Provided by: hping3_3.a2.ds2-7_i386 bug


       hping3 - send (almost) arbitrary TCP/IP packets to network hosts


       hping3  [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ]
       [ --fast ] [ -I interface ] [ -9 signature ] [ -a host ] [ -t ttl  ]  [
       -N ip id ] [ -H ip protocol ] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C
       icmp type ] [ -K icmp code ] [ -s source port ] [ -p[+][+] dest port  ]
       [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence number ] [ -L tcp
       ack ] [ -d data size ] [ -E filename ] [ -e signature ] [  --icmp-ipver
       version   ]  [  --icmp-iphlen  length  ]  [  --icmp-iplen  length  ]  [
       --icmp-ipid id ] [ --icmp-ipproto protocol ] [ --icmp-cksum checksum  ]
       [  --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-mss ] [ --tcp-
       timestamp ] [ --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ]  [  --rand-
       dest ] [ --rand-source ] [ --beep ] hostname


       hping3  is  a  network  tool  able to send custom TCP/IP packets and to
       display target replies like ping program does with ICMP replies. hping3
       handle  fragmentation,  arbitrary packets body and size and can be used
       in order to transfer  files  encapsulated  under  supported  protocols.
       Using hping3 you are able to perform at least the following stuff:

        - Test firewall rules
        - Advanced port scanning
        - Test net performance using different protocols,
          packet size, TOS (type of service) and fragmentation.
        - Path MTU discovery
        - Transferring files between even really fascist firewall
        - Traceroute-like under different protocols.
        - Firewalk-like usage.
        - Remote OS fingerprinting.
        - TCP/IP stack auditing.
        - A lot of others.

       It's  also  a  good didactic tool to learn TCP/IP.  hping3 is developed
       and maintained by and is licensed under GPL  version
       2.  Development  is  open  so  you  can send me patches, suggestion and
       affronts without inhibitions.


       primary site at  You can found  both  the  stable
       release  and  the  instruction  to  download  the latest source code at


       -h --help
              Show an help screen on standard output, so you can pipe to less.

       -v --version
              Show version information and API used to  access  to  data  link
              layer, linux sock packet or libpcap.

       -c --count count
              Stop after sending (and receiving) count response packets. After
              last packet was send hping3  wait  COUNTREACHED_TIMEOUT  seconds
              target  host  replies. You are able to tune COUNTREACHED_TIMEOUT
              editing hping2.h

       -i --interval
              Wait the specified number of seconds or  micro  seconds  between
              sending  each  packet.   --interval  X  set  wait  to X seconds,
              --interval uX set wait to X micro seconds.  The  default  is  to
              wait  one  second  between each packet. Using hping3 to transfer
              files tune this option is really important in order to  increase
              transfer  rate.  Even  using  hping3  to  perform  idle/spoofing
              scanning you should tune this option, see HPING3-HOWTO for  more

       --fast Alias for -i u10000. Hping will send 10 packets for second.

              Alias  for -i u1. Faster then --fast ;) (but not as fast as your
              computer can send packets due to the signal-driven design).

              Sent packets as fast as possible, without taking  care  to  show
              incoming replies.  This is ways faster than to specify the -i u0

       -n --numeric
              Numeric output only, No attempt will be made to lookup  symbolic
              names for host addresses.

       -q --quiet
              Quiet  output.  Nothing is displayed except the summary lines at
              startup time and when finished.

       -I --interface interface name
              By default on linux and BSD systems hping3 uses default  routing
              interface.   In  other systems or when there is no default route
              hping3 uses the first non-loopback interface.  However  you  are
              able  to  force  hping3 to use the interface you need using this
              option. Note: you don't need to  specify  the  whole  name,  for
              example  -I  et will match eth0 ethernet0 myet1 et cetera. If no
              interfaces match hping3 will try to use lo.

