1HPING3(8)                   System Manager's Manual                  HPING3(8)
2
3
4

NAME

6       hping3 - send (almost) arbitrary TCP/IP packets to network hosts
7

SYNOPSIS

9       hping3  [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ]
10       [ --fast ] [ -I interface ] [ -9 signature ] [ -a host ] [ -t ttl  ]  [
11       -N ip id ] [ -H ip protocol ] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C
12       icmp type ] [ -K icmp code ] [ -s source port ] [ -p[+][+] dest port  ]
13       [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence number ] [ -L tcp
14       ack ] [ -d data size ] [ -E filename ] [ -e signature ] [  --icmp-ipver
15       version   ]  [  --icmp-iphlen  length  ]  [  --icmp-iplen  length  ]  [
16       --icmp-ipid id ] [ --icmp-ipproto protocol ] [ --icmp-cksum checksum  ]
17       [  --icmp-ts  ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-timestamp ] [
18       --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-
19       source ] [ --beep ] hostname
20

DESCRIPTION

22       hping3 is a network tool able to send custom TCP/IP packets and to dis‐
23       play target replies like ping program does with  ICMP  replies.  hping3
24       handle  fragmentation,  arbitrary packets body and size and can be used
25       in order to transfer  files  encapsulated  under  supported  protocols.
26       Using hping3 you are able to perform at least the following stuff:
27
28        - Test firewall rules
29        - Advanced port scanning
30        - Test net performance using different protocols,
31          packet size, TOS (type of service) and fragmentation.
32        - Path MTU discovery
33        - Transferring files between even really fascist firewall
34          rules.
35        - Traceroute-like under different protocols.
36        - Firewalk-like usage.
37        - Remote OS fingerprinting.
38        - TCP/IP stack auditing.
39        - A lot of others.
40
41       It's  also  a  good didactic tool to learn TCP/IP.  hping3 is developed
42       and maintained by antirez@invece.org and is licensed under GPL  version
43       2.  Development  is  open  so  you  can send me patches, suggestion and
44       affronts without inhibitions.
45

HPING SITE

47       primary site at http://www.hping.org.  You can found  both  the  stable
48       release  and  the  instruction  to  download  the latest source code at
49       http://www.hping.org/download.html
50

BASE OPTIONS

52       -h --help
53              Show an help screen on standard output, so you can pipe to less.
54
55       -v --version
56              Show version information and API used to  access  to  data  link
57              layer, linux sock packet or libpcap.
58
59       -c --count count
60              Stop after sending (and receiving) count response packets. After
61              last packet was send hping3  wait  COUNTREACHED_TIMEOUT  seconds
62              target  host  replies. You are able to tune COUNTREACHED_TIMEOUT
63              editing hping3.h
64
65       -i --interval
66              Wait the specified number of seconds or  micro  seconds  between
67              sending  each  packet.   --interval  X  set  wait  to X seconds,
68              --interval uX set wait to X micro seconds.  The  default  is  to
69              wait  one  second  between each packet. Using hping3 to transfer
70              files tune this option is really important in order to  increase
71              transfer  rate. Even using hping3 to perform idle/spoofing scan‐
72              ning you should tune this  option,  see  HPING3-HOWTO  for  more
73              information.
74
75       --fast Alias for -i u10000. Hping will send 10 packets for second.
76
77       --faster
78              Alias  for -i u1. Faster then --fast ;) (but not as fast as your
79              computer can send packets due to the signal-driven design).
80
81       --flood
82              Sent packets as fast as possible, without taking  care  to  show
83              incoming replies.  This is ways faster than to specify the -i u0
84              option.
85
86       -n --numeric
87              Numeric output only, No attempt will be made to lookup  symbolic
88              names for host addresses.
89
90       -q --quiet
91              Quiet  output.  Nothing is displayed except the summary lines at
92              startup time and when finished.
93
94       -I --interface interface name
95              By default on linux and BSD systems hping3 uses default  routing
96              interface.   In  other systems or when there is no default route
97              hping3 uses the first non-loopback interface.  However  you  are
98              able  to  force  hping3 to use the interface you need using this
99              option. Note: you don't need to  specify  the  whole  name,  for
100              example  -I  et will match eth0 ethernet0 myet1 et cetera. If no
101              interfaces match hping3 will try to use lo.
102
103       -V --verbose
104              Enable verbose output. TCP replies will be shown as follows:
105
106              len=46 ip=192.168.1.1  flags=RA  DF  seq=0  ttl=255  id=0  win=0
107              rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
108
109       -D --debug
110              Enable  debug mode, it's useful when you experience some problem
111              with hping3. When debug mode is enabled you will get more infor‐
112              mation about interface detection, data link layer access, inter‐
113              face settings, options parsing, fragmentation, HCMP protocol and
114              other stuff.
115
116       -z --bind
117              Bind  CTRL+Z  to  time  to live (TTL) so you will able to incre‐
118              ment/decrement ttl of outgoing packets pressing CTRL+Z  once  or
119              twice.
120
121       -Z --unbind
122              Unbind CTRL+Z so you will able to stop hping3.
123
124       --beep Beep  for  every  matching  received  packet  (but  not for ICMP
125              errors).
126

