1HPING2(8) System Manager's Manual HPING2(8)
2
3
4
6 hping2 - send (almost) arbitrary TCP/IP packets to network hosts
7
9 hping2 [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ]
10 [ --fast ] [ -I interface ] [ -9 signature ] [ -a host ] [ -t ttl ] [
11 -N ip id ] [ -H ip protocol ] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C
12 icmp type ] [ -K icmp code ] [ -s source port ] [ -p[+][+] dest port ]
13 [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence number ] [ -L tcp
14 ack ] [ -d data size ] [ -E filename ] [ -e signature ] [ --icmp-ipver
15 version ] [ --icmp-iphlen length ] [ --icmp-iplen length ] [
16 --icmp-ipid id ] [ --icmp-ipproto protocol ] [ --icmp-cksum checksum ]
17 [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-timestamp ] [
18 --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-
19 source ] [ --beep ] hostname
20
22 hping2 is a network tool able to send custom TCP/IP packets and to dis‐
23 play target replies like ping program does with ICMP replies. hping2
24 handle fragmentation, arbitrary packets body and size and can be used
25 in order to transfer files encapsulated under supported protocols.
26 Using hping2 you are able to perform at least the following stuff:
27
28 - Test firewall rules
29 - Advanced port scanning
30 - Test net performance using different protocols,
31 packet size, TOS (type of service) and fragmentation.
32 - Path MTU discovery
33 - Transferring files between even really fascist firewall
34 rules.
35 - Traceroute-like under different protocols.
36 - Firewalk-like usage.
37 - Remote OS fingerprinting.
38 - TCP/IP stack auditing.
39 - A lot of others.
40
41 It's also a good didactic tool to learn TCP/IP. hping2 is developed
42 and maintained by antirez@invece.org and is licensed under GPL version
43 2. Development is open so you can send me patches, suggestion and
44 affronts without inhibitions.
45
47 primary site at http://www.hping.org. You can found both the stable
48 release and the instruction to download the latest source code at
49 http://www.hping.org/download.html
50
52 -h --help
53 Show an help screen on standard output, so you can pipe to less.
54
55 -v --version
56 Show version information and API used to access to data link
57 layer, linux sock packet or libpcap.
58
59 -c --count count
60 Stop after sending (and receiving) count response packets. After
61 last packet was send hping2 wait COUNTREACHED_TIMEOUT seconds
62 target host replies. You are able to tune COUNTREACHED_TIMEOUT
63 editing hping2.h
64
65 -i --interval
66 Wait the specified number of seconds or micro seconds between
67 sending each packet. --interval X set wait to X seconds,
68 --interval uX set wait to X micro seconds. The default is to
69 wait one second between each packet. Using hping2 to transfer
70 files tune this option is really important in order to increase
71 transfer rate. Even using hping2 to perform idle/spoofing scan‐
72 ning you should tune this option, see HPING2-HOWTO for more
73 information.
74
75 --fast Alias for -i u10000. Hping will send 10 packets for second.
76
77 --faster
78 Alias for -i u1. Faster then --fast ;) (but not as fast as your
79 computer can send packets due to the signal-driven design).
80
81 --flood
82 Sent packets as fast as possible, without taking care to show
83 incoming replies. This is ways faster than to specify the -i u0
84 option.
85
86 -n --numeric
87 Numeric output only, No attempt will be made to lookup symbolic
88 names for host addresses.
89
90 -q --quiet
91 Quiet output. Nothing is displayed except the summary lines at
92 startup time and when finished.
93
94 -I --interface interface name
95 By default on linux and BSD systems hping2 uses default routing
96 interface. In other systems or when there is no default route
97 hping2 uses the first non-loopback interface. However you are
98 able to force hping2 to use the interface you need using this
99 option. Note: you don't need to specify the whole name, for
100 example -I et will match eth0 ethernet0 myet1 et cetera. If no
101 interfaces match hping2 will try to use lo.
