sequence number.
96             --icmp-redirect-addr <addr>      : Set redirect address.
97             --icmp-param-pointer <pnt>       : Set parameter problem pointer.
98             --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
99             --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
100             --icmp-orig-time  <timestamp>    : Set originate timestamp.
101             --icmp-recv-time  <timestamp>    : Set receive timestamp.
102             --icmp-trans-time <timestamp>    : Set transmit timestamp.
103           ARP/RARP PROBE MODE:
104             --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
105             --arp-sender-mac <mac>           : Set sender MAC address.
106             --arp-sender-ip  <addr>          : Set sender IP address.
107             --arp-target-mac <mac>           : Set target MAC address.
108             --arp-target-ip  <addr>          : Set target IP address.
109           IPv4 OPTIONS:
110             -S, --source-ip                  : Set source IP address.
111             --dest-ip <addr>                 : Set destination IP address (used as an
112                                                alternative to {target specification} ).
113             --tos <tos>                      : Set type of service field (8bits).
114             --id  <id>                       : Set identification field (16 bits).
115             --df                             : Set Don´t Fragment flag.
116             --mf                             : Set More Fragments flag.
117             --ttl <hops>                     : Set time to live [0-255].
118             --badsum-ip                      : Use a random invalid checksum.
119             --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
120             --ip-options <hex string>                    : Set IP options
121             --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
122                                                small enough.
123           IPv6 OPTIONS:
124             -6, --IPv6                       : Use IP version 6.
125             --dest-ip                        : Set destination IP address (used as an
126                                                alternative to {target specification}).
127             --hop-limit                      : Set hop limit (same as IPv4 TTL).
128             --traffic-class <class> :        : Set traffic class.
129             --flow <label>                   : Set flow label.
130           ETHERNET OPTIONS:
131             --dest-mac <mac>                 : Set destination mac address. (Disables
132                                                ARP resolution)
133             --source-mac <mac>               : Set source MAC address.
134             --ether-type <type>              : Set EtherType value.
135           PAYLOAD OPTIONS:
136             --data <hex string>              : Include a custom payload.
137             --data-string <text>             : Include a custom ASCII text.
138             --data-length <len>              : Include len random bytes as payload.
139           ECHO CLIENT/SERVER:
140             --echo-client <passphrase>       : Run Nping in client mode.
141             --echo-client <passphrase>       : Run Nping in server mode.
142             --echo-port <port>               : Use custom <port> to listen or connect.
143             --no-crypto                      : Disable encryption and authentication.
144             --once                           : Stop the server after one connection.
145           TIMING AND PERFORMANCE:
146             Options which take <time> are in seconds, or append ´ms´ (milliseconds),
147             ´s´ (seconds), ´m´ (minutes), or ´h´ (hours) to the value (e.g. 30m, 0.25h).
148             --delay <time>                   : Adjust delay between probes.
149             --rate  <rate>                   : Send num packets per second.
150           MISC:
151             -h, --help                       : Display help information.
152             -V, --version                    : Display current version number.
153             -c, --count <n>                  : Stop after <n> rounds.
154             -e, --interface <name>           : Use supplied network interface.
155             -H, --hide-sent                  : Do not display sent packets.
156             -N, --no-capture                 : Do not try to capture replies.
157             --privileged                     : Assume user is fully privileged.
158             --unprivileged                   : Assume user lacks raw socket privileges.
159             --send-eth                       : Send packets at the raw ethernet layer.
160             --send-ip                        : Send packets using raw IP sockets.
161             --bpf-filter <filter spec>       : Specify custom BPF filter.
162           OUTPUT:
163             -v                               : Increment verbosity level by one.
164             -v[level]                        : Set verbosity level. E.g: -v4
165             -d                               : Increment debugging level by one.
166             -d[level]                        : Set debugging level. E.g: -d3
167             -q                               : Decrease verbosity level by one.
168             -q[N]                            : Decrease verbosity level N times
169             --quiet                          : Set verbosity and debug level to minimum.
170             --debug                          : Set verbosity and debug to the max level.
171           EXAMPLES:
172             nping scanme.nmap.org
173             nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
174             nping --icmp --icmp-type time --delay 500ms 192.168.254.254
175             nping --echo-server "public" -e wlan0 -vvv
176             nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
177
178           SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
179
180

TARGET SPECIFICATION

182       Everything on the Nping command line that isn´t an option or an option
183       argument is treated as a target host specification. Nping uses the same
184       syntax for target specifications that Nmap does. The simplest case is a
185       single target given by IP address or hostname.
186
187       Nping supports CIDR-style.  addressing. You can append /numbits to an
188       IPv4 address or hostname and Nping will send probes to every IP address
189       for which the first numbits are the same as for the reference IP or
190       hostname given. For example, 192.168.10.0/24 would send probes to the
191       256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
192       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
193       11111111), inclusive.  192.168.10.40/24 would ping exactly the same
194       targets. Given that the host scanme.nmap.org.  is at the IP address
195       64.13.134.52, the specification scanme.nmap.org/16 would send probes to
196       the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
197       smallest allowed value is /0, which targets the whole Internet. The
198       largest value is /32, which targets just the named host or IP address
199       because all address bits are fixed.
200
201       CIDR notation is short but not always flexible enough. For example, you
202       might want to send probes to 192.168.0.0/16 but skip any IPs ending
203       with .0 or .255 because they may be used as subnet network and
204       broadcast addresses. Nping supports this through octet range
205       addressing. Rather than specify a normal IP address, you can specify a
206       comma-separated list of numbers or ranges for each octet. For example,
207       192.168.0-255.1-254 will skip all addresses in the range that end in .0
208       or .255, and 192.168.3-5,7.1 will target the four addresses
209       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
210       a range may be omitted; the default values are 0 on the left and 255 on
211       the right. Using - by itself is the same as 0-255, but remember to use
212       0- in the first octet so the target specification doesn´t look like a
213       command-line option. Ranges need not be limited to the final octets:
214       the specifier 0-.-.13.37 will send probes to all IP addresses on the
215       Internet ending in .13.37. This sort of broad sampling can be useful
216       for Internet surveys and research.
217
218       IPv6 addresses can only be specified by their fully qualified IPv6
219       address or hostname. CIDR and octet ranges aren´t supported for IPv6
220       because they are rarely useful.
221
222       Nping accepts multiple host specifications on the command line, and
223       they don´t need to be the same type. The command nping scanme.nmap.org
224       192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.
225

OPTION SPECIFICATION

227       Nping is designed to be very flexible and fit a wide variety of needs.
228       As with most command-line tools, its behavior can be adjusted using
229       command-line options. These general principles apply to option
230       arguments, unless stated otherwise.
231
232       Options that take integer numbers can accept values specified in
233       decimal, octal or hexadecimal base. When a number starts with 0x, it
234       will be treated as hexadecimal; when it simply starts with 0, it will
235       be treated as octal. Otherwise, Nping will assume the number has been
236       specified in base 10. Virtually all numbers that can be supplied from
237       the command line are unsigned so, as a general rule, the minimum value
238       is zero. Users may also specify the word random or rand to make Nping
239       generate a random value within the expected range.
240
241       IP addresses may be given as IPv4 addresses (e.g.  192.168.1.1), IPv6
242       addresses (e.g.  2001:db8:85a3::8e4c:760:7146), or hostnames, which
243       will be resolved using the default DNS server configured in the host
244       system.
245
246       Options that take MAC addresses accept the usual colon-separated 6 hex
247       byte format (e.g.  00:50:56:d4:01:98). Hyphens may also be used instead
248       of colons (e.g.  00-50-56-c0-00-08). The special word random or rand
249       sets a random address and the word broadcast or bcast sets
250       ff:ff:ff:ff:ff:ff.
251

