embedaddon/hping2/docs/HPING2-HOWTO.txt - view

File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / hping2 / docs / HPING2-HOWTO.txt
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Tue Feb 21 22:11:37 2012 UTC (13 years, 10 months ago) by misho
Branches: hping2, MAIN
CVS tags: v2_0_0rc3p7, v2_0_0rc3p5, v2_0_0rc3p4, v2_0_0rc3p0, v2_0_0rc3, HEAD

hping2

1: N.B.: this HOWTO is not completed and in some points very silly. I leave this 2: here only because maybe it's better that nothing. 3: 4: HPING2 HOWTO 5: 6: Changes Log 7: ----------- 8: Aug 7 1999 vi HPING2-HOWTO.txt 9: Aug 8 1999 __0000, __0001, __0002, __0003 10: Aug 10 1999 __0004 11: 12: Index 13: ----- 14: [search __XXXX in order to jump to point you want] 15: 16: __0000: Copyright notice 17: __0001: What is hping? 18: __0002: What i need to know about TCP/IP in order to use hping? 19: __0003: First step with hping 20: __0004: IP id and how to scan TCP ports using spoofing. 21: __0005: How to test firewall rules. (TODO) 22: __0006: How to trasfer files accross firewall. (TODO) 23: 24: __000A: hping usage example (TODO) 25: 26: __0000: Copyright notice, License, and all that stuff 27: 28: Copyright (C) Salvatore Sanfilippo, 1999. 29: 30: Permission is granted to make and distribute copies of this manual 31: provided the copyright notice and this permission notice are preserved 32: on all copies. 33: 34: Permission is granted to copy and distribute modified versions of this 35: manual under the conditions for verbatim copying, provided that the 36: derived work is distributed under the terms of a permission notice 37: identical to this one. Translations fall under the catagory of 38: ``modified versions.'' 39: 40: Warranty: None. 41: 42: Recommendations: Commercial redistribution is allowed and encouraged; 43: however, it is strongly recommended that the redistributor contact the 44: author before the redistribution, in the interest of keeping things 45: up-to-date (you could send me a copy of the thing you're making while 46: you're at it). Translators are also advised to contact the author 47: before translating. The printed version looks nicer. Recycle. 48: 49: __0001: What is hping? 50: 51: Hping is a software to do TCP/IP stack auditing, to uncover firewall 52: policy, to scan TCP port in a lot of different modes, to transfer 53: files accross a firewall and many other stuff. Using hping you are 54: able to do even a lot of not security-regarding stuff. For example you 55: can test networks performance, check if a host is up, check if TOS 56: is handled et cetera. 57: 58: __0002: What i need to know about TCP/IP in order to use hping? 59: 60: If you know TCP/IP you will find hping very usefull, otherwise 61: you can use hping only to do well known tests. See __000A for 62: some example. 63: 64: __0003: First step with hping 65: 66: The simplest usage of hping is the following: 67: 68: #hping host 69: 70: This command sends a TCP null-flags packet to port 0 of target 71: host every second and show the host replies. For example: 72: 73: # hping www.debian.org 74: ppp0 default routing interface selected (according to /proc) 75: HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes 76: 40 bytes from 209.81.8.242: flags=RA seq=0 ttl=243 id=63667 win=0 time=369.4 ms 77: 40 bytes from 209.81.8.242: flags=RA seq=1 ttl=243 id=63719 win=0 time=420.0 ms 78: 40 bytes from 209.81.8.242: flags=RA seq=2 ttl=243 id=63763 win=0 time=350.0 ms 79: [Ctrl+C] 80: --- www.debian.org hping statistic --- 81: 3 packets tramitted, 3 packets received, 0% packet loss 82: 83: As you can see host replies with a TCP packet with RST and ACK flags 84: set. So you are able to perform a 'TCP ping', usefull when ICMPs are 85: filtered. By default port 0 are used because it's very strange that 86: is in LISTEN state. If we send a TCP null-flags to a port in 87: LISTEN state a lot of TCP/IP stack will not send any reply. So we are 88: able to know if a port is in LISTEN state. For example: 89: 90: # hping www.debian.org -p 80 91: ppp0 default routing interface selected (according to /proc) 92: HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes 93: [Ctrl+C] 94: --- www.debian.org hping statistic --- 95: 5 packets trasmitted, 0 packets received, 100% packet loss 96: 97: Since port 80 of www.debian.org is in LISTEN mode we got 98: no response. 