hping3 - send (almost) arbitrary TCP/IP packets to network hosts

       Salvatore Sanfilippo <antirez@invece.org>, with the help of the people mentioned in AUTHORS file  and  at
       http://www.hping.org/authors.html

-h--help
              Show an help screen on standard output, so you can pipe to less.

       -v--version
              Show version information and API used to access to data link layer, linuxsockpacket or libpcap.-c--countcount
              Stop  after sending (and receiving) count response packets. After last packet was send hping3 wait
              COUNTREACHED_TIMEOUT seconds target host  replies.  You  are  able  to  tune  COUNTREACHED_TIMEOUT
              editing hping2.h

       -i--interval
              Wait  the  specified number of seconds or micro seconds between sending each packet.  --interval X
              set wait to X seconds, --interval uX set wait to X micro seconds.  The  default  is  to  wait  one
              second between each packet. Using hping3 to transfer files tune this option is really important in
              order  to  increase  transfer rate. Even using hping3 to perform idle/spoofing scanning you should
              tune this option, see HPING3-HOWTO for more information.

       --fast Alias for -i u10000. Hping will send 10 packets for second.

       --faster
              Alias for -i u1. Faster then --fast ;) (but not as fast as your computer can send packets  due  to
              the signal-driven design).

       --flood
              Sent  packets  as  fast  as  possible, without taking care to show incoming replies.  This is ways
              faster than to specify the -i u0 option.

       -n--numeric
              Numeric output only, No attempt will be made to lookup symbolic names for host addresses.

       -q--quiet
              Quiet output. Nothing is displayed except the summary lines at startup time and when finished.

       -I--interfaceinterfacename
              By default on linux and BSD systems hping3 uses default routing interface.  In  other  systems  or
              when there is no default route hping3 uses the first non-loopback interface.  However you are able
              to  force  hping3 to use the interface you need using this option. Note: you don't need to specify
              the whole name, for example -I et will match eth0 ethernet0 myet1  et  cetera.  If  no  interfaces
              match hping3 will try to use lo.

       -V--verbose
              Enable verbose output. TCP replies will be shown as follows:

              len=46  ip=192.168.1.1  flags=RA  DF  seq=0  ttl=255  id=0  win=0  rtt=0.4 ms tos=0 iplen=40 seq=0
              ack=1380893504 sum=2010 urp=0

       -D--debug
              Enable debug mode, it's useful when you experience some problem with hping3. When  debug  mode  is
              enabled you will get more information about interfacedetection,datalinklayeraccess,interfacesettings,optionsparsing,fragmentation,HCMPprotocol and other stuff.

       -z--bind
              Bind  CTRL+Z to timetolive(TTL) so you will able to increment/decrement ttl of outgoing packets
              pressing CTRL+Z once or twice.

       -Z--unbind
              Unbind CTRL+Z so you will able to stop hping3.

       --beep Beep for every matching received packet (but not for ICMP errors).

       Even  using  the  --end  and  --safe  options to transfer files the final packet will be padded with 0x00
       bytes.

       Data is read without care about alignment, but alignment is enforced in the data structures.   This  will
       not  be  a  problem  under  i386  but, while usually the TCP/IP headers are naturally aligned, may create
       problems with different processors and bogus packets if there is some unaligned access  around  the  code
       (hopefully none).

       On  solaris hping does not work on the loopback interface. This seems a solaris problem, as stated in the
       tcpdump-workers mailing list, so the libpcap can't do nothing to handle it properly.

-d--datadatasize
              Set packet body size. Warning, using --data 40  hping3  will  not  generate  0  byte  packets  but
              protocol_header+40  bytes.  hping3 will display packet size information as first line output, like
              this: HPINGwww.yahoo.com(ppp0204.71.200.67):NOFLAGSareset,40headers+40databytes-E--filefilename
              Use filename contents to fill packet's data.

       -e--signsignature
              Fill first signaturelength bytes of data with signature.  If the signaturelength is bigger  than
              data  size  an error message will be displayed.  If you don't specify the data size hping will use
              the signature size as data size.  This option can be used  safely  with  --filefilename  option,
              remainder data space will be filled using filename.

       -j--dump
              Dump received packets in hex.

       -J--print
              Dump received packets' printable characters.

       -B--safe
              Enable safe protocol, using this option lost packets in file transfers will be resent. For example
              in order to send file /etc/passwd from host A to host B you may use the following:
              [host_a]#hping3host_b--udp-p53-d100--signsignature--safe--file/etc/passwd[host_b]#hping3host_a--listensignature--safe--icmp-u--end
              If you are using --filefilename option, tell you when EOF has been reached. Moreover prevent that
              other end accept more packets. Please, for more information see the HPING3-HOWTO.

