This short document is for users of hping-beta54 or prior versions
and helps you make use of all the new features of this hping2 release
in a short time. You may want to read the new man page anyway, but the
following will help for sure:

=== release candidate 3 news

In this release a nasty bug in the checksum code was fixed.
If you experienced strange problems, like some kind of packet
being generated with a wrong checksum, try this version.

Try the --scan option on the command line to see the port-scanner features.

Example of the --scan option usage:

# hping3 --scan known 1.2.3.4

Scanning 1.2.3.4 (1.2.3.4), port known
245 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
    9 discard    : .S..A...  64     0 32767    44
   13 daytime    : .S..A...  64     0 32767    44
   21 ftp        : .S..A...  64     0 32767    44
   22 ssh        : .S..A...  64     0 32767    44
   25 smtp       : .S..A...  64     0 32767    44
   37 time       : .S..A...  64     0 32767    44
   80 www        : .S..A...  64     0 32767    44
  111 sunrpc     : .S..A...  64     0 32767    44
  113 auth       : .S..A...  64     0 32767    44
  631 ipp        : .S..A...  64     0 32767    44
 3306 mysql      : .S..A...  64     0 32767    44
 6000 x11        : .S..A...  64     0 32767    44
 6667 ircd       : .S..A...  64     0  3072    44
All replies received. Done.
Not responding ports:

In the flags column a reply with the S and A bits set (SYN/ACK) means the
port is open, while a reply carrying R (RST) means it is closed; ports that
never answer at all are listed under "Not responding ports".

Check the man page for more information on the scan mode.

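The following is an added example, not code from hping itself: a small
parser for the table printed by --scan, which classifies each replying port
from its flags and groups the open ports by (ttl, win). It assumes the column
layout shown above and that the eight-character flags string holds one
position per TCP flag in the order F S R P A U followed by two reserved-bit
positions, with '.' for a clear bit. The sample table is constructed from the
rows above plus one RST/ACK row added here so that a closed port appears.

```python
import re
from collections import defaultdict

# Constructed sample: rows from the "hping3 --scan known 1.2.3.4" output above,
# plus an RST/ACK row (port 8080) made up here to show a closed port.
SCAN_OUTPUT = """\
Scanning 1.2.3.4 (1.2.3.4), port known
245 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
    9 discard    : .S..A...  64     0 32767    44
   22 ssh        : .S..A...  64     0 32767    44
   80 www        : .S..A...  64     0 32767    44
 3306 mysql      : .S..A...  64     0 32767    44
 6667 ircd       : .S..A...  64     0  3072    44
 8080 http-alt   : ..R.A...  64     0     0    40
All replies received. Done.
Not responding ports:
"""

# Assumed flag order for the first six positions of the flags string; the
# SYN/ACK rows above (".S..A...") are consistent with F S R P A U.
FLAG_LETTERS = "FSRPAU"

ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<name>\S+)\s*:\s+(?P<flags>[.A-Z]{8})"
    r"\s+(?P<ttl>\d+)\s+(?P<id>\d+)\s+(?P<win>\d+)\s+(?P<len>\d+)\s*$"
)


def parse_scan(text):
    """Return one dict per reply row; header, ruler and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        raw = m.group("flags")
        flags = {FLAG_LETTERS[i] for i, ch in enumerate(raw[:6]) if ch != "."}
        rows.append({
            "port": int(m.group("port")),
            "name": m.group("name"),
            "flags": flags,
            "ttl": int(m.group("ttl")),
            "id": int(m.group("id")),
            "win": int(m.group("win")),
            "len": int(m.group("len")),
        })
    return rows


def classify(row):
    """SYN/ACK -> open, RST -> closed; anything else is worth a look with -V."""
    if "R" in row["flags"]:
        return "closed"
    if {"S", "A"} <= row["flags"]:
        return "open"
    return "other"


def open_ports(text):
    return sorted(r["port"] for r in parse_scan(text) if classify(r) == "open")


def closed_ports(text):
    return sorted(r["port"] for r in parse_scan(text) if classify(r) == "closed")


def group_by_stack_hint(text):
    """Group open ports by (ttl, win).

    Services answering with identical ttl/win values usually sit on one TCP
    stack; an outlier (here ircd with win 3072) is a hint that the port is
    forwarded to, or proxied by, a different host or process.
    """
    groups = defaultdict(list)
    for r in parse_scan(text):
        if classify(r) == "open":
            groups[(r["ttl"], r["win"])].append(r["port"])
    return dict(groups)


if __name__ == "__main__":
    print("open:", open_ports(SCAN_OUTPUT))
    print("closed:", closed_ports(SCAN_OUTPUT))
    for (ttl, win), ports in group_by_stack_hint(SCAN_OUTPUT).items():
        print("ttl=%d win=%d -> %s" % (ttl, win, ports))
```

Feed the parser the saved stdout of a real scan instead of SCAN_OUTPUT; the
(ttl, win) grouping is a heuristic, not a fingerprint, so treat an outlier as
a prompt to look closer rather than as a conclusion.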
=== release candidate 2 news

. Now hping is able to send/parse source routed IP headers.
See the manpage for more info.

. Hping was almost entirely rewritten, at least all the most important parts.
You should find the code more readable, more compact and faster to
compile.

. The new option parsing code allows you to specify abbreviated
options. You can now use for example --tcp-ti instead of --tcp-timestamp
and so on.

. The new feature rand-dest allows sending the packets to random
IP addresses. This is very useful for Internet surveys
or for random scanning of large subnets.

For example the following command line will send TCP packets with the
SYN flag set to port 80 of the 192.168.0.0/16 address space:

hping 192.168.x.x --rand-dest -p 80 -S

Every occurrence of 'x' is substituted with a random number
in the 0-255 range.

. The new feature rand-source allows sending packets with random
source addresses. Useful to test some DoS condition against firewalls
or TCP/IP stacks that record some kind of per-IP state.
Keep in mind that the replies go to the spoofed source addresses, so
hping will not see them, and that networks doing egress filtering may
drop the spoofed packets before they leave.

. The output was enhanced and fixed a bit.

. The "force incremental dest port" option (++<port>) now works with UDP
packets and works better with TCP, since it is more selective
with the incoming responses.

. Now you should really be able to set the sequence and acknowledge
number of the TCP packets. The rc1 code was broken because
atoi() was used to read a value that should be an unsigned long:
atoi() returns an int, so values that do not fit an int (above
2147483647 on common platforms) could not be read correctly.

. The documentation (and the French translation) was updated
to reflect the changes.

=== release candidate 1 news

. Now hping works better on BSD, and works on Solaris. It should
be much simpler to port it to an unsupported platform.
Problems with systems that use 32bit pids are now fixed.

. The output is different, to be more parseable and compact, example:

len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.5 ms

Now the presence of the Don't Fragment IP flag is signaled with 'DF',
and all the fields with a value are in the form 'field=value'.

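To show what "more parseable" buys you, here is an added example (not part of
hping) that parses reply lines in this field=value format. It handles the two
irregular tokens: the bare 'DF' flag, which has no value, and the 'ms' unit
that follows rtt=. The sample lines are constructed here; the first is the one
quoted above, the other two are made up and deliberately skip seq 2 so that a
lost packet can be detected.

```python
from statistics import mean

# Constructed sample in the new reply format (first line quoted from the text
# above, the other two made up; seq 2 is intentionally missing).
REPLIES = """\
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.5 ms
len=46 ip=192.168.1.1 flags=RA DF seq=1 ttl=255 id=0 win=0 rtt=0.7 ms
len=46 ip=192.168.1.1 flags=SA seq=3 ttl=64 id=12345 win=5840 rtt=1.2 ms
""".splitlines()

INT_FIELDS = {"len", "seq", "ttl", "id", "win"}


def parse_reply(line):
    """Turn one hping reply line into a dict.

    field=value tokens become entries (numeric fields converted to int);
    the bare token 'DF' is a boolean flag; the 'ms' unit token after rtt=
    is folded into the preceding value as rtt_ms (a float).
    """
    fields = {"DF": False}
    tokens = line.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in INT_FIELDS:
                fields[key] = int(value)
            elif key == "rtt":
                fields["rtt_ms"] = float(value)
                if i + 1 < len(tokens) and tokens[i + 1] == "ms":
                    i += 1  # swallow the unit token
            else:
                fields[key] = value
        elif tok == "DF":
            fields["DF"] = True
        else:
            raise ValueError("unexpected token %r in %r" % (tok, line))
        i += 1
    return fields


def rtt_stats(lines):
    """(min, avg, max) RTT in ms, like hping's round-trip summary line."""
    rtts = [parse_reply(l)["rtt_ms"] for l in lines]
    return (min(rtts), round(mean(rtts), 1), max(rtts))


def missing_seqs(lines):
    """Sequence numbers never seen in a reply, i.e. probes that got no answer."""
    seen = {parse_reply(l)["seq"] for l in lines}
    return sorted(set(range(max(seen) + 1)) - seen)


if __name__ == "__main__":
    for line in REPLIES:
        rec = parse_reply(line)
        print(rec["ip"], "seq=%d" % rec["seq"], rec["flags"],
              "DF" if rec["DF"] else "", "rtt=%.1f ms" % rec["rtt_ms"])
    print("round-trip min/avg/max = %.1f/%.1f/%.1f ms" % rtt_stats(REPLIES))
    print("missing:", missing_seqs(REPLIES))
```

The parser raises on any token it does not recognise rather than silently
skipping it, so a change in hping's output format shows up immediately instead
of producing quietly wrong statistics.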
. Specifying the outgoing interface with -I is no longer needed:
hping will try to detect the right interface according to the
system routing table. Of course you can override it using -I.

. Instead of specifying -i u10000 to get a speed of ten packets per second
you can just use --fast.

. Now --traceroute (-T) implies --ttl 1. You can override this using --ttl.

. Using hping as traceroute you now get RTT information about the
hops.

. You can monitor a specific hop in traceroute mode, using the following
syntax:

hping2 -T www.yahoo.com --tr-keep-ttl --ttl 5

see the output:

HPING www.yahoo.com (ippp0 64.58.76.177): NO FLAGS are set, 40 headers + 0 data bytes
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
5->RTT was: 136.9 ms
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
5->RTT was: 136.8 ms
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
5->RTT was: 136.9 ms
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
5->RTT was: 136.7 ms

--- www.yahoo.com hping statistic ---
4 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 136.7/136.8/136.9 ms

You get only information about the 5th hop; after Ctrl+C the round-trip
min/avg/max is calculated using the RTTs of this hop. The "100% packet
loss" is expected here: the ICMP time exceeded messages from the hop are
not counted as replies from the target.

. Using the option --tr-stop you can make hping exit
when the first matching packet that isn't an ICMP time exceeded
in transit is received, like the original traceroute. Without
this option hping continues to send packets to the target host forever.

. You can use --tr-no-rtt to suppress the RTT information in traceroute
mode.

. With the --tcp-timestamp feature you can guess the uptime of some
remote systems. Example:

HPING www.hping.org (ippp0 192.70.106.166): S set, 40 headers + 0 data bytes
56 bytes from 192.70.106.166: flags=SA seq=0 ttl=49 id=28881 win=16080 rtt=105.0 ms
TCP timestamp: 258597761

56 bytes from 192.70.106.166: flags=SA seq=1 ttl=49 id=28882 win=16080 rtt=105.4 ms
TCP timestamp: 258597860
HZ seems 100
System uptime seems: 29 days, 22 hours, 19 minutes, 38 seconds

56 bytes from 192.70.106.166: flags=SA seq=2 ttl=49 id=28883 win=16080 rtt=105.1 ms
TCP timestamp: 258597960
HZ seems 100
System uptime seems: 29 days, 22 hours, 19 minutes, 39 seconds


--- www.hping.org hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 105.0/105.2/105.4 ms

As you can see the first reply does not contain any uptime information,
since at least two packets are needed to estimate the increment frequency
of the timestamp timer (that is HZ in the output). Two caveats: the
timestamp is a 32-bit counter, so the estimate is only valid modulo the
wrap period (about 497 days at 100 HZ), and stacks that randomize the
timestamp offset per connection (Linux does since 4.10) yield a value that
is not an uptime at all.

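The estimation above carried out in code, as an added example that is not
hping's own implementation: two (arrival time, TCP timestamp) samples give the
tick rate, which is snapped to the nearest common HZ value (that snapping rule
and the candidate set are assumptions of this example, not hping's exact
method), and the latest timestamp divided by HZ gives the uptime. It also
handles the 32-bit wrap between two samples and reports the wrap period. The
samples are constructed from the three replies above, taken to be one second
apart.

```python
# Constructed sample: (seconds since first reply, TCP timestamp) for the three
# replies above, assumed to arrive one second apart.
SAMPLES = [
    (0.0, 258597761),   # first reply: nothing to compare against yet
    (1.0, 258597860),
    (2.0, 258597960),
]

COMMON_HZ = (100, 250, 300, 1000)   # assumed set of plausible tick rates
TS_MODULUS = 2 ** 32                # the TCP timestamp value is a 32-bit counter


def estimate_hz(prev, cur):
    """Ticks per second between two samples, snapped to the nearest COMMON_HZ."""
    (t0, ts0), (t1, ts1) = prev, cur
    if t1 <= t0:
        raise ValueError("samples must be in arrival order")
    ticks = (ts1 - ts0) % TS_MODULUS      # tolerate a 32-bit wrap between samples
    raw = ticks / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def uptime_from_ts(ts, hz):
    """Split ts/hz seconds into (days, hours, minutes, seconds)."""
    total = ts // hz
    days, rest = divmod(total, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return (days, hours, minutes, seconds)


def wrap_period_days(hz):
    """Days after which the 32-bit timestamp wraps; uptime is only known modulo this."""
    return TS_MODULUS / hz / 86400


def estimate_uptimes(samples):
    """Per-reply result like hping prints: None for the first reply, then (hz, uptime)."""
    out = []
    for i, cur in enumerate(samples):
        if i == 0:
            out.append(None)
            continue
        hz = estimate_hz(samples[i - 1], cur)
        out.append((hz, uptime_from_ts(cur[1], hz)))
    return out


if __name__ == "__main__":
    for (_, ts), est in zip(SAMPLES, estimate_uptimes(SAMPLES)):
        print("TCP timestamp: %d" % ts)
        if est is not None:
            hz, (d, h, m, s) = est
            print("HZ seems %d" % hz)
            print("System uptime seems: %d days, %d hours, %d minutes, %d seconds"
                  % (d, h, m, s))
        print()
    print("timestamp wraps every %.0f days at 100 HZ" % wrap_period_days(100))
```

With the samples above the output reproduces the figures in the text (HZ 100,
29 days 22 hours 19 minutes 38 and then 39 seconds). Using the local arrival
time as the clock adds the RTT jitter to the rate estimate, which is why
snapping to a known HZ is needed with only two packets; more samples spread
over a longer interval give a cleaner raw rate.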
. You can now use ICMP timestamp and address subnet mask requests.
Two shortcuts are provided to use them: --icmp-ts and --icmp-addr.

. Now the sequence number handling is revisited to allow hping to
show the right RTT info even if the sequence number overflows.

. Now hping should never (hopefully) SIGBUS on sparc.

I hope you will find hping better to use and more powerful. These enhancements
were implemented thanks to many people that helped a lot with code and
new ideas; see the CHANGES file for more information and credits.

have fun,
antirez