99: 100: But What's happen if we try to hping a firewalled port? This depends 101: on firewall policy/implementation. Usually we get an ICMP or 102: nothing. For example: 103: 104: # hping www.yahoo.com -p 79 105: ppp0 default routing interface selected (according to /proc) 106: HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 0 data bytes 107: ICMP Packet filtered from 206.132.254.41 (pos1-0-2488M.hr8.SNV.globalcenter.net) 108: 109: --- www.yahoo.com hping statistic --- 110: 14 packets tramitted, 0 packets received, 100% packet loss 111: 112: yahoo firewall doesn't allow connection to port 79, so reply with 113: an ICMP Packet filtered (ICMP unreachable code 13). However 114: there are a lot of firewall that simply drop the packet. For example: 115: 116: # hping www.microsoft.com -p 79 117: ppp0 default routing interface selected (according to /proc) 118: HPING www.microsoft.com (ppp0 207.46.130.150): NO FLAGS are set, 40 headers + 0 data bytes 119: 120: --- www.microsoft.com hping statistic --- 121: 4 packets tramitted, 0 packets received, 100% packet loss 122: 123: No reply from microsoft. Is the port firewalled or in LISTEN mode? 124: To uncover this is very simply. Just we try to set ACK flag instead 125: to send a TCP null-flag packet. If the host respond maybe this port 126: is in LISTEN mode (but it's possible that there is a rules that 127: deny null-flag TCP packet but allow ACK). 128: 129: # hping www.microsoft.com -A -p 79 130: ppp0 default routing interface selected (according to /proc) 131: HPING www.microsoft.com (ppp0 207.46.130.149): A set, 40 headers + 0 data bytes 132: 133: --- www.microsoft.com hping statistic --- 134: 3 packets tramitted, 0 packets received, 100% packet loss 135: 136: No response again, So this port seems to be filtered. Anyway 137: it's possible that microsoft is using an 'intelligent' firewall 138: that know that in order to connect first I must send a SYN. 139: 140: # hping www.microsoft.com -S -p 79 141: ppp0 default routing interface selected (according to /proc) 142: HPING www.microsoft.com (ppp0 207.46.130.149): S set, 40 headers + 0 data bytes 143: 144: --- www.microsoft.com hping statistic --- 145: 3 packets tramitted, 0 packets received, 100% packet loss 146: 147: Ok.. seems that port 79 of microsoft is really filtered. 148: Just for clearness we send some ACK to port 80 of www.debian.org: 149: 150: # hping www.debian.org -p 80 -A 151: ppp0 default routing interface selected (according to /proc) 152: HPING www.debian.org (ppp0 209.81.8.242): A set, 40 headers + 0 data bytes 153: 40 bytes from 209.81.8.242: flags=R seq=0 ttl=243 id=5590 win=0 time=379.5 ms 154: 40 bytes from 209.81.8.242: flags=R seq=1 ttl=243 id=5638 win=0 time=370.0 ms 155: 40 bytes from 209.81.8.242: flags=R seq=2 ttl=243 id=5667 win=0 time=360.0 ms 156: 157: --- www.debian.org hping statistic --- 158: 3 packets tramitted, 3 packets received, 0% packet loss 159: 160: We can see replies even if port 80 is in LISTEN mode because 161: a port in LISTEN mode may not replay only to NULL, FIN, Xmas, Ymas 162: flags TCP packet. ACK and RST are two important TCP flags that 163: allow to do ACL tests and to guess ip->id without to produce any log 164: (usually). 165: 166: __0004: IP id and how to scan TCP ports using spoofing. 167: 168: Every IP packet is identified by a 16 bit id. Thanks to this id 169: IP stacks are able to handle fragmentation. A lot of OSs handle 170: ip->id travially: just increment by 1 this id for each packet sent. 171: Using this id you are able at least to estimate hosts traffic and to 172: scan with spoofed packets. OpenBSD >= 2.5 and many others implement 173: a random not repetitive id so you aren't able to joke with ip->id. 174: Win* ip->id has different byte ordering, so you must specify 175: --winid or -W option if you are using hping2 against Win*. 