       -V --verbose
              Enable verbose output. TCP replies will be shown as follows:

              len=46 ip=  flags=RA  DF  seq=0  ttl=255  id=0  win=0
              rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0

       -D --debug
              Enable  debug mode, it's useful when you experience some problem
              with hping3. When debug  mode  is  enabled  you  will  get  more
              information  about  interface detection, data link layer access,
              interface  settings,  options   parsing,   fragmentation,   HCMP
              protocol and other stuff.

       -z --bind
              Bind  CTRL+Z  to  time  to  live  (TTL)  so  you  will  able  to
              increment/decrement ttl of outgoing packets pressing CTRL+Z once
              or twice.

       -Z --unbind
              Unbind CTRL+Z so you will able to stop hping3.

       --beep Beep  for  every  matching  received  packet  (but  not for ICMP


       Default protocol is TCP, by default hping3 will  send  tcp  headers  to
       target  host's  port  0  with  a winsize of 64 without any tcp flag on.
       Often this is the best way to do an 'hide ping', useful when target  is
       behind  a  firewall  that drop ICMP. Moreover a tcp null-flag to port 0
       has a good probability of not being logged.

       -0 --rawip
              RAW IP mode, in this mode hping3 will send IP header  with  data
              appended with --signature and/or --file, see also --ipproto that
              allows you to set the ip protocol field.

       -1 --icmp
              ICMP mode, by default hping3 will send  ICMP  echo-request,  you
              can   set  other  ICMP  type/code  using  --icmptype  --icmpcode

       -2 --udp
              UDP mode, by default hping3 will send udp to target host's  port
              0.   UDP  header  tunable options are the following: --baseport,
              --destport, --keep.

       -8 --scan
              Scan mode, the option expects an argument that describes  groups
              of  ports  to  scan.  port  groups are comma separated: a number
              describes just a single port, so 1,2,3 means port 1,  2  and  3.
              ranges  are  specified  using a start-end notation, like 1-1000,
              that tell hping to scan ports between 1 and 1000 (included). the
              special word all is an alias for 0-65535, while the special word
              known includes all the ports listed in /etc/services.
              Groups can be combined, so the following command line will  scan
              ports  between  1  and  1000  AND  port 8888 AND ports listed in
              /etc/services: hping --scan 1-1000,8888,known -S
              Groups can be  negated  (subtracted)  using  a  !  character  as
              prefix,  so  the  following command line will scan all the ports
              NOT listed in /etc/services in the range  1-1024:  hping  --scan
              '1-1024,!known' -S
              Keep  in  mind  that  while  hping  seems  much more like a port
              scanner in this mode, most  of  the  hping  switches  are  still
              honored,  so  for  example  to  perform  a  SYN scan you need to
              specify the -S option, you can change the TCP windows size, TTL,
              control  the  IP  fragmentation  as usually, and so on. The only
              real  difference  is  that  the  standard  hping  behaviors  are
              encapsulated into a scanning algorithm.
              Tech  note:  The  scan  mode  uses  a two-processes design, with
              shared memory for synchronization.  The  scanning  algorithm  is
              still not optimal, but already quite fast.
              Hint:  unlike  most  scanners, hping shows some interesting info
              about received packets, the IP ID, TCP  win,  TTL,  and  so  on,
              don't  forget  to  look  at this additional information when you
              perform a scan! Sometimes they shows interesting details.

       -9 --listen signature
              HPING3 listen mode, using this option hping3  waits  for  packet
              that  contain  signature and dump from signature end to packet's
              end. For example if hping3 --listen TEST  reads  a  packet  that
              contain    234-09sdflkjs45-TESThello_world   it   will   display


       -a --spoof hostname
              Use this option in order to set a fake IP source  address,  this
              option  ensures  that  target  will  not gain your real address.
              However replies will be sent to spoofed  address,  so  you  will
              can't  see  them.  In  order to see how it's possible to perform
              spoofed/idle scanning see the HPING3-HOWTO.

