LinuxCommandLibrary

hping3

Ping using custom TCP/IP packets

TLDR

Ping a destination with 4 ICMP ping requests

$ hping3 [[-1|--icmp]] [[-c|--count]] 4 [ip_or_hostname]

Ping an IP address over UDP on port 80
$ hping3 [[-2|--udp]] [[-p|--destport]] 80 [ip_or_hostname]

Scan TCP port 80 from local source port 5090
$ hping3 [[-V|--verbose]] [[-S|--syn]] [[-p|--destport]] 80 [[-s|--baseport]] 5090 [ip_or_hostname]

Traceroute using a TCP scan to a specific destination port
$ hping3 [[-T|--traceroute]] [[-V|--verbose]] [[-S|--syn]] [[-p|--destport]] [80] [ip_or_hostname]

Scan a set of TCP ports on a specific IP address
$ hping3 [[-8|--scan]] [80,3000,9000] [[-S|--syn]] [ip_or_hostname]

Perform a TCP ACK scan to check if a given host is alive
$ hping3 [[-c|--count]] [2] [[-V|--verbose]] [[-p|--destport]] [80] [[-A|--ack]] [ip_or_hostname]

Perform a load test on port 80
$ hping3 --flood [[-p|--destport]] 80 [[-S|--syn]] [ip_or_hostname]

SYNOPSIS

hping3 [options] [host]

PARAMETERS

-0
    RAW IP mode

-1
    ICMP mode

-2
    UDP mode

-3
    Invisible mode (deprecated)

-a <srcip>
    Spoof source IP address

-c <count>
    Stop after sending <count> packets

-d <datasize>
    Set packet data size

-E <filename>
    Read packet data from file

-f
    Fragment packets

-g <port>
    Base source port for scan

-i <u_sec>
    Set inter-packet wait (microseconds)

-I <iface>
    Set network interface

-p [+]<port>
    Set destination port (increment with +)

-q
    Quiet mode

-r
    Relativize sequence numbers

-s <port>
    Set source port

-S
    Set SYN flag

-A
    Set ACK flag

-F
    Set FIN flag

-P
    Set PUSH flag

-R
    Set RST flag

-U
    Set URG flag

--flood
    Flood mode (no replies processed)

--rand-source
    Randomize source address

--listen
    Sniffer mode (listen to incoming packets)

-V
    Verbose mode

-w <size>
    Set TCP window size

-x <id>
    Set IP ID field

--tcp-timestamp
    Set TCP timestamp option

--fast
    Aggressive packet rate

DESCRIPTION

hping3 is a command-line utility for generating and analyzing custom TCP/IP packets, and the successor to the original hping tool. It gives precise control over packet headers, payloads, and protocols (TCP, UDP, ICMP, and raw IP), which makes it useful for network security testing, firewall and IDS evasion studies, port scanning, traceroute alternatives, and bandwidth measurement. Unlike basic tools such as ping, hping3 crafts packets with arbitrary flags, sequence numbers, window sizes, and data, so it can simulate real traffic or attacks for ethical testing. It supports fragmentation, spoofing, flooding (use with caution), and sniffing in --listen mode to capture replies. It is commonly used by penetration testers and network administrators, and helps identify vulnerabilities without commercial software. Its output shows packet statistics, round-trip times, and lost packets, which aids diagnostics. It requires root privileges for raw sockets and must be used ethically to prevent misuse in DoS scenarios.

CAVEATS

Requires root for raw sockets.
High-rate use (--flood) may overload networks.
Potential for abuse in attacks; use ethically and legally.
IPv6 is not supported in all modes.

SCANNING EXAMPLE

hping3 --fast -S -p 80 target.com
Performs quick SYN scan on port 80.
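
Interpreting the replies to a SYN probe: SYN/ACK (flags=SA) means the port accepted the connection attempt, RST means it is closed, and silence shows up as packet loss (filtered or dropped). The script below is an added example, not part of the original page or the hping3 project; it summarises saved hping3 output, and the sample capture, the function names and the assumed line layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise replies to SYN probes from saved hping3 output.
# Assumed reply layout: "len=.. ip=.. sport=<port> flags=<flags> .. rtt=.. ms"
# and a summary line ending in "N% packet loss".

# Constructed sample capture (192.0.2.10 is a documentation address).
sample_output() {
cat <<'EOF'
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=0.6 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=8080 flags=RA seq=2 win=0 rtt=0.5 ms

--- 192.0.2.10 hping statistic ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
EOF
}

# Print "<port> <state> replies=<n>" per responding port, sorted by port.
port_states() {
  awk '
    /flags=/ {
      port = ""; flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^sport=/) port  = substr($i, 7)
        if ($i ~ /^flags=/) flags = substr($i, 7)
      }
      if (port == "") next
      n[port]++
      if (flags == "SA") state[port] = "open"           # SYN/ACK: listening
      else if (flags ~ /R/) {                            # RST: closed
        if (state[port] != "open") state[port] = "closed"
      } else if (!(port in state)) state[port] = "unexpected(" flags ")"
    }
    END { for (p in state) printf "%s %s replies=%d\n", p, state[p], n[p] }
  ' | sort -n
}

# Print the loss percentage from the statistics block. Probes that got no
# reply (filtered or dropped on the path) are only visible here.
packet_loss() {
  awk '/ packet loss/ { for (i = 1; i <= NF; i++)
         if ($i ~ /%$/) { sub(/%/, "", $i); print $i } }'
}

sample_output | port_states
echo "loss: $(sample_output | packet_loss)%"
```
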

TRACEROUTE

hping3 --traceroute -V host
TCP traceroute with verbose output.

LISTEN MODE

hping3 --listen -i u1000 filter
Sniff packets matching filter at 1ms intervals.

HISTORY

Developed by Salvatore Sanfilippo (antirez), starting with hping in 1997. hping3 was released around 2005 with IPv6, scripting, and advanced protocol support. It is maintained sporadically and is widely used in security tools like Metasploit.

SEE ALSO

nmap(1), tcpdump(8), tcptraceroute(8), netcat(1)