PROTOCOL SELECTION

128       Default protocol is TCP, by default hping3 will  send  tcp  headers  to
129       target  host's  port  0  with  a winsize of 64 without any tcp flag on.
130       Often this is the best way to do an 'hide ping', useful when target  is
131       behind  a  firewall  that drop ICMP. Moreover a tcp null-flag to port 0
132       has a good probability of not being logged.
133
134       -0 --rawip
135              RAW IP mode, in this mode hping3 will send IP header  with  data
136              appended with --signature and/or --file, see also --ipproto that
137              allows you to set the ip protocol field.
138
139       -1 --icmp
140              ICMP mode, by default hping3 will send  ICMP  echo-request,  you
141              can   set  other  ICMP  type/code  using  --icmptype  --icmpcode
142              options.
143
144       -2 --udp
145              UDP mode, by default hping3 will send udp to target host's  port
146              0.   UDP  header  tunable options are the following: --baseport,
147              --destport, --keep.
148
149       -8 --scan
150              Scan mode, the option expects an argument that describes  groups
151              of  ports  to  scan.  port  groups are comma separated: a number
152              describes just a single port, so 1,2,3 means port 1,  2  and  3.
153              ranges  are  specified  using a start-end notation, like 1-1000,
154              that tell hping to scan ports between 1 and 1000 (included). the
155              special word all is an alias for 0-65535, while the special word
156              known includes all the ports listed in /etc/services.
157              Groups can be combined, so the following command line will  scan
158              ports  between  1  and  1000  AND  port 8888 AND ports listed in
159              /etc/services: hping --scan 1-1000,8888,known -S target.host.com
160              Groups can be negated (subtracted) using a ! character  as  pre‐
161              fix,  so  the following command line will scan all the ports NOT
162              listed in  /etc/services  in  the  range  1-1024:  hping  --scan
163              '1-1024,!known' -S target.host.com
164              Keep  in mind that while hping seems much more like a port scan‐
165              ner in this mode, most of the hping switches are still  honored,
166              so  for example to perform a SYN scan you need to specify the -S
167              option, you can change the TCP windows size, TTL, control the IP
168              fragmentation as usually, and so on. The only real difference is
169              that the standard hping behaviors are encapsulated into a  scan‐
170              ning algorithm.
171              Tech  note:  The  scan  mode  uses  a two-processes design, with
172              shared memory for synchronization.  The  scanning  algorithm  is
173              still not optimal, but already quite fast.
174              Hint:  unlike  most  scanners, hping shows some interesting info
175              about received packets, the IP ID, TCP  win,  TTL,  and  so  on,
176              don't  forget  to  look  at this additional information when you
177              perform a scan! Sometimes they shows interesting details.
178
179       -9 --listen signature
180              HPING3 listen mode, using this option hping3  waits  for  packet
181              that  contain  signature and dump from signature end to packet's
182              end. For example if hping3 --listen TEST  reads  a  packet  that
183              contain    234-09sdflkjs45-TESThello_world   it   will   display
184              hello_world.
185
187       -a --spoof hostname
188              Use this option in order to set a fake IP source  address,  this
189              option ensures that target will not gain your real address. How‐
190              ever replies will be sent to spoofed address, so you will  can't
191              see  them.  In  order  to  see  how  it's  possible  to  perform
192              spoofed/idle scanning see the HPING3-HOWTO.
193
194       --rand-source
195              This option enables the random source  mode.   hping  will  send
196              packets  with  random  source  address. It is interesting to use
197              this option to stress firewall state tables,  and  other  per-ip
198              basis dynamic tables inside the TCP/IP stacks and firewall soft‐
199              ware.
200
201       --rand-dest
202              This option enables the random  destination  mode.   hping  will
203              send the packets to random addresses obtained following the rule
204              you specify as the target host. You need to specify a  numerical
205              IP address as target host like 10.0.0.x.  All the occurrences of
206              x will be replaced with a random number in the range  0-255.  So
207              to  obtain  Internet  IP  addresses  in the whole IPv4 space use
208              something like hping x.x.x.x --rand-dest.  If you are  not  sure
209              about  what kind of addresses your rule is generating try to use
210              the --debug switch to display every new destination address gen‐
211              erated.  When this option is turned on, matching packets will be
212              accept from all the destinations.
213              Warning: when this option is  enabled  hping  can't  detect  the
214              right  outgoing interface for the packets, so you should use the
215              --interface option to select the desired outgoing interface.
216
217       -t --ttl time to live
218              Using this option you can set TTL (time  to  live)  of  outgoing
219              packets, it's likely that you will use this with --traceroute or
220              --bind options. If in  doubt  try  `hping3  some.host.com  -t  1
221              --traceroute'.
222
223       -N --id
224              Set  ip->id  field. Default id is random but if fragmentation is
225              turned on and id isn't specified it will be getpid() & 0xFF,  to
226              implement a better solution is in TODO list.
227
228       -H --ipproto
229              Set the ip protocol in RAW IP mode.
230
231       -W --winid
232              id  from Windows* systems before Win2k has different byte order‐
233              ing, if this option is enable hping3 will  properly  display  id
234              replies from those Windows.
235
236       -r --rel
237              Display  id  increments  instead of id. See the HPING3-HOWTO for