              This option enables the random source  mode.   hping  will  send
              packets  with  random  source  address. It is interesting to use
              this option to stress firewall state tables,  and  other  per-ip
              basis  dynamic  tables  inside  the  TCP/IP  stacks and firewall

              This option enables the random  destination  mode.   hping  will
              send the packets to random addresses obtained following the rule
              you specify as the target host. You need to specify a  numerical
              IP address as target host like 10.0.0.x.  All the occurrences of
              x will be replaced with a random number in the range  0-255.  So
              to  obtain  Internet  IP  addresses  in the whole IPv4 space use
              something like hping x.x.x.x --rand-dest.  If you are  not  sure
              about  what kind of addresses your rule is generating try to use
              the --debug switch to  display  every  new  destination  address
              generated.  When this option is turned on, matching packets will
              be accept from all the destinations.
              Warning: when this option is  enabled  hping  can't  detect  the
              right  outgoing interface for the packets, so you should use the
              --interface option to select the desired outgoing interface.

       -t --ttl time to live
              Using this option you can set TTL (time  to  live)  of  outgoing
              packets, it's likely that you will use this with --traceroute or
              --bind options. If in  doubt  try  `hping3  -t  1

       -N --id
              Set  ip->id  field. Default id is random but if fragmentation is
              turned on and id isn't specified it will be getpid()  &  0xFFFF,
              to implement a better solution is in TODO list.

       -H --ipproto
              Set the ip protocol in RAW IP mode.

       -W --winid
              id  from  Windows*  systems  before  Win2k  has  different  byte
              ordering, if this option is enable hping3 will properly  display
              id replies from those Windows.

       -r --rel
              Display  id  increments  instead of id. See the HPING3-HOWTO for
              more information. Increments aren't  computed  as  id[N]-id[N-1]
              but  using  packet  loss  compensation.  See  relid.c  for  more

       -f --frag
              Split packets in more fragments, this may be useful in order  to
              test  IP  stacks  fragmentation  performance and to test if some
              packet filter is so weak that can be passed using tiny fragments
              (anachronistic).  Default  'virtual  mtu'  is 16 bytes. see also
              --mtu option.

       -x --morefrag
              Set more fragments IP flag, use this option  if  you  want  that
              target host send an ICMP time-exceeded during reassembly.

       -y --dontfrag
              Set don't fragment IP flag, this can be used to perform MTU path

       -g --fragoff fragment offset value
              Set the fragment offset.

       -m --mtu mtu value
              Set different  'virtual  mtu'  than  16  when  fragmentation  is
              enabled.   If   packets  size  is  greater  that  'virtual  mtu'
              fragmentation is automatically turned on.

       -o --tos hex_tos
              Set Type Of Service (TOS), for more information try --tos help.

       -G --rroute
              Record route. Includes the RECORD_ROUTE option  in  each  packet
              sent  and  displays  the  route buffer of returned packets. Note
              that the IP header is only large enough for  nine  such  routes.
              Many  hosts  ignore or discard this option. Also note that using
              hping you are able to use  record  route  even  if  target  host
              filter  ICMP.  Record route is an IP option, not an ICMP option,
              so you can use record route option even in TCP and UDP mode.


       -C --icmptype type
              Set icmp type, default is ICMP echo request (implies --icmp).

       -K --icmpcode code
              Set icmp code, default is 0 (implies --icmp).

              Set IP version of IP header contained into ICMP data, default is

              Set  IP  header  length  of  IP header contained into ICMP data,
              default is 5 (5 words of 32 bits).

              Set IP packet length of IP  header  contained  into  ICMP  data,
              default is the real length.

              Set  IP  id  of  IP  header contained into ICMP data, default is

              Set IP protocol of IP header contained into ICMP  data,  default
              is TCP.

              Set ICMP checksum, for default is the valid checksum.

              Alias for --icmptype 13 (to send ICMP timestamp requests).

