table of contents
- NAME
- SYNOPSIS
- DESCRIPTION
- OPTIONS SUMMARY
- TARGET SPECIFICATION
- OPTION SPECIFICATION
- GENERAL OPERATION
- PROBE MODES
- TCP CONNECT MODE
- TCP MODE
- UDP MODE
- ICMP MODE
- ARP MODE
- IPV4 OPTIONS
- IPV6 OPTIONS
- ETHERNET OPTIONS
- PAYLOAD OPTIONS
- ECHO MODE
- TIMING AND PERFORMANCE OPTIONS
- MISCELLANEOUS OPTIONS
- OUTPUT OPTIONS
- BUGS
- AUTHORS
- NOTES
other versions
- wheezy 6.00-0.3+deb7u1
- wheezy-backports 6.40-0.1~bpo70+1
- jessie 6.47-3+deb8u2
- testing 7.40-1
- unstable 7.40-1
| NPING(1) | Nping Reference Guide | NPING(1) |
NAME¶
nping - Network packet generation tool / ping utilitySYNOPSIS¶
nping
[ Options] {targets}
DESCRIPTION¶
Nping is an open-source tool for network packet generation, response analysis and response time measurement. Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any field of the protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress tests, ARP poisoning, Denial of Service attacks, route tracing, and other purposes. Additionally, Nping offers a special mode of operation called the "Echo Mode", that lets users see how the generated probes change in transit, revealing the differences between the transmitted packets and the packets received at the other end. See section "Echo Mode" for details. The output from Nping is a list of the packets that are being sent and received. The level of detail depends on the options used. A typical Nping execution is shown in Example 1. The only Nping arguments used in this example are -c, to specify the number of times to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to specify the target ports; and then the two target hostnames. Example 1. A representative Nping execution# nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com Starting Nping ( http://nmap.org/nping ) SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40 seq=1077657388 win=1480 RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44 seq=4158134847 win=5840 <mss 1460> SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40 seq=1077657388 win=1480 RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44 seq=2650443864 win=5720 <mss 1430> SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40 seq=1077657388 win=1480 SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40 seq=1077657388 win=1480 Statistics for host scanme.nmap.org (64.13.134.52): | Probes Sent: 2 | Rcvd: 1 | Lost: 1 (50.00%) |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms Statistics for host google.com (74.125.45.100): | Probes Sent: 2 | Rcvd: 1 | Lost: 1 (50.00%) |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%) Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33 Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67 Nping done: 2 IP addresses pinged in 4.01 seconds
OPTIONS SUMMARY¶
This options summary is printed when Nping is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here.Nping 0.5.59BETA1 ( http://nmap.org/nping ) Usage: nping [Probe mode] [Options] {target specification} TARGET SPECIFICATION: Targets may be specified as hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 PROBE MODES: --tcp-connect : Unprivileged TCP connect probe mode. --tcp : TCP probe mode. --udp : UDP probe mode. --icmp : ICMP probe mode. --arp : ARP/RARP probe mode. --tr, --traceroute : Traceroute mode (can only be used with TCP/UDP/ICMP modes). TCP CONNECT MODE: -p, --dest-port <port spec> : Set destination port(s). -g, --source-port <portnumber> : Try to use a custom source port. TCP PROBE MODE: -g, --source-port <portnumber> : Set source port. -p, --dest-port <port spec> : Set destination port(s). --seq <seqnumber> : Set sequence number. --flags <flag list> : Set TCP flags (ACK,PSH,RST,SYN,FIN...) --ack <acknumber> : Set ACK number. --win <size> : Set window size. --badsum : Use a random invalid checksum. UDP PROBE MODE: -g, --source-port <portnumber> : Set source port. -p, --dest-port <port spec> : Set destination port(s). --badsum : Use a random invalid checksum. ICMP PROBE MODE: --icmp-type <type> : ICMP type. --icmp-code <code> : ICMP code. --icmp-id <id> : Set identifier. --icmp-seq <n> : Set sequence number. --icmp-redirect-addr <addr> : Set redirect address. --icmp-param-pointer <pnt> : Set parameter problem pointer. --icmp-advert-lifetime <time> : Set router advertisement lifetime. --icmp-advert-entry <IP,pref> : Add router advertisement entry. --icmp-orig-time <timestamp> : Set originate timestamp. --icmp-recv-time <timestamp> : Set receive timestamp. --icmp-trans-time <timestamp> : Set transmit timestamp. ARP/RARP PROBE MODE: --arp-type <type> : Type: ARP, ARP-reply, RARP, RARP-reply. --arp-sender-mac <mac> : Set sender MAC address. --arp-sender-ip <addr> : Set sender IP address. --arp-target-mac <mac> : Set target MAC address. --arp-target-ip <addr> : Set target IP address. IPv4 OPTIONS: -S, --source-ip : Set source IP address. --dest-ip <addr> : Set destination IP address (used as an alternative to {target specification} ). --tos <tos> : Set type of service field (8bits). --id <id> : Set identification field (16 bits). --df : Set Don't Fragment flag. --mf : Set More Fragments flag. --ttl <hops> : Set time to live [0-255]. --badsum-ip : Use a random invalid checksum. --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options --ip-options <hex string> : Set IP options --mtu <size> : Set MTU. Packets get fragmented if MTU is small enough. IPv6 OPTIONS: -6, --IPv6 : Use IP version 6. --dest-ip : Set destination IP address (used as an alternative to {target specification}). --hop-limit : Set hop limit (same as IPv4 TTL). --traffic-class <class> : : Set traffic class. --flow <label> : Set flow label. ETHERNET OPTIONS: --dest-mac <mac> : Set destination mac address. (Disables ARP resolution) --source-mac <mac> : Set source MAC address. --ether-type <type> : Set EtherType value. PAYLOAD OPTIONS: --data <hex string> : Include a custom payload. --data-string <text> : Include a custom ASCII text. --data-length <len> : Include len random bytes as payload. ECHO CLIENT/SERVER: --echo-client <passphrase> : Run Nping in client mode. --echo-server <passphrase> : Run Nping in server mode. --echo-port <port> : Use custom <port> to listen or connect. --no-crypto : Disable encryption and authentication. --once : Stop the server after one connection. --safe-payloads : Erase application data in echoed packets. TIMING AND PERFORMANCE: Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h). --delay <time> : Adjust delay between probes. --rate <rate> : Send num packets per second. MISC: -h, --help : Display help information. -V, --version : Display current version number. -c, --count <n> : Stop after <n> rounds. -e, --interface <name> : Use supplied network interface. -H, --hide-sent : Do not display sent packets. -N, --no-capture : Do not try to capture replies. --privileged : Assume user is fully privileged. --unprivileged : Assume user lacks raw socket privileges. --send-eth : Send packets at the raw ethernet layer. --send-ip : Send packets using raw IP sockets. --bpf-filter <filter spec> : Specify custom BPF filter. OUTPUT: -v : Increment verbosity level by one. -v[level] : Set verbosity level. E.g: -v4 -d : Increment debugging level by one. -d[level] : Set debugging level. E.g: -d3 -q : Decrease verbosity level by one. -q[N] : Decrease verbosity level N times --quiet : Set verbosity and debug level to minimum. --debug : Set verbosity and debug to the max level. EXAMPLES: nping scanme.nmap.org nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1 nping --icmp --icmp-type time --delay 500ms 192.168.254.254 nping --echo-server "public" -e wlan0 -vvv nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
TARGET SPECIFICATION¶
Everything on the Nping command line that isn't an option or an option argument is treated as a target host specification. Nping uses the same syntax for target specifications that Nmap does. The simplest case is a single target given by IP address or hostname. Nping supports CIDR-style. addressing. You can append / numbits to an IPv4 address or hostname and Nping will send probes to every IP address for which the first numbits are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would send probes to the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would ping exactly the same targets. Given that the host scanme.nmap.org. is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would send probes to the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest value is /32, which targets just the named host or IP address because all address bits are fixed. CIDR notation is short but not always flexible enough. For example, you might want to send probes to 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nping supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will target the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-.-.13.37 will send probes to all IP addresses on the Internet ending in .13.37. This sort of broad sampling can be useful for Internet surveys and research. IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't supported for IPv6 because they are rarely useful. Nping accepts multiple host specifications on the command line, and they don't need to be the same type. The command nping scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.OPTION SPECIFICATION¶
