man hping3 Command

Man page for apt-get hping3 Command

Man Page for hping3 in Linux

Ubuntu Man Command : man hping3

Man Hping3  Command

This tutorial shows the man page for man hping3 in linux.

Open terminal with 'su' access and type the command as shown below:
man hping3

Result of the Command Execution shown below:

HPING3(8)                                                                                                                                                  HPING3(8)

hping3 send (almost) arbitrary TCP/IP packets to network hosts

hping3 [ hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ c count ] [ i wait ] [ fast ] [ I interface ] [ 9 signature ] [ a host ] [ t ttl ] [ N ip id ] [ H
ip protocol ] [ g fragoff ] [ m mtu ] [ o tos ] [ C icmp type ] [ K icmp code ] [ s source port ] [ p[+][+] dest port ] [ w tcp window ] [ O tcp
offset ] [ M tcp sequence number ] [ L tcp ack ] [ d data size ] [ E filename ] [ e signature ] [ icmp ipver version ] [ icmp iphlen length ] [
icmp iplen length ] [ icmp ipid id ] [ icmp ipproto protocol ] [ icmp cksum checksum ] [ icmp ts ] [ icmp addr ] [ tcpexitcode ] [ tcp mss ]
[ tcp timestamp ] [ tr stop ] [ tr keep ttl ] [ tr no rtt ] [ rand dest ] [ rand source ] [ beep ] hostname

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handle fragmenta Äê
tion, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able to perform
at least the following stuff:

Test firewall rules
Advanced port scanning
Test net performance using different protocols,
packet size, TOS (type of service) and fragmentation.
Path MTU discovery
Transferring files between even really fascist firewall
Traceroute like under different protocols.
Firewalk like usage.
Remote OS fingerprinting.
TCP/IP stack auditing.
A lot of others.

It's also a good didactic tool to learn TCP/IP. hping3 is developed and maintained by and is licensed under GPL version 2. Development is
open so you can send me patches, suggestion and affronts without inhibitions.

primary site at You can found both the stable release and the instruction to download the latest source code at

h help
Show an help screen on standard output, so you can pipe to less.

v version
Show version information and API used to access to data link layer, linux sock packet or libpcap.

c count count
Stop after sending (and receiving) count response packets. After last packet was send hping3 wait COUNTREACHED_TIMEOUT seconds target host replies.
You are able to tune COUNTREACHED_TIMEOUT editing hping2.h

i interval
Wait the specified number of seconds or micro seconds between sending each packet. interval X set wait to X seconds, interval uX set wait to X
micro seconds. The default is to wait one second between each packet. Using hping3 to transfer files tune this option is really important in order to
increase transfer rate. Even using hping3 to perform idle/spoofing scanning you should tune this option, see HPING3 HOWTO for more information.

fast Alias for i u10000. Hping will send 10 packets for second.

Alias for i u1. Faster then fast ;) (but not as fast as your computer can send packets due to the signal driven design).

Sent packets as fast as possible, without taking care to show incoming replies. This is ways faster than to specify the i u0 option.

n numeric
Numeric output only, No attempt will be made to lookup symbolic names for host addresses.

q quiet
Quiet output. Nothing is displayed except the summary lines at startup time and when finished.

I interface interface name
By default on linux and BSD systems hping3 uses default routing interface. In other systems or when there is no default route hping3 uses the first
non loopback interface. However you are able to force hping3 to use the interface you need using this option. Note: you don't need to specify the
whole name, for example I et will match eth0 ethernet0 myet1 et cetera. If no interfaces match hping3 will try to use lo.

V verbose
Enable verbose output. TCP replies will be shown as follows:

len=46 ip= flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0

D debug
Enable debug mode, it's useful when you experience some problem with hping3. When debug mode is enabled you will get more information about interface
detection, data link layer access, interface settings, options parsing, fragmentation, HCMP protocol and other stuff.

z bind
Bind CTRL+Z to time to live (TTL) so you will able to increment/decrement ttl of outgoing packets pressing CTRL+Z once or twice.

Z unbind
Unbind CTRL+Z so you will able to stop hping3.

beep Beep for every matching received packet (but not for ICMP errors).

Default protocol is TCP, by default hping3 will send tcp headers to target host's port 0 with a winsize of 64 without any tcp flag on. Often this is the best
way to do an 'hide ping', useful when target is behind a firewall that drop ICMP. Moreover a tcp null flag to port 0 has a good probability of not being

0 rawip
RAW IP mode, in this mode hping3 will send IP header with data appended with signature and/or file, see also ipproto that allows you to set the
ip protocol field.

1 icmp
ICMP mode, by default hping3 will send ICMP echo request, you can set other ICMP type/code using icmptype icmpcode options.

2 udp
UDP mode, by default hping3 will send udp to target host's port 0. UDP header tunable options are the following: baseport, destport, keep.

8 scan
Scan mode, the option expects an argument that describes groups of ports to scan. port groups are comma separated: a number describes just a single
port, so 1,2,3 means port 1, 2 and 3. ranges are specified using a start end notation, like 1 1000, that tell hping to scan ports between 1 and 1000
(included). the special word all is an alias for 0 65535, while the special word known includes all the ports listed in /etc/services.
Groups can be combined, so the following command line will scan ports between 1 and 1000 AND port 8888 AND ports listed in /etc/services: hping scan
1 1000,8888,known S
Groups can be negated (subtracted) using a ! character as prefix, so the following command line will scan all the ports NOT listed in /etc/services in
the range 1 1024: hping scan '1 1024,!known' S
Keep in mind that while hping seems much more like a port scanner in this mode, most of the hping switches are still honored, so for example to per Äê
form a SYN scan you need to specify the S option, you can change the TCP windows size, TTL, control the IP fragmentation as usually, and so on. The
only real difference is that the standard hping behaviors are encapsulated into a scanning algorithm.
Tech note: The scan mode uses a two processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but already
quite fast.
Hint: unlike most scanners, hping shows some interesting info about received packets, the IP ID, TCP win, TTL, and so on, don't forget to look at this
additional information when you perform a scan! Sometimes they shows interesting details.