              Alias for --icmptype 17 (to send ICMP address mask requests).


       -s --baseport source port
              hping3  uses  source  port  in  order  to guess replies sequence
              number. It starts with a base source port number,  and  increase
              this  number  for  each  packet  sent.  When  packet is received
              sequence  number  can  be  computed   as   replies.dest.port   -
              base.source.port.   Default  base  source  port is random, using
              this option you are able to set different number.  If  you  need
              that  source  port not be increased for each sent packet use the
              -k --keep option.

       -p --destport [+][+]dest port
              Set destination port, default is 0. If  '+'  character  precedes
              dest port number (i.e. +1024) destination port will be increased
              for each reply received. If double '+' precedes dest port number
              (i.e.  ++1024),  destination  port  will  be  increased for each
              packet sent.   By  default  destination  port  can  be  modified
              interactively using CTRL+z.

       --keep keep still source port, see --baseport for more information.

       -w --win
              Set TCP window size. Default is 64.

       -O --tcpoff
              Set fake tcp data offset. Normal data offset is tcphdrlen / 4.

       -M --tcpseq
              Set the TCP sequence number.

       -L --tcpack
              Set the TCP ack.

       -Q --seqnum
              This  option  can  be  used in order to collect sequence numbers
              generated by target host. This can be useful when  you  need  to
              analyze  whether  TCP  sequence  number  is  predictable. Output

              #hping3 win98 --seqnum -p 139 -S -i u1 -I eth0
              HPING uaz (eth0 S set, 40 headers + 0 data bytes
              2361294848 +2361294848
              2411626496 +50331648
              2545844224 +134217728
              2713616384 +167772160
              2881388544 +167772160
              3049160704 +167772160
              3216932864 +167772160
              3384705024 +167772160
              3552477184 +167772160
              3720249344 +167772160
              3888021504 +167772160
              4055793664 +167772160
              4223565824 +167772160

              The  first  column  reports  the  sequence  number,  the  second
              difference  between current and last sequence number. As you can
              see target host's sequence numbers are predictable.

       -b --badcksum
              Send packets with a bad UDP/TCP checksum.

              Enable the TCP MSS option and set it to the given value.

              Enable the TCP timestamp option, and try to guess the  timestamp
              update frequency and the remote system uptime.

       -F --fin
              Set FIN tcp flag.

       -S --syn
              Set SYN tcp flag.

       -R --rst
              Set RST tcp flag.

       -P --push
              Set PUSH tcp flag.

       -A --ack
              Set ACK tcp flag.

       -U --urg
              Set URG tcp flag.

       -X --xmas
              Set Xmas tcp flag.

       -Y --ymas
              Set Ymas tcp flag.


       -d --data data size
              Set  packet  body size. Warning, using --data 40 hping3 will not
              generate 0 byte packets  but  protocol_header+40  bytes.  hping3
              will  display packet size information as first line output, like
              this: HPING (ppp0  NO  FLAGS  are
              set, 40 headers + 40 data bytes

       -E --file filename
              Use filename contents to fill packet's data.

       -e --sign signature
              Fill  first  signature  length bytes of data with signature.  If
              the signature length is bigger than data size an  error  message
              will  be  displayed.   If  you don't specify the data size hping
              will use the signature size as data size.  This  option  can  be
              used  safely  with  --file filename option, remainder data space
              will be filled using filename.

       -j --dump
              Dump received packets in hex.

       -J --print
              Dump received packets' printable characters.

       -B --safe
              Enable safe protocol, using this option  lost  packets  in  file
              transfers  will  be  resent.  For  example in order to send file
              /etc/passwd from host A to host B you may use the following:
              # hping3 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
              # hping3 host_a --listen signature --safe --icmp

       -u --end
              If you are using --file filename option, tell you when  EOF  has
              been  reached.  Moreover  prevent  that  other  end  accept more
              packets. Please, for more information see the HPING3-HOWTO.

