hping

View documentation for the original command

$ tldr hping3

hping3 [options] [<target host>[:<port>]]

-c, --count <number>
    Stop after sending <number> packets.

-d, --data <size>
    Set packet body size (0 to 1024).

-s, --baseport <port>
    Set source port (default 0).

-p, --destport [+][<port>]
    Set destination port.

-w, --win <size>
    Set TCP window size.

-S
    Set SYN flag (TCP).

-A
    Set ACK flag (TCP).

-R
    Set TCP RST flag.

-F
    Set TCP FIN flag.

-P, --push
    Set TCP PSH flag.

-U
    Set TCP URG flag.

-1
    ICMP mode (ping-like).

-2
    UDP mode.

-9
    ICMP NETMASK request.

-8
    ICMP timestamp mode.

-5, --traceroute
    Traceroute mode (ICMP/UDP).

-i, --icmp <type:code>
    Set ICMP type and code.

-O, --tos <tos>
    Set IP TOS field.

-Q, --seq <seqnumber>
    Set sequence number.

-E, --file <file>
    Use data from file for packet body.

--flood
    Send packets as fast as possible.

-V, --verbose
    Enable verbose output.

-9, --listen
    Listen mode (receiver).

-b, --bind <if>
    Bind to specific interface.

-t, --ttl <ttl>
    Set IP TTL.

-m, --im <size>
    Set maximum packet size.

-g, --fragindex <index>
    Fragment offset (for fragmentation).

-x, --id <id>
    Set IP ID field.

-H, --ip <offset>
    Edit IP header at offset.

-N, --tcp-timestamp
    Set TCP timestamp option.

hping3 is a powerful command-line tool for generating and analyzing custom TCP/IP packets. It assembles packets with precise control over headers, payload, and protocols, then captures and displays target replies. Unlike ping, it supports TCP, UDP, ICMP, raw-IP, and more advanced features like fragmentation, idle scans, and protocol fingerprinting.

Primarily used for network security testing, firewall/IDS evasion, port scanning, and DoS simulation. It features a Tcl-based scripting engine for automation. Operates in normal, optimized, or fingerprint modes. Requires root for raw sockets to craft packets below IP level. Ideal for penetration testing and diagnostics, but demands caution to avoid network abuse.

Key capabilities include setting arbitrary TCP flags (SYN, ACK, FIN), sequence numbers, window sizes, IP options, and data patterns. Supports keepalive, flood modes, and ICMP-specific requests like traceroute or timestamp.

Requires root privileges for raw sockets. Can cause network disruption or be detected as attack traffic. Not for production without permission; potential for DoS or legal issues.

SYN scan: hping3 -S -c 5 -p 80 target
UDP flood: hping3 --flood --udp -p 53 target
ICMP ping: hping3 -1 -c 3 target

Default: TCP. Use -1 ICMP, -2 UDP, -0 raw-IP, --rawip for custom protocols.

Supports Tcl scripts: hping3 --script script.tcl target

Developed by Salvatore Sanfilippo (antirez) in 1997 as hping. hping2 added TCP support. hping3 (2005) introduced IPv6, fragmentation, scripting via Tcl, and Linux kernel optimizations. Maintained sporadically; widely used in security tools.

ping(8), tcpdump(8), nmap(1), netcat(1), scapy