

Hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies, as ping does with ICMP replies. Hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols.

Hping3 can be used, among other things, to:

  • Test firewall rules,
  • [spoofed] port scanning,
  • Test network performance using different protocols, packet sizes, TOS (type of service) and fragmentation,
  • Path MTU discovery,
  • Transferring files even between really fascist firewall rules,
  • Traceroute-like tracing under different protocols,
  • Firewalk-like usage,
  • Remote OS fingerprinting,
  • TCP/IP stack auditing

It's also a really good didactic tool to learn TCP/IP.


$ sudo apt-get install hping3


Basic syntax

$ hping3 host [options]


Notice that new options (from v2) appear in yellow.


Note that if no mode is specified, the default mode is TCP.
-0, --rawip
RAW IP mode
-1, --icmp
ICMP mode
-2, --udp
UDP mode
-8, --scan
SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9, --listen
listen mode


-a, --spoof
spoof source address
random destination address mode. see the man.
random source address mode. see the man.
-t --ttl
ttl (default 64)
-N --id
id (default random)
-W --winid
use win* id byte ordering
-r --rel
relativize id field
(to estimate host traffic)
-f --frag
split packets in more frag.
(may pass weak acl)
-x --morefrag
set more fragments flag
-y --dontfrag
set don't fragment flag
-g --fragoff
set the fragment offset
-m --mtu
set virtual mtu, implies --frag if packet size > mtu
-o --tos
type of service (default 0x00), try --tos help
-G --rroute
includes RECORD_ROUTE option and display the route buffer
loose source routing and record route
strict source routing and record route
-H --ipproto
set the IP protocol field, only in RAW IP mode


-C --icmptype
icmp type (default echo request)
-K --icmpcode
icmp code (default 0)
send all icmp types (default send only supported types)
set gateway address for ICMP redirect (default
Alias for --icmp --icmptype 13 (ICMP timestamp)
Alias for --icmp --icmptype 17 (ICMP address subnet mask)
display help for other icmp options


-s --baseport
base source port (default random)
-p --destport [+][+]<port>
destination port (default 0), ctrl+z inc/dec
-k --keep
keep still source port
-w --win
winsize (default 64)
-O --tcpoff
set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum
shows only tcp sequence number
-b --badcksum
(try to) send packets with a bad IP checksum. Many systems will fix the IP checksum when sending the packet, so you'll get a bad UDP/TCP checksum instead.
-M --setseq
set TCP sequence number
-L --setack
set TCP ack
-F --fin
set FIN flag
-S --syn
set SYN flag
-R --rst
set RST flag
-P --push
set PUSH flag
-A --ack
set ACK flag
-U --urg
set URG flag
-X --xmas
set X unused flag (0x40)
-Y --ymas
set Y unused flag (0x80)
use last tcp->th_flags as exit code
enable the TCP timestamp option to guess the HZ/uptime


-d --data
data size (default is 0)
-E --file
data from file
-e --sign
add 'signature'
-j --dump
dump packets in hex
-J --print
dump printable characters
-B --safe
enable 'safe' protocol
-u --end
tell you when --file reached EOF and prevent rewind
-T --traceroute
traceroute mode (implies --bind and --ttl 1)
Exit when the first non-ICMP packet is received in traceroute mode
Keep the source TTL fixed, useful to monitor just one hop
Don't calculate/show RTT information in traceroute mode

ARS packet description (new, unstable)

Send the packet described with APD (see docs/APD.txt)

Other options

-h --help
show help
-v --version
show version
-c --count
packet count
-i --interval
wait (uX for X microseconds, for example -i u1000)
alias for -i u10000 (10 packets per second)
alias for -i u1000 (100 packets per second)
send packets as fast as possible. Don't show replies.
-n --numeric
numeric output
-q --quiet
-I --interface
interface name (otherwise default routing interface)
-V --verbose
verbose mode
-D --debug
debugging info
-z --bind
bind ctrl+z to ttl (default to dst port)
-Z --unbind
unbind ctrl+z
beep for every matching packet received


Open port

The following command checks the status of port 22/tcp with a TCP SYN scan. The flags=SA (SYN/ACK) reply shows that the port is open:

$ sudo hping3 -c 1 -I wlan0 -S -p 22
HPING (wlan0 S set, 40 headers + 0 data bytes
len=46 ip= ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840 rtt=1.9 ms

--- hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.9/1.9/1.9 ms

Closed port

The following command sends a TCP SYN packet to port 81/tcp on host

$ sudo hping3 -c 1 -I wlan0 -S -p 81
HPING (wlan0 S set, 40 headers + 0 data bytes
len=46 ip= ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=2.4 ms

--- hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.4/2.4/2.4 ms

Scan mode

$ sudo hping3 -I wlan0 -S --scan 20,21,22,80,8080 -V
using wlan0, addr:, MTU: 1500
Scanning (, port 20,21,22,80,8080
5 ports to scan, use -V to see all the replies
|port| serv name |  flags  |ttl| id  | win | len |
   20 ftp-data   : ..R.A...  64     0     0    46
   21 ftp        : ..R.A...  64     0     0    46
   22 ssh        : .S..A...  64     0  5840    46
   80 www        : .S..A...  64     0  5840    46
 8080 http-alt   : .S..A...  64     0  5840    46
All replies received. Done.
Not responding ports:
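
To use scan-mode output for the "test firewall rules" case, the rows can be classified by their flags column and compared with the ports the firewall is supposed to expose. The script below is an added example, not part of the original page or of hping3; the function names and the allow-list "22 80 443" are assumptions, and the sample rows are copied from the output above.

```shell
#!/bin/sh
# Added example: audit hping3 --scan output against an allow-list of ports.

# classify_scan: read scan-mode output on stdin, print "<port> <state>" per row.
classify_scan() {
    awk '
        /^ *[0-9]+ .*:/ {
            port = $1
            # Everything after the first ":" is: flags ttl id win len
            n = split(substr($0, index($0, ":") + 1), f, " ")
            flags = f[1]
            # Skip lines that merely resemble a row (banner, summary text).
            if (n < 5 || length(flags) != 8 || flags !~ /^[.FSRPAUXY]+$/) next
            if (index(flags, "S") && index(flags, "A")) state = "open"    # SYN/ACK
            else if (index(flags, "R"))                 state = "closed"  # RST
            else                                        state = "other"
            print port, state
        }'
}

# audit_scan "<allowed ports>": report open ports that are not on the
# allow-list, and allow-listed ports that did not answer with SYN/ACK.
audit_scan() {
    classify_scan | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { seen[$1] = $2 }
        $2 == "open" && !($1 in ok) { print "UNEXPECTED-OPEN", $1 }
        END { for (i = 1; i <= n; i++) if (seen[a[i]] != "open") print "NOT-OPEN", a[i] }'
}

# Sample input: rows copied from the scan-mode output shown on this page.
sample_scan() {
    cat <<'EOF'
|port| serv name |  flags  |ttl| id  | win | len |
   20 ftp-data   : ..R.A...  64     0     0    46
   21 ftp        : ..R.A...  64     0     0    46
   22 ssh        : .S..A...  64     0  5840    46
   80 www        : .S..A...  64     0  5840    46
 8080 http-alt   : .S..A...  64     0  5840    46
All replies received. Done.
EOF
}

# Allow-list is a constructed policy for the demonstration.
sample_scan | audit_scan "22 80 443"
```

Ports listed under "Not responding ports:" produce no table row, so an allow-listed port that is filtered shows up as NOT-OPEN, the same as one that is closed.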

