hping3 [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ] [ --fast ] [ -I interface ] [ -9 signature ] [ -a host ] [ -t ttl ] [ -N ip id ] [ -H ip protocol ] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C icmp type ] [ -K icmp code ] [ -s source port ] [ -p[+][+] dest port ] [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence number ] [ -L tcp ack ] [ -d data size ] [ -E filename ] [ -e signature ] [ --icmp-ipver version ] [ --icmp-iphlen length ] [ --icmp-iplen length ] [ --icmp-ipid id ] [ --icmp-ipproto protocol ] [ --icmp-cksum checksum ] [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-mss ] [ --tcp-timestamp ] [ --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-source ] [ --beep ] hostname
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able to perform at least the following stuff:
- Test firewall rules - Advanced port scanning - Test net performance using different protocols, packet size, TOS (type of service) and fragmentation. - Path MTU discovery - Transferring files between even really fascist firewall rules. - Traceroute-like under different protocols. - Firewalk-like usage. - Remote OS fingerprinting. - TCP/IP stack auditing. - A lot of others.
It's also a good didactic tool to learn TCP/IP. hping3 is developed and maintained by firstname.lastname@example.org and is licensed under GPL version 2. Development is open so you can send me patches, suggestion and affronts without inhibitions.
primary site at http://www.hping.org. You can found both the stable release and the instruction to download the latest source code at http://www.hping.org/download.html
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
Default protocol is TCP, by default hping3 will send tcp headers to target host's port 0 with a winsize of 64 without any tcp flag on. Often this is the best way to do an 'hide ping', useful when target is behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability of not being logged.
#hping3 win98 --seqnum -p 139 -S -i u1 -I eth0
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes 2361294848 +2361294848 2411626496 +50331648 2545844224 +134217728 2713616384 +167772160 2881388544 +167772160 3049160704 +167772160 3216932864 +167772160 3384705024 +167772160 3552477184 +167772160 3720249344 +167772160 3888021504 +167772160 4055793664 +167772160 4223565824 +167772160
The first column reports the sequence number, the second difference between current and last sequence number. As you can see target host's sequence numbers are predictable.
[host_a] # hping3 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd [host_b] # hping3 host_a --listen signature --safe --icmp
The standard TCP output format is the following:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size due to low level transport layer padding.
ip is the source ip address.
flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80.
If the reply contains DF the IP header has the don't fragment bit set.
seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
id is the IP ID field.
win is the TCP window size.
rtt is the round trip time in milliseconds.
If you run hping using the -V command line switch it will display additional information about the packet, example:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
tos is the type of service field of the IP header.
iplen is the IP total len field.
seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.
sum is the TCP header checksum value.
urp is the TCP urgent pointer value.
The standard output format is:
len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
The field meaning is just the same as the TCP output meaning of the same fields.
An example of ICMP output is:
ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP error, Port Unreachable in the example. The ip field is the IP source address of the IP datagram containing the ICMP error, the name field is just the numerical address resolved to a name (a dns PTR request) or UNKNOWN if the resolution failed.
The ICMP Time exceeded during transit or reassembly format is a bit different:
TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
TTL 0 during reassembly from ip=220.127.116.11 name=UNKNOWN
The only difference is the description of the error, it starts with TTL 0.
Salvatore Sanfilippo <email@example.com>, with the help of the people mentioned in AUTHORS file and at http://www.hping.org/authors.html
Even using the --end and --safe options to transfer files the final packet will be padded with 0x00 bytes.
Data is read without care about alignment, but alignment is enforced in the data structures. This will not be a problem under i386 but, while usually the TCP/IP headers are naturally aligned, may create problems with different processors and bogus packets if there is some unaligned access around the code (hopefully none).
On solaris hping does not work on the loopback interface. This seems a solaris problem, as stated in the tcpdump-workers mailing list, so the libpcap can't do nothing to handle it properly.
ping(8), traceroute(8), ifconfig(8), nmap(1)