Nping is designed to be very flexible and fit a wide variety of needs. As with most command-line tools, its behavior can be adjusted using command-line options. These general principles apply to option arguments, unless stated otherwise. Options that take integer numbers can accept values specified in decimal, octal or hexadecimal base. When a number starts with 0x, it will be treated as hexadecimal; when it simply starts with 0, it will be treated as octal. Otherwise, Nping will assume the number has been specified in base 10. Virtually all numbers that can be supplied from the command line are unsigned so, as a general rule, the minimum value is zero. Users may also specify the word random or rand to make Nping generate a random value within the expected range. IP addresses may be given as IPv4 addresses (e.g. 192.168.1.1), IPv6 addresses (e.g. 2001:db8:85a3::8e4c:760:7146), or hostnames, which will be resolved using the default DNS server configured in the host system. Options that take MAC addresses accept the usual colon-separated 6 hex byte format (e.g. 00:50:56:d4:01:98). Hyphens may also be used instead of colons (e.g. 00-50-56-c0-00-08). The special word random or rand sets a random address and the word broadcast or bcast sets ff:ff:ff:ff:ff:ff.GENERAL OPERATION¶
Unlike other ping and packet generation tools, Nping supports multiple target host and port specifications. While this provides great flexibility, it is not obvious how Nping handles situations where there is more than one host and/or more than one port to send probes to. This section explains how Nping behaves in these cases. When multiple target hosts are specified, Nping rotates among them in round-robin fashion. This gives slow hosts more time to send their responses before another probe is sent to them. Ports are also scheduled using round robin. So, unless only one port is specified, Nping never sends two probes to the same target host and port consecutively. The loop around targets is the “inner loop” and the loop around ports is the “outer loop”. All targets will be sent a probe for a given port before moving on to the next port. Between probes, Nping waits a configurable amount of time called the “inter-probe delay”, which is controlled by the --delay option. These examples show how it works.# nping --tcp -c 2 1.1.1.1 -p 100-102 Starting Nping ( http://nmap.org/nping ) SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100 SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101 SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102 SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100 SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101 SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102
# nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080 Starting Nping ( http://nmap.org/nping ) SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080 SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080 SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080 SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080 SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080 SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080
# nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139 Starting Nping ( http://nmap.org/nping ) SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137 SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137 SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137 SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138 SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138 SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138 SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139 SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139 SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139
PROBE MODES¶
Nping supports a wide variety of protocols. Although in some cases Nping can automatically determine the mode from the options used, it is generally a good idea to specify it explicitly. --tcp-connect (TCP Connect mode) .TCP connect mode is the default mode when a
user does not have raw packet privileges. Instead of writing raw packets as
most other modes do, Nping asks the underlying operating system to establish a
connection with the target machine and port by issuing the connect system
call. This is the same high-level system call that web browsers, P2P clients,
and most other network-enabled applications use to establish a connection. It
is part of a programming interface known as the Berkeley Sockets API. Rather
than read raw packet responses off the wire, Nping uses this API to obtain
status information on each connection attempt. For this reason, you will not
be able to see the contents of the packets that are sent or received but only
status information about the TCP connection establishment taking place.
--tcp (TCP mode) .
TCP is the mode that lets users create and
send any kind of TCP packet. TCP packets are sent embedded in IP packets that
can also be tuned. This mode can be used for many different purposes. For
example you could try to discover open ports by sending TCP SYN messages
without completing the three-way handshake. This technique is often referred
to as half-open scanning, because you don't open a full TCP connection. You
send a SYN packet, as if you are going to open a real connection and then wait
for a response. A SYN/ACK indicates the port is open, while a RST indicates
it's closed. If no response is received one could assume that some
intermediate network device is filtering the responses. Another use could be
to see how a remote TCP/IP stack behaves when it receives a non-RFC-compliant
packet, like one with both SYN and RST flags set. One could also do some evil
by creating custom RST packets using an spoofed IP address with the intent of
closing an active TCP connection.
--udp (UDP mode) .
UDP mode can have two different behaviours.
Under normal circumstances, it lets users create custom IP/UDP packets.
However, if Nping is run by a user without raw packet privileges and no
changes to the default protocol headers are requested, then Nping enters the
unprivileged UDP mode which basically sends UDP packets to the specified
target hosts and ports using the sendto system call. Note that in this
unprivileged mode it is not possible to see low-level header information of
the packets on the wire but only status information about the amount of bytes
that are being transmitted and received. UDP mode can be used to interact with
any UDP-based server. Examples are DNS servers, streaming servers, online
gaming servers, and port knocking/single-packet. authorization daemons.
--icmp (ICMP mode) .
ICMP mode is the default mode when the user
runs Nping with raw packet privileges. Any kind of ICMP message can be
created. The default ICMP type is Echo, i.e., ping. ICMP mode can be used for
many different purposes, from a simple request for a timestamp or a netmask to
the transmission of fake destination unreachable messages, custom redirects,
and router advertisements.
--arp (ARP/RARP mode) .
ARP lets you create and send a few different
ARP-related packets. These include ARP, RARP, DRARP, and InARP requests and
replies. This mode can ban be used to perform low-level host discovery, and
conduct ARP-cache poisoning attacks.
--traceroute (Traceroute mode) .
Traceroute is not a mode by itself but a
complement to TCP, UDP, and ICMP modes. When this option is specified Nping
will set the IP TTL value of the first probe to 1. When the next router
receives the packet it will drop it due to the expiration of the TTL and it
will generate an ICMP destination unreachable message. The next probe will
have a TTL of 2 so now the first router will forward the packet while the
second router will be the one that drops the packet and generates the ICMP
message. The third probe will have a TTL value of 3 and so on. By examining
the source addresses of all those ICMP Destination Unreachable messages it is
possible to determine the path that the probes take until they reach their
final destination.
TCP CONNECT MODE¶
-p port_spec, --dest-port port_spec (Target ports) .This option specifies which ports you want to
try to connect to. It can be a single port, a comma-separated list of ports
(e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of those (e.g.
21-25,80,443,1024-2048). The beginning and/or end values of a range may be
omitted, causing Nping to use 1 and 65535, respectively. So you can specify
-p- to target ports from 1 through 65535. Using port zero is allowed if you
specify it explicitly.
-g portnumber, --source-port
portnumber (Spoof source port) .