102
103 -V --verbose
104 Enable verbose output. TCP replies will be shown as follows:
105
106 len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0
107 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
108
109 -D --debug
110 Enable debug mode, it's useful when you experience some problem
111 with hping2. When debug mode is enabled you will get more infor‐
112 mation about interface detection, data link layer access, inter‐
113 face settings, options parsing, fragmentation, HCMP protocol and
114 other stuff.
115
116 -z --bind
117 Bind CTRL+Z to time to live (TTL) so you will able to incre‐
118 ment/decrement ttl of outgoing packets pressing CTRL+Z once or
119 twice.
120
121 -Z --unbind
122 Unbind CTRL+Z so you will able to stop hping2.
123
124 --beep Beep for every matching received packet (but not for ICMP
125 errors).
126
128 Default protocol is TCP, by default hping2 will send tcp headers to
129 target host's port 0 with a winsize of 64 without any tcp flag on.
130 Often this is the best way to do an 'hide ping', useful when target is
131 behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0
132 has a good probability of not being logged.
133
134 -0 --rawip
135 RAW IP mode, in this mode hping2 will send IP header with data
136 appended with --signature and/or --file, see also --ipproto that
137 allows you to set the ip protocol field.
138
139 -1 --icmp
140 ICMP mode, by default hping2 will send ICMP echo-request, you
141 can set other ICMP type/code using --icmptype --icmpcode
142 options.
143
144 -2 --udp
145 UDP mode, by default hping2 will send udp to target host's port
146 0. UDP header tunable options are the following: --baseport,
147 --destport, --keep.
148
149 -8 --scan
150 Scan mode, the option expects an argument that describes groups
151 of ports to scan. port groups are comma separated: a number
152 describes just a single port, so 1,2,3 means port 1, 2 and 3.
153 ranges are specified using a start-end notation, like 1-1000,
154 that tell hping to scan ports between 1 and 1000 (included). the
155 special word all is an alias for 0-65535, while the special word
156 known includes all the ports listed in /etc/services.
157 Groups can be combined, so the following command line will scan
158 ports between 1 and 1000 AND port 8888 AND ports listed in
159 /etc/services: hping --scan 1-1000,8888,known -S target.host.com
160 Groups can be negated (subtracted) using a ! character as pre‐
161 fix, so the following command line will scan all the ports NOT
162 listed in /etc/services in the range 1-1024: hping --scan
163 '1-1024,!known' -S target.host.com
164 Keep in mind that while hping seems much more like a port scan‐
165 ner in this mode, most of the hping switches are still honored,
166 so for example to perform a SYN scan you need to specify the -S
167 option, you can change the TCP windows size, TTL, control the IP
168 fragmentation as usually, and so on. The only real difference is
169 that the standard hping behaviors are encapsulated into a scan‐
170 ning algorithm.
171 Tech note: The scan mode uses a two-processes design, with
172 shared memory for synchronization. The scanning algorithm is
173 still not optimal, but already quite fast.
174 Hint: unlike most scanners, hping shows some interesting info
175 about received packets, the IP ID, TCP win, TTL, and so on,
176 don't forget to look at this additional information when you
177 perform a scan! Sometimes they shows interesting details.
178
179 -9 --listen signature
180 HPING2 listen mode, using this option hping2 waits for packet
181 that contain signature and dump from signature end to packet's
182 end. For example if hping2 --listen TEST reads a packet that
183 contain 234-09sdflkjs45-TESThello_world it will display
184 hello_world.
185
187 -a --spoof hostname
188 Use this option in order to set a fake IP source address, this
189 option ensures that target will not gain your real address. How‐
190 ever replies will be sent to spoofed address, so you will can't
191 see them. In order to see how it's possible to perform
192 spoofed/idle scanning see the HPING2-HOWTO.
193
194 --rand-source
195 This option enables the random source mode. hping will send
196 packets with random source address. It is interesting to use
197 this option to stress firewall state tables, and other per-ip
198 basis dynamic tables inside the TCP/IP stacks and firewall soft‐
199 ware.