GENERAL OPERATION

253       Unlike other ping and packet generation tools, Nping supports multiple
254       target host and port specifications. While this provides great
255       flexibility, it is not obvious how Nping handles situations where there
256       is more than one host and/or more than one port to send probes to. This
257       section explains how Nping behaves in these cases.
258
259       When multiple target hosts are specified, Nping rotates among them in
260       round-robin fashion. This gives slow hosts more time to send their
261       responses before another probe is sent to them. Ports are also
262       scheduled using round robin. So, unless only one port is specified,
263       Nping never sends two probes to the same target host and port
264       consecutively.
265
266       The loop around targets is the “inner loop” and the loop around ports
267       is the “outer loop”. All targets will be sent a probe for a given port
268       before moving on to the next port. Between probes, Nping waits a
269       configurable amount of time called the “inter-probe delay”, which is
270       controlled by the --delay option. These examples show how it works.
271
272               # nping --tcp -c 2 1.1.1.1 -p 100-102
273
274               Starting Nping ( http://nmap.org/nping )
275               SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
276               SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
277               SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
278               SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
279               SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
280               SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102
281
282               # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080
283
284               Starting Nping ( http://nmap.org/nping )
285               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
286               SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
287               SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
288               SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
289               SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
290               SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080
291
292               # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139
293
294               Starting Nping ( http://nmap.org/nping )
295               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
296               SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
297               SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
298               SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
299               SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
300               SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
301               SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
302               SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
303               SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139
304

PROBE MODES

306       Nping supports a wide variety of protocols. Although in some cases
307       Nping can automatically determine the mode from the options used, it is
308       generally a good idea to specify it explicitly.
309
310       --tcp-connect (TCP Connect mode) .
311           TCP connect mode is the default mode when a user does not have raw
312           packet privileges. Instead of writing raw packets as most other
313           modes do, Nping asks the underlying operating system to establish a
314           connection with the target machine and port by issuing the connect
315           system call. This is the same high-level system call that web
316           browsers, P2P clients, and most other network-enabled applications
317           use to establish a connection. It is part of a programming
318           interface known as the Berkeley Sockets API. Rather than read raw
319           packet responses off the wire, Nping uses this API to obtain status
320           information on each connection attempt. For this reason, you will
321           not be able to see the contents of the packets that are sent or
322           received but only status information about the TCP connection
323           establishment taking place.
324
325       --tcp (TCP mode) .
326           TCP is the mode that lets users create and send any kind of TCP
327           packet. TCP packets are sent embedded in IP packets that can also
328           be tuned. This mode can be used for many different purposes. For
329           example you could try to discover open ports by sending TCP SYN
330           messages without completing the three-way handshake. This technique
331           is often referred to as half-open scanning, because you don´t open
332           a full TCP connection. You send a SYN packet, as if you are going
333           to open a real connection and then wait for a response. A SYN/ACK
334           indicates the port is open, while a RST indicates it´s closed. If
335           no response is received one could assume that some intermediate
336           network device is filtering the responses. Another use could be to
337           see how a remote TCP/IP stack behaves when it receives a
338           non-RFC-compliant packet, like one with both SYN and RST flags set.
339           One could also do some evil by creating custom RST packets using an
340           spoofed IP address with the intent of closing an active TCP
341           connection.
342
343       --udp (UDP mode) .
344           UDP mode can have two different behaviours. Under normal
345           circumstances, it lets users create custom IP/UDP packets. However,
346           if Nping is run by a user without raw packet privileges and no
347           changes to the default protocol headers are requested, then Nping
348           enters the unprivileged UDP mode which basically sends UDP packets
349           to the specified target hosts and ports using the sendto system
350           call. Note that in this unprivileged mode it is not possible to see
351           low-level header information of the packets on the wire but only
352           status information about the amount of bytes that are being
353           transmitted and received. UDP mode can be used to interact with any
354           UDP-based server. Examples are DNS servers, streaming servers,
355           online gaming servers, and port knocking/single-packet.
356           authorization daemons.
357
358       --icmp (ICMP mode) .
359           ICMP mode is the default mode when the user runs Nping with raw
360           packet privileges. Any kind of ICMP message can be created. The
361           default ICMP type is Echo, i.e., ping. ICMP mode can be used for
362           many different purposes, from a simple request for a timestamp or a
363           netmask to the transmission of fake destination unreachable
364           messages, custom redirects, and router advertisements.
365
366       --arp (ARP/RARP mode) .
367           ARP lets you create and send a few different ARP-related packets.
368           These include ARP, RARP, DRARP, and InARP requests and replies.
369           This mode can ban be used to perform low-level host discovery, and
370           conduct ARP-cache poisoning attacks.
371
372       --traceroute (Traceroute mode) .
373           Traceroute is not a mode by itself but a complement to TCP, UDP,
374           and ICMP modes. When this option is specified Nping will set the IP
375           TTL value of the first probe to 1. When the next router receives
376           the packet it will drop it due to the expiration of the TTL and it
377           will generate an ICMP destination unreachable message. The next
378           probe will have a TTL of 2 so now the first router will forward the
379           packet while the second router will be the one that drops the
380           packet and generates the ICMP message. The third probe will have a
381           TTL value of 3 and so on. By examining the source addresses of all
382           those ICMP Destination Unreachable messages it is possible to
383           determine the path that the probes take until they reach their
384           final destination.
385

TCP CONNECT MODE

387       -p port_spec, --dest-port port_spec (Target ports) .
388           This option specifies which ports you want to try to connect to. It
389           can be a single port, a comma-separated list of ports (e.g.
390           80,443,8080), a range (e.g.  1-1023), and any combination of those
391           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
392           a range may be omitted, causing Nping to use 1 and 65535,
393           respectively. So you can specify -p- to target ports from 1 through
394           65535. Using port zero is allowed if you specify it explicitly.
395
396       -g portnumber, --source-port portnumber (Spoof source port) .
397           This option asks Nping to use the specified port as source port for
398           the TCP connections. Note that this might not work on all systems
399           or may require root privileges. Specified value must be an integer
400           in the range [0–65535].
401

TCP MODE

403       -p port_spec, --dest-port port_spec (Target ports)
404           This option specifies which destination ports you want to send
405           probes to. It can be a single port, a comma-separated list of ports
406           (e.g.  80,443,8080), a range (e.g.  1-1023), and any combination of
407           those (e.g.  21-25,80,443,1024-2048). The beginning and/or end
408           values of a range may be omitted, causing Nping to use 1 and 65535,
409           respectively. So you can specify -p- to target ports from 1 through
410           65535. Using port zero is allowed if you specify it explicitly.
411
412       -g portnumber, --source-port portnumber (Spoof source port)
413           This option asks Nping to use the specified port as source port for
414           the TCP connections. Note that this might not work on all systems
415           or may require root privileges. Specified value must be an integer
416           in the range [0–65535].
417
418       --seq seqnumber (Sequence Number) .
419           Specifies the TCP sequence number. In SYN packets this is the
420           initial sequence number (ISN). In a normal transmission this
421           corresponds to the sequence number of the first byte of data in the
422           segment.  seqnumber must be a number in the range [0–4294967295].
423
424       --flags flags (TCP Flags) .
425           This option specifies which flags should be set in the TCP packet.
426           flags may be specified in three different ways:
427
428            1. As a comma-separated list of flags, e.g.  --flags syn,ack,rst
429
430            2. As a list of one-character flag initials, e.g.  --flags SAR
431               tells Nping to set flags SYN, ACK, and RST.
432
433            3. As an 8-bit hexadecimal number, where the supplied number is
434               the exact value that will be placed in the flags field of the
435               TCP header. The number should start with the prefix 0x and
436               should be in the range [0x00–0xFF], e.g.  --flags 0x20 sets the
437               URG flag as 0x20 corresponds to binary 00100000 and the URG
438               flag is represented by the third bit.
439               There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH,
440               RST, SYN, and FIN. The special value ALL means to set all
441               flags.  NONE means to set no flags. It is important that if you
442               don´t want any flag to be set, you request it explicitly
443               because in some cases the SYN flag may be set by default. Here
444               is a brief description of the meaning of each flag:
445
446               CWR (Congestion Window Reduced) .
447                   Set by an ECN-Capable sender when it reduces its congestion
448                   window (due to a retransmit timeout, a fast retransmit or
449                   in response to an ECN notification.
450
451               ECN (Explicit Congestion Notification) .
452                   During the three-way handshake it indicates that sender is
453                   capable of performing explicit congestion notification.
454                   Normally it means that a packet with the IP Congestion
455                   Experienced flag set was received during normal
456                   transmission. See RFC 3168.  for more information.
457
458               URG (Urgent) .
459                   Segment is urgent and the urgent pointer field carries
460                   valid information.
461
462               ACK (Acknowledgement) .
463                   The segment carries an acknowledgement and the value of the
464                   acknowledgement number field is valid and contains the next
465                   sequence number that is expected from the receiver.
466
467               PSH (Push) .
468                   The data in this segment should be immediately pushed to
469                   the application layer on arrival.
470
471               RST (Reset) .
472                   There was some problem and the sender wants to abort the
473                   connection.
474
475               SYN (Synchronize) .
476                   The segment is a request to synchronize sequence numbers
477                   and establish a connection. The sequence number field
478                   contains the sender´s initial sequence number.
479
480               FIN (Finish) .
481                   The sender wants to close the connection.
482
483           --win size (Window Size) .
484               Specifies the TCP window size, this is, the number of octets
485               the sender of the segment is willing to accept from the
486               receiver at one time. This is usually the size of the reception
487               buffer that the OS allocates for a given connection.  size must
488               be a number in the range [0–65535].
489
490           --badsum (Invalid Checksum) .
491               Asks Nping to use an invalid TCP checksum for the packets sent
492               to target hosts. Since virtually all host IP stacks properly
493               drop these packets, any responses received are likely coming
494               from a firewall or an IDS that didn´t bother to verify the
495               checksum. For more details on this technique, see
496               http://nmap.org/p60-12.html.
497