176: 177: N.B.: You are able to scan spoofed hosts with safe/random ip->id 178: because in order to spoof your packets you need a third 179: part host with incremental id rule but you don't need that 180: target of your scanning has an incremental id. 181: 182: How to estimate host traffic using ip->id? It's really simple: 183: 184: # hping www.yahoo.com -p 80 -A 185: ppp0 default routing interface selected (according to /proc) 186: HPING www.yahoo.com (ppp0 204.71.200.74): A set, 40 headers + 0 data bytes 187: 40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms 188: 40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms 189: 40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms 190: 40 bytes from 204.71.200.74: flags=R seq=3 ttl=53 id=35368 win=0 rtt=380.0 ms 191: 40 bytes from 204.71.200.74: flags=R seq=4 ttl=53 id=37335 win=0 rtt=390.0 ms 192: 40 bytes from 204.71.200.74: flags=R seq=5 ttl=53 id=39157 win=0 rtt=380.0 ms 193: 40 bytes from 204.71.200.74: flags=R seq=6 ttl=53 id=41118 win=0 rtt=370.0 ms 194: 40 bytes from 204.71.200.74: flags=R seq=7 ttl=53 id=43330 win=0 rtt=390.0 ms 195: 196: --- www.yahoo.com hping statistic --- 197: 8 packets tramitted, 8 packets received, 0% packet loss 198: round-trip min/avg/max = 329.4/377.4/390.0 ms 199: 200: As you can se id field increase. Packet with sequence 0 has id=29607, 201: sequence 1 has id=31549, so www.yahoo.com host sent 31549-29607 = 1942 202: packets in circa one second. Using -r|--relid option hping output 203: id field as difference between last and current received packet id. 204: 205: # hping www.yahoo.com -P 80 -A -r 206: ppp0 default routing interface selected (according to /proc) 207: HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes 208: 40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=65179 win=0 rtt=327.1 ms 209: 40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+1936 win=0 rtt=360.0 ms 210: 40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+1880 win=0 rtt=340.0 ms 211: 40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+1993 win=0 rtt=330.0 ms 212: 40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+1871 win=0 rtt=350.0 ms 213: 40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+1932 win=0 rtt=340.0 ms 214: 40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+1776 win=0 rtt=330.0 ms 215: 40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+1749 win=0 rtt=320.0 ms 216: 40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+1888 win=0 rtt=340.0 ms 217: 40 bytes from 204.71.200.68: flags=R seq=9 ttl=53 id=+1907 win=0 rtt=330.0 ms 218: 219: --- www.yahoo.com hping statistic --- 220: 10 packets tramitted, 10 packets received, 0% packet loss 221: round-trip min/avg/max = 320.0/336.7/360.0 ms 222: 223: Obviously checking the id every 1/2 second instead of 1 second, increment 224: will be half. 225: 226: # hping www.yahoo.com -P 80 -A -r -i u 500000 227: ppp0 default routing interface selected (according to /proc) 228: HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes 229: 40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=35713 win=0 rtt=327.0 ms 230: 40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+806 win=0 rtt=310.0 ms 231: 40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+992 win=0 rtt=320.0 ms 232: 40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+936 win=0 rtt=330.0 ms 233: 40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+987 win=0 rtt=310.0 ms 234: 40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+952 win=0 rtt=320.0 ms 235: 40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+918 win=0 rtt=330.0 ms 236: 40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+809 win=0 rtt=320.0 ms 237: 40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+881 win=0 rtt=320.0 ms 238: 239: --- www.yahoo.com hping statistic --- 240: 9 packets tramitted, 9 packets received, 0% packet loss 241: round-trip min/avg/max = 310.0/320.8/330.0 ms 242: 243: N.B. Warning, using ip->id you are able only to guess *the number 244: of packets sent/time*. You can't always compare different hosts. 245: ip->id refers to all host interfaces and for example if an host 246: use NAT or redirect TCP connections to another host (for example 247: a firewall used to hide a web server) ip->id increment may 248: result fakely increased. 