Annotation of embedaddon/hping2/docs/hping2.8, revision 1.1

1.1     ! misho       1: .TH HPING2 8 "2001 Aug 14"
        !             2: .SH NAME
        !             3: hping2 \- send (almost) arbitrary TCP/IP packets to network hosts
        !             4: .SH SYNOPSIS
        !             5: .B hping2
        !             6: [
        !             7: .B \-hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG
        !             8: ] [
        !             9: .B \-c
        !            10: .I count
        !            11: ] [
        !            12: .B \-i
        !            13: .I wait
        !            14: ] [
        !            15: .B \-\-fast
        !            16: ] [
        !            17: .B \-I
        !            18: .I interface
        !            19: ] [
        !            20: .B \-9
        !            21: .I signature
        !            22: ] [
        !            23: .B \-a
        !            24: .I host
        !            25: ] [
        !            26: .B \-t
        !            27: .I ttl
        !            28: ] [
        !            29: .B \-N
        !            30: .I ip id
        !            31: ] [
        !            32: .B \-H
        !            33: .I ip protocol
        !            34: ] [
        !            35: .B \-g
        !            36: .I fragoff
        !            37: ] [
        !            38: .B \-m
        !            39: .I mtu
        !            40: ] [
        !            41: .B \-o
        !            42: .I tos
        !            43: ] [
        !            44: .B \-C
        !            45: .I icmp type
        !            46: ] [
        !            47: .B \-K
        !            48: .I icmp code
        !            49: ] [
        !            50: .B \-s
        !            51: .I source port
        !            52: ] [
        !            53: .B \-p[+][+]
        !            54: .I dest port
        !            55: ] [
        !            56: .B \-w
        !            57: .I tcp window
        !            58: ] [
        !            59: .B \-O
        !            60: .I tcp offset
        !            61: ] [
        !            62: .B \-M
        !            63: .I tcp sequence number
        !            64: ] [
        !            65: .B \-L
        !            66: .I tcp ack
        !            67: ] [
        !            68: .B \-d
        !            69: .I data size
        !            70: ] [
        !            71: .B \-E
        !            72: .I filename
        !            73: ] [
        !            74: .B \-e
        !            75: .I signature
        !            76: ] [
        !            77: .B \-\-icmp\-ipver
        !            78: .I version
        !            79: ] [
        !            80: .B \-\-icmp\-iphlen
        !            81: .I length
        !            82: ] [
        !            83: .B \-\-icmp\-iplen
        !            84: .I length
        !            85: ] [
        !            86: .B \-\-icmp\-ipid
        !            87: .I id
        !            88: ] [
        !            89: .B \-\-icmp\-ipproto
        !            90: .I protocol
        !            91: ] [
        !            92: .B \-\-icmp\-cksum
        !            93: .I checksum
        !            94: ] [
        !            95: .B \-\-icmp\-ts
        !            96: ] [
        !            97: .B \-\-icmp\-addr
        !            98: ] [
        !            99: .B \-\-tcpexitcode
        !           100: ] [
        !           101: .B \-\-tcp-timestamp
        !           102: ] [
        !           103: .B \-\-tr-stop
        !           104: ] [
        !           105: .B \-\-tr-keep-ttl
        !           106: ] [
        !           107: .B \-\-tr-no-rtt
        !           108: ] [
        !           109: .B \-\-rand-dest
        !           110: ] [
        !           111: .B \-\-rand-source
        !           112: ]
        !           113: hostname
        !           114: .br
        !           115: .ad
        !           116: .SH DESCRIPTION
        !           117: hping2 is a network tool able to send custom TCP/IP packets and to
        !           118: display target replies like the ping program does with ICMP replies. hping2
        !           119: handles fragmentation, arbitrary packet body and size, and can be used in
        !           120: order to transfer files encapsulated under supported protocols. Using
        !           121: hping2 you are able to perform at least the following stuff:
        !           122: 
        !           123:  - Test firewall rules
        !           124:  - Advanced port scanning
        !           125:  - Test net performance using different protocols,
        !           126:    packet size, TOS (type of service) and fragmentation.
        !           127:  - Path MTU discovery
        !           128:  - Transferring files between even really fascist firewall
        !           129:    rules.
        !           130:  - Traceroute-like under different protocols.
        !           131:  - Firewalk-like usage.
        !           132:  - Remote OS fingerprinting.
        !           133:  - TCP/IP stack auditing.
        !           134:  - A lot of others.
        !           135: 
        !           136: .IR "It's also a good didactic tool to learn TCP/IP" .
        !           137: hping2 is developed and maintained by antirez@invece.org and is
        !           138: licensed under GPL version 2. Development is open so you can send
        !           139: me patches, suggestions and affronts without inhibitions.
        !           140: .SH HPING SITE
        !           141: primary site at
        !           142: .BR http://www.hping.org .
        !           143: You can find both the stable release and the instructions
        !           144: to download the latest source code at http://www.hping.org/download.html
        !           145: .SH BASE OPTIONS
        !           146: .TP
        !           147: .I -h --help
        !           148: Show a help screen on standard output, so you can pipe to less.
        !           149: .TP
        !           150: .I -v --version
        !           151: Show version information and the API used to access the data link layer,
        !           152: .I linux sock packet
        !           153: or
        !           154: .IR libpcap.
        !           155: .TP
        !           156: .I -c --count count
        !           157: Stop after sending (and receiving)
        !           158: .I count
        !           159: response packets. After the last packet is sent hping2 waits COUNTREACHED_TIMEOUT
        !           160: seconds for target host replies. You are able to tune COUNTREACHED_TIMEOUT by editing
        !           161: hping2.h
        !           162: .TP
        !           163: .I -i --interval
        !           164: Wait
        !           165: the specified number of seconds or micro seconds between sending each packet.
        !           166: --interval X sets
        !           167: .I wait
        !           168: to X seconds, --interval uX sets
        !           169: .I wait
        !           170: to X micro seconds.
        !           171: The default is to wait
        !           172: one second between each packet. When using hping2 to transfer files, tuning this
        !           173: option is really important in order to increase transfer rate. Even when using
        !           174: hping2 to perform idle/spoofing scanning you should tune this option, see
        !           175: .B HPING2-HOWTO
        !           176: for more information.
        !           177: .TP
        !           178: .I --fast
        !           179: Alias for -i u10000. Hping will send 10 packets per second.
        !           180: .TP
        !           181: .I --faster
        !           182: Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets due to the signal-driven design).
        !           183: .TP
        !           184: .I -n --numeric
        !           185: Numeric output only. No attempt will be made to look up symbolic names for host addresses.
        !           186: .TP
        !           187: .I -q --quiet
        !           188: Quiet output. Nothing is displayed except the summary lines at
        !           189: startup time and when finished.
        !           190: .TP
        !           191: .I -I --interface interface name
        !           192: By default on Linux and BSD systems hping2 uses the default routing interface.
        !           193: In other systems or when there is no default route
        !           194: hping2 uses the first non-loopback interface.
        !           195: However you are able to force hping2 to use the interface you need using
        !           196: this option. Note: you don't need to specify the whole name, for
        !           197: example -I et will match eth0 ethernet0 myet1 et cetera. If no interfaces
        !           198: match hping2 will try to use lo.
        !           199: .TP
        !           200: .I -V --verbose
        !           201: Enable verbose output. TCP replies will be shown as follows:
        !           202: 
        !           203: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
        !           204: tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0 
        !           205: .TP
        !           206: .I -D --debug
        !           207: Enable debug mode, it's useful when you experience some problem with
        !           208: hping2. When debug mode is enabled you will get more information about
        !           209: .B interface detection, data link layer access, interface settings, options
        !           210: .B parsing, fragmentation, HCMP protocol
        !           211: and other stuff.
        !           212: .TP
        !           213: .I -z --bind
        !           214: Bind CTRL+Z to
        !           215: .B time to live (TTL)
        !           216: so you will be able to increment/decrement ttl of outgoing packets pressing
        !           217: CTRL+Z once or twice.
        !           218: .TP
        !           219: .I -Z --unbind
        !           220: Unbind CTRL+Z so you will be able to stop hping2.
        !           221: .SH PROTOCOL SELECTION
        !           222: Default protocol is TCP, by default hping2 will send tcp headers to target
        !           223: host's port 0 with a winsize of 64 without any tcp flag on. Often this
        !           224: is the best way to do a 'hide ping', useful when the target is behind
        !           225: a firewall that drops ICMP. Moreover a tcp null-flag to port 0 has a good
        !           226: probability of not being logged.
        !           227: .TP
        !           228: .I -0 --rawip
        !           229: RAW IP mode, in this mode hping2 will send IP header with data
        !           230: appended with --signature and/or --file, see also --ipproto that
        !           231: allows you to set the ip protocol field.
        !           232: .TP
        !           233: .I -1 --icmp
        !           234: ICMP mode, by default hping2 will send ICMP echo-request, you can set
        !           235: other ICMP type/code using
        !           236: .B --icmptype --icmpcode
        !           237: options.
        !           238: .TP
        !           239: .I -2 --udp
        !           240: UDP mode, by default hping2 will send udp to target host's port 0.
        !           241: UDP header tunable options are the following:
        !           242: .B --baseport, --destport, --keep.
        !           243: .TP
        !           244: .I -8 --scan
        !           245: Scan mode, the option expects an argument that describes groups of
        !           246: ports to scan. Port groups are comma separated: a number describes
        !           247: just a single port, so 1,2,3 means port 1, 2 and 3. Ranges are specified
        !           248: using a start-end notation, like 1-1000, which tells hping to scan ports between 1 and 1000 (included). The special word
        !           249: .B all
        !           250: is an alias for 0-65535, while the special word
        !           251: .B known
        !           252: includes all the ports listed in /etc/services.
        !           253: .br
        !           254: Groups can be combined, so the following command line will
        !           255: scan ports between 1 and 1000 AND port 8888 AND ports listed in /etc/services:
        !           256: .B hping --scan 1-1000,8888,known -S target.host.com
        !           257: .br
        !           258: Groups can be negated (subtracted) using a ! character as prefix,
        !           259: so the following command line will scan all the ports NOT listed
        !           260: in /etc/services in the range 1-1024:
        !           261: .B hping --scan '1-1024,!known' -S target.host.com
        !           262: .br
        !           263: Keep in mind that while hping seems much more like a port scanner in
        !           264: this mode, most of the hping switches are still honored, so for example to
        !           265: perform a SYN scan you need to specify the
        !           266: .B -S
        !           267: option, you can change the TCP windows size, TTL, control the
        !           268: IP fragmentation as usual, and so on. The only real difference is that
        !           269: the standard hping behaviors are encapsulated into a scanning
        !           270: algorithm.
        !           271: .br
        !           272: .BR "Tech note" :
        !           273: The scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but already quite fast.
        !           274: .br
        !           275: .BR Hint :
        !           276: unlike most scanners, hping shows some interesting info about received
        !           277: packets, the IP ID, TCP win, TTL, and so on, don't forget to look
        !           278: at this additional information when you perform a scan! Sometimes it
        !           279: shows interesting details.
        !           280: .TP
        !           281: .I -9 --listen signature
        !           282: HPING2 listen mode, using this option hping2 waits for packets that contain
        !           283: .I signature
        !           284: and dumps from
        !           285: .I signature
        !           286: end to packet's end. For example if hping2 --listen TEST reads a packet
        !           287: that contains
        !           288: .B 234-09sdflkjs45-TESThello_world
        !           289: it will display
        !           290: .BR hello_world .
        !           291: .SH IP RELATED OPTIONS
        !           292: .TP
        !           293: .I -a --spoof hostname
        !           294: Use this option in order to set a fake IP source address, this option
        !           295: ensures that the target will not learn your real address. However replies
        !           296: will be sent to the spoofed address, so you won't be able to see them. In order
        !           297: to see how it's possible to perform spoofed/idle scanning see the
        !           298: .BR HPING2-HOWTO .
        !           299: .TP
        !           300: .I --rand-source
        !           301: This option enables the
        !           302: .BR "random source mode" .
        !           303: hping will send packets with random source address. It is interesting
        !           304: to use this option to stress firewall state tables, and other
        !           305: per-ip basis dynamic tables inside the TCP/IP stacks and firewall
        !           306: software.
        !           307: .TP
        !           308: .I --rand-dest
        !           309: This option enables the
        !           310: .BR "random destination mode" .
        !           311: hping will send the packets to random addresses obtained following
        !           312: the rule you specify as the target host. You need to specify
        !           313: a numerical IP address as target host like
        !           314: .BR 10.0.0.x .
        !           315: All the occurrences of
        !           316: .B x
        !           317: will be replaced with a random number in the range 0-255. So to obtain
        !           318: Internet IP addresses in the whole IPv4 space use something like
        !           319: .BR "hping x.x.x.x --rand-dest" .
        !           320: If you are not sure about what kind of addresses your rule is generating
        !           321: try to use the
        !           322: .B --debug
        !           323: switch to display every new destination address generated.
        !           324: When this option is turned on, matching packets will be accepted from all
        !           325: the destinations.
        !           326: .br
        !           327: .BR Warning :
        !           328: when this option is enabled hping can't detect the right outgoing
        !           329: interface for the packets, so you should use the
        !           330: .B --interface
        !           331: option to select the desired outgoing interface.
        !           332: .TP
        !           333: .I -t --ttl time to live
        !           334: Using this option you can set
        !           335: .B TTL (time to live)
        !           336: of outgoing packets, it's likely that you will use this with
        !           337: .B --traceroute
        !           338: or
        !           339: .B --bind
        !           340: options. If in doubt try
        !           341: .BR "" "`" "hping2 some.host.com -t 1 --traceroute" "'."
        !           342: .TP
        !           343: .I -N --id
        !           344: Set ip->id field. Default id is random but if fragmentation is turned on
        !           345: and id isn't specified it will be
        !           346: .BR "getpid() & 0xFF" ,
        !           347: implementing a better solution is on the TODO list.
        !           348: .TP
        !           349: .I -H --ipproto
        !           350: Set the ip protocol in RAW IP mode.
        !           351: .TP
        !           352: .I -W --winid
        !           353: IDs from Windows* systems before Win2k have different byte ordering, if this
        !           354: option is enabled
        !           355: hping2 will properly display id replies from those Windows systems.
        !           356: .TP
        !           357: .I -r --rel
        !           358: Display id increments instead of id. See the
        !           359: .B HPING2-HOWTO
        !           360: for more information. Increments aren't computed as id[N]-id[N-1] but
        !           361: using packet loss compensation. See relid.c for more information.
        !           362: .TP
        !           363: .I -f --frag
        !           364: Split packets into more fragments, this may be useful in order to test
        !           365: IP stacks fragmentation performance and to test if some
        !           366: packet filter is so weak that it can be passed using tiny fragments
        !           367: (anachronistic). Default 'virtual mtu' is 16 bytes. See also
        !           368: .I --mtu
        !           369: option.
        !           370: .TP
        !           371: .I -x --morefrag
        !           372: Set more fragments IP flag, use this option if you want the target
        !           373: host to send an
        !           374: .BR "ICMP time-exceeded during reassembly" .
        !           375: .TP
        !           376: .I -y --dontfrag
        !           377: Set don't fragment IP flag, this can be used to perform
        !           378: .BR "MTU path discovery" .
        !           379: .TP
        !           380: .I -g --fragoff fragment offset value
        !           381: Set the fragment offset.
        !           382: .TP
        !           383: .I -m --mtu mtu value
        !           384: Set different 'virtual mtu' than 16 when fragmentation is enabled. If
        !           385: packet size is greater than 'virtual mtu' fragmentation is automatically
        !           386: turned on.
        !           387: .TP
        !           388: .I -o --tos hex_tos
        !           389: Set
        !           390: .BR "Type Of Service (TOS)" ,
        !           391: for more information try
        !           392: .BR "--tos help" .
        !           393: .TP
        !           394: .I -G --rroute
        !           395: Record route. Includes the RECORD_ROUTE option in each packet sent and
        !           396: displays the route buffer of returned packets. Note that the IP header
        !           397: is only large enough for nine such routes. Many hosts ignore or discard
        !           398: this option. Also note that using hping you are able to use record route
        !           399: even if target host filters ICMP. Record route is an IP option, not
        !           400: an ICMP option, so you can use record route option even in TCP and UDP
        !           401: mode.
        !           402: .SH ICMP RELATED OPTIONS
        !           403: .TP
        !           404: .I -C --icmptype type
        !           405: Set icmp type, default is
        !           406: .B ICMP echo request
        !           407: (implies --icmp).
        !           408: .TP
        !           409: .I -K --icmpcode code
        !           410: Set icmp code, default is 0 (implies --icmp).
        !           411: .TP
        !           412: .I --icmp-ipver
        !           413: Set IP version of IP header contained in ICMP data, default is 4.
        !           414: .TP
        !           415: .I --icmp-iphlen
        !           416: Set IP header length of IP header contained in ICMP data, default is 5 (5 words of 32 bits).
        !           417: .TP
        !           418: .I --icmp-iplen
        !           419: Set IP packet length of IP header contained in ICMP data, default is the real
        !           420: length.
        !           421: .TP
        !           422: .I --icmp-ipid
        !           423: Set IP id of IP header contained in ICMP data, default is random.
        !           424: .TP
        !           425: .I --icmp-ipproto
        !           426: Set IP protocol of IP header contained in ICMP data, default is TCP.
        !           427: .TP
        !           428: .I --icmp-cksum
        !           429: Set ICMP checksum, default is the valid checksum.
        !           430: .TP
        !           431: .I --icmp-ts
        !           432: Alias for --icmptype 13 (to send ICMP timestamp requests).
        !           433: .TP
        !           434: .I --icmp-addr
        !           435: Alias for --icmptype 17 (to send ICMP address mask requests).
        !           436: .SH TCP/UDP RELATED OPTIONS
        !           437: .TP
        !           438: .I -s --baseport source port
        !           439: hping2 uses the source port in order to guess the replies' sequence number. It
        !           440: starts with a base source port number, and increases this number for each
        !           441: packet sent. When a packet is received the sequence number can be computed as
        !           442: .IR "replies.dest.port - base.source.port" .
        !           443: Default base source port is random, using this option you are able to
        !           444: set a different number. If you need the source port not to be increased for
        !           445: each sent packet use the
        !           446: .I -k --keep
        !           447: option.
        !           448: .TP
        !           449: .I -p --destport [+][+]dest port
        !           450: Set destination port, default is 0. If '+' character precedes dest port
        !           451: number (i.e. +1024) destination port will be increased for each reply
        !           452: received. If double '+' precedes dest port number (i.e. ++1024), destination
        !           453: port will be increased for each packet sent.
        !           454: By default destination port can be modified interactively using
        !           455: .BR CTRL+z .
        !           456: .TP
        !           457: .I --keep
        !           458: Keep the source port still, see
        !           459: .I --baseport
        !           460: for more information.
        !           461: .TP
        !           462: .I -w --win
        !           463: Set TCP window size. Default is 64.
        !           464: .TP
        !           465: .I -O --tcpoff
        !           466: Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
        !           467: .TP
        !           468: .I -M --tcpseq
        !           469: Set the TCP sequence number.
        !           470: .TP
        !           471: .I -L --tcpack
        !           472: Set the TCP ack.
        !           473: .TP
        !           474: .I -Q --seqnum
        !           475: This option can be used in order to collect sequence numbers generated
        !           476: by target host. This can be useful when you need to analyze whether
        !           477: TCP sequence number is predictable. Output example:
        !           478: 
        !           479: .B #hping2 win98 --seqnum -p 139 -S -i u1 -I eth0
        !           480: .nf
        !           481: HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
        !           482: 2361294848 +2361294848
        !           483: 2411626496 +50331648
        !           484: 2545844224 +134217728
        !           485: 2713616384 +167772160
        !           486: 2881388544 +167772160
        !           487: 3049160704 +167772160
        !           488: 3216932864 +167772160
        !           489: 3384705024 +167772160
        !           490: 3552477184 +167772160
        !           491: 3720249344 +167772160
        !           492: 3888021504 +167772160
        !           493: 4055793664 +167772160
        !           494: 4223565824 +167772160
        !           495: .fi
        !           496: 
        !           497: The first column reports the sequence number, the second the difference
        !           498: between current and last sequence number. As you can see target host's sequence
        !           499: numbers are predictable.
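
The delta check described for --seqnum can be automated when auditing the initial sequence numbers of a host you administer. This is an added example, not part of hping2 or of the original man page: the function names and the 0.5 threshold are assumptions, PAGE_SAMPLE is the output quoted above, and RANDOM_SAMPLE is constructed for contrast.

```python
import re
from collections import Counter

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# The --seqnum output quoted in the man page above, banner line included.
PAGE_SAMPLE = """\
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
2361294848 +2361294848
2411626496 +50331648
2545844224 +134217728
2713616384 +167772160
2881388544 +167772160
3049160704 +167772160
3216932864 +167772160
3384705024 +167772160
3552477184 +167772160
3720249344 +167772160
3888021504 +167772160
4055793664 +167772160
4223565824 +167772160
"""

# Constructed values standing in for a stack with randomised sequence numbers.
RANDOM_SAMPLE = [1046527437, 3918842201, 250013377, 2877765121, 1600489912]

LINE_RE = re.compile(r"^\s*(\d+)\s+\+(\d+)\s*$")


def parse_seqnum_output(text):
    """Return [(sequence_number, reported_delta), ...]; the banner is skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            rows.append((int(match.group(1)), int(match.group(2))))
    return rows


def deltas(seqs):
    """Differences between consecutive sequence numbers, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(seqs, seqs[1:])]


def reported_deltas_consistent(rows):
    """Check the second column against the first (first row is measured from 0)."""
    previous = 0
    for seq, reported in rows:
        if (seq - previous) % MOD != reported:
            return False
        previous = seq
    return True


def assess(seqs, threshold=0.5):
    """Flag a sample as predictable when one increment dominates the deltas.

    threshold is an assumed cut-off: the share of deltas that must be equal.
    """
    found = deltas(seqs)
    if not found:
        raise ValueError("need at least two sequence numbers")
    increment, hits = Counter(found).most_common(1)[0]
    share = hits / len(found)
    return {
        "samples": len(seqs),
        "dominant_increment": increment,
        "share": share,
        "predictable": share >= threshold,
    }


if __name__ == "__main__":
    rows = parse_seqnum_output(PAGE_SAMPLE)
    print("columns consistent:", reported_deltas_consistent(rows))
    print("page sample:", assess([seq for seq, _ in rows]))
    print("random sample:", assess(RANDOM_SAMPLE))
```
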
        !           500: .TP
        !           501: .I -b --badcksum
        !           502: Send packets with a bad UDP/TCP checksum.
        !           503: .TP
        !           504: .I --tcp-timestamp
        !           505: Enable the TCP timestamp option, and try to guess the timestamp update
        !           506: frequency and the remote system uptime.
        !           507: .TP
        !           508: .I -F --fin
        !           509: Set FIN tcp flag.
        !           510: .TP
        !           511: .I -S --syn
        !           512: Set SYN tcp flag.
        !           513: .TP
        !           514: .I -R --rst
        !           515: Set RST tcp flag.
        !           516: .TP
        !           517: .I -P --push
        !           518: Set PUSH tcp flag.
        !           519: .TP
        !           520: .I -A --ack
        !           521: Set ACK tcp flag.
        !           522: .TP
        !           523: .I -U --urg
        !           524: Set URG tcp flag.
        !           525: .TP
        !           526: .I -X --xmas
        !           527: Set Xmas tcp flag.
        !           528: .TP
        !           529: .I -Y --ymas
        !           530: Set Ymas tcp flag.
        !           531: .SH COMMON OPTIONS
        !           532: .TP
        !           533: .I -d --data data size
        !           534: Set packet body size. Warning, using --data 40 hping2 will not generate
        !           535: 0 byte packets but protocol_header+40 bytes. hping2 will display
        !           536: packet size information as first line output, like this:
        !           537: .B HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
        !           538: .TP
        !           539: .I -E --file filename
        !           540: Use
        !           541: .B filename
        !           542: contents to fill packet's data.
        !           543: .TP
        !           544: .I -e --sign signature
        !           545: Fill first
        !           546: .I signature length
        !           547: bytes of data with
        !           548: .IR signature .
        !           549: If the
        !           550: .I signature length
        !           551: is bigger than data size an error message will be displayed.
        !           552: If you don't specify the data size hping will use the signature
        !           553: size as data size.
        !           554: This option can be used safely with
        !           555: .I --file filename
        !           556: option, remainder data space will be filled using
        !           557: .IR filename .
        !           558: .TP
        !           559: .I -j --dump
        !           560: Dump received packets in hex.
        !           561: .TP
        !           562: .I -J --print
        !           563: Dump received packets' printable characters.
        !           564: .TP
        !           565: .I -B --safe
        !           566: Enable safe protocol, using this option lost packets in file transfers
        !           567: will be resent. For example in order to send file /etc/passwd from host
        !           568: A to host B you may use the following:
        !           569: .nf
        !           570: .I [host_a]
        !           571: .B # hping2 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
        !           572: .I [host_b]
        !           573: .B # hping2 host_a --listen signature --safe --icmp
        !           574: .fi
        !           575: .TP
        !           576: .I -u --end
        !           577: If you are using
        !           578: .I --file filename
        !           579: option, tells you when EOF has been reached. Moreover, prevents the other end
        !           580: from accepting more packets. Please, for more information see the
        !           581: .BR HPING2-HOWTO .
        !           582: .TP
        !           583: .I -T --traceroute
        !           584: Traceroute mode. Using this option hping2 will increase ttl for each
        !           585: .B ICMP time to live 0 during transit
        !           586: received. Try
        !           587: .BR "hping2 host --traceroute" .
        !           588: This option implies --bind and --ttl 1. You can override the ttl of 1
        !           589: using the --ttl option. Since 2.0.0 stable it prints RTT information.
        !           590: .TP
        !           591: .I --tr-keep-ttl
        !           592: Keep the TTL fixed in traceroute mode, so you can monitor just one hop
        !           593: in the route. For example, to monitor how the 5th hop changes or
        !           594: how its RTT changes you can try
        !           595: .BR "hping2 host --traceroute --ttl 5 --tr-keep-ttl" .
        !           596: .TP
        !           597: .I --tr-stop
        !           598: If this option is specified hping will exit once the first packet
        !           599: that isn't an ICMP time exceeded is received. This better emulates
        !           600: the traceroute behavior.
        !           601: .TP
        !           602: .I --tr-no-rtt
        !           603: Don't show RTT information in traceroute mode. The ICMP time exceeded RTT
        !           604: information isn't even calculated if this option is set.
        !           605: .TP
        !           606: .I --tcpexitcode
        !           607: Exit with last received packet tcp->th_flag as exit code. Useful for scripts
        !           608: that need, for example, to know whether port 999 of some host replies with
        !           609: SYN/ACK or with RST in response to SYN, i.e. the service is up or down.
        !           610: .SH TCP OUTPUT FORMAT
        !           611: The standard TCP output format is the following:
        !           612: 
        !           613: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
        !           614: 
        !           615: .B len
        !           616: is the size, in bytes, of the data captured from the data link layer
        !           617: excluding the data link header size. This may not match the IP datagram
        !           618: size due to low level transport layer padding.
        !           619: 
        !           620: .B ip
        !           621: is the source ip address.
        !           622: 
        !           623: .B flags
        !           624: are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN,
        !           625: P for PUSH, U for URGENT, X for non-standard 0x40, Y for non-standard
        !           626: 0x80.
        !           627: 
        !           628: If the reply contains
        !           629: .B DF
        !           630: the IP header has the don't fragment bit set.
        !           631: 
        !           632: .B seq
        !           633: is the sequence number of the packet, obtained using the source
        !           634: port for TCP/UDP packets, the sequence field for ICMP packets.
        !           635: 
        !           636: .B id
        !           637: is the IP ID field.
        !           638: 
        !           639: .B win
        !           640: is the TCP window size.
        !           641: 
        !           642: .B rtt
        !           643: is the round trip time in milliseconds.
        !           644: 
        !           645: If you run hping using the
        !           646: .B -V
        !           647: command line switch it will display additional information about the
        !           648: packet, for example:
        !           649: 
        !           650: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
        !           651: tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0 
        !           652: 
        !           653: .B tos
        !           654: is the type of service field of the IP header.
        !           655: 
        !           656: .B iplen
        !           657: is the IP total len field.
        !           658: 
        !           659: .B seq and ack
        !           660: are the 32-bit sequence and acknowledgment numbers in the TCP header.
        !           661: 
        !           662: .B sum
        !           663: is the TCP header checksum value.
        !           664: 
        !           665: .B urp
        !           666: is the TCP urgent pointer value.
        !           667: 
        !           668: .SH UDP OUTPUT FORMAT
        !           669: 
        !           670: The standard output format is:
        !           671: 
        !           672: len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
        !           673: 
        !           674: The fields have the same meaning as the fields of the same name in the
        !           675: TCP output.
        !           676: 
        !           677: .SH ICMP OUTPUT FORMAT
        !           678: 
        !           679: An example of ICMP output is:
        !           680: 
        !           681: ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
        !           682: 
        !           683: It is very simple to understand. It starts with the string "ICMP"
        !           684: followed by the description of the ICMP error, Port Unreachable
        !           685: in the example. The ip field is the IP source address of the IP
        !           686: datagram containing the ICMP error, the name field is just the
        !           687: numerical address resolved to a name (a dns PTR request) or UNKNOWN if the
        !           688: resolution failed.
        !           689: 
        !           690: The ICMP Time exceeded during transit or reassembly format is a bit
        !           691: different:
        !           692: 
        !           693: TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
        !           694: 
        !           695: TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN   
        !           696: 
        !           697: The only difference is the description of the error, which starts with
        !           698: TTL 0.
        !           699: 
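A parser for the TCP, UDP and ICMP output formats described above, together with a decoder for the --tcpexitcode status. This is an added example, not part of the original man page or of hping2. The function names are hypothetical, and the bit values for F, S, R, P, A and U are the standard TCP header flag bits (the page itself gives only X and Y).

```python
import re

# Flag letters as listed under TCP OUTPUT FORMAT. Bit values are the standard
# TCP header flag bits; the page itself gives X=0x40 and Y=0x80.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "X": 0x40, "Y": 0x80}
KV = re.compile(r"(\w+)=(\S+)")
ICMP = re.compile(r"^(?P<error>ICMP .+?|TTL 0 during (?:transit|reassembly))"
                  r" from ip=(?P<ip>\S+) name=(?P<name>\S+)$")

def flags_to_bits(letters):
    """Turn a flags= value such as 'RA' into the th_flags byte."""
    unknown = set(letters) - set(FLAG_BITS)
    if unknown:
        raise ValueError("unexpected flag letters: %s" % sorted(unknown))
    return sum(FLAG_BITS[ch] for ch in set(letters))

def bits_to_flags(value):
    """Turn a th_flags byte (the --tcpexitcode exit status) into letters."""
    return "".join(l for l, b in FLAG_BITS.items() if value & b)

def service_state(exit_code):
    """Read a --tcpexitcode status as the page does: SYN/ACK up, RST down."""
    if (exit_code & 0x12) == 0x12:
        return "up"
    return "down" if exit_code & 0x04 else "unknown"

def parse_line(line):
    """Parse one hping2 output line into a dict, or None if unrecognised."""
    line = line.strip()
    m = ICMP.match(line)
    if m:
        return {"kind": "icmp", **m.groupdict()}
    fields = dict(KV.findall(line))
    if not fields:
        return None
    # A reply's first line starts with len=; the extra -V line starts with tos=.
    rec = {"kind": "reply" if "len" in fields else "detail", **fields}
    if "flags" in fields:
        rec["flag_bits"] = flags_to_bits(fields["flags"])
    if rec["kind"] == "reply":
        rec["df"] = "DF" in line.split()
    return rec

# Sample lines copied from the examples in this man page.
SAMPLE = """len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN"""
PARSED = [parse_line(raw) for raw in SAMPLE.splitlines()]
```

The seq field on the -V line is the 32-bit TCP sequence number, while seq on the first line is hping's own packet counter, so the two lines are kept as separate records.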
        !           700: .SH AUTHOR
        !           701: Salvatore Sanfilippo <antirez@invece.org>, with the help of the people mentioned in AUTHORS file and at http://www.hping.org/authors.html
        !           702: .SH BUGS
        !           703: Even using the --end and --safe options to transfer files the final packet
        !           704: will be padded with 0x00 bytes.
        !           705: .PP
        !           706: Data is read without care about alignment, but alignment is enforced
        !           707: in the data structures.
        !           708: This will not be a problem under i386 but, while usually the TCP/IP
        !           709: headers are naturally aligned, may create problems with different
        !           710: processors and bogus packets if there is some unaligned access around
        !           711: the code (hopefully none).
        !           712: .PP
        !           713: On Solaris hping does not work on the loopback interface. This seems to be
        !           714: a Solaris problem, as stated on the tcpdump-workers mailing list,
        !           715: so libpcap can't do anything to handle it properly.
        !           716: .SH SEE ALSO
        !           717: ping(8), traceroute(8), ifconfig(8), nmap(1)