200
201 --rand-dest
202 This option enables the random destination mode. hping will
203 send the packets to random addresses obtained following the rule
204 you specify as the target host. You need to specify a numerical
205 IP address as target host like 10.0.0.x. All the occurrences of
206 x will be replaced with a random number in the range 0-255. So
207 to obtain Internet IP addresses in the whole IPv4 space use
208 something like hping x.x.x.x --rand-dest. If you are not sure
209 about what kind of addresses your rule is generating try to use
210 the --debug switch to display every new destination address gen‐
211 erated. When this option is turned on, matching packets will be
212 accept from all the destinations.
213 Warning: when this option is enabled hping can't detect the
214 right outgoing interface for the packets, so you should use the
215 --interface option to select the desired outgoing interface.
216
217 -t --ttl time to live
218 Using this option you can set TTL (time to live) of outgoing
219 packets, it's likely that you will use this with --traceroute or
220 --bind options. If in doubt try `hping2 some.host.com -t 1
221 --traceroute'.
222
223 -N --id
224 Set ip->id field. Default id is random but if fragmentation is
225 turned on and id isn't specified it will be getpid() & 0xFF, to
226 implement a better solution is in TODO list.
227
228 -H --ipproto
229 Set the ip protocol in RAW IP mode.
230
231 -W --winid
232 id from Windows* systems before Win2k has different byte order‐
233 ing, if this option is enable hping2 will properly display id
234 replies from those Windows.
235
236 -r --rel
237 Display id increments instead of id. See the HPING2-HOWTO for
238 more information. Increments aren't computed as id[N]-id[N-1]
239 but using packet loss compensation. See relid.c for more infor‐
240 mation.
241
242 -f --frag
243 Split packets in more fragments, this may be useful in order to
244 test IP stacks fragmentation performance and to test if some
245 packet filter is so weak that can be passed using tiny fragments
246 (anachronistic). Default 'virtual mtu' is 16 bytes. see also
247 --mtu option.
248
249 -x --morefrag
250 Set more fragments IP flag, use this option if you want that
251 target host send an ICMP time-exceeded during reassembly.
252
253 -y --dontfrag
254 Set don't fragment IP flag, this can be used to perform MTU path
255 discovery.
256
257 -g --fragoff fragment offset value
258 Set the fragment offset.
259
260 -m --mtu mtu value
261 Set different 'virtual mtu' than 16 when fragmentation is
262 enabled. If packets size is greater that 'virtual mtu' fragmen‐
263 tation is automatically turned on.
264
265 -o --tos hex_tos
266 Set Type Of Service (TOS), for more information try --tos help.
267
268 -G --rroute
269 Record route. Includes the RECORD_ROUTE option in each packet
270 sent and displays the route buffer of returned packets. Note
271 that the IP header is only large enough for nine such routes.
272 Many hosts ignore or discard this option. Also note that using
273 hping you are able to use record route even if target host fil‐
274 ter ICMP. Record route is an IP option, not an ICMP option, so
275 you can use record route option even in TCP and UDP mode.
276
278 -C --icmptype type
279 Set icmp type, default is ICMP echo request (implies --icmp).
280
281 -K --icmpcode code
282 Set icmp code, default is 0 (implies --icmp).
283
284 --icmp-ipver
285 Set IP version of IP header contained into ICMP data, default is
286 4.
287
288 --icmp-iphlen
289 Set IP header length of IP header contained into ICMP data,
290 default is 5 (5 words of 32 bits).
291
292 --icmp-iplen
293 Set IP packet length of IP header contained into ICMP data,
294 default is the real length.
295
296 --icmp-ipid
297 Set IP id of IP header contained into ICMP data, default is ran‐
298 dom.
299
300 --icmp-ipproto
301 Set IP protocol of IP header contained into ICMP data, default
302 is TCP.