This option asks Nping to use the specified
port as source port for the TCP connections. Note that this might not work on
all systems or may require root privileges. Specified value must be an integer
in the range [0–65535].
TCP MODE¶
-p port_spec, --dest-port port_spec (Target ports)This option specifies which destination ports
you want to send probes to. It can be a single port, a comma-separated list of
ports (e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of those
(e.g. 21-25,80,443,1024-2048). The beginning and/or end values of a range may
be omitted, causing Nping to use 1 and 65535, respectively. So you can specify
-p- to target ports from 1 through 65535. Using port zero is allowed if you
specify it explicitly.
-g portnumber, --source-port
portnumber (Spoof source port)
This option asks Nping to use the specified
port as source port for the TCP connections. Note that this might not work on
all systems or may require root privileges. Specified value must be an integer
in the range [0–65535].
--seq seqnumber (Sequence Number) .
Specifies the TCP sequence number. In SYN
packets this is the initial sequence number (ISN). In a normal transmission
this corresponds to the sequence number of the first byte of data in the
segment. seqnumber must be a number in the range
[0–4294967295].
--flags flags (TCP Flags) .
This option specifies which flags should be
set in the TCP packet. flags may be specified in three different ways:
There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST, SYN, and FIN.
The special value ALL means to set all flags. NONE means to set no flags. It
is important that if you don't want any flag to be set, you request it
explicitly because in some cases the SYN flag may be set by default. Here is a
brief description of the meaning of each flag:
CWR (Congestion Window Reduced) .
--win size (Window Size) .
1.As a comma-separated list of flags, e.g.
--flags syn,ack,rst
2.As a list of one-character flag initials,
e.g. --flags SAR tells Nping to set flags SYN, ACK, and RST.
3.As an 8-bit hexadecimal number, where the
supplied number is the exact value that will be placed in the flags field of
the TCP header. The number should start with the prefix 0x and should be in
the range [0x00–0xFF], e.g. --flags 0x20 sets the URG flag as 0x20
corresponds to binary 00100000 and the URG flag is represented by the third
bit.
Set by an ECN-Capable sender when it reduces
its congestion window (due to a retransmit timeout, a fast retransmit or in
response to an ECN notification.
ECN (Explicit Congestion Notification) .
During the three-way handshake it indicates
that sender is capable of performing explicit congestion notification.
Normally it means that a packet with the IP Congestion Experienced flag set
was received during normal transmission. See RFC 3168. for more
information.
URG (Urgent) .
Segment is urgent and the urgent pointer field
carries valid information.
ACK (Acknowledgement) .
The segment carries an acknowledgement and the
value of the acknowledgement number field is valid and contains the next
sequence number that is expected from the receiver.
PSH (Push) .
The data in this segment should be immediately
pushed to the application layer on arrival.
RST (Reset) .
There was some problem and the sender wants to
abort the connection.
SYN (Synchronize) .
The segment is a request to synchronize
sequence numbers and establish a connection. The sequence number field
contains the sender's initial sequence number.
FIN (Finish) .
The sender wants to close the
connection.
Specifies the TCP window size, this is, the
number of octets the sender of the segment is willing to accept from the
receiver at one time. This is usually the size of the reception buffer that
the OS allocates for a given connection. size must be a number in the
range [0–65535].
--badsum (Invalid Checksum) .
Asks Nping to use an invalid TCP checksum for
the packets sent to target hosts. Since virtually all host IP stacks properly
drop these packets, any responses received are likely coming from a firewall
or an IDS that didn't bother to verify the checksum. For more details on this
technique, see http://nmap.org/p60-12.html.
UDP MODE¶
-p port_spec, --dest-port port_spec (Target ports) .This option specifies which ports you want UDP
datagrams to be sent to. It can be a single port, a comma-separated list of
ports (e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of those
(e.g. 21-25,80,443,1024-2048). The beginning and/or end values of a range may
be omitted, causing Nping to use 1 and 65535, respectively. So you can specify
-p- to target ports from 1 through 65535. Using port zero is allowed if you
specify it explicitly.
-g portnumber, --source-port
portnumber (Spoof source port) .
This option asks Nping to use the specified
port as source port for the transmitted datagrams. Note that this might not
work on all systems or may require root privileges. Specified value must be an
integer in the range [0–65535].
--badsum (Invalid Checksum)
Asks Nping to use an invalid UDP checksum for
the packets sent to target hosts. Since virtually all host IP stacks properly
drop these packets, any responses received are likely coming from a firewall
or an IDS that didn't bother to verify the checksum. For more details on this
technique, see http://nmap.org/p60-12.html.
ICMP MODE¶
--icmp-type type (ICMP type) .This option specifies which type of ICMP
messages should be generated. type can be supplied in two different
ways. You can use the official type numbers assigned by IANA[1] (e.g.
--icmp-type 8 for ICMP Echo Request), or you can use any of the
mnemonics listed in the section called “ICMP Types”.
--icmp-code code (ICMP code) .
This option specifies which ICMP code should
be included in the generated ICMP messages. code can be supplied in two
different ways. You can use the official code numbers assigned by
IANA[1] (e.g. --icmp-code 1 for Fragment Reassembly Time Exceeded),
or you can use any of the mnemonics listed in the section called “ICMP
Codes”.
--icmp-id id (ICMP identifier) .
This option specifies the value of the
identifier used in some of the ICMP messages. In general it is used to match
request and reply messages. id must be a number in the range
[0–65535].
--icmp-seq seq (ICMP sequence) .
This option specifies the value of the
sequence number field used in some ICMP messages. In general it is used to
match request and reply messages. id must be a number in the range
[0–65535].
--icmp-redirect-addr addr (ICMP Redirect address) .
This option sets the address field in ICMP
Redirect messages. In other words, it sets the IP address of the router that
should be used when sending IP datagrams to the original destination.
addr can be either an IPv4 address or a hostname.
--icmp-param-pointer pointer (ICMP Parameter Problem
pointer) .
This option specifies the pointer that
indicates the location of the problem in ICMP Parameter Problem messages.
pointer should be a number in the range [0–255]. Normally this
option is only used when ICMP code is set to 0 ("Pointer indicates the
error").
--icmp-advert-lifetime ttl (ICMP Router Advertisement
Lifetime) .
This option specifies the router advertisement
lifetime, this is, the number of seconds the information carried in an ICMP
Router Advertisement can be considered valid for. ttl must be a
positive integer in the range [0–65535].
--icmp-advert-entry addr,pref (ICMP
Router Advertisement Entry) .
This option adds a Router Advertisement entry
to an ICMP Router Advertisement message. The parameter must be two values
separated by a comma. addr is the router's IP and can be specified
either as an IP address in dot-decimal notation or as a hostname. pref
is the preference level for the specified IP. It must be a number in the range
[0–4294967295]. An example is --icmp-advert-entry
192.168.128.1,3.
--icmp-orig-time timestamp (ICMP Originate Timestamp) .
This option sets the Originate Timestamp in
ICMP Timestamp messages. The Originate Timestamp is expressed as the number of
milliseconds since midnight UTC and it corresponds to the time the sender last
touched the Timestamp message before its transmission. timestamp can be
specified as a regular time (e.g. 10s, 3h, 1000ms), or the special string now.
You can add or subtract values from now, for example --icmp-orig-time
now-2s, --icmp-orig-time now+1h, --icmp-orig-time
now+200ms.