       -T --traceroute
              Traceroute mode. Using this option hping3 will increase ttl  for
              each  ICMP  time  to  live 0 during transit received. Try hping3
              host --traceroute.  This option implies --bind and --ttl 1.  You
              can  override  the  ttl of 1 using the --ttl option. Since 2.0.0
              stable it prints RTT information.

              Keep the TTL fixed in traceroute mode, so you can  monitor  just
              one  hop  in  the route. For example, to monitor how the 5th hop
              changes  or  how  its  RTT  changes  you  can  try  hping3  host
              --traceroute --ttl 5 --tr-keep-ttl.

              If  this  option  is  specified  hping  will exit once the first
              packet that isn't an ICMP time exceeded is received. This better
              emulates the traceroute behavior.

              Don't  show  RTT  information  in traceroute mode. The ICMP time
              exceeded RTT information aren't even calculated if  this  option
              is set.

              Exit with last received packet tcp->th_flag as exit code. Useful
              for scripts that need, for example, to known if the port 999  of
              some  host  reply  with  SYN/ACK or with RST in response to SYN,
              i.e. the service is up or down.


       The standard TCP output format is the following:

       len=46 ip= flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

       len is the size, in bytes, of the data  captured  from  the  data  link
       layer  excluding  the  data link header size. This may not match the IP
       datagram size due to low level transport layer padding.

       ip is the source ip address.

       flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for  FIN,
       P  for  PUSH, U for URGENT, X for not standard 0x40, Y for not standard

       If the reply contains DF the IP header has the don't fragment bit set.

       seq is the sequence number of the packet,  obtained  using  the  source
       port for TCP/UDP packets, the sequence field for ICMP packets.

       id is the IP ID field.

       win is the TCP window size.

       rtt is the round trip time in milliseconds.

       If  you  run  hping  using  the  -V command line switch it will display
       additional information about the packet, example:

       len=46 ip= flags=RA DF seq=0 ttl=255 id=0 win=0  rtt=0.4  ms
       tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0

       tos is the type of service field of the IP header.

       iplen is the IP total len field.

       seq  and  ack are the sequence and acknowledge 32bit numbers in the TCP

       sum is the TCP header checksum value.

       urp is the TCP urgent pointer value.


       The standard output format is:

       len=46 ip= seq=0 ttl=64 id=0 rtt=6.0 ms

       The field meaning is just the same as the TCP  output  meaning  of  the
       same fields.


       An example of ICMP output is:

       ICMP Port Unreachable from ip=

       It  is  very  simple  to  understand.  It starts with the string "ICMP"
       followed by the description of the ICMP error, Port Unreachable in  the
       example.  The  ip  field  is  the  IP source address of the IP datagram
       containing the ICMP error, the name field is just the numerical address
       resolved  to  a  name  (a dns PTR request) or UNKNOWN if the resolution

       The ICMP Time exceeded during transit or reassembly  format  is  a  bit

       TTL 0 during transit from ip=

       TTL 0 during reassembly from ip= name=UNKNOWN

       The only difference is the description of the error, it starts with TTL


       Salvatore Sanfilippo <>, with the help of the  people
       mentioned in AUTHORS file and at


       Even  using  the  --end  and --safe options to transfer files the final
       packet will be padded with 0x00 bytes.

       Data is read without care about alignment, but alignment is enforced in
       the  data structures.  This will not be a problem under i386 but, while
       usually the TCP/IP headers are naturally aligned, may  create  problems
       with  different processors and bogus packets if there is some unaligned
       access around the code (hopefully none).

       On solaris hping does not work on the loopback interface. This seems  a
       solaris  problem, as stated in the tcpdump-workers mailing list, so the
       libpcap can't do nothing to handle it properly.


       ping(8), traceroute(8), ifconfig(8), nmap(1)

                                  2001 Aug 14                        HPING3(8)