UDP MODE

499       -p port_spec, --dest-port port_spec (Target ports) .
500           This option specifies which ports you want UDP datagrams to be sent
501           to. It can be a single port, a comma-separated list of ports (e.g.
502           80,443,8080), a range (e.g.  1-1023), and any combination of those
503           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
504           a range may be omitted, causing Nping to use 1 and 65535,
505           respectively. So you can specify -p- to target ports from 1 through
506           65535. Using port zero is allowed if you specify it explicitly.
507
508       -g portnumber, --source-port portnumber (Spoof source port) .
509           This option asks Nping to use the specified port as source port for
510           the transmitted datagrams. Note that this might not work on all
511           systems or may require root privileges. Specified value must be an
512           integer in the range [0–65535].
513
514       --badsum (Invalid Checksum)
515           Asks Nping to use an invalid UDP checksum for the packets sent to
516           target hosts. Since virtually all host IP stacks properly drop
517           these packets, any responses received are likely coming from a
518           firewall or an IDS that didn´t bother to verify the checksum. For
519           more details on this technique, see http://nmap.org/p60-12.html.
520

ICMP MODE

522       --icmp-type type (ICMP type) .
523           This option specifies which type of ICMP messages should be
524           generated.  type can be supplied in two different ways. You can use
525           the official type numbers assigned by IANA[1] (e.g.  --icmp-type 8
526           for ICMP Echo Request), or you can use any of the mnemonics listed
527           in the section called “ICMP Types”.
528
529       --icmp-code code (ICMP code) .
530           This option specifies which ICMP code should be included in the
531           generated ICMP messages.  code can be supplied in two different
532           ways. You can use the official code numbers assigned by IANA[1]
533           (e.g.  --icmp-code 1 for Fragment Reassembly Time Exceeded), or you
534           can use any of the mnemonics listed in the section called “ICMP
535           Codes”.
536
537       --icmp-id id (ICMP identifier) .
538           This option specifies the value of the identifier used in some of
539           the ICMP messages. In general it is used to match request and reply
540           messages.  id must be a number in the range [0–65535].
541
542       --icmp-seq seq (ICMP sequence) .
543           This option specifies the value of the sequence number field used
544           in some ICMP messages. In general it is used to match request and
545           reply messages.  id must be a number in the range [0–65535].
546
547       --icmp-redirect-addr addr (ICMP Redirect address) .
548           This option sets the address field in ICMP Redirect messages. In
549           other words, it sets the IP address of the router that should be
550           used when sending IP datagrams to the original destination.  addr
551           can be either an IPv4 address or a hostname.
552
553       --icmp-param-pointer pointer (ICMP Parameter Problem pointer) .
554           This option specifies the pointer that indicates the location of
555           the problem in ICMP Parameter Problem messages.  pointer should be
556           a number in the range [0–255]. Normally this option is only used
557           when ICMP code is set to 0 ("Pointer indicates the error").
558
559       --icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime) .
560           This option specifies the router advertisement lifetime, this is,
561           the number of seconds the information carried in an ICMP Router
562           Advertisement can be considered valid for.  ttl must be a positive
563           integer in the range [0–65535].
564
565       --icmp-advert-entry addr,pref (ICMP Router Advertisement Entry) .
566           This option adds a Router Advertisement entry to an ICMP Router
567           Advertisement message. The parameter must be two values separated
568           by a comma.  addr is the router´s IP and can be specified either as
569           an IP address in dot-decimal notation or as a hostname.  pref is
570           the preference level for the specified IP. It must be a number in
571           the range [0–4294967295]. An example is --icmp-advert-entry
572           192.168.128.1,3.
573
574       --icmp-orig-time timestamp (ICMP Originate Timestamp) .
575           This option sets the Originate Timestamp in ICMP Timestamp
576           messages. The Originate Timestamp is expressed as the number of
577           milliseconds since midnight UTC and it corresponds to the time the
578           sender last touched the Timestamp message before its transmission.
579           timestamp can be specified as a regular time (e.g.  10s, 3h,
580           1000ms), or the special string now. You can add or subtract values
581           from now, for example --icmp-orig-time now-2s, --icmp-orig-time
582           now+1h, --icmp-orig-time now+200ms.
583
584       --icmp-recv-time timestamp (ICMP Receive Timestamp) .
585           This option sets the Receive Timestamp in ICMP Timestamp messages.
586           The Receive Timestamp is expressed as the number of milliseconds
587           since midnight UTC and it corresponds to the time the echoer first
588           touched the Timestamp message on receipt.  timestamp is as with
589           --icmp-orig-time.
590
591       --icmp-trans-time timestamp (ICMP Transmit Timestamp) .
592           This option sets the Transmit Timestamp in ICMP Timestamp messages.
593           The Transmit Timestamp is expressed as the number of milliseconds
594           since midnight UTC and it corresponds to the time the echoer last
595           touched the Timestamp message before its transmission.  timestamp
596           is as with --icmp-orig-time.
597
598   ICMP Types
599       These identifiers may be used as mnemonics for the ICMP type numbers
600       given to the --icmp-type.  option. In general there are three forms of
601       each identifier: the full name (e.g.  destination-unreachable), the
602       short name (e.g.  dest-unr), or the initials (e.g.  du). In ICMP types
603       that request something, the word "request" is omitted.
604
605       echo-reply, echo-rep, er
606           Echo Reply (type 0). This message is sent in response to an Echo
607           Request message.
608
609       destination-unreachable, dest-unr, du
610           Destination Unreachable (type 3). This message indicates that a
611           datagram could not be delivered to its destination.
612
613       source-quench, sour-que, sq
614           Source Quench (type 4). This message is used by a congested IP
615           device to tell other device that is sending packets too fast and
616           that it should slow down.
617
618       redirect, redi, r
619           Redirect (type 5). This message is normally used by routers to
620           inform a host that there is a better route to use for sending
621           datagrams. See also the --icmp-redirect-addr option.
622
623       echo-request, echo, e
624           Echo Request (type 8). This message is used to test the
625           connectivity of another device on a network.
626
627       router-advertisement, rout-adv, ra
628           Router Advertisement (type 9). This message is used by routers to
629           let hosts know of their existence and capabilities. See also the
630           --icmp-advert-lifetime option.
631
632       router-solicitation, rout-sol, rs
633           Router Solicitation (type 10). This message is used by hosts to
634           request Router Advertisement messages from any listening routers.
635
636       time-exceeded, time-exc, te
637           Time Exceeded (type 11). This message is generated by some
638           intermediate device (normally a router) to indicate that a datagram
639           has been discarded before reaching its destination because the IP
640           TTL expired.
641
642       parameter-problem, member-pro, pp
643           Parameter Problem (type 12). This message is used when a device
644           finds a problem with a parameter in an IP header and it cannot
645           continue processing it. See also the --icmp-param-pointer option.
646
647       timestamp, time, tm
648           Timestamp Request (type 13). This message is used to request a
649           device to send a timestamp value for propagation time calculation
650           and clock synchronization. See also the --icmp-orig-time,
651           --icmp-recv-time, and --icmp-trans-time.
652
653       timestamp-reply, time-rep, tr
654           Timestamp Reply (type 14). This message is sent in response to a
655           Timestamp Request message.
656
657       information, info, i
658           Information Request (type 15). This message is now obsolete but it
659           was originally used to request configuration information from
660           another device.
661
662       information-reply, info-rep, ir
663           Information Reply (type 16). This message is now obsolete but it
664           was originally sent in response to an Information Request message
665           to provide configuration information.
666
667       mask-request, mask, m
668           Address Mask Request (type 17). This message is used to ask a
669           device to send its subnet mask.
670
671       mask-reply, mask-rep, mr
672           Address Mask Reply (type 18). This message contains a subnet mask
673           and is sent in response to a Address Mask Request message.
674
675       traceroute, trace, tc
676           Traceroute (type 30). This message is normally sent by an
677           intermediate device when it receives an IP datagram with a
678           traceroute option. ICMP Traceroute messages are still experimental,
679           see RFC 1393.  for more information.
680
681   ICMP Codes
682       These identifiers may be used as mnemonics for the ICMP code numbers
683       given to the --icmp-code.  option. They are listed by the ICMP type
684       they correspond to.
685
686       Destination Unreachable
687           network-unreachable, netw-unr, net
688               Code 0. Datagram could not be delivered to its destination
689               network (probably due to some routing problem).
690
691           host-unreachable, host-unr, host
692               Code 1. Datagram was delivered to the destination network but