238              more information. Increments aren't  computed  as  id[N]-id[N-1]
239              but  using packet loss compensation. See relid.c for more infor‐
240              mation.
241
242       -f --frag
243              Split packets in more fragments, this may be useful in order  to
244              test  IP  stacks  fragmentation  performance and to test if some
245              packet filter is so weak that can be passed using tiny fragments
246              (anachronistic).  Default  'virtual  mtu'  is 16 bytes. see also
247              --mtu option.
248
249       -x --morefrag
250              Set more fragments IP flag, use this option  if  you  want  that
251              target host send an ICMP time-exceeded during reassembly.
252
253       -y --dontfrag
254              Set don't fragment IP flag, this can be used to perform MTU path
255              discovery.
256
257       -g --fragoff fragment offset value
258              Set the fragment offset.
259
260       -m --mtu mtu value
261              Set different  'virtual  mtu'  than  16  when  fragmentation  is
262              enabled.  If packets size is greater that 'virtual mtu' fragmen‐
263              tation is automatically turned on.
264
265       -o --tos hex_tos
266              Set Type Of Service (TOS), for more information try --tos help.
267
268       -G --rroute
269              Record route. Includes the RECORD_ROUTE option  in  each  packet
270              sent  and  displays  the  route buffer of returned packets. Note
271              that the IP header is only large enough for  nine  such  routes.
272              Many  hosts  ignore or discard this option. Also note that using
273              hping you are able to use record route even if target host  fil‐
274              ter  ICMP.  Record route is an IP option, not an ICMP option, so
275              you can use record route option even in TCP and UDP mode.
276
278       -C --icmptype type
279              Set icmp type, default is ICMP echo request (implies --icmp).
280
281       -K --icmpcode code
282              Set icmp code, default is 0 (implies --icmp).
283
284       --icmp-ipver
285              Set IP version of IP header contained into ICMP data, default is
286              4.
287
288       --icmp-iphlen
289              Set  IP  header  length  of  IP header contained into ICMP data,
290              default is 5 (5 words of 32 bits).
291
292       --icmp-iplen
293              Set IP packet length of IP  header  contained  into  ICMP  data,
294              default is the real length.
295
296       --icmp-ipid
297              Set IP id of IP header contained into ICMP data, default is ran‐
298              dom.
299
300       --icmp-ipproto
301              Set IP protocol of IP header contained into ICMP  data,  default
302              is TCP.
303
304       --icmp-cksum
305              Set ICMP checksum, for default is the valid checksum.
306
307       --icmp-ts
308              Alias for --icmptype 13 (to send ICMP timestamp requests).
309
310       --icmp-addr
311              Alias for --icmptype 17 (to send ICMP address mask requests).
312
314       -s --baseport source port
315              hping3  uses source port in order to guess replies sequence num‐
316              ber. It starts with a base source port number, and increase this
317              number  for  each  packet sent. When packet is received sequence
318              number can be computed as replies.dest.port -  base.source.port.
319              Default  base  source  port is random, using this option you are
320              able to set different number. If you need that source  port  not
321              be increased for each sent packet use the -k --keep option.
322
323       -p --destport [+][+]dest port
324              Set  destination  port,  default is 0. If '+' character precedes
325              dest port number (i.e. +1024) destination port will be increased
326              for each reply received. If double '+' precedes dest port number
327              (i.e. ++1024), destination  port  will  be  increased  for  each
328              packet sent.  By default destination port can be modified inter‐
329              actively using CTRL+z.
330
331       --keep keep still source port, see --baseport for more information.
332
333       -w --win
334              Set TCP window size. Default is 64.
335
336       -O --tcpoff
337              Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
338
339       -M --setseq
340              Set the TCP sequence number.
341
342       -L --setack
343              Set the TCP ack.
344
345       -Q --seqnum
346              This option can be used in order  to  collect  sequence  numbers
347              generated  by  target  host. This can be useful when you need to
348              analyze whether TCP sequence number is predictable. Output exam‐
349              ple:
350
351              #hping3 win98 --seqnum -p 139 -S -i u1 -I eth0
352              HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
353              2361294848 +2361294848
354              2411626496 +50331648
355              2545844224 +134217728
356              2713616384 +167772160
357              2881388544 +167772160
358              3049160704 +167772160
359              3216932864 +167772160
360              3384705024 +167772160
361              3552477184 +167772160
362              3720249344 +167772160
363              3888021504 +167772160
364              4055793664 +167772160
365              4223565824 +167772160
366
367              The first column reports the sequence number, the second differ‐
368              ence between current and last sequence number. As  you  can  see
369              target host's sequence numbers are predictable.
370
371       -b --badcksum
372              Send packets with a bad UDP/TCP checksum.
373
374       --tcp-timestamp
375              Enable  the TCP timestamp option, and try to guess the timestamp
376              update frequency and the remote system uptime.
377
378       -F --fin
379              Set FIN tcp flag.
380
381       -S --syn
382              Set SYN tcp flag.
383
384       -R --rst
385              Set RST tcp flag.
386
387       -P --push
388              Set PUSH tcp flag.
389
390       -A --ack
391              Set ACK tcp flag.
392
393       -U --urg
394              Set URG tcp flag.
395
396       -X --xmas
397              Set Xmas tcp flag.
398
399       -Y --ymas
400              Set Ymas tcp flag.
401