--icmp-recv-time timestamp (ICMP Receive Timestamp) .
This option sets the Receive Timestamp in ICMP
Timestamp messages. The Receive Timestamp is expressed as the number of
milliseconds since midnight UTC and it corresponds to the time the echoer
first touched the Timestamp message on receipt. timestamp is as with
--icmp-orig-time.
--icmp-trans-time timestamp (ICMP Transmit Timestamp) .
This option sets the Transmit Timestamp in
ICMP Timestamp messages. The Transmit Timestamp is expressed as the number of
milliseconds since midnight UTC and it corresponds to the time the echoer last
touched the Timestamp message before its transmission. timestamp is as
with --icmp-orig-time.
ICMP Types¶
These identifiers may be used as mnemonics for the ICMP type numbers given to the --icmp-type. option. In general there are three forms of each identifier: the full name (e.g. destination-unreachable), the short name (e.g. dest-unr), or the initials (e.g. du). In ICMP types that request something, the word "request" is omitted. echo-reply, echo-rep, erEcho Reply (type 0). This message is sent in
response to an Echo Request message.
destination-unreachable, dest-unr, du
Destination Unreachable (type 3). This message
indicates that a datagram could not be delivered to its destination.
source-quench, sour-que, sq
Source Quench (type 4). This message is used
by a congested IP device to tell other device that is sending packets too fast
and that it should slow down.
redirect, redi, r
Redirect (type 5). This message is normally
used by routers to inform a host that there is a better route to use for
sending datagrams. See also the --icmp-redirect-addr option.
echo-request, echo, e
Echo Request (type 8). This message is used to
test the connectivity of another device on a network.
router-advertisement, rout-adv, ra
Router Advertisement (type 9). This message is
used by routers to let hosts know of their existence and capabilities. See
also the --icmp-advert-lifetime option.
router-solicitation, rout-sol, rs
Router Solicitation (type 10). This message is
used by hosts to request Router Advertisement messages from any listening
routers.
time-exceeded, time-exc, te
Time Exceeded (type 11). This message is
generated by some intermediate device (normally a router) to indicate that a
datagram has been discarded before reaching its destination because the IP TTL
expired.
parameter-problem, member-pro, pp
Parameter Problem (type 12). This message is
used when a device finds a problem with a parameter in an IP header and it
cannot continue processing it. See also the --icmp-param-pointer
option.
timestamp, time, tm
Timestamp Request (type 13). This message is
used to request a device to send a timestamp value for propagation time
calculation and clock synchronization. See also the --icmp-orig-time,
--icmp-recv-time, and --icmp-trans-time.
timestamp-reply, time-rep, tr
Timestamp Reply (type 14). This message is
sent in response to a Timestamp Request message.
information, info, i
Information Request (type 15). This message is
now obsolete but it was originally used to request configuration information
from another device.
information-reply, info-rep, ir
Information Reply (type 16). This message is
now obsolete but it was originally sent in response to an Information Request
message to provide configuration information.
mask-request, mask, m
Address Mask Request (type 17). This message
is used to ask a device to send its subnet mask.
mask-reply, mask-rep, mr
Address Mask Reply (type 18). This message
contains a subnet mask and is sent in response to a Address Mask Request
message.
traceroute, trace, tc
Traceroute (type 30). This message is normally
sent by an intermediate device when it receives an IP datagram with a
traceroute option. ICMP Traceroute messages are still experimental, see RFC
1393. for more information.
ICMP Codes¶
These identifiers may be used as mnemonics for the ICMP code numbers given to the --icmp-code. option. They are listed by the ICMP type they correspond to.
network-unreachable, netw-unr, net
Code 0. Datagram could not be delivered to its
destination network (probably due to some routing problem).
host-unreachable, host-unr, host
Code 1. Datagram was delivered to the
destination network but it was impossible to reach the specified host
(probably due to some routing problem).
protocol-unreachable, prot-unr, proto
Code 2. The protocol specified in the Protocol
field of the IP datagram is not supported by the host to which the datagram
was delivered.
port-unreachable, port-unr, port
Code 3. The TCP/UDP destination port was
invalid.
needs-fragmentation, need-fra, frag
Code 4. Datagram had the DF bit set but it was
too large for the MTU of the next physical network so it had to be
dropped.
source-route-failed, sour-rou, routefail
Code 5. IP datagram had a Source Route option
but a router couldn't pass it to the next hop.
network-unknown, netw-unk, net?
Code 6. Destination network is unknown. This
code is never used. Instead, Network Unreachable is used.
host-unknown, host-unk, host?
Code 7. Specified host is unknown. Usually
generated by a router local to the destination host to inform of a bad
address.
host-isolated, host-iso, isolated
Code 8. Source Host Isolated. Not used.
network-prohibited, netw-pro, !net
Code 9. Communication with destination network
is administratively prohibited (source device is not allowed to send packets
to the destination network).
host-prohibited, host-pro, !host
Code 10. Communication with destination host
is administratively prohibited. (The source device is allowed to send packets
to the destination network but not to the destination device.)
network-tos, unreachable-network-tos, netw-tos, tosnet
Code 11. Destination network unreachable
because it cannot provide the type of service specified in the IP TOS
field.
host-tos, unreachable-host-tos, toshost
Code 12. Destination host unreachable because
it cannot provide the type of service specified in the IP TOS field.
communication-prohibited, comm-pro, !comm
Code 13. Datagram could not be forwarded due
to filtering that blocks the message based on its contents.
host-precedence-violation, precedence-violation, prec-vio, violation
Code 14. Precedence value in the IP TOS field
is not permitted.
precedence-cutoff, prec-cut, cutoff
Code 15. Precedence value in the IP TOS field
is lower than the minimum allowed for the network.
redirect-network, redi-net, net
Code 0. Redirect all future datagrams with the
same destination network as the original datagram, to the router specified in
the Address field. The use of this code is prohibited by RFC 1812..
redirect-host, redi-host, host
Code 1. Redirect all future datagrams with the
same destination host as the original datagram, to the router specified in the
Address field.
redirect-network-tos, redi-ntos, redir-ntos
Code 2. Redirect all future datagrams with the
same destination network and IP TOS value as the original datagram, to the
router specified in the Address field. The use of this code is prohibited by
RFC 1812.
redirect-host-tos, redi-htos, redir-htos
Code 3. Redirect all future datagrams with the
same destination host and IP TOS value as the original datagram, to the router
specified in the Address field.
normal-advertisement, norm-adv, normal, zero, default, def
Code 0. Normal router advertisement. In Mobile
IP: Mobility agent can act as a router for IP datagrams not related to mobile
nodes.
not-route-common-traffic, not-rou, mobile-ip, !route, !commontraffic
Code 16. Used for Mobile IP. The mobility
agent does not route common traffic. All foreign agents must forward to a
default router any datagrams received from a registered mobile node
ttl-exceeded-in-transit, ttl-exc, ttl-transit
Code 0. IP Time To Live expired during
transit.
fragment-reassembly-time-exceeded, frag-exc, frag-time
Code 1. Fragment reassembly time has been
exceeded.
pointer-indicates-error, poin-ind, pointer
Code 0. The pointer field indicates the
location of the problem. See the --icmp-param-pointer option.
missing-required-option, miss-option, option-missing
Code 1. IP datagram was expected to have an
option that is not present.
bad-length, bad-len, badlen
Code 2. The length of the IP datagram is
incorrect.