693               it was impossible to reach the specified host (probably due to
694               some routing problem).
695
696           protocol-unreachable, prot-unr, proto
697               Code 2. The protocol specified in the Protocol field of the IP
698               datagram is not supported by the host to which the datagram was
699               delivered.
700
701           port-unreachable, port-unr, port
702               Code 3. The TCP/UDP destination port was invalid.
703
704           needs-fragmentation, need-fra, frag
705               Code 4. Datagram had the DF bit set but it was too large for
706               the MTU of the next physical network so it had to be dropped.
707
708           source-route-failed, sour-rou, routefail
709               Code 5. IP datagram had a Source Route option but a router
710               couldn´t pass it to the next hop.
711
712           network-unknown, netw-unk, net?
713               Code 6. Destination network is unknown. This code is never
714               used. Instead, Network Unreachable is used.
715
716           host-unknown, host-unk, host?
717               Code 7. Specified host is unknown. Usually generated by a
718               router local to the destination host to inform of a bad
719               address.
720
721           host-isolated, host-iso, isolated
722               Code 8. Source Host Isolated. Not used.
723
724           network-prohibited, netw-pro, !net
725               Code 9. Communication with destination network is
726               administratively prohibited (source device is not allowed to
727               send packets to the destination network).
728
729           host-prohibited, host-pro, !host
730               Code 10. Communication with destination host is
731               administratively prohibited. (The source device is allowed to
732               send packets to the destination network but not to the
733               destination device.)
734
735           network-tos, unreachable-network-tos, netw-tos, tosnet
736               Code 11. Destination network unreachable because it cannot
737               provide the type of service specified in the IP TOS field.
738
739           host-tos, unreachable-host-tos, toshost
740               Code 12. Destination host unreachable because it cannot provide
741               the type of service specified in the IP TOS field.
742
743           communication-prohibited, comm-pro, !comm
744               Code 13. Datagram could not be forwarded due to filtering that
745               blocks the message based on its contents.
746
747           host-precedence-violation, precedence-violation, prec-vio,
748           violation
749               Code 14. Precedence value in the IP TOS field is not permitted.
750
751           precedence-cutoff, prec-cut, cutoff
752               Code 15. Precedence value in the IP TOS field is lower than the
753               minimum allowed for the network.
754
755       Redirect
756           redirect-network, redi-net, net
757               Code 0. Redirect all future datagrams with the same destination
758               network as the original datagram, to the router specified in
759               the Address field. The use of this code is prohibited by RFC
760               1812..
761
762           redirect-host, redi-host, host
763               Code 1. Redirect all future datagrams with the same destination
764               host as the original datagram, to the router specified in the
765               Address field.
766
767           redirect-network-tos, redi-ntos, redir-ntos
768               Code 2. Redirect all future datagrams with the same destination
769               network and IP TOS value as the original datagram, to the
770               router specified in the Address field. The use of this code is
771               prohibited by RFC 1812.
772
773           redirect-host-tos, redi-htos, redir-htos
774               Code 3. Redirect all future datagrams with the same destination
775               host and IP TOS value as the original datagram, to the router
776               specified in the Address field.
777
778       Router Advertisement
779           normal-advertisement, norm-adv, normal, zero, default, def
780               Code 0. Normal router advertisement. In Mobile IP: Mobility
781               agent can act as a router for IP datagrams not related to
782               mobile nodes.
783
784           not-route-common-traffic, not-rou, mobile-ip, !route,
785           !commontraffic
786               Code 16. Used for Mobile IP. The mobility agent does not route
787               common traffic. All foreign agents must forward to a default
788               router any datagrams received from a registered mobile node
789
790       Time Exceeded
791           ttl-exceeded-in-transit, ttl-exc, ttl-transit
792               Code 0. IP Time To Live expired during transit.
793
794           fragment-reassembly-time-exceeded, frag-exc, frag-time
795               Code 1. Fragment reassembly time has been exceeded.
796
797       Parameter Problem
798           pointer-indicates-error, poin-ind, pointer
799               Code 0. The pointer field indicates the location of the
800               problem. See the --icmp-param-pointer option.
801
802           missing-required-option, miss-option, option-missing
803               Code 1. IP datagram was expected to have an option that is not
804               present.
805
806           bad-length, bad-len, badlen
807               Code 2. The length of the IP datagram is incorrect.
808

ARP MODE

810       --arp-type type (ICMP Type) .
811           This option specifies which type of ARP messages should be
812           generated.  type can be supplied in two different ways. You can use
813           the official numbers assigned by IANA[2] (e.g.  --arp-type 1 for
814           ARP Request), or you can use one of the mnemonics from the section
815           called “ARP Types”.
816
817       --arp-sender-mac mac (Sender MAC address) .
818           This option sets the Sender Hardware Address field of the ARP
819           header. Although ARP supports many types of link layer addresses,
820           currently Nping only supports MAC addresses.  mac must be specified
821           using the traditional MAC notation (e.g.  00:0a:8a:32:f4:ae). You
822           can also use hyphens as separators (e.g.  00-0a-8a-32-f4-ae).
823
824       --arp-sender-ip addr (Sender IP address) .
825           This option sets the Sender IP field of the ARP header.  addr can
826           be given as an IPv4 address or a hostname.
827
828       --arp-target-mac mac (target MAC address) .
829           This option sets the Target Hardware Address field of the ARP
830           header.
831
832       --arp-target-ip addr (target ip address) .
833           This option sets the Target IP field of the ARP header.
834
835   ARP Types
836       These identifiers may be used as mnemonics for the ARP type numbers
837       given to the --arp-type.  option.
838
839       arp-request, arp, a
840           ARP Request (type 1). ARP requests are used to translate network
841           layer addresses (normally IP addresses) to link layer addresses
842           (usually MAC addresses). Basically, and ARP request is a
843           broadcasted message that asks the host in the same network segment
844           that has a given IP address to provide its MAC address.
845
846       arp-reply, arp-rep, ar
847           ARP Reply (type 2). An ARP reply is a message that a host sends in
848           response to an ARP request to provide its link layer address.
849
850       rarp-request, rarp, r
851           RARP Requests (type 3). RARP requests are used to translate a link
852           layer address (normally a MAC address) to a network layer address
853           (usually an IP address). Basically a RARP request is a broadcasted
854           message sent by a host that wants to know his own IP address
855           because it doesn´t have any. It was the first protocol designed to
856           solve the bootstrapping problem. However, RARP is now obsolete and
857           DHCP is used instead. For more information about RARP see RFC 903..
858
859       rarp-reply, rarp-rep, rr
860           RARP Reply (type 4). A RARP reply is a message sent in response to
861           a RARP request to provide an IP address to the host that sent the
862           RARP request in the first place.
863
864       drarp-request, drarp, d
865           Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP
866           used to obtain or assign a network layer address from a fixed link
867           layer address. DRARP was used mainly in Sun Microsystems platforms
868           in the late 90´s but now it´s no longer used. See RFC 1931.  for
869           more information.
870
871       drarp-reply, drarp-rep, dr
872           Dynamic RARP Reply (type 6). A DRARP reply is a message sent in
873           response to a RARP request to provide network layer address.
874
875       drarp-error, drarp-err, de
876           DRARP Error (type 7). DRARP Error messages are usually sent in
877           response to DRARP requests to inform of some error. In DRARP Error
878           messages, the Target Protocol Address field is used to carry an
879           error code (usually in the first byte). The error code is intended
880           to tell why no target protocol address is being returned. For more
881           information see RFC 1931.
882
883       inarp-request, inarp, i
884           Inverse ARP Request (type 8). InARP requests are used to translate
885           a link layer address to a network layer address. It is similar to
886           RARP request but in this case, the sender of the InARP request
887           wants to know the network layer address of another node, not its
888           own address. InARP is mainly used in Frame Relay and ATM networks.
889           For more information see RFC 2390..
890
891       inarp-reply, inarp-rep, ir
892           Inverse ARP Reply (type 9). InARP reply messages are sent in
893           response to InARP requests to provide the network layer address
894           associated with the host that has a given link layer address.
895
896       arp-nak, an
897           ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP
898           protocol and they are used to improve the robustness of the ATMARP
899           server mechanism. With ARP NAK, a client can determine the
900           difference between a catastrophic server failure and an ATMARP
901           table lookup failure. See RFC 1577.  for more information.
902