COMMON OPTIONS

403       -d --data data size
404              Set packet body size. Warning, using --data 40 hping3  will  not
405              generate  0  byte  packets  but protocol_header+40 bytes. hping3
406              will display packet size information as first line output,  like
407              this:  HPING  www.yahoo.com  (ppp0  204.71.200.67): NO FLAGS are
408              set, 40 headers + 40 data bytes
409
410       -E --file filename
411              Use filename contents to fill packet's data.
412
413       -e --sign signature
414              Fill first signature length bytes of data  with  signature.   If
415              the  signature  length is bigger than data size an error message
416              will be displayed.  If you don't specify  the  data  size  hping
417              will  use  the  signature size as data size.  This option can be
418              used safely with --file filename option,  remainder  data  space
419              will be filled using filename.
420
421       -j --dump
422              Dump received packets in hex.
423
424       -J --print
425              Dump received packets' printable characters.
426
427       -B --safe
428              Enable  safe  protocol,  using  this option lost packets in file
429              transfers will be resent. For example  in  order  to  send  file
430              /etc/passwd from host A to host B you may use the following:
431              [host_a]
432              # hping3 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
433              [host_b]
434              # hping3 host_a --listen signature --safe --icmp
435
436       -u --end
437              If  you  are using --file filename option, tell you when EOF has
438              been reached. Moreover prevent that other end accept more  pack‐
439              ets. Please, for more information see the HPING3-HOWTO.
440
441       -T --traceroute
442              Traceroute  mode. Using this option hping3 will increase ttl for
443              each ICMP time to live 0 during  transit  received.  Try  hping3
444              host  --traceroute.  This option implies --bind and --ttl 1. You
445              can override the ttl of 1 using the --ttl  option.  Since  2.0.0
446              stable it prints RTT information.
447
448       --tr-keep-ttl
449              Keep  the  TTL fixed in traceroute mode, so you can monitor just
450              one hop in the route. For example, to monitor how  the  5th  hop
451              changes or how its RTT changes you can try hping3 host --tracer‐
452              oute --ttl 5 --tr-keep-ttl.
453
454       --tr-stop
455              If this option is specified  hping  will  exit  once  the  first
456              packet that isn't an ICMP time exceeded is received. This better
457              emulates the traceroute behavior.
458
459       --tr-no-rtt
460              Don't show RTT information in traceroute  mode.  The  ICMP  time
461              exceeded  RTT  information aren't even calculated if this option
462              is set.
463
464       --tcpexitcode
465              Exit with last received packet tcp->th_flag as exit code. Useful
466              for  scripts that need, for example, to known if the port 999 of
467              some host reply with SYN/ACK or with RST  in  response  to  SYN,
468              i.e. the service is up or down.
469

