This short document is for users of hping-beta54 or prior versions
and helps to exploit all the new features of this hping2 release in a
short time. You may want to read the new man page anyway but the
following will help for sure:

=== release candidate 3 news

In this release a nasty bug with the checksum code was fixed.
If you experimented strange problems like some kind of packet
generated with a wrong checksum try this version.

Try the --scan option in the command line to see the port-scanner features.

  Example of the --scan option usage:

# hping3 --scan known 1.2.3.4

Scanning 1.2.3.4 (1.2.3.4), port known
245 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
    9 discard    : .S..A...  64     0 32767    44
   13 daytime    : .S..A...  64     0 32767    44
   21 ftp        : .S..A...  64     0 32767    44
   22 ssh        : .S..A...  64     0 32767    44
   25 smtp       : .S..A...  64     0 32767    44
   37 time       : .S..A...  64     0 32767    44
   80 www        : .S..A...  64     0 32767    44
  111 sunrpc     : .S..A...  64     0 32767    44
  113 auth       : .S..A...  64     0 32767    44
  631 ipp        : .S..A...  64     0 32767    44
 3306 mysql      : .S..A...  64     0 32767    44
 6000 x11        : .S..A...  64     0 32767    44
 6667 ircd       : .S..A...  64     0  3072    44
All replies received. Done.
Not responding ports: 

Check the man page for more information on the scan mode.

=== release candidate 2 news

. Now hping is able to send/parse source routed IP headers.
  See the manpage for more info.

. Hping was almost rewrote, at least all the most important parts.
  You should experiment a more readable, compact, fast to compile
  code.

. The new option parsing code allows you to specify abbreviated
  options. you can now use for example --tcp-ti instead of --tcp-timestamp
  and so on.

. The new feature rand-dest allows to send the packet to random
  IP addresses. This is very useful to do some Internet survey
  or large subnet random scanning.

  For example the follow command line will send TCP packets with the
  SYN flag on to the port 80 of the 192.168.0.0/16 address space:

  hping 192.168.x.x --rand-dest -p 80 -S

  Every occurrence of 'x' is substituted with a random number
  in the 0-255 range.

. The new feature rand-source allows to send packets with random
  source addresses. Useful to test some DoS condition against firewalls
  or TCP/IP stacks that implements some per-IP basis information
  recording.

. The output was enhanced and fixed a bit.

. The "force incremental dest port" option (++<port>) now works with UDP
  packets and works better with TCP, since it is more selective
  with the incoming responses.

. Now you should be really able to set the sequence and acknowledge
  number of the TCP packets. The rc1 code was broken because
  atoi() was used to get a long unsigned value.

. The documentation (and the french translation) was updated
  to reflect the changes.

=== release candidate 1 news

. Now hping works better on BSD, and works on Solaris. It should
  be many times simplest to port it to an unsupported platform.
  Problems with systems that uses 32bit pids are now fixed.

. The output is different to be more parseable and compact, example:

  len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.5 ms

  now the presence of the Don't fragment IP flag is signaled with 'DF'.
  all the fields with a value are in the form 'field=value'.

. To specify the outgoing interface with -I is no longer needed,
  hping will try to detect the right interface according to the
  system routing table. Of course you can override it using -I.

. Instead to specify -i u10000 to get a speed of ten packets for second
  you can just use --fast.

. Now --traceroute (-T) implies --ttl 1. You can override this using --ttl.

. Using hping as traceroute you have now RTT informations about the
  hops.

. You can monitor a specific hop in traceroute mode, using the following
  syntax:

  hping2 -T www.yahoo.com --tr-keep-ttl --ttl 5

  see the output:

  HPING www.yahoo.com (ippp0 64.58.76.177): NO FLAGS are set, 40 headers + 0 dat
  a bytes
  5->TTL 0 during transit from 144.232.234.57  (sl-gw18-nyc-2-2.sprintlink.net)
  5->RTT was: 136.9 ms
  5->TTL 0 during transit from 144.232.234.57  (sl-gw18-nyc-2-2.sprintlink.net)
  5->RTT was: 136.8 ms
  5->TTL 0 during transit from 144.232.234.57  (sl-gw18-nyc-2-2.sprintlink.net)
  5->RTT was: 136.9 ms
  5->TTL 0 during transit from 144.232.234.57  (sl-gw18-nyc-2-2.sprintlink.net)
  5->RTT was: 136.7 ms

 --- www.yahoo.com hping statistic ---
 4 packets tramitted, 0 packets received, 100% packet loss
 round-trip min/avg/max = 136.7/136.8/136.9 ms

 you get only information about the 5 hop, after Ctrl+C the round-trip
 min/avg/max is calculated using the rtt of this hop.

. Using the option --tr-stop you can obtain that hping will exit
  when the first matching packet that isn't an ICMP time exceeded
  in transit is received, like the original traceroute. Without
  this hping continue to send packets to the target host forever.

. You can use --tr-no-rtt to suppress the rtt information in traceroute
  mode.

. With the --tcp-timestamp feature you can guess the uptime of some
  remote systems. Example:

HPING www.hping.org (ippp0 192.70.106.166): S set, 40 headers + 0 data bytes
56 bytes from 192.70.106.166: flags=SA seq=0 ttl=49 id=28881 win=16080 rtt=105.0 ms
  TCP timestamp: 258597761

56 bytes from 192.70.106.166: flags=SA seq=1 ttl=49 id=28882 win=16080 rtt=105.4 ms
  TCP timestamp: 258597860
  HZ seems 100
  System uptime seems: 29 days, 22 hours, 19 minutes, 38 seconds

56 bytes from 192.70.106.166: flags=SA seq=2 ttl=49 id=28883 win=16080 rtt=105.1 ms
  TCP timestamp: 258597960
  HZ seems 100
  System uptime seems: 29 days, 22 hours, 19 minutes, 39 seconds


--- www.hping.org hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 105.0/105.2/105.4 ms

  As you can see the first reply does not contain any uptime information
  since at least two packets are needed to estimate the increment frequency
  of the timestamp timer (that is HZ in the output).

. You can now use ICMP timestamp and address subnet mask requests.
  Two shortcut are provided to use they: --icmp-ts and --icmp-addr.

. Now the sequence number handling is revisited to allow hping to
  show the right rtt info even if the sequence number overflows.

. Now hping should never (hopefully) SIGBUS on sparc.

I hope you will find hping better to use and more powerful, these enhancements
were implemented thanks to many people that helped a lot with code and
new ideas, see the CHANGES file for more information and credits.

have fun,
antirez