249: 250: hpinging windows box without using --winid option you will see as 251: increments are 256 multiple because different id byteordering. This 252: can be really usefull for OS fingerprinting: 253: 254: #hping win95 -r 255: HPING win95 (eth0 192.168.4.41): NO FLAGS are set, 40 headers + 0 data bytes 256: 46 bytes from 192.168.4.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms 257: 46 bytes from 192.168.4.41: flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.5 ms 258: 46 bytes from 192.168.4.41: flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms 259: 46 bytes from 192.168.4.41: flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.5 ms 260: 261: --- win95 hping statistic --- 262: 4 packets tramitted, 4 packets received, 0% packet loss 263: round-trip min/avg/max = 0.5/0.5/0.6 ms 264: 265: Windows systems are "marked", so in order to discovery if an host is 266: a Windows host you need to send just some packet. 267: 268: How to perform spoofed SYN scan using incremental id? The following 269: is the original message to bugtraq about spoofed/indirect/idle scan method, 270: bottom i'll try to explain details and how this is possible even with UDP 271: with some restriction. 272: 273: ---- bugtraq posting about spoofed scanning ---- 274: 275: Hi, 276: 277: I have uncovered a new tcp port scan method. 278: Instead all others it allows you to scan using spoofed 279: packets, so scanned hosts can't see your real address. 280: In order to perform this i use three well known tcp/ip 281: implementation peculiarities of most OS: 282: 283: (1) * hosts reply SYN|ACK to SYN if tcp target port is open, 284: reply RST|ACK if tcp target port is closed. 285: 286: (2) * You can know the number of packets that hosts are sending 287: using id ip header field. See my previous posting 'about the ip 288: header' in this ml. 289: 290: (3) * hosts reply RST to SYN|ACK, reply nothing to RST. 291: 292: 293: The Players: 294: 295: host A - evil host, the attacker. 296: host B - silent host. 297: host C - victim host. 298: 299: A is your host. 300: B is a particular host: It must not send any packets while 301: you are scanning C. There are a lot of 'zero traffic' hosts 302: in internet, especially in the night :) 303: C is the victim, it must be vulnerable to SYN scan. 304: 305: I've called this scan method 'dumb host scan' in honour of host 306: B characteristics. 307: 308: 309: How it works: 310: 311: Host A monitors number of outgoing packets from B using id iphdr. 312: You can do this simply using hping: 313: 314: #hping B -r 315: HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 316: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 317: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 318: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms 319: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms 320: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms 321: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms 322: -cut- 323: .. 324: . 325: 326: As you can see, id increases are always 1. So this host have the 327: characteristics that host B should to own. 328: 329: Now host A sends SYN to port X of C spoofing from B. 330: (using hping => 0.67 is very easy, http://www.kyuzz.org/antirez) 331: if port X of C is open, host C will send SYN|ACK to B (yes, 332: host C don't know that the real sender is A). In this 333: case host B replies to SYN|ACK with a RST. 334: If we send to host C a few of SYN it will reply to B with a few 335: of SYN|ACK, so B will reply to C a few of RST... so 336: we'll see that host B is sending packets! 337: 338: . 339: .. 340: -cut- 341: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms 342: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms 343: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms 344: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms 345: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms 346: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms 347: -cut- 348: .. 349: . 350: 351: The port is open! 352: 353: Instead, if port X of C is closed sending to C a few 354: of SYN spoofed from B, it will reply with RST to B, and 355: B will not reply (see 3). So we'll see that host B is not sending 356: any packet: 357: 358: . 