       -T--traceroute
              Traceroute  mode.  Using  this option hping3 will increase ttl for each ICMPtimetolive0duringtransit received. Try hping3host--traceroute.  This option implies --bind and --ttl 1.  You  can
              override the ttl of 1 using the --ttl option. Since 2.0.0 stable it prints RTT information.

       --tr-keep-ttl
              Keep  the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example,
              to monitor how the 5th hop changes or how its RTT changes you can  try  hping3host--traceroute--ttl5--tr-keep-ttl.

       --tr-stop
              If this option is specified hping will exit once the first packet that isn't an ICMP time exceeded
              is received. This better emulates the traceroute behavior.

       --tr-no-rtt
              Don't  show RTT information in traceroute mode. The ICMP time exceeded RTT information aren't even
              calculated if this option is set.

       --tcpexitcode
              Exit with last received packet tcp->th_flag as exit  code.  Useful  for  scripts  that  need,  for
              example,  to known if the port 999 of some host reply with SYN/ACK or with RST in response to SYN,
              i.e. the service is up or down.

       hping3 is a network tool able to send custom TCP/IP packets and  to  display  target  replies  like  ping
       program  does  with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be
       used in order to transfer files encapsulated under supported protocols. Using  hping3  you  are  able  to
       perform at least the following stuff:

        - Test firewall rules
        - Advanced port scanning
        - Test net performance using different protocols,
          packet size, TOS (type of service) and fragmentation.
        - Path MTU discovery
        - Transferring files between even really fascist firewall
          rules.
        - Traceroute-like under different protocols.
        - Firewalk-like usage.
        - Remote OS fingerprinting.
        - TCP/IP stack auditing.
        - A lot of others.

       It'salsoagooddidactictooltolearnTCP/IP.  hping3 is developed and maintained by antirez@invece.org
       and  is  licensed  under  GPL  version  2. Development is open so you can send me patches, suggestion and
       affronts without inhibitions.

       primary site at http://www.hping.org.  You can found both the  stable  release  and  the  instruction  to
       download the latest source code at http://www.hping.org/download.html

       An example of ICMP output is:

       ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net

       It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP
       error, Port Unreachable in the example. The ip field  is  the  IP  source  address  of  the  IP  datagram
       containing  the  ICMP  error,  the name field is just the numerical address resolved to a name (a dns PTR
       request) or UNKNOWN if the resolution failed.

       The ICMP Time exceeded during transit or reassembly format is a bit different:

       TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net

       TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN

       The only difference is the description of the error, it starts with TTL 0.

-C--icmptypetype
              Set icmp type, default is ICMPechorequest (implies --icmp).

       -K--icmpcodecode
              Set icmp code, default is 0 (implies --icmp).

       --icmp-ipver
              Set IP version of IP header contained into ICMP data, default is 4.

       --icmp-iphlen
              Set IP header length of IP header contained into ICMP data, default is 5 (5 words of 32 bits).

       --icmp-iplen
              Set IP packet length of IP header contained into ICMP data, default is the real length.

       --icmp-ipid
              Set IP id of IP header contained into ICMP data, default is random.

       --icmp-ipproto
              Set IP protocol of IP header contained into ICMP data, default is TCP.

       --icmp-cksum
              Set ICMP checksum, for default is the valid checksum.

       --icmp-ts
              Alias for --icmptype 13 (to send ICMP timestamp requests).

       --icmp-addr
              Alias for --icmptype 17 (to send ICMP address mask requests).

-a--spoofhostname
              Use this option in order to set a fake IP source address, this option ensures that target will not
              gain your real address. However replies will be sent to spoofed address, so  you  will  can't  see
              them. In order to see how it's possible to perform spoofed/idle scanning see the HPING3-HOWTO.

       --rand-source
              This  option  enables the randomsourcemode.  hping will send packets with random source address.
              It is interesting to use this option to stress firewall  state  tables,  and  other  per-ip  basis
              dynamic tables inside the TCP/IP stacks and firewall software.

       --rand-dest
              This  option enables the randomdestinationmode.  hping will send the packets to random addresses
              obtained following the rule you specify as the target host. You need to  specify  a  numerical  IP
              address  as  target  host  like 10.0.0.x.  All the occurrences of x will be replaced with a random
              number in the range 0-255. So to obtain  Internet  IP  addresses  in  the  whole  IPv4  space  use
              something  like  hpingx.x.x.x--rand-dest.  If you are not sure about what kind of addresses your
              rule is generating try to use  the  --debug  switch  to  display  every  new  destination  address
              generated.   When  this  option  is  turned  on,  matching  packets  will  be  accept from all the
              destinations.
              Warning: when this option is enabled hping can't detect  the  right  outgoing  interface  for  the
              packets, so you should use the --interface option to select the desired outgoing interface.