TCP OUTPUT FORMAT

471       The standard TCP output format is the following:
472
473       len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
474
475       len  is  the  size,  in  bytes, of the data captured from the data link
476       layer excluding the data link header size. This may not  match  the  IP
477       datagram size due to low level transport layer padding.
478
479       ip is the source ip address.
480
481       flags  are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN,
482       P for PUSH, U for URGENT, X for not standard 0x40, Y for  not  standard
483       0x80.
484
485       If the reply contains DF the IP header has the don't fragment bit set.
486
487       seq  is  the  sequence  number of the packet, obtained using the source
488       port for TCP/UDP packets, the sequence field for ICMP packets.
489
490       id is the IP ID field.
491
492       win is the TCP window size.
493
494       rtt is the round trip time in milliseconds.
495
496       If you run hping using the -V command line switch it will display addi‐
497       tional information about the packet, example:
498
499       len=46  ip=192.168.1.1  flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
500       tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
501
502       tos is the type of service field of the IP header.
503
504       iplen is the IP total len field.
505
506       seq and ack are the sequence and acknowledge 32bit numbers in  the  TCP
507       header.
508
509       sum is the TCP header checksum value.
510
511       urp is the TCP urgent pointer value.
512
513

UDP OUTPUT FORMAT

515       The standard output format is:
516
517       len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
518
519       The  field  meaning  is  just the same as the TCP output meaning of the
520       same fields.
521
522

ICMP OUTPUT FORMAT

524       An example of ICMP output is:
525
526       ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
527
528       It is very simple to understand. It starts with the string "ICMP"  fol‐
529       lowed  by  the  description  of the ICMP error, Port Unreachable in the
530       example. The ip field is the IP source address of the IP datagram  con‐
531       taining  the  ICMP  error, the name field is just the numerical address
532       resolved to a name (a dns PTR request) or  UNKNOWN  if  the  resolution
533       failed.
534
535       The  ICMP  Time  exceeded  during transit or reassembly format is a bit
536       different:
537
538       TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
539
540       TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN
541
542       The only difference is the description of the error, it starts with TTL
543       0.
544
545

AUTHOR

547       Salvatore  Sanfilippo <antirez@invece.org>, with the help of the people
548       mentioned in AUTHORS file and at http://www.hping.org/authors.html
549

BUGS

551       Even using the --end and --safe options to  transfer  files  the  final
552       packet will be padded with 0x00 bytes.
553
554       Data is read without care about alignment, but alignment is enforced in
555       the data structures.  This will not be a problem under i386 but,  while
556       usually  the  TCP/IP headers are naturally aligned, may create problems
557       with different processors and bogus packets if there is some  unaligned
558       access around the code (hopefully none).
559
560       On  solaris hping does not work on the loopback interface. This seems a
561       solaris problem, as stated in the tcpdump-workers mailing list, so  the
562       libpcap can't do nothing to handle it properly.
563

SEE ALSO

565       ping(8), traceroute(8), ifconfig(8), nmap(1)
566
567
568
569                                  2005 Nov  5                        HPING3(8)
Impressum