ARP MODE¶
--arp-type type (ICMP Type) .This option specifies which type of ARP
messages should be generated. type can be supplied in two different
ways. You can use the official numbers assigned by IANA[2] (e.g.
--arp-type 1 for ARP Request), or you can use one of the mnemonics from
the section called “ARP Types”.
--arp-sender-mac mac (Sender MAC address) .
This option sets the Sender Hardware Address
field of the ARP header. Although ARP supports many types of link layer
addresses, currently Nping only supports MAC addresses. mac must be
specified using the traditional MAC notation (e.g. 00:0a:8a:32:f4:ae). You can
also use hyphens as separators (e.g. 00-0a-8a-32-f4-ae).
--arp-sender-ip addr (Sender IP address) .
This option sets the Sender IP field of the
ARP header. addr can be given as an IPv4 address or a hostname.
--arp-target-mac mac (target MAC address) .
This option sets the Target Hardware Address
field of the ARP header.
--arp-target-ip addr (target ip address) .
This option sets the Target IP field of the
ARP header.
ARP Types¶
These identifiers may be used as mnemonics for the ARP type numbers given to the --arp-type. option. arp-request, arp, aARP Request (type 1). ARP requests are used to
translate network layer addresses (normally IP addresses) to link layer
addresses (usually MAC addresses). Basically, and ARP request is a broadcasted
message that asks the host in the same network segment that has a given IP
address to provide its MAC address.
arp-reply, arp-rep, ar
ARP Reply (type 2). An ARP reply is a message
that a host sends in response to an ARP request to provide its link layer
address.
rarp-request, rarp, r
RARP Requests (type 3). RARP requests are used
to translate a link layer address (normally a MAC address) to a network layer
address (usually an IP address). Basically a RARP request is a broadcasted
message sent by a host that wants to know his own IP address because it
doesn't have any. It was the first protocol designed to solve the
bootstrapping problem. However, RARP is now obsolete and DHCP is used instead.
For more information about RARP see RFC 903..
rarp-reply, rarp-rep, rr
RARP Reply (type 4). A RARP reply is a message
sent in response to a RARP request to provide an IP address to the host that
sent the RARP request in the first place.
drarp-request, drarp, d
Dynamic RARP Request (type 5). Dynamic RARP is
an extension to RARP used to obtain or assign a network layer address from a
fixed link layer address. DRARP was used mainly in Sun Microsystems platforms
in the late 90's but now it's no longer used. See RFC 1931. for more
information.
drarp-reply, drarp-rep, dr
Dynamic RARP Reply (type 6). A DRARP reply is
a message sent in response to a RARP request to provide network layer
address.
drarp-error, drarp-err, de
DRARP Error (type 7). DRARP Error messages are
usually sent in response to DRARP requests to inform of some error. In DRARP
Error messages, the Target Protocol Address field is used to carry an error
code (usually in the first byte). The error code is intended to tell why no
target protocol address is being returned. For more information see RFC
1931.
inarp-request, inarp, i
Inverse ARP Request (type 8). InARP requests
are used to translate a link layer address to a network layer address. It is
similar to RARP request but in this case, the sender of the InARP request
wants to know the network layer address of another node, not its own address.
InARP is mainly used in Frame Relay and ATM networks. For more information see
RFC 2390..
inarp-reply, inarp-rep, ir
Inverse ARP Reply (type 9). InARP reply
messages are sent in response to InARP requests to provide the network layer
address associated with the host that has a given link layer address.
arp-nak, an
ARP NAK (type 10). ARP NAK messages are an
extension to the ATMARP protocol and they are used to improve the robustness
of the ATMARP server mechanism. With ARP NAK, a client can determine the
difference between a catastrophic server failure and an ATMARP table lookup
failure. See RFC 1577. for more information.
IPV4 OPTIONS¶
-S addr, --source-ip addr (Source IP Address) .Sets the source IP address. This option lets
you specify a custom IP address to be used as source IP address in sent
packets. This allows spoofing the sender of the packets. addr can be an
IPv4 address or a hostname.
--dest-ip addr (Destination IP Address) .
Adds a target to Nping's target list. This
option is provided for consistency but its use is deprecated in favor of plain
target specifications. See the section called “TARGET
SPECIFICATION”.
--tos tos (Type of Service) .
Sets the IP TOS field. The TOS field is used
to carry information to provide quality of service features. It is normally
used to support a technique called Differentiated Services. See RFC 2474. for
more information. tos must be a number in the range
[0–255].
--id id (Identification) .
Sets the IPv4 Identification field. The
Identification field is a 16-bit value that is common to all fragments
belonging to a particular message. The value is used by the receiver to
reassemble the original message from the fragments received. id must be
a number in the range [0–65535].
--df (Don't Fragment) .
Sets the Don't Fragment bit in sent packets.
When an IP datagram has its DF flag set, intermediate devices are not allowed
to fragment it so if it needs to travel across a network with a MTU smaller
that datagram length the datagram will have to be dropped. Normally an ICMP
Destination Unreachable message is generated and sent back to the
sender.
--mf (More Fragments) .
Sets the More Fragments bit in sent packets.
The MF flag is set to indicate the receiver that the current datagram is a
fragment of some larger datagram. When set to zero it indicates that the
current datagram is either the last fragment in the set or that it is the only
fragment.
--ttl hops (Time To Live) .
Sets the IPv4 Time-To-Live (TTL) field in sent
packets to the given value. The TTL field specifies how long the datagram is
allowed to exist on the network. It was originally intended to represent a
number of seconds but it actually represents the number of hops a packet can
traverse before being dropped. The TTL tries to avoid a situation in which
undeliverable datagrams keep being forwarded from one router to another
endlessly. hops must be a number in the range [0–255].
--badsum-ip (Invalid IP checksum) .
Asks Nping to use an invalid IP checksum for
packets sent to target hosts. Note that some systems (like most Linux
kernels), may fix the checksum before placing the packet on the wire, so even
if Nping shows the incorrect checksum in its output, the packets may be
transparently corrected by the kernel.
--ip-options S|R [route]|L [route]|T|U ..., --ip-options
hex string (IP Options) .
The IP protocol offers several options which
may be placed in packet headers. Unlike the ubiquitous TCP options, IP options
are rarely seen due to practicality and security concerns. In fact, many
Internet routers block the most dangerous options such as source routing. Yet
options can still be useful in some cases for determining and manipulating the
network route to target machines. For example, you may be able to use the
record route option to determine a path to a target even when more traditional
traceroute-style approaches fail. Or if your packets are being dropped by a
certain firewall, you may be able to specify a different route with the strict
or loose source routing options.
The most powerful way to specify IP options is to simply pass in hexadecimal
data as the argument to --ip-options. Precede each hex byte value with
\x. You may repeat certain characters by following them with an asterisk and
then the number of times you wish them to repeat. For example,
\x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00.
Note that if you specify a number of bytes that is not a multiple of four, an
incorrect IP header length will be set in the IP packet. The reason for this
is that the IP header length field can only express multiples of four. In
those cases, the length is computed by dividing the header length by 4 and
rounding down. This will affect the way the header that follows the IP header
is interpreted, showing bogus information in Nping or in the output of any
sniffer. Although this kind of situation might be useful for some stack stress
tests, users would normally want to specify explicit padding, so the correct
header length is set.