       -t--ttltimetolive
              Using  this  option  you can set TTL(timetolive) of outgoing packets, it's likely that you will
              use this with --traceroute or  --bind  options.  If  in  doubt  try  `hping3some.host.com-t1--traceroute'.

       -N--id
              Set ip->id field. Default id is random but if fragmentation is turned on and id isn't specified it
              will be getpid()&0xFFFF, to implement a better solution is in TODO list.

       -H--ipproto
              Set the ip protocol in RAW IP mode.

       -W--winid
              id from Windows* systems before Win2k has different byte ordering, if this option is enable hping3
              will properly display id replies from those Windows.

       -r--rel
              Display  id increments instead of id. See the HPING3-HOWTO for more information. Increments aren't
              computed as id[N]-id[N-1] but using packet loss compensation. See relid.c for more information.

       -f--frag
              Split packets in more fragments, this may be useful in  order  to  test  IP  stacks  fragmentation
              performance  and  to test if some packet filter is so weak that can be passed using tiny fragments
              (anachronistic). Default 'virtual mtu' is 16 bytes. see also --mtu option.

       -x--morefrag
              Set more fragments IP flag, use this option if you want  that  target  host  send  an  ICMPtime-exceededduringreassembly.

       -y--dontfrag
              Set don't fragment IP flag, this can be used to perform MTUpathdiscovery.

       -g--fragofffragmentoffsetvalue
              Set the fragment offset.

       -m--mtumtuvalue
              Set different 'virtual mtu' than 16 when fragmentation is enabled. If packets size is greater that
              'virtual mtu' fragmentation is automatically turned on.

       -o--toshex_tos
              Set TypeOfService(TOS), for more information try --toshelp.

       -G--rroute
              Record  route.  Includes the RECORD_ROUTE option in each packet sent and displays the route buffer
              of returned packets. Note that the IP header is only large enough for nine such routes. Many hosts
              ignore or discard this option. Also note that using hping you are able to use record route even if
              target host filter ICMP. Record route is an IP option, not an ICMP option, so you can  use  record
              route option even in TCP and UDP mode.

       hping3 - send (almost) arbitrary TCP/IP packets to network hosts

       Default protocol is TCP, by default hping3 will send tcp headers to target host's port 0 with  a  winsize
       of  64  without  any  tcp flag on. Often this is the best way to do an 'hide ping', useful when target is
       behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability of not  being
       logged.

       -0--rawip
              RAW  IP  mode,  in this mode hping3 will send IP header with data appended with --signature and/or
              --file, see also --ipproto that allows you to set the ip protocol field.

       -1--icmp
              ICMP mode, by default hping3 will send ICMP echo-request, you can set other ICMP  type/code  using
              --icmptype--icmpcode options.

       -2--udp
              UDP mode, by default hping3 will send udp to target host's port 0.  UDP header tunable options are
              the following: --baseport,--destport,--keep.-8--scan
              Scan  mode, the option expects an argument that describes groups of ports to scan. port groups are
              comma separated: a number describes just a single port, so 1,2,3 means port 1, 2 and 3. ranges are
              specified using a start-end notation, like 1-1000, that tell hping to scan  ports  between  1  and
              1000  (included).  the  special  word  all  is  an alias for 0-65535, while the special word known
              includes all the ports listed in /etc/services.
              Groups can be combined, so the following command line will scan ports between 1 and 1000 AND  port
              8888 AND ports listed in /etc/services: hping--scan1-1000,8888,known-Starget.host.com
              Groups  can  be  negated (subtracted) using a ! character as prefix, so the following command line
              will scan  all  the  ports  NOT  listed  in  /etc/services  in  the  range  1-1024:  hping--scan'1-1024,!known'-Starget.host.com
              Keep  in mind that while hping seems much more like a port scanner in this mode, most of the hping
              switches are still honored, so for example to perform a SYN  scan  you  need  to  specify  the  -S
              option,  you can change the TCP windows size, TTL, control the IP fragmentation as usually, and so
              on. The only real difference is that the standard hping behaviors are encapsulated into a scanning
              algorithm.
              Technote: The scan mode uses a two-processes design, with shared memory for synchronization.  The
              scanning algorithm is still not optimal, but already quite fast.
              Hint:  unlike  most scanners, hping shows some interesting info about received packets, the IP ID,
              TCP win, TTL, and so on, don't forget to look at this additional information when  you  perform  a
              scan! Sometimes they shows interesting details.