IPV4 OPTIONS

904       -S addr, --source-ip addr (Source IP Address) .
905           Sets the source IP address. This option lets you specify a custom
906           IP address to be used as source IP address in sent packets. This
907           allows spoofing the sender of the packets.  addr can be an IPv4
908           address or a hostname.
909
910       --dest-ip addr (Destination IP Address) .
911           Adds a target to Nping´s target list. This option is provided for
912           consistency but its use is deprecated in favor of plain target
913           specifications. See the section called “TARGET SPECIFICATION”.
914
915       --tos tos (Type of Service) .
916           Sets the IP TOS field. The TOS field is used to carry information
917           to provide quality of service features. It is normally used to
918           support a technique called Differentiated Services. See RFC 2474.
919           for more information.  tos must be a number in the range [0–255].
920
921       --id id (Identification) .
922           Sets the IPv4 Identification field. The Identification field is a
923           16-bit value that is common to all fragments belonging to a
924           particular message. The value is used by the receiver to reassemble
925           the original message from the fragments received.  id must be a
926           number in the range [0–65535].
927
928       --df (Don´t Fragment) .
929           Sets the Don´t Fragment bit in sent packets. When an IP datagram
930           has its DF flag set, intermediate devices are not allowed to
931           fragment it so if it needs to travel across a network with a MTU
932           smaller that datagram length the datagram will have to be dropped.
933           Normally an ICMP Destination Unreachable message is generated and
934           sent back to the sender.
935
936       --mf (More Fragments) .
937           Sets the More Fragments bit in sent packets. The MF flag is set to
938           indicate the receiver that the current datagram is a fragment of
939           some larger datagram. When set to zero it indicates that the
940           current datagram is either the last fragment in the set or that it
941           is the only fragment.
942
943       --ttl hops (Time To Live) .
944           Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given
945           value. The TTL field specifies how long the datagram is allowed to
946           exist on the network. It was originally intended to represent a
947           number of seconds but it actually represents the number of hops a
948           packet can traverse before being dropped. The TTL tries to avoid a
949           situation in which undeliverable datagrams keep being forwarded
950           from one router to another endlessly.  hops must be a number in the
951           range [0–255].
952
953       --badsum-ip (Invalid IP checksum) .
954           Asks Nping to use an invalid IP checksum for packets sent to target
955           hosts. Note that some systems (like most Linux kernels), may fix
956           the checksum before placing the packet on the wire, so even if
957           Nping shows the incorrect checksum in its output, the packets may
958           be transparently corrected by the kernel.
959
960       --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP
961       Options) .
962           The IP protocol offers several options which may be placed in
963           packet headers. Unlike the ubiquitous TCP options, IP options are
964           rarely seen due to practicality and security concerns. In fact,
965           many Internet routers block the most dangerous options such as
966           source routing. Yet options can still be useful in some cases for
967           determining and manipulating the network route to target machines.
968           For example, you may be able to use the record route option to
969           determine a path to a target even when more traditional
970           traceroute-style approaches fail. Or if your packets are being
971           dropped by a certain firewall, you may be able to specify a
972           different route with the strict or loose source routing options.
973
974           The most powerful way to specify IP options is to simply pass in
975           hexadecimal data as the argument to --ip-options. Precede each hex
976           byte value with \x. You may repeat certain characters by following
977           them with an asterisk and then the number of times you wish them to
978           repeat. For example, \x01\x07\x04\x00*4 is the same as
979           \x01\x07\x04\x00\x00\x00\x00.
980
981           Note that if you specify a number of bytes that is not a multiple
982           of four, an incorrect IP header length will be set in the IP
983           packet. The reason for this is that the IP header length field can
984           only express multiples of four. In those cases, the length is
985           computed by dividing the header length by 4 and rounding down. This
986           will affect the way the header that follows the IP header is
987           interpreted, showing bogus information in Nping or in the output of
988           any sniffer. Although this kind of situation might be useful for
989           some stack stress tests, users would normally want to specify
990           explicit padding, so the correct header length is set.
991
992           Nping also offers a shortcut mechanism for specifying options.
993           Simply pass the letter R, T, or U to request record-route,
994           record-timestamp, or both options together, respectively. Loose or
995           strict source routing may be specified with an L or S followed by a
996           space and then a space-separated list of IP addresses.
997
998           For more information and examples of using IP options with Nping,
999           see the mailing list post at
1000           http://seclists.org/nmap-dev/2006/q3/0052.html.
1001
1002       --mtu size (Maximum Transmission Unit) .
1003           This option sets a fictional MTU in Nping so IP datagrams larger
1004           than size are fragmented before transmission.  size must be
1005           specified in bytes and corresponds to the number of octets that can
1006           be carried on a single link-layer frame.
1007

IPV6 OPTIONS

1009       -6, --ipv6 (Use IPv6) .
1010           Tells Nping to use IP version 6 instead of the default IPv4. It is
1011           generally a good idea to specify this option as early as possible
1012           in the command line so Nping can parse it soon and know in advance
1013           that the rest of the parameters refer to IPv6. The command syntax
1014           is the same as usual except that you also add the -6 option. Of
1015           course, you must use IPv6 syntax if you specify an address rather
1016           than a hostname. An address might look like
1017           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
1018           recommended.
1019
1020           While IPv6 hasn´t exactly taken the world by storm, it gets
1021           significant use in some (usually Asian) countries and most modern
1022           operating systems support it. To use Nping with IPv6, both the
1023           source and target of your packets must be configured for IPv6. If
1024           your ISP (like most of them) does not allocate IPv6 addresses to
1025           you, free tunnel brokers are widely available and work fine with
1026           Nping. You can use the free IPv6 tunnel broker service at
1027           http://www.tunnelbroker.net.
1028
1029           Please note that IPv6 support is still highly experimental and many
1030           modes and options may not work with it.
1031
1032       -S addr, --source-ip addr (Source IP Address) .
1033           Sets the source IP address. This option lets you specify a custom
1034           IP address to be used as source IP address in sent packets. This
1035           allows spoofing the sender of the packets.  addr can be an IPv6
1036           address or a hostname.
1037
1038       --dest-ip addr (Destination IP Address) .
1039           Adds a target to Nping´s target list. This option is provided for
1040           consistency but its use is deprecated in favor of plain target
1041           specifications. See the section called “TARGET SPECIFICATION”.
1042
1043       --flow label (Flow Label) .
1044           Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and
1045           is intended to provide certain quality-of-service properties for
1046           real-time datagram delivery. However, it has not been widely
1047           adopted, and not all routers or endpoints support it. Check RFC
1048           2460.  for more information.  label must be an integer in the range
1049           [0–1048575].
1050
1051       --traffic-class class (Traffic Class) .
1052           Sets the IPv6 Traffic Class. This field is similar to the TOS field
1053           in IPv4, and is intended to provide the Differentiated Services
1054           method, enabling scalable service discrimination in the Internet
1055           without the need for per-flow state and signaling at every hop.
1056           Check RFC 2474.  for more information.  class must be an integer in
1057           the range [0–255].
1058
1059       --hop-limit hops (Hop Limit) .
1060           Sets the IPv6 Hop Limit field in sent packets to the given value.
1061           The Hop Limit field specifies how long the datagram is allowed to
1062           exist on the network. It represents the number of hops a packet can
1063           traverse before being dropped. As with the TTL in IPv4, IPv6 Hop
1064           Limit tries to avoid a situation in which undeliverable datagrams
1065           keep being forwarded from one router to another endlessly.  hops
1066           must be a number in the range [0–255].
1067