359: .. 360: -cut- 361: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms 362: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms 363: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms 364: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms 365: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms 366: 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms 367: -cut- 368: .. 369: . 370: 371: The port is closed. 372: 373: All this can appear complicated to perform, but using two sessions 374: of hping on Linux virtual consoles or under X makes it more simple. 375: First session listen host B: hping B -r 376: Second session send spoofed SYN: hping C -a B -S 377: 378: Sorry if my english is not so clear. 379: However this posting is not adequate to describe exaustively 380: this scan method, so i'll write a paper on this topic, specially 381: about how to implement this in a port scanner (i.e. nmap), and 382: about players characteristics and OS used. 383: 384: happy new year, 385: antirez 386: 387: ---- EOF ---- 388: 389: As you can see spoofed scanning is travial to perform, especially 390: unsing hping2 you are able to specify micro seconds interval (-i uX) 391: so you don't need that B host is a totally idle host. You may read 392: id increment once every second sending 10 SYN every second. If you 393: send an adequate SYNnumber/second expected id increment is so big 394: that you are able to see if port is open or closed even if B host 395: is sending other packets. Example: 396: 397: # hping awake.host.org -p 80 -A -r 398: ppp0 default routing interface selected (according to /proc) 399: HPING server.alicom.com (ppp0 111.222.333.44): A set, 40 headers + 0 data bytes 400: 40 bytes from 111.222.333.44: flags=R seq=0 ttl=249 id=47323 win=0 rtt=239.7 ms 401: 40 bytes from 111.222.333.44: flags=R seq=1 ttl=249 id=+6 win=0 rtt=630.0 ms 402: 40 bytes from 111.222.333.44: flags=R seq=2 ttl=249 id=+6 win=0 rtt=280.0 ms 403: 40 bytes from 111.222.333.44: flags=R seq=3 ttl=249 id=+8 win=0 rtt=340.0 ms 404: 40 bytes from 111.222.333.44: flags=R seq=4 ttl=249 id=+5 win=0 rtt=440.0 ms 405: 40 bytes from 111.222.333.44: flags=R seq=5 ttl=249 id=+5 win=0 rtt=410.0 ms 406: 40 bytes from 111.222.333.44: flags=R seq=6 ttl=249 id=+8 win=0 rtt=1509.9 ms 407: 40 bytes from 111.222.333.44: flags=R seq=7 ttl=249 id=+4 win=0 rtt=1460.0 ms 408: 40 bytes from 111.222.333.44: flags=R seq=8 ttl=249 id=+7 win=0 rtt=770.0 ms 409: 40 bytes from 111.222.333.44: flags=R seq=9 ttl=249 id=+5 win=0 rtt=230.0 ms 410: ... 411: 412: as you can see this host isn't in idle, it sends ~ 6 packets every second. 413: Now scan www.yahoo.com's port 80 to see if it's open: 414: 415: root.1# hping -a server.alicom.com -S -p 80 -i u10000 www.yahoo.com 416: ppp0 default routing interface selected (according to /proc) 417: HPING www.yahoo.com (ppp0 204.71.200.74): S set, 40 headers + 0 data bytes 418: 419: [wait some second and press CTRL+C] 420: 421: --- www.yahoo.com hping statistic --- 422: 130 packets tramitted, 0 packets received, 100% packet loss 423: round-trip min/avg/max = 0.0/0.0/0.0 ms 424: 425: Looking output of 'hping awake.host.org -p 80 -A -r' it's 426: simple to understand that www.yahoo.com's port 80 is open: 427: 428: 40 bytes from 111.222.333.44: flags=R seq=59 ttl=249 id=+16 win=0 rtt=380.0 ms 429: 40 bytes from 111.222.333.44: flags=R seq=60 ttl=249 id=+75 win=0 rtt=850.0 ms 430: 40 bytes from 111.222.333.44: flags=R seq=61 ttl=249 id=+12 win=0 rtt=1050.0 ms 431: 40 bytes from 111.222.333.44: flags=R seq=62 ttl=249 id=+1 win=0 rtt=450.0 ms 432: 40 bytes from 111.222.333.44: flags=R seq=63 ttl=249 id=+27 win=0 rtt=230.0 ms 433: 40 bytes from 111.222.333.44: flags=R seq=64 ttl=249 id=+11 win=0 rtt=850.0 ms 434: 435: note that 16+75+12+27+11+1-6 = 136 and that we sent 130 packets. So it's 436: very realistic that increments are produced by our packtes. 437: 438: Tips: Using an idle host to perform spoofed scanning it's usefull to 439: output only replies that show an increment != 1. Try 440: `hping host -r | grep -v "id=+1"'