303
304 --icmp-cksum
305 Set ICMP checksum, for default is the valid checksum.
306
307 --icmp-ts
308 Alias for --icmptype 13 (to send ICMP timestamp requests).
309
310 --icmp-addr
311 Alias for --icmptype 17 (to send ICMP address mask requests).
312
314 -s --baseport source port
315 hping2 uses source port in order to guess replies sequence num‐
316 ber. It starts with a base source port number, and increase this
317 number for each packet sent. When packet is received sequence
318 number can be computed as replies.dest.port - base.source.port.
319 Default base source port is random, using this option you are
320 able to set different number. If you need that source port not
321 be increased for each sent packet use the -k --keep option.
322
323 -p --destport [+][+]dest port
324 Set destination port, default is 0. If '+' character precedes
325 dest port number (i.e. +1024) destination port will be increased
326 for each reply received. If double '+' precedes dest port number
327 (i.e. ++1024), destination port will be increased for each
328 packet sent. By default destination port can be modified inter‐
329 actively using CTRL+z.
330
331 --keep keep still source port, see --baseport for more information.
332
333 -w --win
334 Set TCP window size. Default is 64.
335
336 -O --tcpoff
337 Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
338
339 -M --tcpseq
340 Set the TCP sequence number.
341
342 -L --tcpack
343 Set the TCP ack.
344
345 -Q --seqnum
346 This option can be used in order to collect sequence numbers
347 generated by target host. This can be useful when you need to
348 analyze whether TCP sequence number is predictable. Output exam‐
349 ple:
350
351 #hping2 win98 --seqnum -p 139 -S -i u1 -I eth0
352 HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
353 2361294848 +2361294848
354 2411626496 +50331648
355 2545844224 +134217728
356 2713616384 +167772160
357 2881388544 +167772160
358 3049160704 +167772160
359 3216932864 +167772160
360 3384705024 +167772160
361 3552477184 +167772160
362 3720249344 +167772160
363 3888021504 +167772160
364 4055793664 +167772160
365 4223565824 +167772160
366
367 The first column reports the sequence number, the second differ‐
368 ence between current and last sequence number. As you can see
369 target host's sequence numbers are predictable.
370
371 -b --badcksum
372 Send packets with a bad UDP/TCP checksum.
373
374 --tcp-timestamp
375 Enable the TCP timestamp option, and try to guess the timestamp
376 update frequency and the remote system uptime.
377
378 -F --fin
379 Set FIN tcp flag.
380
381 -S --syn
382 Set SYN tcp flag.
383
384 -R --rst
385 Set RST tcp flag.
386
387 -P --push
388 Set PUSH tcp flag.
389
390 -A --ack
391 Set ACK tcp flag.
392
393 -U --urg
394 Set URG tcp flag.
395
396 -X --xmas
397 Set Xmas tcp flag.
398
399 -Y --ymas
400 Set Ymas tcp flag.
401
403 -d --data data size
404 Set packet body size. Warning, using --data 40 hping2 will not
405 generate 0 byte packets but protocol_header+40 bytes. hping2
406 will display packet size information as first line output, like
407 this: HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are
408 set, 40 headers + 40 data bytes
409
410 -E --file filename
411 Use filename contents to fill packet's data.
412
413 -e --sign signature
414 Fill first signature length bytes of data with signature. If
415 the signature length is bigger than data size an error message
416 will be displayed. If you don't specify the data size hping
417 will use the signature size as data size. This option can be
418 used safely with --file filename option, remainder data space
419 will be filled using filename.
420
421 -j --dump
422 Dump received packets in hex.
423
424 -J --print
425 Dump received packets' printable characters.
426
427 -B --safe
428 Enable safe protocol, using this option lost packets in file
429 transfers will be resent. For example in order to send file
430 /etc/passwd from host A to host B you may use the following:
431 [host_a]
432 # hping2 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
433 [host_b]
434 # hping2 host_a --listen signature --safe --icmp
435
436 -u --end
437 If you are using --file filename option, tell you when EOF has
438 been reached. Moreover prevent that other end accept more pack‐
439 ets. Please, for more information see the HPING2-HOWTO.