ETHERNET OPTIONS

1069       In most cases Nping sends packets at the raw IP level. This means that
1070       Nping creates its own IP packets and transmits them through a raw
1071       socket. However, in some cases it may be necessary to send packets at
1072       the raw Ethernet level. This happens, for example, when Nping is run
1073       under Windows (as Microsoft has disabled raw socket support since
1074       Windows XP SP2), or when Nping is asked to send ARP packets. Since in
1075       some cases it is necessary to construct ethernet frames, Nping offers
1076       some options to manipulate the different fields.
1077
1078       --dest-mac mac (Ethernet Destination MAC Address) .
1079           This option sets the destination MAC address that should be set in
1080           outgoing Ethernet frames. This is useful in case Nping can´t
1081           determine the next hop´s MAC address or when you want to route
1082           probes through a router other than the configured default gateway.
1083           The MAC address should have the usual format of six colon-separated
1084           bytes, e.g.  00:50:56:d4:01:98. Alternatively, hyphens may be used
1085           instead of colons. Use the word random or rand to generate a random
1086           address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you
1087           set up a bogus destination MAC address your probes may not reach
1088           the intended targets.
1089
1090       --source-mac mac (Ethernet Source MAC Address) .
1091           This option sets the source MAC address that should be set in
1092           outgoing Ethernet frames. This is useful in case Nping can´t
1093           determine your network interface MAC address or when you want to
1094           inject traffic into the network while hiding your network card´s
1095           real address. The syntax is the same as for --dest-mac. If you set
1096           up a bogus source MAC address you may not receive probe replies.
1097
1098       --ether-type type (Ethertype) .
1099           This option sets the Ethertype field of the ethernet frame. The
1100           Ethertype is used to indicate which protocol is encapsulated in the
1101           payload.  type can be supplied in two different ways. You can use
1102           the official numbers listed by the IEEE[3] (e.g.  --ether-type
1103           0x0800 for IP version 4), or one of the mnemonics from the section
1104           called “Ethernet Types”.
1105
1106   Ethernet Types
1107       These identifiers may be used as mnemonics for the Ethertype numbers
1108       given to the --arp-type.  option.
1109
1110       ipv4, ip, 4
1111           Internet Protocol version 4 (type 0x0800).
1112
1113       ipv6, 6
1114           Internet Protocol version 6 (type 0x86DD).
1115
1116       arp
1117           Address Resolution Protocol (type 0x0806).
1118
1119       rarp
1120           Reverse Address Resolution Protocol (type 0x8035).
1121
1122       frame-relay, frelay, fr
1123           Frame Relay (type 0x0808).
1124
1125       ppp
1126           Point-to-Point Protocol (type 0x880B).
1127
1128       gsmp
1129           General Switch Management Protocol (type 0x880C).
1130
1131       mpls
1132           Multiprotocol Label Switching (type 0x8847).
1133
1134       mps-ual, mps
1135           Multiprotocol Label Switching with Upstream-assigned Label (type
1136           0x8848).
1137
1138       mcap
1139           Multicast Channel Allocation Protocol (type 0x8861).
1140
1141       pppoe-discovery, pppoe-d
1142           PPP over Ethernet Discovery Stage (type 0x8863).
1143
1144       pppoe-session, pppoe-s
1145           PPP over Ethernet Session Stage (type 0x8864).
1146
1147       ctag
1148           Customer VLAN Tag Type (type 0x8100).
1149
1150       epon
1151           Ethernet Passive Optical Network (type 0x8808).
1152
1153       pbnac
1154           Port-based network access control (type 0x888E).
1155
1156       stag
1157           Service VLAN tag identifier (type 0x88A8).
1158
1159       ethexp1
1160           Local Experimental Ethertype 1 (type 0x88B5).
1161
1162       ethexp2
1163           Local Experimental Ethertype 2 (type 0x88B6).
1164
1165       ethoui
1166           OUI Extended Ethertype (type 0x88B7).
1167
1168       preauth
1169           Pre-Authentication (type 0x88C7).
1170
1171       lldp
1172           Link Layer Discovery Protocol (type 0x88CC).
1173
1174       mac-security, mac-sec, macsec
1175           Media Access Control Security (type 0x88E5).
1176
1177       mvrp
1178           Multiple VLAN Registration Protocol (type 0x88F5).
1179
1180       mmrp
1181           Multiple Multicast Registration Protocol (type 0x88F6).
1182
1183       frrr
1184           Fast Roaming Remote Request (type 0x890D).
1185

PAYLOAD OPTIONS

1187       --data hex string (Append custom binary data to sent packets) .
1188           This option lets you include binary data as payload in sent
1189           packets.  hex string may be specified in any of the following
1190           formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF...  or
1191           \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef
1192           and --data \xCA\xFE\x09. Note that if you specify a number like
1193           0x00ff no byte-order conversion is performed. Make sure you specify
1194           the information in the byte order expected by the receiver.
1195
1196       --data-string string (Append custom string to sent packets) .
1197           This option lets you include a regular string as payload in sent
1198           packets.  string can contain any string. However, note that some
1199           characters may depend on your system´s locale and the receiver may
1200           not see the same information. Also, make sure you enclose the
1201           string in double quotes and escape any special characters from the
1202           shell. Example: --data-string "Jimmy Jazz...".
1203
1204       --data-length len (Append random data to sent packets) .
1205           This option lets you include len random bytes of data as payload in
1206           sent packets.  len must be an integer in the range [0–65400].
1207           However, values higher than 1400 are not recommended because it may
1208           not be possible to transmit packets due to network MTU limitations.
1209