Nping also offers a shortcut mechanism for specifying options. Simply pass the
letter R, T, or U to request record-route, record-timestamp, or both options
together, respectively. Loose or strict source routing may be specified with
an L or S followed by a space and then a space-separated list of IP addresses.
For more information and examples of using IP options with Nping, see the
mailing list post at
http://seclists.org/nmap-dev/2006/q3/0052.html.
--mtu size (Maximum Transmission Unit) .
This option sets a fictional MTU in Nping so
IP datagrams larger than size are fragmented before transmission.
size must be specified in bytes and corresponds to the number of octets
that can be carried on a single link-layer frame.
IPV6 OPTIONS¶
-6, --ipv6 (Use IPv6) .Tells Nping to use IP version 6 instead of the
default IPv4. It is generally a good idea to specify this option as early as
possible in the command line so Nping can parse it soon and know in advance
that the rest of the parameters refer to IPv6. The command syntax is the same
as usual except that you also add the -6 option. Of course, you must
use IPv6 syntax if you specify an address rather than a hostname. An address
might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames
are recommended.
While IPv6 hasn't exactly taken the world by storm, it gets significant use in
some (usually Asian) countries and most modern operating systems support it.
To use Nping with IPv6, both the source and target of your packets must be
configured for IPv6. If your ISP (like most of them) does not allocate IPv6
addresses to you, free tunnel brokers are widely available and work fine with
Nping. You can use the free IPv6 tunnel broker service at
http://www.tunnelbroker.net.
Please note that IPv6 support is still highly experimental and many modes and
options may not work with it.
-S addr, --source-ip addr (Source IP
Address) .
Sets the source IP address. This option lets
you specify a custom IP address to be used as source IP address in sent
packets. This allows spoofing the sender of the packets. addr can be an
IPv6 address or a hostname.
--dest-ip addr (Destination IP Address) .
Adds a target to Nping's target list. This
option is provided for consistency but its use is deprecated in favor of plain
target specifications. See the section called “TARGET
SPECIFICATION”.
--flow label (Flow Label) .
Sets the IPv6 Flow Label. The Flow Label field
is 20 bits long and is intended to provide certain quality-of-service
properties for real-time datagram delivery. However, it has not been widely
adopted, and not all routers or endpoints support it. Check RFC 2460. for more
information. label must be an integer in the range
[0–1048575].
--traffic-class class (Traffic Class) .
Sets the IPv6 Traffic Class. This field is
similar to the TOS field in IPv4, and is intended to provide the
Differentiated Services method, enabling scalable service discrimination in
the Internet without the need for per-flow state and signaling at every hop.
Check RFC 2474. for more information. class must be an integer in the
range [0–255].
--hop-limit hops (Hop Limit) .
Sets the IPv6 Hop Limit field in sent packets
to the given value. The Hop Limit field specifies how long the datagram is
allowed to exist on the network. It represents the number of hops a packet can
traverse before being dropped. As with the TTL in IPv4, IPv6 Hop Limit tries
to avoid a situation in which undeliverable datagrams keep being forwarded
from one router to another endlessly. hops must be a number in the
range [0–255].
ETHERNET OPTIONS¶
In most cases Nping sends packets at the raw IP level. This means that Nping creates its own IP packets and transmits them through a raw socket. However, in some cases it may be necessary to send packets at the raw Ethernet level. This happens, for example, when Nping is run under Windows (as Microsoft has disabled raw socket support since Windows XP SP2), or when Nping is asked to send ARP packets. Since in some cases it is necessary to construct ethernet frames, Nping offers some options to manipulate the different fields. --dest-mac mac (Ethernet Destination MAC Address) .This option sets the destination MAC address
that should be set in outgoing Ethernet frames. This is useful in case Nping
can't determine the next hop's MAC address or when you want to route probes
through a router other than the configured default gateway. The MAC address
should have the usual format of six colon-separated bytes, e.g.
00:50:56:d4:01:98. Alternatively, hyphens may be used instead of colons. Use
the word random or rand to generate a random address, and broadcast or bcast
to use ff:ff:ff:ff:ff:ff. If you set up a bogus destination MAC address your
probes may not reach the intended targets.
--source-mac mac (Ethernet Source MAC Address) .
This option sets the source MAC address that
should be set in outgoing Ethernet frames. This is useful in case Nping can't
determine your network interface MAC address or when you want to inject
traffic into the network while hiding your network card's real address. The
syntax is the same as for --dest-mac. If you set up a bogus source MAC address
you may not receive probe replies.
--ether-type type (Ethertype) .
This option sets the Ethertype field of the
ethernet frame. The Ethertype is used to indicate which protocol is
encapsulated in the payload. type can be supplied in two different
ways. You can use the official numbers listed by the IEEE[3] (e.g.
--ether-type 0x0800 for IP version 4), or one of the mnemonics from the
section called “Ethernet Types”.
Ethernet Types¶
These identifiers may be used as mnemonics for the Ethertype numbers given to the --arp-type. option. ipv4, ip, 4Internet Protocol version 4 (type
0x0800).
ipv6, 6
Internet Protocol version 6 (type
0x86DD).
arp
Address Resolution Protocol (type
0x0806).
rarp
Reverse Address Resolution Protocol (type
0x8035).
frame-relay, frelay, fr
Frame Relay (type 0x0808).
ppp
Point-to-Point Protocol (type 0x880B).
gsmp
General Switch Management Protocol (type
0x880C).
mpls
Multiprotocol Label Switching (type
0x8847).
mps-ual, mps
Multiprotocol Label Switching with
Upstream-assigned Label (type 0x8848).
mcap
Multicast Channel Allocation Protocol (type
0x8861).
pppoe-discovery, pppoe-d
PPP over Ethernet Discovery Stage (type
0x8863).
pppoe-session, pppoe-s
PPP over Ethernet Session Stage (type
0x8864).
ctag
Customer VLAN Tag Type (type 0x8100).
epon
Ethernet Passive Optical Network (type
0x8808).
pbnac
Port-based network access control (type
0x888E).
stag
Service VLAN tag identifier (type
0x88A8).
ethexp1
Local Experimental Ethertype 1 (type
0x88B5).
ethexp2
Local Experimental Ethertype 2 (type
0x88B6).
ethoui
OUI Extended Ethertype (type 0x88B7).
preauth
Pre-Authentication (type 0x88C7).
lldp
Link Layer Discovery Protocol (type
0x88CC).
mac-security, mac-sec, macsec
Media Access Control Security (type
0x88E5).
mvrp
Multiple VLAN Registration Protocol (type
0x88F5).
mmrp
Multiple Multicast Registration Protocol (type
0x88F6).
frrr
Fast Roaming Remote Request (type
0x890D).
PAYLOAD OPTIONS¶
--data hex string (Append custom binary data to sent packets) .This option lets you include binary data as
payload in sent packets. hex string may be specified in any of the
following formats: 0xAABBCCDDEEFF ..., AABBCCDDEEFF ... or
\xAA\xBB\xCC\xDD\xEE\xFF .... Examples of use are --data
0xdeadbeef and --data \xCA\xFE\x09. Note that if you specify a
number like 0x00ff no byte-order conversion is performed. Make sure you
specify the information in the byte order expected by the receiver.
--data-string string (Append custom string to sent packets)
.
