hping

View documentation for the original command

$ tldr hping3

hping3 [mode] [options] host

Common Modes:
(default) TCP mode
-0, --rawip RAW IP mode
-1, --icmp ICMP mode
-2, --udp UDP mode

Example Invocation:
hping3 -S -p 80 www.example.com
hping3 --icmp --count 5 google.com

-c
    Stop after sending packets.

-i
    Set interval between packets to milliseconds (default is 1 second). Use 'u' for microseconds (e.g., -i u1000).

-p , --destport
    Set destination port (default 0). Can be a specific port or ++ to increment for each packet (e.g., -p ++80).

-s , --baseport
    Set source port (default random). Use ++ to increment for each packet.

-S, --syn
    Set TCP SYN flag.

-A, --ack
    Set TCP ACK flag.

-F, --fin
    Set TCP FIN flag.

-P, --push
    Set TCP PSH flag.

-U, --urg
    Set TCP URG flag.

-R, --rst
    Set TCP RST flag.

-d , --data
    Set packet data size (payload size) in bytes. Default is 0.

-E , --file
    Use as data (payload).

-I , --interface
    Specify network interface (e.g., eth0, wlan0).

-V, --verbose
    Verbose mode. Show more information about sent and received packets.

-q, --quiet
    Quiet mode. Show only the summary.

-T , --ttl
    Set IP TTL (Time To Live).

--traceroute
    Traceroute mode. Increment TTL for each packet to discover hops.

--rand-source, --rand-dest
    Use random source or destination IP addresses (only for RAW IP mode).

--flood
    Send packets as fast as possible, without showing replies. Can be used for DoS attacks.

-k, --keep
    Keep original source address, do not change it based on routing table (requires root).

hping is a free packet generator and analyzer for the TCP/IP protocol. It's a command-line oriented ping program, but unlike the standard ping utility, hping can send custom ICMP, UDP, TCP, and RAW-IP packets. This versatility makes it an invaluable tool for network security professionals, system administrators, and developers.

It's widely used for testing firewalls, performing port scanning (similar to nmap but with more granular control), network troubleshooting, analyzing network protocols, performing DoS attacks (for testing purposes), and even for OS fingerprinting. hping allows users to specify nearly every aspect of the packet, including source and destination IP addresses, ports, TCP flags (SYN, ACK, PSH, URG, RST, FIN), sequence numbers, TTL, and payload data. It can also act as a simple traceroute, scan ranges of ports, and measure network latency. The current stable version is hping3.

Using hping for packet crafting and sending requires root privileges on most Linux systems, as it needs access to raw network sockets.

Care should be taken when using options like --flood or hping against systems you do not own or have permission to test, as it can be used for denial-of-service (DoS) attacks or be perceived as hostile network activity. Always ensure you have explicit authorization before scanning or testing any network or system.

While powerful, hping can be complex for beginners due to the vast number of options and the intricacies of TCP/IP protocols.

Firewall Testing: Determine which ports are open or closed, and how a firewall reacts to different TCP flags (e.g., SYN, ACK, RST packets).
Port Scanning: Efficiently scan a range of ports on a target host to identify open services.
Network Troubleshooting: Diagnose network connectivity issues, measure latency, and test network performance.
OS Fingerprinting: By observing how a target responds to specific packet combinations, one can often infer the operating system.
DoS Simulation: Test the resilience of a server to a flood of packets (only with explicit permission).

1. Basic SYN Scan (Port 80):
hping3 -S -p 80 example.com

Sends SYN packets to port 80 of example.com. If a SYN/ACK is received, the port is open.

2. ICMP Echo Request (like ping):
hping3 -1 example.com

Sends ICMP echo requests and displays replies.

3. UDP Port Scan (Port 53):
hping3 -2 -p 53 example.com

Sends UDP packets to port 53. If no ICMP Port Unreachable is received, the port might be open.

4. Traceroute Mode:
hping3 --traceroute -p 80 example.com

Performs a traceroute by incrementing the TTL and sending TCP SYN packets to port 80.

5. Sending Custom Data:
hping3 -d 100 -E my_data.txt --tcp-timestamp example.com

Sends 100 bytes of data from 'my_data.txt' with TCP timestamps enabled.

hping was originally created by Salvatore Sanfilippo, also known as 'Antirez', a renowned Italian programmer. The first version, hping1, was released in 1998, followed by hping2 and the current stable version, hping3.

It was designed as a low-level packet generator and analyzer, extending the capabilities of the basic ping utility by allowing users to craft custom TCP/IP packets. Its development focused on providing a versatile tool for network security research, penetration testing, and general network diagnostics, quickly becoming a staple in many security toolkits.

ping(8), nmap(1), netcat(1), tcpdump(1), traceroute(8)