ECHO MODE

1211       The "Echo Mode" is a novel technique implemented by Nping which lets
1212       users see how network packets change in transit, from the host where
1213       they originated to the target machine. Basically, the Echo mode turns
1214       Nping into two different pieces: the Echo server and the Echo client.
1215       The Echo server is a network service that has the ability to capture
1216       packets from the network and send a copy ("echo them") to the
1217       originating client through a side TCP channel. The Echo client is the
1218       part that generates such network packets, transmits them to the server,
1219       and receives their echoed version through a side TCP channel that it
1220       has previously established with the Echo server.
1221
1222       This scheme lets the client see the differences between the packets
1223       that it sends and what is actually received by the server. By having
1224       the server send back copies of the received packets through the side
1225       channel, things like NAT devices become immediately apparent to the
1226       client because it notices the changes in the source IP address (and
1227       maybe even source port). Other devices like those that perform traffic
1228       shaping, changing TCP window sizes or adding TCP options transparently
1229       between hosts, turn up too.
1230
1231       The Echo mode is also useful for troubleshooting routing and firewall
1232       issues. Among other things, it can be used to determine if the traffic
1233       generated by the Nping client is being dropped in transit and never
1234       gets to its destination or if the responses are the ones that don´t get
1235       back to it.
1236
1237       Internally, client and server communicate over an encrypted and
1238       authenticated channel, using the Nping Echo Protocol (NEP), whose
1239       technical specification can be found in
1240       http://nmap.org/svn/nping/docs/EchoProtoRFC.txt
1241
1242       The following paragraphs describe the different options available in
1243       Nping´s Echo mode.
1244
1245       --ec passphrase, --echo-client passphrase (Run Echo client) .
1246           This option tells Nping to run as an Echo client.  passphrase is a
1247           sequence of ASCII characters that is used used to generate the
1248           cryptographic keys needed for encryption and authentication in a
1249           given session. The passphrase should be a secret that is also known
1250           by the server, and it may contain any number of printable ASCII
1251           characters. Passphrases that contain whitespace or special
1252           characters must be enclosed in double quotes.
1253
1254           When running Nping as an Echo client, most options from the regular
1255           raw probe modes apply. The client may be configured to send
1256           specific probes using flags like --tcp, --icmp or --udp. Protocol
1257           header fields may be manipulated normally using the appropriate
1258           options (e.g.  --ttl, --seq, --icmp-type, etc.). The only
1259           exceptions are ARP-related flags, which are not supported in Echo
1260           mode, as protocols like ARP are closely related to the data link
1261           layer and its probes can´t pass through different network segments.
1262
1263       --es passphrase, --echo-server passphrase (Run Echo server) .
1264           This option tells Nping to run as an Echo server.  passphrase is a
1265           sequence of ASCII characters that is used used to generate the
1266           cryptographic keys needed for encryption and authentication in a
1267           given session. The passphrase should be a secret that is also known
1268           by the clients, and it may contain any number of printable ASCII
1269           characters. Passphrases that contain whitespace or special
1270           characters must be enclosed in double quotes. Note that although it
1271           is not recommended, it is possible to use empty passphrases,
1272           supplying --echo-server "". However, if what you want is to set up
1273           an open Echo server, it is better to use option --no-crypto. See
1274           below for details.
1275
1276       --ep port, --echo-port port (Set Echo TCP port number) .
1277           This option asks Nping to use the specified TCP port number for the
1278           Echo side channel connection. If this option is used with
1279           --echo-server, it specifies the port on which the server listens
1280           for connections. If it is used with --echo-client, it specifies the
1281           port to connect to on the remote host. By default, port number 9929
1282           is used.
1283
1284       --nc, --no-crypto (Disable encryption and authentication) .
1285           This option asks Nping not to use any cryptographic operations
1286           during an Echo session. In practical terms, this means that the
1287           Echo side channel session data will be transmitted in the clear,
1288           and no authentication will be performed by the server or client
1289           during the session establishment phase. When --no-crypto is used,
1290           the passphrase supplied with --echo-server or --echo-client is
1291           ignored.
1292
1293           This option must be specified if Nping was compiled without openSSL
1294           support. Note that, for technical reasons, a passphrase still needs
1295           to be supplied after the --echo-client or --echo-server flags, even
1296           though it will be ignored.
1297
1298           The --no-crypto flag might be useful when setting up a public Echo
1299           server, because it allows users to connect to the Echo server
1300           without the need for any passphrase or shared secret. However, it
1301           is strongly recommended to not use --no-crypto unless absolutely
1302           necessary. Public Echo servers should be configured to use the
1303           passphrase "public" or the empty passphrase (--echo-server "") as
1304           the use of cryptography does not only provide confidentiality and
1305           authentication but also message integrity.
1306
1307       --once (Serve one client and quit) .
1308           This option asks the Echo server to quit after serving one client.
1309           This is useful when only a single Echo session wants to be
1310           established as it eliminates the need to access the remote host to
1311           shutdown the server.
1312
1313       The following examples illustrate how Nping´s Echo mode can be used to
1314       discover intermediate devices.
1315
1316       Example 2. Discovering NAT devices
1317
1318               # nping --echo-client "public" echo.nmap.org --udp
1319
1320               Starting Nping ( http://nmap.org/nping )
1321               SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1322               CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1323               RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
1324               [...]
1325               SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
1326               CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
1327               RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56
1328
1329               Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
1330               Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
1331               Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
1332               Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
1333               Nping done: 1 IP address pinged in 6.18 seconds
1334
1335
1336       The output clearly shows the presence of a NAT device in the client´s
1337       local network. Note how the captured packet (CAPT) differs from the
1338       SENT packet: the source address for the original packets is in the
1339       reserved 10.0.0.0/8 range, while the address seen by the server is
1340       80.38.10.21, the Internet side address of the NAT device. The source
1341       port was also modified by the device. The line starting with RCVD
1342       corresponds to the responses generated by the TCP/IP stack of the
1343       machine where the Echo server is run.
1344
1345       Example 3. Discovering a transparent proxy
1346
1347               # nping --echo-client "public" echo.nmap.org --tcp -p80
1348
1349               Starting Nping ( http://nmap.org/nping )
1350               SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1351               RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460>
1352               SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1353               SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1354               SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1355               SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
1356
1357               Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
1358               Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
1359               Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
1360               Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
1361               Nping done: 1 IP address pinged in 6.39 seconds
1362
1363
1364       In this example, the output is a bit more tricky. The absence of error
1365       messages shows that the Echo client has successfully established an
1366       Echo session with the server. However, no CAPT packets can be seen in
1367       the output. This means that none of the transmitted packets reached the
1368       server. Interestingly, a TCP SYN-ACK packet was received in response to
1369       the first TCP-SYN packet (and also, it is known that the target host
1370       does not have port 80 open). This behavior reveals the presence of a
1371       transparent web proxy cache server (which in this case is an old MS ISA
1372       server).
1373

TIMING AND PERFORMANCE OPTIONS

1375       --delay time (Delay between probes) .
1376           This option lets you control for how long will Nping wait before
1377           sending the next probe. Like in many other ping tools, the default
1378           delay is one second.  time must be a positive integer or floating
1379           point number. By default it is specified in seconds, however you
1380           can give an explicit unit by appending ms for milliseconds, s for
1381           seconds, m for minutes, or h for hours (e.g.  2.5s, 45m, 2h).
1382
1383       --rate rate (Send probes at a given rate) .
1384           This option specifies the number of probes that Nping should send
1385           per second. This option and --delay are inverses; --rate 20 is the
1386           same as --delay 0.05. If both options are used, only the last one
1387           in the parameter list counts.
1388