This option lets you include a regular string
as payload in sent packets. string can contain any string. However,
note that some characters may depend on your system's locale and the receiver
may not see the same information. Also, make sure you enclose the string in
double quotes and escape any special characters from the shell. Example:
--data-string "Jimmy Jazz...".
--data-length len (Append random data to sent packets) .
This option lets you include len random
bytes of data as payload in sent packets. len must be an integer in the
range [0–65400]. However, values higher than 1400 are not recommended
because it may not be possible to transmit packets due to network MTU
limitations.
ECHO MODE¶
The "Echo Mode" is a novel technique implemented by Nping which lets users see how network packets change in transit, from the host where they originated to the target machine. Basically, the Echo mode turns Nping into two different pieces: the Echo server and the Echo client. The Echo server is a network service that has the ability to capture packets from the network and send a copy ("echo them") to the originating client through a side TCP channel. The Echo client is the part that generates such network packets, transmits them to the server, and receives their echoed version through a side TCP channel that it has previously established with the Echo server. This scheme lets the client see the differences between the packets that it sends and what is actually received by the server. By having the server send back copies of the received packets through the side channel, things like NAT devices become immediately apparent to the client because it notices the changes in the source IP address (and maybe even source port). Other devices like those that perform traffic shaping, changing TCP window sizes or adding TCP options transparently between hosts, turn up too. The Echo mode is also useful for troubleshooting routing and firewall issues. Among other things, it can be used to determine if the traffic generated by the Nping client is being dropped in transit and never gets to its destination or if the responses are the ones that don't get back to it. Internally, client and server communicate over an encrypted and authenticated channel, using the Nping Echo Protocol (NEP), whose technical specification can be found in http://nmap.org/svn/nping/docs/EchoProtoRFC.txt The following paragraphs describe the different options available in Nping's Echo mode. --ec passphrase, --echo-client passphrase (Run Echo client) .This option tells Nping to run as an Echo
client. passphrase is a sequence of ASCII characters that is used used
to generate the cryptographic keys needed for encryption and authentication in
a given session. The passphrase should be a secret that is also known by the
server, and it may contain any number of printable ASCII characters.
Passphrases that contain whitespace or special characters must be enclosed in
double quotes.
When running Nping as an Echo client, most options from the regular raw probe
modes apply. The client may be configured to send specific probes using flags
like --tcp, --icmp or --udp. Protocol header fields may
be manipulated normally using the appropriate options (e.g. --ttl,
--seq, --icmp-type, etc.). The only exceptions are ARP-related
flags, which are not supported in Echo mode, as protocols like ARP are closely
related to the data link layer and its probes can't pass through different
network segments.
--es passphrase, --echo-server
passphrase (Run Echo server) .
This option tells Nping to run as an Echo
server. passphrase is a sequence of ASCII characters that is used used
to generate the cryptographic keys needed for encryption and authentication in
a given session. The passphrase should be a secret that is also known by the
clients, and it may contain any number of printable ASCII characters.
Passphrases that contain whitespace or special characters must be enclosed in
double quotes. Note that although it is not recommended, it is possible to use
empty passphrases, supplying --echo-server "". However, if
what you want is to set up an open Echo server, it is better to use option
--no-crypto. See below for details.
--ep port, --echo-port port (Set Echo
TCP port number) .
This option asks Nping to use the specified
TCP port number for the Echo side channel connection. If this option is used
with --echo-server, it specifies the port on which the server listens
for connections. If it is used with --echo-client, it specifies the
port to connect to on the remote host. By default, port number 9929 is
used.
--nc, --no-crypto (Disable encryption and authentication) .
This option asks Nping not to use any
cryptographic operations during an Echo session. In practical terms, this
means that the Echo side channel session data will be transmitted in the
clear, and no authentication will be performed by the server or client during
the session establishment phase. When --no-crypto is used, the
passphrase supplied with --echo-server or --echo-client is
ignored.
This option must be specified if Nping was compiled without openSSL support.
Note that, for technical reasons, a passphrase still needs to be supplied
after the --echo-client or --echo-server flags, even though it will be
ignored.
The --no-crypto flag might be useful when setting up a public Echo server,
because it allows users to connect to the Echo server without the need for any
passphrase or shared secret. However, it is strongly recommended to not use
--no-crypto unless absolutely necessary. Public Echo servers should be
configured to use the passphrase "public" or the empty passphrase
(--echo-server "") as the use of cryptography does not only provide
confidentiality and authentication but also message integrity.
--once (Serve one client and quit) .
This option asks the Echo server to quit after
serving one client. This is useful when only a single Echo session wants to be
established as it eliminates the need to access the remote host to shutdown
the server.
--safe-payloads (Zero application data before echoing a packet) .
This option asks the Echo server to erase any
application layer data found in client packets before echoing them. When the
option is enabled, the Echo server parses the packets received from Echo
clients and tries to determine if they contain data beyond the transport
layer. If such data is found, it is overwritten with zeroes before
transmitting the packets to the appropriate Echo client.
Echo servers can handle multiple simultaneous clients running multiple echo
sessions in parallel. In order to determine which packet needs to be echoed to
which client and through which session, the Echo server uses an heuristic
algorithm. Although we have taken every security measure that we could think
of to prevent that a client receives an echoed packet that it did not
generate, there is always a risk that our algorithm makes a mistake and
delivers a packet to the wrong client. The --safe-payloads option is useful
for public echo servers or critical deployments where that kind of mistake
cannot be afforded.
The following examples illustrate how Nping's Echo mode can be used to discover
intermediate devices.
Example 2. Discovering NAT devices
# nping --echo-client "public" echo.nmap.org --udp
Starting Nping ( http://nmap.org/nping )
SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
[...]
SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56
Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 6.18 seconds
# nping --echo-client "public" echo.nmap.org --tcp -p80
Starting Nping ( http://nmap.org/nping )
SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44 seq=3647106954 win=16384 <mss 1460>
SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
Nping done: 1 IP address pinged in 6.39 seconds
TIMING AND PERFORMANCE OPTIONS¶
--delay time (Delay between probes) .This option lets you control for how long will
Nping wait before sending the next probe. Like in many other ping tools, the
default delay is one second. time must be a positive integer or
floating point number. By default it is specified in seconds, however you can
give an explicit unit by appending ms for milliseconds, s for seconds, m for
minutes, or h for hours (e.g. 2.5s, 45m, 2h).
--rate rate (Send probes at a given rate) .
This option specifies the number of probes
that Nping should send per second. This option and --delay are
inverses; --rate 20 is the same as --delay 0.05. If both options
are used, only the last one in the parameter list counts.
MISCELLANEOUS OPTIONS¶
-h, --help (Display help) .Displays help information and exits.
-V, --version (Display version) .
Displays the program's version number and
quits.
-c rounds, --count rounds (Stop after
a given number of rounds) .
This option lets you specify the number of
times that Nping should loop over target hosts (and in some cases target
ports). Nping calls these “rounds”. In a basic execution with only
one target (and only one target port in TCP/UDP modes), the number of rounds
matches the number of probes sent to the target host. However, in more complex
executions where Nping is run against multiple targets and multiple ports, the
number of rounds is the number of times that Nping sends a complete set of
probes that covers all target IPs and all target ports. For example, if Nping
is asked to send TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and
433, then 256 × 2 = 512 packets are sent in one round. So if
you specify -c 100, Nping will loop over the different target hosts and
ports 100 times, sending a total of 256 × 2 × 100 = 51200
packets. By default Nping runs for 5 rounds. If a value of 0 is specified,
Nping will run continuously.