       -9--listensignature
              HPING3 listen mode, using this option hping3 waits for packet that contain signature and dump from
              signature  end  to  packet's  end. For example if hping3 --listen TEST reads a packet that contain
              234-09sdflkjs45-TESThello_world it will display hello_world.

ping(8), traceroute(8), ifconfig(8), nmap(1)

                                                   2001 Aug 14                                         HPING3(8)

hping3  [  -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -ccount ] [ -iwait ] [ --fast ] [ -Iinterface ] [ -9signature ] [ -ahost ] [ -tttl ] [ -Nipid ] [ -Hipprotocol ] [ -gfragoff ] [ -mmtu ] [ -otos ] [
       -Cicmptype ] [ -Kicmpcode ] [ -ssourceport ] [ -p[+][+]destport ] [ -wtcpwindow  ]  [  -Otcpoffset  ]  [  -Mtcpsequencenumber ] [ -Ltcpack ] [ -ddatasize ] [ -Efilename ] [ -esignature ] [
       --icmp-ipverversion ]  [  --icmp-iphlenlength  ]  [  --icmp-iplenlength  ]  [  --icmp-ipidid  ]  [
       --icmp-ipprotoprotocol  ]  [  --icmp-cksumchecksum ] [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [
       --tcp-mss ] [ --tcp-timestamp ] [ --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-source ] [ --beep ] hostname

       The standard TCP output format is the following:

       len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

       len is the size, in bytes, of the data captured from the data link layer excluding the data  link  header
       size. This may not match the IP datagram size due to low level transport layer padding.

       ip is the source ip address.

       flags  are  the  TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for
       not standard 0x40, Y for not standard 0x80.

       If the reply contains DF the IP header has the don't fragment bit set.

       seq is the sequence number of the packet, obtained  using  the  source  port  for  TCP/UDP  packets,  the
       sequence field for ICMP packets.

       id is the IP ID field.

       win is the TCP window size.

       rtt is the round trip time in milliseconds.

       If  you  run  hping  using  the  -V  command line switch it will display additional information about the
       packet, example:

       len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1223672061
       sum=e61d urp=0

       tos is the type of service field of the IP header.

       iplen is the IP total len field.

       seqandack are the sequence and acknowledge 32bit numbers in the TCP header.

       sum is the TCP header checksum value.

       urp is the TCP urgent pointer value.

-s--baseportsourceport
              hping3  uses  source  port in order to guess replies sequence number. It starts with a base source
              port number, and increase this number for each packet  sent.  When  packet  is  received  sequence
              number  can  be  computed  as  replies.dest.port-base.source.port.  Default base source port is
              random, using this option you are able to set different number. If you need that source  port  not
              be increased for each sent packet use the -k--keep option.

       -p--destport[+][+]destport
              Set  destination  port,  default  is  0.  If  '+' character precedes dest port number (i.e. +1024)
              destination port will be increased for each reply received.  If  double  '+'  precedes  dest  port
              number  (i.e.  ++1024),  destination  port  will  be  increased  for each packet sent.  By default
              destination port can be modified interactively using CTRL+z.

       --keep keep still source port, see --baseport for more information.

       -w--win
              Set TCP window size. Default is 64.

       -O--tcpoff
              Set fake tcp data offset. Normal data offset is tcphdrlen / 4.

       -M--tcpseq
              Set the TCP sequence number.

       -L--tcpack
              Set the TCP ack.

       -Q--seqnum
              This option can be used in order to collect sequence numbers generated by target host. This can be
              useful when you need to analyze whether TCP sequence number is predictable. Output example:

              #hping3win98--seqnum-p139-S-iu1-Ieth0
              HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
              2361294848 +2361294848
              2411626496 +50331648
              2545844224 +134217728
              2713616384 +167772160
              2881388544 +167772160
              3049160704 +167772160
              3216932864 +167772160
              3384705024 +167772160
              3552477184 +167772160
              3720249344 +167772160
              3888021504 +167772160
              4055793664 +167772160
              4223565824 +167772160

              The first column reports the sequence number, the  second  difference  between  current  and  last
              sequence number. As you can see target host's sequence numbers are predictable.

       -b--badcksum
              Send packets with a bad UDP/TCP checksum.

       --tcp-mss
              Enable the TCP MSS option and set it to the given value.

       --tcp-timestamp
              Enable  the  TCP  timestamp option, and try to guess the timestamp update frequency and the remote
              system uptime.

       -F--fin
              Set FIN tcp flag.

       -S--syn
              Set SYN tcp flag.

       -R--rst
              Set RST tcp flag.

       -P--push
              Set PUSH tcp flag.

       -A--ack
              Set ACK tcp flag.

       -U--urg
              Set URG tcp flag.

       -X--xmas
              Set Xmas tcp flag.

       -Y--ymas
              Set Ymas tcp flag.

       The standard output format is:

       len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms

       The field meaning is just the same as the TCP output meaning of the same fields.