MISCELLANEOUS OPTIONS

1390       -h, --help (Display help) .
1391           Displays help information and exits.
1392
1393       -V, --version (Display version) .
1394           Displays the program´s version number and quits.
1395
1396       -c rounds, --count rounds (Stop after a given number of rounds) .
1397           This option lets you specify the number of times that Nping should
1398           loop over target hosts (and in some cases target ports). Nping
1399           calls these “rounds”. In a basic execution with only one target
1400           (and only one target port in TCP/UDP modes), the number of rounds
1401           matches the number of probes sent to the target host. However, in
1402           more complex executions where Nping is run against multiple targets
1403           and multiple ports, the number of rounds is the number of times
1404           that Nping sends a complete set of probes that covers all target
1405           IPs and all target ports. For example, if Nping is asked to send
1406           TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then
1407           256 × 2 = 512 packets are sent in one round. So if you specify -c
1408           100, Nping will loop over the different target hosts and ports 100
1409           times, sending a total of 256 × 2 × 100 = 51200 packets. By default
1410           Nping runs for 5 rounds. If a value of 0 is specified, Nping will
1411           run for 232 rounds.
1412
1413       -e name, --interface name (Set the network interface to be used) .
1414           This option tells Nping what interface should be used to send and
1415           receive packets. Nping should be able to detect this automatically,
1416           but it will tell you if it cannot.  name must be the name of an
1417           existing network interface with an assigned IP address.
1418
1419       --privileged (Assume that the user is fully privileged) .
1420           Tells Nping to simply assume that it is privileged enough to
1421           perform raw socket sends, packet sniffing, and similar operations
1422           that usually require special privileges. By default Nping quits if
1423           such operations are requested by a user that has no root or
1424           administrator privileges. This option may be useful on Linux, BSD
1425           or similar systems that can be configured to allow unprivileged
1426           users to perform raw-packet transmissions. The NPING_PRIVILEGED.
1427           environment variable may be set as an alternative to using
1428           --privileged.
1429
1430       --unprivileged (Assume that the user lacks raw socket privileges) .
1431           This option is the opposite of --privileged. It tells Nping to
1432           treat the user as lacking network raw socket and sniffing
1433           privileges. This is useful for testing, debugging, or when the raw
1434           network functionality of your operating system is somehow broken.
1435           The NPING_UNPRIVILEGED.  environment variable may be set as an
1436           alternative to using --unprivileged.
1437
1438       --send-eth (Use raw ethernet sending) .
1439           Asks Nping to send packets at the raw ethernet (data link) layer
1440           rather than the higher IP (network) layer. By default, Nping
1441           chooses the one which is generally best for the platform it is
1442           running on. Raw sockets (IP layer) are generally most efficient for
1443           Unix machines, while ethernet frames are required for Windows
1444           operation since Microsoft disabled raw socket support. Nping still
1445           uses raw IP packets despite this option when there is no other
1446           choice (such as non-ethernet connections).
1447
1448       --send-ip (Send at raw IP level) .
1449           Asks Nping to send packets via raw IP sockets rather than sending
1450           lower level ethernet frames. It is the complement to the --send-eth
1451           option.
1452
1453       --bpf-filter filter spec --filter filter spec (Set custom BPF filter) .
1454           This option lets you use a custom BPF filter. By default Nping
1455           chooses a filter that is intended to capture most common responses
1456           to the particular probes that are sent. For example, when sending
1457           TCP packets, the filter is set to capture packets whose destination
1458           port matches the probe´s source port or ICMP error messages that
1459           may be generated by the target or any intermediate device as a
1460           result of the probe. If for some reason you expect strange packets
1461           in response to sent probes or you just want to sniff a particular
1462           kind of traffic, you can specify a custom filter using the BPF
1463           syntax used by tools like tcpdump..  See the documentation at
1464           http://www.tcpdump.org/ for more information.
1465
1466       -H, --hide-sent (Do not display sent packets) .
1467           This option tells Nping not to print information about sent
1468           packets. This can be useful when using very short inter-probe
1469           delays (i.e., when flooding), because printing information to the
1470           standard output has a computational cost and disabling it can
1471           probably speed things up a bit. Also, it may be useful when using
1472           Nping to detect active hosts or open ports (e.g. sending probes to
1473           all TCP ports in a /24 subnet). In that case, users may not want to
1474           see thousands of sent probes but just the replies generated by
1475           active hosts.
1476
1477       -N, --no-capture (Do not attempt to capture replies) .
1478           This option tells Nping to skip packet capture. This means that
1479           packets in response to sent probes will not be processed or
1480           displayed. This can be useful when doing flooding and network stack
1481           stress tests. Note that when this option is specified, most of the
1482           statistics shown at the end of the execution will be useless. This
1483           option does not work with TCP Connect mode.
1484

OUTPUT OPTIONS

1486       -v[level], --verbose [level] (Increase or set verbosity level) .
1487           Increases the verbosity level, causing Nping to print more
1488           information during its execution. There are 9 levels of verbosity
1489           (-4 to 4). Every instance of -v increments the verbosity level by
1490           one (from its default value, level 0). Every instance of option -q
1491           decrements the verbosity level by one. Alternatively you can
1492           specify the level directly, as in -v3 or -v-1. These are the
1493           available levels:
1494
1495           Level −4
1496               No output at all. In some circumstances you may not want Nping
1497               to produce any output (like when one of your work mates is
1498               watching over your shoulder). In that case level −4 can be
1499               useful because although you won´t see any response packets,
1500               probes will still be sent.
1501
1502           Level −3
1503               Like level −4 but displays fatal error messages so you can
1504               actually see if Nping is running or it failed due to some
1505               error.
1506
1507           Level −2
1508               Like level −3 but also displays warnings and recoverable
1509               errors.
1510
1511           Level −1
1512               Displays traditional run-time information (version, start time,
1513               statistics, etc.) but does not display sent or received
1514               packets.
1515
1516           Level 0
1517               This is the default verbosity level. It behaves like level −1
1518               but also displays sent and received packets and some other
1519               important information.
1520
1521           Level 1
1522               Like level 0 but it displays detailed information about timing,
1523               flags, protocol details, etc.
1524
1525           Level 2
1526               Like level 1 but displays very detailed information about sent
1527               and received packets and other interesting information.
1528
1529           Level 3
1530               Like level 2 but also displays the raw hexadecimal dump of sent
1531               and received packets.
1532
1533           Level 4
1534               Currently unused.
1535
1536       -q[level], --reduce-verbosity [level] (Decrease verbosity level) .
1537           Decreases the verbosity level, causing Nping to print less
1538           information during its execution.
1539
1540       -d[level] (Increase or set debugging level) .
1541           When even verbose mode doesn´t provide sufficient data for you,
1542           debugging is available to flood you with much more! As with the -v,
1543           debugging is enabled with a command-line flag -d and the debug
1544           level can be increased by specifying it multiple times. There are 7
1545           debugging levels (0 to 6). Every instance of -d increments
1546           debugging level by one. Provide an argument to -d to set the level
1547           directly; for example -d4.
1548
1549           Debugging output is useful when you suspect a bug in Nping, or if
1550           you are simply confused as to what Nping is doing and why. As this
1551           feature is mostly intended for developers, debug lines aren´t
1552           always self-explanatory. You may get something like
1553
1554               NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS
1555
1556           If you don´t understand a line, your only recourses are to ignore
1557           it, look it up in the source code, or request help from the
1558           development list (nmap-dev). Some lines are self-explanatory, but
1559           the messages become more obscure as the debug level is increased.
1560           These are the available levels:
1561
1562           Level 0
1563               Level 0. No debug information at all. This is the default
1564               level.
1565
1566           Level 1
1567               In this level, only very important or high-level debug
1568               information will be printed.
1569
1570           Level 2
1571               Like level 1 but also displays important or medium-level debug
1572               information
1573
1574           Level 3
1575               Like level 2 but also displays regular and low-level debug
1576               information.
1577
1578           Level 4
1579               Like level 3 but also displays messages only a real Nping freak
1580               would want to see.
1581
1582           Level 5
1583               Like level 4 but it enables basic debug information related to
1584               external libraries like Nsock..
1585
1586           Level 6
1587               Like level 5 but it enables full, very detailed, debug
1588               information related to external libraries like Nsock.
1589

BUGS

1591       Like its author, Nping isn´t perfect. But you can help make it better
1592       by sending bug reports or even writing patches. If Nping doesn´t behave
1593       the way you expect, first upgrade to the latest Nmap version available
1594       from http://nmap.org/download.html. If the problem persists, do some
1595       research to determine whether it has already been discovered and
1596       addressed. Try searching for the error message on our search page at
1597       http://insecure.org/search.html or at Google. Also try browsing the
1598       nmap-dev archives at http://seclists.org/.  Read this full manual page
1599       as well. If nothing comes out of this, mail a bug report to
1600       nmap-dev@insecure.org. Please include everything you have learned about
1601       the problem, as well as what version of Nping you are running and what
1602       operating system version it is running on. Problem reports and Nping
1603       usage questions sent to nmap-dev@insecure.org are far more likely to be
1604       answered than those sent to Fyodor directly. If you subscribe to the
1605       nmap-dev list before posting, your message will bypass moderation and
1606       get through more quickly. Subscribe at
1607       http://cgi.insecure.org/mailman/listinfo/nmap-dev.
1608
1609       Code patches to fix bugs are even better than bug reports. Basic
1610       instructions for creating patch files with your changes are available
1611       at http://nmap.org/data/HACKING. Patches may be sent to nmap-dev
1612       (recommended) or to any of the authors listed in the next section
1613       directly.
1614

AUTHORS

1616       Luis MartinGarcia luis.mgarc@gmail.com (http://aldabaknocking.com)
1617
1618       Fyodor fyodor@insecure.org (http://insecure.org)
1619

NOTES

1621        1. official type numbers assigned by IANA
1622           http://www.iana.org/assignments/icmp-parameters
1623
1624        2. official numbers assigned by IANA
1625           http://www.iana.org/assignments/arp-parameters/
1626
1627        3. official numbers listed by the IEEE
1628           http://standards.ieee.org/regauth/ethertype/eth.txt
1629
1630
1631
1632Nping                             02/11/2011                          NPING(1)
Impressum