440
441 -T --traceroute
442 Traceroute mode. Using this option hping2 will increase ttl for
443 each ICMP time to live 0 during transit received. Try hping2
444 host --traceroute. This option implies --bind and --ttl 1. You
445 can override the ttl of 1 using the --ttl option. Since 2.0.0
446 stable it prints RTT information.
447
448 --tr-keep-ttl
449 Keep the TTL fixed in traceroute mode, so you can monitor just
450 one hop in the route. For example, to monitor how the 5th hop
451 changes or how its RTT changes you can try hping2 host --tracer‐
452 oute --ttl 5 --tr-keep-ttl.
453
454 --tr-stop
455 If this option is specified hping will exit once the first
456 packet that isn't an ICMP time exceeded is received. This better
457 emulates the traceroute behavior.
458
459 --tr-no-rtt
460 Don't show RTT information in traceroute mode. The ICMP time
461 exceeded RTT information aren't even calculated if this option
462 is set.
463
464 --tcpexitcode
465 Exit with last received packet tcp->th_flag as exit code. Useful
466 for scripts that need, for example, to known if the port 999 of
467 some host reply with SYN/ACK or with RST in response to SYN,
468 i.e. the service is up or down.
469
471 The standard TCP output format is the following:
472
473 len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
474
475 len is the size, in bytes, of the data captured from the data link
476 layer excluding the data link header size. This may not match the IP
477 datagram size due to low level transport layer padding.
478
479 ip is the source ip address.
480
481 flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN,
482 P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard
483 0x80.
484
485 If the reply contains DF the IP header has the don't fragment bit set.
486
487 seq is the sequence number of the packet, obtained using the source
488 port for TCP/UDP packets, the sequence field for ICMP packets.
489
490 id is the IP ID field.
491
492 win is the TCP window size.
493
494 rtt is the round trip time in milliseconds.
495
496 If you run hping using the -V command line switch it will display addi‐
497 tional information about the packet, example:
498
499 len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
500 tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
501
502 tos is the type of service field of the IP header.
503
504 iplen is the IP total len field.
505
506 seq and ack are the sequence and acknowledge 32bit numbers in the TCP
507 header.
508
509 sum is the TCP header checksum value.
510
511 urp is the TCP urgent pointer value.
512
513
515 The standard output format is:
516
517 len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
518
519 The field meaning is just the same as the TCP output meaning of the
520 same fields.
521
522
524 An example of ICMP output is:
525
526 ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
527
528 It is very simple to understand. It starts with the string "ICMP" fol‐
529 lowed by the description of the ICMP error, Port Unreachable in the
530 example. The ip field is the IP source address of the IP datagram con‐
531 taining the ICMP error, the name field is just the numerical address
532 resolved to a name (a dns PTR request) or UNKNOWN if the resolution
533 failed.
534
535 The ICMP Time exceeded during transit or reassembly format is a bit
536 different:
537
538 TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
539
540 TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN
541
542 The only difference is the description of the error, it starts with TTL
543 0.
544
545
547 Salvatore Sanfilippo <antirez@invece.org>, with the help of the people
548 mentioned in AUTHORS file and at http://www.hping.org/authors.html
549
551 Even using the --end and --safe options to transfer files the final
552 packet will be padded with 0x00 bytes.
553
554 Data is read without care about alignment, but alignment is enforced in
555 the data structures. This will not be a problem under i386 but, while
556 usually the TCP/IP headers are naturally aligned, may create problems
557 with different processors and bogus packets if there is some unaligned
558 access around the code (hopefully none).
559
560 On solaris hping does not work on the loopback interface. This seems a
561 solaris problem, as stated in the tcpdump-workers mailing list, so the
562 libpcap can't do nothing to handle it properly.
563
565 ping(8), traceroute(8), ifconfig(8), nmap(1)
566
567
568
569 2001 Aug 14 HPING2(8)