Nping


Description

Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more.

Installation

Backtrack

Backtrack 5 R2 already comes with nping 0.5.61TEST4 installed, in /usr/local/bin.

From scratch

Nping is part of nmap. To install it, run the following commands:

$ cd ~/src/
$ wget http://nmap.org/dist/nmap-6.01.tar.bz2
$ bzip2 -cd nmap-6.01.tar.bz2 | tar xf -
$ cd nmap-6.01/
$ ./configure
$ make
$ sudo make install

Usage

Syntax

nping [Probe mode] [Options] {target specification}

Options

Target Specification

Targets may be specified as hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

Probe modes

--tcp-connect
Unprivileged TCP connect probe mode.
--tcp
TCP probe mode.
--udp
UDP probe mode.
--icmp
ICMP probe mode.
--arp
ARP/RARP probe mode.
--tr, --traceroute
Traceroute mode (can only be used with TCP/UDP/ICMP modes).

TCP CONNECT mode

-p, --dest-port <port spec>
Set destination port(s).
-g, --source-port <portnumber>
Try to use a custom source port.

TCP Probe mode

-g, --source-port <portnumber>
Set source port.
-p, --dest-port <port spec>
Set destination port(s).
--seq <seqnumber>
Set sequence number.
--flags <flag list>
Set TCP flags (ACK,PSH,RST,SYN,FIN...)
--ack <acknumber>
Set ACK number.
--win <size>
Set window size.
--badsum
Use a random invalid checksum.

UDP Probe mode

-g, --source-port <portnumber>
Set source port.
-p, --dest-port <port spec>
Set destination port(s).
--badsum
Use a random invalid checksum.

ICMP Probe mode

--icmp-type <type>
ICMP type.
--icmp-code <code>
ICMP code.
--icmp-id <id>
Set identifier.
--icmp-seq <n>
Set sequence number.
--icmp-redirect-addr <addr>
Set redirect address.
--icmp-param-pointer <pnt>
Set parameter problem pointer.
--icmp-advert-lifetime
Set router advertisement lifetime.
--icmp-advert-entry <IP,pref>
Add router advertisement entry.
--icmp-orig-time <timestamp>
Set originate timestamp.
--icmp-recv-time <timestamp>
Set receive timestamp.
--icmp-trans-time <timestamp>
Set transmit timestamp.

ARP/RARP Probe mode

--arp-type <type>
Type: ARP, ARP-reply, RARP, RARP-reply.
--arp-sender-mac <mac>
Set sender MAC address.
--arp-sender-ip <addr>
Set sender IP address.
--arp-target-mac <mac>
Set target MAC address.
--arp-target-ip <addr>
Set target IP address.

IPv4 options

-S, --source-ip
Set source IP address.
--dest-ip <addr>
Set destination IP address (used as an alternative to {target specification}).
--tos <tos>
Set type of service field (8bits).
--id <id>
Set identification field (16 bits).
--df
Set Don't Fragment flag.
--mf
Set More Fragments flag.
--ttl <hops>
Set time to live [0-255].
--badsum-ip
Use a random invalid checksum.
--ip-options <S|R [route]|L [route]|T|U ...>
Set IP options
--ip-options <hex string>
Set IP options
--mtu <size>
Set MTU. Packets get fragmented if MTU is small enough.

IPv6 Options

-6, --IPv6
Use IP version 6.
--dest-ip
Set destination IP address (used as an alternative to {target specification}).
--hop-limit
Set hop limit (same as IPv4 TTL).
--traffic-class <class>
Set traffic class.
--flow <label>
Set flow label.

Ethernet Options

--dest-mac <mac>
Set destination mac address. (Disables ARP resolution)
--source-mac <mac>
Set source MAC address.
--ether-type <type>
Set EtherType value.

Payloads Options

--data <hex string>
Include a custom payload.
--data-string <text>
Include a custom ASCII text.
--data-length <len>
Include len random bytes as payload.

Echo Client/Server

--echo-client <passphrase>
Run Nping in client mode.
--echo-server <passphrase>
Run Nping in server mode.
--echo-port <port>
Use custom <port> to listen or connect.
--no-crypto
Disable encryption and authentication.
--once
Stop the server after one connection.
--safe-payloads
Erase application data in echoed packets.

Timing and Performance

Options which take

--delay
Adjust delay between probes.
--rate <rate>
Send <rate> packets per second.

Miscellaneous

-h, --help
Display help information.
-V, --version
Display current version number.
-c, --count <n>
Stop after <n> rounds.
-e, --interface <name>
Use supplied network interface.
-H, --hide-sent
Do not display sent packets.
-N, --no-capture
Do not try to capture replies.
--privileged
Assume user is fully privileged.
--unprivileged
Assume user lacks raw socket privileges.
--send-eth
Send packets at the raw ethernet layer.
--send-ip
Send packets using raw IP sockets.
--bpf-filter <filter spec>
Specify custom BPF filter.

Output

-v
Increment verbosity level by one.
-v[level]
Set verbosity level. E.g: -v4
-d
Increment debugging level by one.
-d[level]
Set debugging level. E.g: -d3
-q
Decrease verbosity level by one.
-q[N]
Decrease verbosity level N times
--quiet
Set verbosity and debug level to minimum.
--debug
Set verbosity and debug to the max level.

Examples

ICMP ping

# nping aldeid.com
Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:27 CEST
SENT (0.1879s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 
SENT (1.1890s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 
SENT (2.1901s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28

TCP Flags

# nping --tcp -p 80 --flags rst -c 3 aldeid.com

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:30 CEST
SENT (0.2140s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480 
SENT (1.2144s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480 
SENT (2.2144s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480 
nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
nping_event_handler(): TIMER killed: Resource temporarily unavailable
 
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 3 (120B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)
Tx time: 2.00146s | Tx bytes/s: 59.96 | Tx pkts/s: 1.50
Rx time: 3.00116s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 3.21 seconds

# nping --tcp -p 80 --flags syn -c 3 aldeid.com

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:31 CEST
SENT (0.1981s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480 
RCVD (0.3703s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65419 iplen=44  seq=3288422312 win=64240 <mss 1460>
SENT (1.1984s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480 
RCVD (1.3191s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65420 iplen=44  seq=1833067768 win=64240 <mss 1460>
SENT (2.1984s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480 
RCVD (2.3342s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65421 iplen=44  seq=935977506 win=64240 <mss 1460>
 
Max rtt: 172.048ms | Min rtt: 120.478ms | Avg rtt: 142.689ms
Raw packets sent: 3 (120B) | Rcvd: 3 (138B) | Lost: 0 (0.00%)
Tx time: 2.00137s | Tx bytes/s: 59.96 | Tx pkts/s: 1.50
Rx time: 3.00543s | Rx bytes/s: 45.92 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 3.20 seconds

# nping --tcp -p 80 --flags ack -c 3 aldeid.com

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:32 CEST
SENT (0.1972s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480 
RCVD (0.1977s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65424 iplen=40  seq=2736126497 win=32767 
SENT (1.1983s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480 
RCVD (1.1989s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65425 iplen=40  seq=2736126497 win=32767 
SENT (2.1989s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480 
RCVD (2.1995s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65426 iplen=40  seq=2736126497 win=32767 
nping_event_handler(): TIMER killed: Resource temporarily unavailable

Max rtt: 0.078ms | Min rtt: 0.056ms | Avg rtt: 0.066ms
Raw packets sent: 3 (120B) | Rcvd: 3 (138B) | Lost: 0 (0.00%)
Tx time: 2.00279s | Tx bytes/s: 59.92 | Tx pkts/s: 1.50
Rx time: 3.00183s | Rx bytes/s: 45.97 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 3.20 seconds
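
Added example, not part of the original page: a short Python parser for the SENT/RCVD lines nping prints, pairing each reply with its probe so the three runs above can be compared by reply flags, TTL and round-trip time. The function name `summarize` and the result keys are choices made for this example; the sample lines are copied from the first probe of each run above.

```python
import re
from collections import Counter

# One TCP packet line as nping prints it: direction, time, endpoints, flags, ttl.
LINE = re.compile(r"(SENT|RCVD) \((\d+\.\d+)s\) TCP (\S+):(\d+) > (\S+):(\d+) "
                  r"([A-Z]+) ttl=(\d+)")

def summarize(text):
    """Pair every RCVD line with the pending SENT on the reversed 4-tuple."""
    pending, rtts, flags_seen, ttls, sent = {}, [], Counter(), set(), 0
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, statistics and error lines are skipped
        direction, t, src, sport, dst, dport, flags, ttl = m.groups()
        if direction == "SENT":
            sent += 1
            pending[(src, sport, dst, dport)] = float(t)
        elif (dst, dport, src, sport) in pending:
            t_sent = pending.pop((dst, dport, src, sport))
            rtts.append(round((float(t) - t_sent) * 1000, 1))
            flags_seen[flags] += 1
            ttls.add(int(ttl))
    return {"sent": sent, "answered": len(rtts), "reply_flags": dict(flags_seen),
            "reply_ttls": sorted(ttls), "rtt_ms": rtts}

# Lines copied from the --flags rst, syn and ack runs above (first probe of each).
RST_RUN = """\
SENT (0.2140s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480
nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
"""
SYN_RUN = """\
SENT (0.1981s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480
RCVD (0.3703s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65419 iplen=44  seq=3288422312 win=64240 <mss 1460>
"""
ACK_RUN = """\
SENT (0.1972s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480
RCVD (0.1977s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65424 iplen=40  seq=2736126497 win=32767
"""

if __name__ == "__main__":
    for name, run in (("rst", RST_RUN), ("syn", SYN_RUN), ("ack", ACK_RUN)):
        print(name, summarize(run))
```

On the page's runs the R replies to the ack probes come back in under a millisecond while the SA replies to the syn probes take more than 120 ms, which indicates the resets were generated close to the sender rather than by the distant web server. Comparing reply flags without the round-trip time would miss that.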

Echo client / server

Server

On the server, run:

# nping --echo-server "pass123" -e eth0 -vvv

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:38 CEST
Packet capture will be performed using network interface eth0.
Waiting for connections...
Server bound to 0.0.0.0:9929
[1340217541] Connection received from 192.168.1.13:56108
[1340217541] Client #0 (192.168.1.13:56108) disconnected
[1340217552] Connection received from 192.168.1.13:53935
[1340217552] Good packet specification received from client #1 (Specs=8,IP=4,Proto=6,Cnt=5)
[1340217552] NEP handshake with client #1 (192.168.1.13:53935) was performed successfully
[1340217555] Client #1 (192.168.1.13:53935) disconnected
^C 
Raw packets captured: 0 (0B) | Echoed: 0 (0B) | Not Matched: 0 (0B) (0.00%)
Tx time: 20.92945s | Tx bytes/s: 0.00 | Tx pkts/s: 0.00
Rx time: 20.92945s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 client served in 20.93 seconds

Client

On the client, run:

# nping --echo-client "pass123" 192.168.1.18 --tcp -p1-30 --flags ack

Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-06-20 14:39 EDT
SENT (0.5060s) TCP 192.168.1.13:9776 > 192.168.1.18:1 SA ttl=64 id=8941 iplen=40  seq=563261407 win=1480 
RCVD (0.5069s) TCP 192.168.1.18:1 > 192.168.1.13:9776 R ttl=64 id=0 iplen=40  seq=2016569017 win=0 
SENT (1.5085s) TCP 192.168.1.13:9776 > 192.168.1.18:2 SA ttl=64 id=8941 iplen=40  seq=563261407 win=1480 
RCVD (1.5097s) TCP 192.168.1.18:2 > 192.168.1.13:9776 R ttl=64 id=0 iplen=40  seq=2016569017 win=0 
SENT (2.5120s) TCP 192.168.1.13:9776 > 192.168.1.18:3 SA ttl=64 id=8941 iplen=40  seq=563261407 win=1480 
RCVD (2.5137s) TCP 192.168.1.18:3 > 192.168.1.13:9776 R ttl=64 id=0 iplen=40  seq=2016569017 win=0 
^C 
Max rtt: 0.976ms | Min rtt: 0.491ms | Avg rtt: 0.811ms
Raw packets sent: 3 (120B) | Rcvd: 3 (138B) | Lost: 0 (0.00%)| Echoed: 0 (0B) 
Tx time: 2.51520s | Tx bytes/s: 47.71 | Tx pkts/s: 1.19
Rx time: 2.51520s | Rx bytes/s: 54.87 | Rx pkts/s: 1.19
Nping done: 1 IP address pinged in 3.02 seconds