9 listen signature
HPING3 listen mode, using this option hping3 waits for packet that contain signature and dump from signature end to packet's end. For example if
hping3 listen TEST reads a packet that contain 234 09sdflkjs45 TESThello_world it will display hello_world.

a spoof hostname
Use this option in order to set a fake IP source address, this option ensures that target will not gain your real address. However replies will be
sent to spoofed address, so you will can't see them. In order to see how it's possible to perform spoofed/idle scanning see the HPING3 HOWTO.

rand source
This option enables the random source mode. hping will send packets with random source address. It is interesting to use this option to stress fire Äê
wall state tables, and other per ip basis dynamic tables inside the TCP/IP stacks and firewall software.

rand dest
This option enables the random destination mode. hping will send the packets to random addresses obtained following the rule you specify as the tar Äê
get host. You need to specify a numerical IP address as target host like 10.0.0.x. All the occurrences of x will be replaced with a random number in
the range 0 255. So to obtain Internet IP addresses in the whole IPv4 space use something like hping x.x.x.x rand dest. If you are not sure about
what kind of addresses your rule is generating try to use the debug switch to display every new destination address generated. When this option is
turned on, matching packets will be accept from all the destinations.
Warning: when this option is enabled hping can't detect the right outgoing interface for the packets, so you should use the interface option to
select the desired outgoing interface.

t ttl time to live
Using this option you can set TTL (time to live) of outgoing packets, it's likely that you will use this with traceroute or bind options. If in
doubt try `hping3 t 1 traceroute'.

N id
Set ip >id field. Default id is random but if fragmentation is turned on and id isn't specified it will be getpid() & 0xFFFF, to implement a better
solution is in TODO list.

H ipproto
Set the ip protocol in RAW IP mode.

W winid
id from Windows* systems before Win2k has different byte ordering, if this option is enable hping3 will properly display id replies from those Win Äê

r rel
Display id increments instead of id. See the HPING3 HOWTO for more information. Increments aren't computed as id[N] id[N 1] but using packet loss com Äê
pensation. See relid.c for more information.

f frag
Split packets in more fragments, this may be useful in order to test IP stacks fragmentation performance and to test if some packet filter is so weak
that can be passed using tiny fragments (anachronistic). Default 'virtual mtu' is 16 bytes. see also mtu option.

x morefrag
Set more fragments IP flag, use this option if you want that target host send an ICMP time exceeded during reassembly.

y dontfrag
Set don't fragment IP flag, this can be used to perform MTU path discovery.

g fragoff fragment offset value
Set the fragment offset.

m mtu mtu value
Set different 'virtual mtu' than 16 when fragmentation is enabled. If packets size is greater that 'virtual mtu' fragmentation is automatically turned

o tos hex_tos
Set Type Of Service (TOS), for more information try tos help.

G rroute
Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note that the IP header is only
large enough for nine such routes. Many hosts ignore or discard this option. Also note that using hping you are able to use record route even if tar Äê
get host filter ICMP. Record route is an IP option, not an ICMP option, so you can use record route option even in TCP and UDP mode.

C icmptype type
Set icmp type, default is ICMP echo request (implies icmp).

K icmpcode code
Set icmp code, default is 0 (implies icmp).

icmp ipver
Set IP version of IP header contained into ICMP data, default is 4.

icmp iphlen
Set IP header length of IP header contained into ICMP data, default is 5 (5 words of 32 bits).

icmp iplen
Set IP packet length of IP header contained into ICMP data, default is the real length.

icmp ipid
Set IP id of IP header contained into ICMP data, default is random.

icmp ipproto
Set IP protocol of IP header contained into ICMP data, default is TCP.

icmp cksum
Set ICMP checksum, for default is the valid checksum.

icmp ts
Alias for icmptype 13 (to send ICMP timestamp requests).

icmp addr
Alias for icmptype 17 (to send ICMP address mask requests).

s baseport source port
hping3 uses source port in order to guess replies sequence number. It starts with a base source port number, and increase this number for each packet
sent. When packet is received sequence number can be computed as replies.dest.port base.source.port. Default base source port is random, using this
option you are able to set different number. If you need that source port not be increased for each sent packet use the k keep option.

p destport [+][+]dest port
Set destination port, default is 0. If '+' character precedes dest port number (i.e. +1024) destination port will be increased for each reply
received. If double '+' precedes dest port number (i.e. ++1024), destination port will be increased for each packet sent. By default destination port
can be modified interactively using CTRL+z.

keep keep still source port, see baseport for more information.

w win
Set TCP window size. Default is 64.

O tcpoff
Set fake tcp data offset. Normal data offset is tcphdrlen / 4.

M tcpseq
Set the TCP sequence number.

L tcpack
Set the TCP ack.

Q seqnum
This option can be used in order to collect sequence numbers generated by target host. This can be useful when you need to analyze whether TCP
sequence number is predictable. Output example:

Related Topics

Apt Get Commands