File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / hping2 / docs / hping2.8
Revision 1.1.1.1 (vendor branch)
Tue Feb 21 22:11:37 2012 UTC (13 years, 1 month ago) by misho
Branches: hping2, MAIN
CVS tags: v2_0_0rc3p7, v2_0_0rc3p5, v2_0_0rc3p4, v2_0_0rc3p0, v2_0_0rc3, HEAD
hping2

    1: .TH HPING2 8 "2001 Aug 14"
    2: .SH NAME
    3: hping2 \- send (almost) arbitrary TCP/IP packets to network hosts
    4: .SH SYNOPSIS
    5: .B hping2
    6: [
    7: .B \-hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG
    8: ] [
    9: .B \-c
   10: .I count
   11: ] [
   12: .B \-i
   13: .I wait
   14: ] [
   15: .B \-\-fast
   16: ] [
   17: .B \-I
   18: .I interface
   19: ] [
   20: .B \-9
   21: .I signature
   22: ] [
   23: .B \-a
   24: .I host
   25: ] [
   26: .B \-t
   27: .I ttl
   28: ] [
   29: .B \-N
   30: .I ip id
   31: ] [
   32: .B \-H
   33: .I ip protocol
   34: ] [
   35: .B \-g
   36: .I fragoff
   37: ] [
   38: .B \-m
   39: .I mtu
   40: ] [
   41: .B \-o
   42: .I tos
   43: ] [
   44: .B \-C
   45: .I icmp type
   46: ] [
   47: .B \-K
   48: .I icmp code
   49: ] [
   50: .B \-s
   51: .I source port
   52: ] [
   53: .B \-p[+][+]
   54: .I dest port
   55: ] [
   56: .B \-w
   57: .I tcp window
   58: ] [
   59: .B \-O
   60: .I tcp offset
   61: ] [
   62: .B \-M
   63: .I tcp sequence number
   64: ] [
   65: .B \-L
   66: .I tcp ack
   67: ] [
   68: .B \-d
   69: .I data size
   70: ] [
   71: .B \-E
   72: .I filename
   73: ] [
   74: .B \-e
   75: .I signature
   76: ] [
   77: .B \-\-icmp\-ipver
   78: .I version
   79: ] [
   80: .B \-\-icmp\-iphlen
   81: .I length
   82: ] [
   83: .B \-\-icmp\-iplen
   84: .I length
   85: ] [
   86: .B \-\-icmp\-ipid
   87: .I id
   88: ] [
   89: .B \-\-icmp\-ipproto
   90: .I protocol
   91: ] [
   92: .B \-\-icmp\-cksum
   93: .I checksum
   94: ] [
   95: .B \-\-icmp\-ts
   96: ] [
   97: .B \-\-icmp\-addr
   98: ] [
   99: .B \-\-tcpexitcode
  100: ] [
  101: .B \-\-tcp-timestamp
  102: ] [
  103: .B \-\-tr-stop
  104: ] [
  105: .B \-\-tr-keep-ttl
  106: ] [
  107: .B \-\-tr-no-rtt
  108: ] [
  109: .B \-\-rand-dest
  110: ] [
  111: .B \-\-rand-source
  112: ]
  113: hostname
  114: .br
  115: .ad
  116: .SH DESCRIPTION
  117: hping2 is a network tool able to send custom TCP/IP packets and to
  118: display target replies like the ping program does with ICMP replies. hping2
  119: handles fragmentation, arbitrary packet body and size, and can be used
  120: to transfer files encapsulated under supported protocols. Using
  121: hping2 you are able to perform at least the following:
  122: 
  123:  - Test firewall rules
  124:  - Advanced port scanning
  125:  - Test net performance using different protocols,
  126:    packet size, TOS (type of service) and fragmentation.
  127:  - Path MTU discovery
  128:  - Transferring files even across really fascist firewall
  129:    rules.
  130:  - Traceroute-like under different protocols.
  131:  - Firewalk-like usage.
  132:  - Remote OS fingerprinting.
  133:  - TCP/IP stack auditing.
  134:  - A lot of others.
  135: 
  136: .IR "It's also a good didactic tool to learn TCP/IP" .
  137: hping2 is developed and maintained by antirez@invece.org and is
  138: licensed under GPL version 2. Development is open so you can send
  139: me patches, suggestions and affronts without inhibitions.
  140: .SH HPING SITE
  141: The primary site is at
  142: .BR http://www.hping.org .
  143: You can find both the stable release and the instructions
  144: to download the latest source code at http://www.hping.org/download.html
  145: .SH BASE OPTIONS
  146: .TP
  147: .I -h --help
  148: Show a help screen on standard output, so you can pipe to less.
  149: .TP
  150: .I -v --version
  151: Show version information and the API used to access the data link layer,
  152: .I linux sock packet
  153: or
  154: .IR libpcap .
  155: .TP
  156: .I -c --count count
  157: Stop after sending (and receiving)
  158: .I count
  159: response packets. After the last packet was sent hping2 waits COUNTREACHED_TIMEOUT
  160: seconds for target host replies. You can tune COUNTREACHED_TIMEOUT by editing
  161: hping2.h.
  162: .TP
  163: .I -i --interval
  164: Wait
  165: the specified number of seconds or microseconds between sending each packet.
  166: --interval X sets
  167: .I wait
  168: to X seconds, --interval uX sets
  169: .I wait
  170: to X microseconds.
  171: The default is to wait
  172: one second between each packet. When using hping2 to transfer files, tuning this
  173: option is really important in order to increase the transfer rate. Even when using
  174: hping2 to perform idle/spoofing scanning you should tune this option, see
  175: .B HPING2-HOWTO
  176: for more information.
  177: .TP
  178: .I --fast
  179: Alias for -i u10000. Hping will send 10 packets per second.
  180: .TP
  181: .I --faster
  182: Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets due to the signal-driven design).
  183: .TP
  184: .I -n --numeric
  185: Numeric output only. No attempt will be made to look up symbolic names for host addresses.
  186: .TP
  187: .I -q --quiet
  188: Quiet output. Nothing is displayed except the summary lines at
  189: startup time and when finished.
  190: .TP
  191: .I -I --interface interface name
  192: By default on Linux and BSD systems hping2 uses the default routing interface.
  193: In other systems or when there is no default route
  194: hping2 uses the first non-loopback interface.
  195: However you are able to force hping2 to use the interface you need using
  196: this option. Note: you don't need to specify the whole name, for
  197: example -I et will match eth0 ethernet0 myet1 et cetera. If no interfaces
  198: match hping2 will try to use lo.
  199: .TP
  200: .I -V --verbose
  201: Enable verbose output. TCP replies will be shown as follows:
  202: 
  203: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
  204: tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0 
  205: .TP
  206: .I -D --debug
  207: Enable debug mode, it's useful when you experience some problem with
  208: hping2. When debug mode is enabled you will get more information about
  209: .B interface detection, data link layer access, interface settings, options
  210: .B parsing, fragmentation, HCMP protocol
  211: and other stuff.
  212: .TP
  213: .I -z --bind
  214: Bind CTRL+Z to
  215: .B time to live (TTL)
  216: so you will be able to increment/decrement the TTL of outgoing packets by pressing
  217: CTRL+Z once or twice.
  218: .TP
  219: .I -Z --unbind
  220: Unbind CTRL+Z so you will be able to stop hping2.
  221: .SH PROTOCOL SELECTION
  222: The default protocol is TCP. By default hping2 will send TCP headers to the target
  223: host's port 0 with a winsize of 64 and without any TCP flag set. Often this
  224: is the best way to do a 'hide ping', useful when the target is behind
  225: a firewall that drops ICMP. Moreover a TCP null-flag packet to port 0 has a good
  226: probability of not being logged.
  227: .TP
  228: .I -0 --rawip
  229: RAW IP mode. In this mode hping2 will send an IP header with data
  230: appended with --signature and/or --file, see also --ipproto that
  231: allows you to set the ip protocol field.
  232: .TP
  233: .I -1 --icmp
  234: ICMP mode, by default hping2 will send ICMP echo-request, you can set
  235: other ICMP type/code using
  236: .B --icmptype --icmpcode
  237: options.
  238: .TP
  239: .I -2 --udp
  240: UDP mode. By default hping2 will send UDP packets to the target host's port 0.
  241: UDP header tunable options are the following:
  242: .B --baseport, --destport, --keep.
  243: .TP
  244: .I -8 --scan
  245: Scan mode. The option expects an argument that describes groups of
  246: ports to scan. Port groups are comma separated: a number describes
  247: just a single port, so 1,2,3 means port 1, 2 and 3. Ranges are specified
  248: using a start-end notation, like 1-1000, that tells hping to scan ports between 1 and 1000 (included). The special word
  249: .B all
  250: is an alias for 0-65535, while the special word
  251: .B known
  252: includes all the ports listed in /etc/services.
  253: .br
  254: Groups can be combined, so the following command line will
  255: scan ports between 1 and 1000 AND port 8888 AND ports listed in /etc/services:
  256: .B hping --scan 1-1000,8888,known -S target.host.com
  257: .br
  258: Groups can be negated (subtracted) using a ! character as prefix,
  259: so the following command line will scan all the ports NOT listed
  260: in /etc/services in the range 1-1024:
  261: .B hping --scan '1-1024,!known' -S target.host.com
  262: .br
  263: Keep in mind that while hping seems much more like a port scanner in
  264: this mode, most of the hping switches are still honored, so for example to
  265: perform a SYN scan you need to specify the
  266: .B -S
  267: option, you can change the TCP window size, TTL, control the
  268: IP fragmentation as usual, and so on. The only real difference is that
  269: the standard hping behaviors are encapsulated into a scanning
  270: algorithm.
  271: .br
  272: .BR "Tech note" :
  273: The scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but already quite fast.
  274: .br
  275: .BR Hint :
  276: unlike most scanners, hping shows some interesting info about received
  277: packets, the IP ID, TCP win, TTL, and so on, don't forget to look
  278: at this additional information when you perform a scan! Sometimes it
  279: shows interesting details.
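
Added example (not hping code): a Python expansion of the port-group syntax described above, useful for checking exactly which ports a `--scan` argument covers before a test is authorized. Left-to-right evaluation of the groups, the function names, and the small constructed `/etc/services` excerpt are assumptions of this example.

```python
import re

MAX_PORT = 65535

# Constructed stand-in for /etc/services so the example runs offline.
SERVICES_SAMPLE = """\
# name    port/proto  aliases
ssh       22/tcp
smtp      25/tcp      mail
domain    53/udp
http      80/tcp      www     # WorldWideWeb HTTP
ms-sql-s  1433/tcp
"""


def known_ports(services_text):
    """Collect port numbers from text in /etc/services format."""
    ports = set()
    for line in services_text.splitlines():
        line = line.split("#", 1)[0]              # drop trailing comments
        match = re.match(r"\s*\S+\s+(\d+)/\w+", line)
        if match:
            ports.add(int(match.group(1)))
    return ports


def group_ports(group, known):
    """Expand one group: 'all', 'known', a single port or a start-end range."""
    if group == "all":                            # alias for 0-65535
        return set(range(0, MAX_PORT + 1))
    if group == "known":
        return set(known)
    match = re.fullmatch(r"(\d+)(?:-(\d+))?", group)
    if not match:
        raise ValueError("bad port group: %r" % group)
    start = int(match.group(1))
    end = int(match.group(2)) if match.group(2) is not None else start
    if start > end or end > MAX_PORT:
        raise ValueError("port range out of order or above 65535: %r" % group)
    return set(range(start, end + 1))             # ranges are inclusive


def expand_port_groups(spec, known):
    """Apply comma separated groups in order; a '!' prefix subtracts a group.

    Assumption: groups are applied left to right, so '!known,1-1024' and
    '1-1024,!known' select different sets.
    """
    selected = set()
    for group in spec.split(","):
        group = group.strip()
        if group.startswith("!"):
            selected -= group_ports(group[1:], known)
        else:
            selected |= group_ports(group, known)
    return sorted(selected)


if __name__ == "__main__":
    known = known_ports(SERVICES_SAMPLE)
    for spec in ("1-1000,8888,known", "1-1024,!known"):
        ports = expand_port_groups(spec, known)
        print(spec, "->", len(ports), "ports")
```
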
  280: .TP
  281: .I -9 --listen signature
  282: HPING2 listen mode. Using this option hping2 waits for packets that contain
  283: .I signature
  284: and dumps from
  285: .I signature
  286: end to packet's end. For example if hping2 --listen TEST reads a packet
  287: that contains
  288: .B 234-09sdflkjs45-TESThello_world
  289: it will display
  290: .BR hello_world .
  291: .SH IP RELATED OPTIONS
  292: .TP
  293: .I -a --spoof hostname
  294: Use this option in order to set a fake IP source address. This option
  295: ensures that the target will not learn your real address. However replies
  296: will be sent to the spoofed address, so you won't be able to see them. In order
  297: to see how it's possible to perform spoofed/idle scanning see the
  298: .BR HPING2-HOWTO .
  299: .TP
  300: .I --rand-source
  301: This option enables the
  302: .BR "random source mode" .
  303: hping will send packets with a random source address. It is interesting
  304: to use this option to stress firewall state tables, and other
  305: per-ip basis dynamic tables inside the TCP/IP stacks and firewall
  306: software.
  307: .TP
  308: .I --rand-dest
  309: This option enables the
  310: .BR "random destination mode" .
  311: hping will send the packets to random addresses obtained following
  312: the rule you specify as the target host. You need to specify
  313: a numerical IP address as target host like
  314: .BR 10.0.0.x .
  315: All the occurrences of
  316: .B x
  317: will be replaced with a random number in the range 0-255. So to obtain
  318: Internet IP addresses in the whole IPv4 space use something like
  319: .BR "hping x.x.x.x --rand-dest" .
  320: If you are not sure about what kind of addresses your rule is generating
  321: try to use the
  322: .B --debug
  323: switch to display every new destination address generated.
  324: When this option is turned on, matching packets will be accepted from all
  325: the destinations.
  326: .br
  327: .BR Warning :
  328: when this option is enabled hping can't detect the right outgoing
  329: interface for the packets, so you should use the
  330: .B --interface
  331: option to select the desired outgoing interface.
  332: .TP
  333: .I -t --ttl time to live
  334: Using this option you can set
  335: .B TTL (time to live)
  336: of outgoing packets, it's likely that you will use this with
  337: .B --traceroute
  338: or
  339: .B --bind
  340: options. If in doubt try
  341: .BR "" "`" "hping2 some.host.com -t 1 --traceroute" "'."
  342: .TP
  343: .I -N --id
  344: Set ip->id field. The default id is random, but if fragmentation is turned on
  345: and id isn't specified it will be
  346: .BR "getpid() & 0xFF" ;
  347: implementing a better solution is on the TODO list.
  348: .TP
  349: .I -H --ipproto
  350: Set the ip protocol in RAW IP mode.
  351: .TP
  352: .I -W --winid
  353: IDs from Windows* systems before Win2k have a different byte ordering. If this
  354: option is enabled
  355: hping2 will properly display id replies from those Windows systems.
  356: .TP
  357: .I -r --rel
  358: Display id increments instead of id. See the
  359: .B HPING2-HOWTO
  360: for more information. Increments aren't computed as id[N]-id[N-1] but
  361: using packet loss compensation. See relid.c for more information.
  362: .TP
  363: .I -f --frag
  364: Split packets into more fragments. This may be useful in order to test
  365: IP stacks fragmentation performance and to test if some
  366: packet filter is so weak that it can be passed using tiny fragments
  367: (anachronistic). Default 'virtual mtu' is 16 bytes. See also the
  368: .I --mtu
  369: option.
  370: .TP
  371: .I -x --morefrag
  372: Set the more fragments IP flag. Use this option if you want the target
  373: host to send an
  374: .BR "ICMP time-exceeded during reassembly" .
  375: .TP
  376: .I -y --dontfrag
  377: Set don't fragment IP flag, this can be used to perform
  378: .BR "MTU path discovery" .
  379: .TP
  380: .I -g --fragoff fragment offset value
  381: Set the fragment offset.
  382: .TP
  383: .I -m --mtu mtu value
  384: Set a 'virtual mtu' different from 16 when fragmentation is enabled. If the
  385: packet size is greater than the 'virtual mtu', fragmentation is automatically
  386: turned on.
  387: .TP
  388: .I -o --tos hex_tos
  389: Set
  390: .BR "Type Of Service (TOS)" ,
  391: for more information try
  392: .BR "--tos help" .
  393: .TP
  394: .I -G --rroute
  395: Record route. Includes the RECORD_ROUTE option in each packet sent and
  396: displays the route buffer of returned packets. Note that the IP header
  397: is only large enough for nine such routes. Many hosts ignore or discard
  398: this option. Also note that using hping you are able to use record route
  399: even if the target host filters ICMP. Record route is an IP option, not
  400: an ICMP option, so you can use record route option even in TCP and UDP
  401: mode.
  402: .SH ICMP RELATED OPTIONS
  403: .TP
  404: .I -C --icmptype type
  405: Set icmp type, default is
  406: .B ICMP echo request
  407: (implies --icmp).
  408: .TP
  409: .I -K --icmpcode code
  410: Set icmp code, default is 0 (implies --icmp).
  411: .TP
  412: .I --icmp-ipver
  413: Set IP version of IP header contained in ICMP data, default is 4.
  414: .TP
  415: .I --icmp-iphlen
  416: Set IP header length of IP header contained in ICMP data, default is 5 (5 words of 32 bits).
  417: .TP
  418: .I --icmp-iplen
  419: Set IP packet length of IP header contained in ICMP data, default is the real
  420: length.
  421: .TP
  422: .I --icmp-ipid
  423: Set IP id of IP header contained in ICMP data, default is random.
  424: .TP
  425: .I --icmp-ipproto
  426: Set IP protocol of IP header contained in ICMP data, default is TCP.
  427: .TP
  428: .I --icmp-cksum
  429: Set ICMP checksum, the default is the valid checksum.
  430: .TP
  431: .I --icmp-ts
  432: Alias for --icmptype 13 (to send ICMP timestamp requests).
  433: .TP
  434: .I --icmp-addr
  435: Alias for --icmptype 17 (to send ICMP address mask requests).
  436: .SH TCP/UDP RELATED OPTIONS
  437: .TP
  438: .I -s --baseport source port
  439: hping2 uses the source port in order to guess the replies' sequence number. It
  440: starts with a base source port number, and increases this number for each
  441: packet sent. When a packet is received the sequence number can be computed as
  442: .IR "replies.dest.port - base.source.port" .
  443: The default base source port is random; using this option you are able to
  444: set a different number. If you need the source port not to be increased for
  445: each sent packet use the
  446: .I -k --keep
  447: option.
  448: .TP
  449: .I -p --destport [+][+]dest port
  450: Set destination port, default is 0. If '+' character precedes dest port
  451: number (i.e. +1024) destination port will be increased for each reply
  452: received. If double '+' precedes dest port number (i.e. ++1024), destination
  453: port will be increased for each packet sent.
  454: By default destination port can be modified interactively using
  455: .BR CTRL+z .
  456: .TP
  457: .I --keep
  458: Keep the source port still, see
  459: .I --baseport
  460: for more information.
  461: .TP
  462: .I -w --win
  463: Set TCP window size. Default is 64.
  464: .TP
  465: .I -O --tcpoff
  466: Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
  467: .TP
  468: .I -M --tcpseq
  469: Set the TCP sequence number.
  470: .TP
  471: .I -L --tcpack
  472: Set the TCP ack.
  473: .TP
  474: .I -Q --seqnum
  475: This option can be used in order to collect sequence numbers generated
  476: by target host. This can be useful when you need to analyze whether
  477: TCP sequence number is predictable. Output example:
  478: 
  479: .B #hping2 win98 --seqnum -p 139 -S -i u1 -I eth0
  480: .nf
  481: HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
  482: 2361294848 +2361294848
  483: 2411626496 +50331648
  484: 2545844224 +134217728
  485: 2713616384 +167772160
  486: 2881388544 +167772160
  487: 3049160704 +167772160
  488: 3216932864 +167772160
  489: 3384705024 +167772160
  490: 3552477184 +167772160
  491: 3720249344 +167772160
  492: 3888021504 +167772160
  493: 4055793664 +167772160
  494: 4223565824 +167772160
  495: .fi
  496: 
  497: The first column reports the sequence number, the second the difference
  498: between the current and the last sequence number. As you can see the target host's sequence
  499: numbers are predictable.
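
Added example (not part of hping2 or its documentation): a Python check that reads `--seqnum` output in the two-column format shown above, recomputes the differences modulo 2^32, and measures how often the previous difference predicts the next one. The sample lines are copied from the page; the function names and the 0.5 threshold are assumptions of this example.

```python
from collections import Counter
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Output lines copied from the --seqnum example in the man page above.
SAMPLE = """\
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
2361294848 +2361294848
2411626496 +50331648
2545844224 +134217728
2713616384 +167772160
2881388544 +167772160
3049160704 +167772160
3216932864 +167772160
3384705024 +167772160
3552477184 +167772160
3720249344 +167772160
3888021504 +167772160
4055793664 +167772160
4223565824 +167772160
"""


def parse_seqnum_output(text):
    """Return [(sequence_number, reported_difference)]; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 2 and parts[0].isdigit()
                and parts[1].startswith("+") and parts[1][1:].isdigit()):
            rows.append((int(parts[0]) % MOD, int(parts[1][1:])))
    return rows


def assess_predictability(text, threshold=0.5):
    """Summarize how regular the collected sequence numbers are.

    The predictor is deliberately naive: it guesses that the next difference
    equals the previous one. A high hit rate means the generator is regular
    enough to need fixing. The threshold is an arbitrary example value.
    """
    rows = parse_seqnum_output(text)
    seqs = [seq for seq, _ in rows]
    diffs = [(b - a) % MOD for a, b in zip(seqs, seqs[1:])]
    if len(diffs) < 2:
        raise ValueError("need at least three sequence numbers")
    # Cross-check the second column (the first row has no predecessor).
    mismatched = [i for i, (row, diff) in enumerate(zip(rows[1:], diffs), start=1)
                  if row[1] % MOD != diff]
    hits = sum(1 for prev, cur in zip(diffs, diffs[1:]) if prev == cur)
    trials = len(diffs) - 1
    common, count = Counter(diffs).most_common(1)[0]
    return {
        "samples": len(seqs),
        "diffs": diffs,
        "mismatched_rows": mismatched,
        "hits": hits,
        "trials": trials,
        "most_common_diff": common,
        "most_common_count": count,
        # A large common divisor means the low bits never change at all.
        "step_gcd": reduce(gcd, diffs),
        "predictable": hits / trials >= threshold,
    }


if __name__ == "__main__":
    report = assess_predictability(SAMPLE)
    print({k: v for k, v in report.items() if k != "diffs"})
```

On the page's sample every difference is a multiple of 2^24, so only the top 8 bits of the sequence number vary between connections.
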
  500: .TP
  501: .I -b --badcksum
  502: Send packets with a bad UDP/TCP checksum.
  503: .TP
  504: .I --tcp-timestamp
  505: Enable the TCP timestamp option, and try to guess the timestamp update
  506: frequency and the remote system uptime.
  507: .TP
  508: .I -F --fin
  509: Set FIN tcp flag.
  510: .TP
  511: .I -S --syn
  512: Set SYN tcp flag.
  513: .TP
  514: .I -R --rst
  515: Set RST tcp flag.
  516: .TP
  517: .I -P --push
  518: Set PUSH tcp flag.
  519: .TP
  520: .I -A --ack
  521: Set ACK tcp flag.
  522: .TP
  523: .I -U --urg
  524: Set URG tcp flag.
  525: .TP
  526: .I -X --xmas
  527: Set Xmas tcp flag.
  528: .TP
  529: .I -Y --ymas
  530: Set Ymas tcp flag.
  531: .SH COMMON OPTIONS
  532: .TP
  533: .I -d --data data size
  534: Set packet body size. Warning, using --data 40 hping2 will not generate
  535: 0 byte packets but protocol_header+40 bytes. hping2 will display
  536: packet size information as first line output, like this:
  537: .B HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
  538: .TP
  539: .I -E --file filename
  540: Use
  541: .B filename
  542: contents to fill packet's data.
  543: .TP
  544: .I -e --sign signature
  545: Fill first
  546: .I signature length
  547: bytes of data with
  548: .IR signature .
  549: If the
  550: .I signature length
  551: is bigger than data size an error message will be displayed.
  552: If you don't specify the data size hping will use the signature
  553: size as data size.
  554: This option can be used safely with
  555: .I --file filename
  556: option, remainder data space will be filled using
  557: .IR filename .
  558: .TP
  559: .I -j --dump
  560: Dump received packets in hex.
  561: .TP
  562: .I -J --print
  563: Dump received packets' printable characters.
  564: .TP
  565: .I -B --safe
  566: Enable safe protocol, using this option lost packets in file transfers
  567: will be resent. For example in order to send file /etc/passwd from host
  568: A to host B you may use the following:
  569: .nf
  570: .I [host_a]
  571: .B # hping2 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
  572: .I [host_b]
  573: .B # hping2 host_a --listen signature --safe --icmp
  574: .fi
  575: .TP
  576: .I -u --end
  577: If you are using the
  578: .I --file filename
  579: option, tells you when EOF has been reached. Moreover it prevents the other end
  580: from accepting more packets. For more information see the
  581: .BR HPING2-HOWTO .
  582: .TP
  583: .I -T --traceroute
  584: Traceroute mode. Using this option hping2 will increase ttl for each
  585: .B ICMP time to live 0 during transit
  586: received. Try
  587: .BR "hping2 host --traceroute" .
  588: This option implies --bind and --ttl 1. You can override the ttl of 1
  589: using the --ttl option. Since 2.0.0 stable it prints RTT information.
  590: .TP
  591: .I --tr-keep-ttl
  592: Keep the TTL fixed in traceroute mode, so you can monitor just one hop
  593: in the route. For example, to monitor how the 5th hop changes or
  594: how its RTT changes you can try
  595: .BR "hping2 host --traceroute --ttl 5 --tr-keep-ttl" .
  596: .TP
  597: .I --tr-stop
  598: If this option is specified hping will exit once the first packet
  599: that isn't an ICMP time exceeded is received. This better emulates
  600: the traceroute behavior.
  601: .TP
  602: .I --tr-no-rtt
  603: Don't show RTT information in traceroute mode. The ICMP time exceeded RTT
  604: information isn't even calculated if this option is set.
  605: .TP
  606: .I --tcpexitcode
  607: Exit with the last received packet's tcp->th_flag as exit code. Useful for scripts
  608: that need, for example, to know if port 999 of some host replies with
  609: SYN/ACK or with RST in response to SYN, i.e. the service is up or down.
  610: .SH TCP OUTPUT FORMAT
  611: The standard TCP output format is the following:
  612: 
  613: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
  614: 
  615: .B len
  616: is the size, in bytes, of the data captured from the data link layer
  617: excluding the data link header size. This may not match the IP datagram
  618: size due to low level transport layer padding.
  619: 
  620: .B ip
  621: is the source ip address.
  622: 
  623: .B flags
  624: are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN,
  625: P for PUSH, U for URGENT, X for non-standard 0x40, Y for non-standard
  626: 0x80.
  627: 
  628: If the reply contains
  629: .B DF
  630: the IP header has the don't fragment bit set.
  631: 
  632: .B seq
  633: is the sequence number of the packet, obtained using the source
  634: port for TCP/UDP packets, the sequence field for ICMP packets.
  635: 
  636: .B id
  637: is the IP ID field.
  638: 
  639: .B win
  640: is the TCP window size.
  641: 
  642: .B rtt
  643: is the round trip time in milliseconds.
  644: 
  645: If you run hping using the
  646: .B -V
  647: command line switch it will display additional information about the
  648: packet, example:
  649: 
  650: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
  651: tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0 
  652: 
  653: .B tos
  654: is the type of service field of the IP header.
  655: 
  656: .B iplen
  657: is the IP total len field.
  658: 
  659: .B seq and ack
  660: are the sequence and acknowledge 32bit numbers in the TCP header.
  661: 
  662: .B sum
  663: is the TCP header checksum value.
  664: 
  665: .B urp
  666: is the TCP urgent pointer value.
  667: 
  668: .SH UDP OUTPUT FORMAT
  669: 
  670: The standard output format is:
  671: 
  672: len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
  673: 
  674: The field meaning is just the same as the TCP output meaning of the
  675: same fields.
  676: 
  677: .SH ICMP OUTPUT FORMAT
  678: 
  679: An example of ICMP output is:
  680: 
  681: ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
  682: 
  683: It is very simple to understand. It starts with the string "ICMP"
  684: followed by the description of the ICMP error, Port Unreachable
  685: in the example. The ip field is the IP source address of the IP
  686: datagram containing the ICMP error, the name field is just the
  687: numerical address resolved to a name (a dns PTR request) or UNKNOWN if the
  688: resolution failed.
  689: 
  690: The ICMP Time exceeded during transit or reassembly format is a bit
  691: different:
  692: 
  693: TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
  694: 
  695: TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN   
  696: 
  697: The only difference is the description of the error, it starts with
  698: TTL 0.
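
Added example (not hping2 code): a Python parser for the TCP, UDP and ICMP reply lines described in the three output-format sections above, including the second line printed with -V, plus a decoder for the `--tcpexitcode` exit status. The sample lines are copied from the page; the function names, the `tcp_seq` key used for the -V line's second `seq`, and treating a `len=` line without `flags=` as UDP are assumptions of this example.

```python
import re

# Letters as listed under TCP OUTPUT FORMAT. F..U use the standard TCP header
# bit values; X and Y are the 0x40 and 0x80 bits named on the page.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "X": 0x40, "Y": 0x80}
INT_FIELDS = {"len", "seq", "ttl", "id", "win", "tos", "iplen", "ack", "urp"}
ICMP_RE = re.compile(r"^(?:ICMP\s+)?(?P<error>.+?) from ip=(?P<ip>\S+) name=(?P<name>\S+)")

# Reply lines copied from the man page sections above.
SAMPLE = """\
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN
"""


def flags_to_mask(letters):
    """Turn a flags= value such as 'RA' into the th_flags bit mask."""
    mask = 0
    for letter in letters:
        if letter not in FLAG_BITS:
            raise ValueError("unknown TCP flag letter: %r" % letter)
        mask |= FLAG_BITS[letter]
    return mask


def mask_to_flags(mask):
    """Inverse of flags_to_mask, e.g. 0x12 -> 'SA'."""
    return "".join(letter for letter, bit in FLAG_BITS.items() if mask & bit)


def _fields(line):
    """Split 'key=value' tokens; a bare DF token marks the don't fragment bit."""
    rec = {}
    for token in line.split():
        if token == "DF":
            rec["df"] = True
        elif "=" in token:
            key, value = token.split("=", 1)
            if key in INT_FIELDS and value.lstrip("+-").isdigit():
                value = int(value)
            elif key == "rtt":
                value = float(value)      # the unit 'ms' is a separate token
            rec[key] = value              # sum= stays a hex string
    return rec


def parse_output(text):
    """Return one dict per reply; banner and unrelated lines are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("len="):
            rec = {"df": False, **_fields(line)}
            rec["kind"] = "tcp" if "flags" in rec else "udp"
            if "flags" in rec:
                rec["flag_mask"] = flags_to_mask(rec["flags"])
            records.append(rec)
        elif line.startswith("tos=") and records and records[-1]["kind"] == "tcp":
            extra = _fields(line)         # -V line: its seq is the TCP header field
            extra["tcp_seq"] = extra.pop("seq", None)
            records[-1].update(extra)
        elif line.startswith(("ICMP ", "TTL 0 ")):
            match = ICMP_RE.match(line)
            if match:
                records.append({"kind": "icmp", **match.groupdict()})
    return records


def service_state_from_exit_code(code):
    """--tcpexitcode: the exit status is th_flags of the last received packet."""
    flags = code & 0xFF
    if flags & FLAG_BITS["S"] and flags & FLAG_BITS["A"]:
        return "up"                       # SYN/ACK in response to SYN
    if flags & FLAG_BITS["R"]:
        return "down"                     # RST in response to SYN
    return "unknown"
```
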
  699: 
  700: .SH AUTHOR
  701: Salvatore Sanfilippo <antirez@invece.org>, with the help of the people mentioned in AUTHORS file and at http://www.hping.org/authors.html
  702: .SH BUGS
  703: Even using the --end and --safe options to transfer files the final packet
  704: will be padded with 0x00 bytes.
  705: .PP
  706: Data is read without care about alignment, but alignment is enforced
  707: in the data structures.
  708: This will not be a problem under i386 but, while usually the TCP/IP
  709: headers are naturally aligned, may create problems with different
  710: processors and bogus packets if there is some unaligned access around
  711: the code (hopefully none).
  712: .PP
  713: On Solaris hping does not work on the loopback interface. This seems to be
  714: a Solaris problem, as stated in the tcpdump-workers mailing list,
  715: so libpcap can't do anything to handle it properly.
  716: .SH SEE ALSO
  717: ping(8), traceroute(8), ifconfig(8), nmap(1)