-e name, --interface name (Set the
network interface to be used) .
This option tells Nping what interface should
be used to send and receive packets. Nping should be able to detect this
automatically, but it will tell you if it cannot. name must be the name
of an existing network interface with an assigned IP address.
--privileged (Assume that the user is fully privileged) .
Tells Nping to simply assume that it is
privileged enough to perform raw socket sends, packet sniffing, and similar
operations that usually require special privileges. By default Nping quits if
such operations are requested by a user that has no root or administrator
privileges. This option may be useful on Linux, BSD or similar systems that
can be configured to allow unprivileged users to perform raw-packet
transmissions. The NPING_PRIVILEGED. environment variable may be set as
an alternative to using --privileged.
--unprivileged (Assume that the user lacks raw socket privileges) .
This option is the opposite of
--privileged. It tells Nping to treat the user as lacking network raw
socket and sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow broken. The
NPING_UNPRIVILEGED. environment variable may be set as an alternative
to using --unprivileged.
--send-eth (Use raw ethernet sending) .
Asks Nping to send packets at the raw ethernet
(data link) layer rather than the higher IP (network) layer. By default, Nping
chooses the one which is generally best for the platform it is running on. Raw
sockets (IP layer) are generally most efficient for Unix machines, while
ethernet frames are required for Windows operation since Microsoft disabled
raw socket support. Nping still uses raw IP packets despite this option when
there is no other choice (such as non-ethernet connections).
--send-ip (Send at raw IP level) .
Asks Nping to send packets via raw IP sockets
rather than sending lower level ethernet frames. It is the complement to the
--send-eth option.
--bpf-filter filter spec --filter filter
spec (Set custom BPF filter) .
This option lets you use a custom BPF filter.
By default Nping chooses a filter that is intended to capture most common
responses to the particular probes that are sent. For example, when sending
TCP packets, the filter is set to capture packets whose destination port
matches the probe's source port or ICMP error messages that may be generated
by the target or any intermediate device as a result of the probe. If for some
reason you expect strange packets in response to sent probes or you just want
to sniff a particular kind of traffic, you can specify a custom filter using
the BPF syntax used by tools like tcpdump.. See the documentation at
http://www.tcpdump.org/ for more information.
-H, --hide-sent (Do not display sent packets) .
This option tells Nping not to print
information about sent packets. This can be useful when using very short
inter-probe delays (i.e., when flooding), because printing information to the
standard output has a computational cost and disabling it can probably speed
things up a bit. Also, it may be useful when using Nping to detect active
hosts or open ports (e.g. sending probes to all TCP ports in a /24 subnet). In
that case, users may not want to see thousands of sent probes but just the
replies generated by active hosts.
-N, --no-capture (Do not attempt to capture replies) .
This option tells Nping to skip packet
capture. This means that packets in response to sent probes will not be
processed or displayed. This can be useful when doing flooding and network
stack stress tests. Note that when this option is specified, most of the
statistics shown at the end of the execution will be useless. This option does
not work with TCP Connect mode.
OUTPUT OPTIONS¶
-v[level], --verbose [level] (Increase or set verbosity level) .Increases the verbosity level, causing Nping
to print more information during its execution. There are 9 levels of
verbosity (-4 to 4). Every instance of -v increments the verbosity
level by one (from its default value, level 0). Every instance of option
-q decrements the verbosity level by one. Alternatively you can specify
the level directly, as in -v3 or -v-1. These are the available
levels:
Level −4
-q[level], --reduce-verbosity [level]
(Decrease verbosity level) .
No output at all. In some circumstances you
may not want Nping to produce any output (like when one of your work mates is
watching over your shoulder). In that case level −4 can be useful
because although you won't see any response packets, probes will still be
sent.
Level −3
Like level −4 but displays fatal error
messages so you can actually see if Nping is running or it failed due to some
error.
Level −2
Like level −3 but also displays warnings
and recoverable errors.
Level −1
Displays traditional run-time information
(version, start time, statistics, etc.) but does not display sent or received
packets.
Level 0
This is the default verbosity level. It
behaves like level −1 but also displays sent and received packets and
some other important information.
Level 1
Like level 0 but it displays detailed
information about timing, flags, protocol details, etc.
Level 2
Like level 1 but displays very detailed
information about sent and received packets and other interesting
information.
Level 3
Like level 2 but also displays the raw
hexadecimal dump of sent and received packets.
Level 4 and higher
Same as level 3.
Decreases the verbosity level, causing Nping
to print less information during its execution.
-d[level] (Increase or set debugging level) .
When even verbose mode doesn't provide
sufficient data for you, debugging is available to flood you with much more!
As with the -v, debugging is enabled with a command-line flag -d
and the debug level can be increased by specifying it multiple times. There
are 7 debugging levels (0 to 6). Every instance of -d increments
debugging level by one. Provide an argument to -d to set the level
directly; for example -d4.
Debugging output is useful when you suspect a bug in Nping, or if you are simply
confused as to what Nping is doing and why. As this feature is mostly intended
for developers, debug lines aren't always self-explanatory. You may get
something like
If you don't understand a line, your only recourses are to ignore it, look it up
in the source code, or request help from the development list (nmap-dev). Some
lines are self-explanatory, but the messages become more obscure as the debug
level is increased. These are the available levels:
Level 0
NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS
Level 0. No debug information at all. This is
the default level.
Level 1
In this level, only very important or
high-level debug information will be printed.
Level 2
Like level 1 but also displays important or
medium-level debug information
Level 3
Like level 2 but also displays regular and
low-level debug information.
Level 4
Like level 3 but also displays messages only a
real Nping freak would want to see.
Level 5
Like level 4 but it enables basic debug
information related to external libraries like Nsock..
Level 6
Like level 5 but it enables full, very
detailed, debug information related to external libraries like Nsock.
BUGS¶
Like its author, Nping isn't perfect. But you can help make it better by sending bug reports or even writing patches. If Nping doesn't behave the way you expect, first upgrade to the latest Nmap version available from http://nmap.org/download.html. If the problem persists, do some research to determine whether it has already been discovered and addressed. Try searching for the error message on our search page at http://insecure.org/search.html or at Google. Also try browsing the nmap-dev archives at http://seclists.org/. Read this full manual page as well. If nothing comes out of this, mail a bug report to <dev@nmap.org>. Please include everything you have learned about the problem, as well as what version of Nping you are running and what operating system version it is running on. Problem reports and Nping usage questions sent to <dev@nmap.org> are far more likely to be answered than those sent to Fyodor directly. If you subscribe to the nmap-dev list before posting, your message will bypass moderation and get through more quickly. Subscribe at http://nmap.org/mailman/listinfo/dev. Code patches to fix bugs are even better than bug reports. Basic instructions for creating patch files with your changes are available at https://svn.nmap.org/nmap/HACKING. Patches may be sent to nmap-dev (recommended) or to any of the authors listed in the next section directly.AUTHORS¶
Luis MartinGarcia <luis.mgarc@gmail.com> ( http://aldabaknocking.com) Fyodor <fyodor@nmap.org> ( http://insecure.org)NOTES¶
- 1.
- official type numbers assigned by IANA
- 2.
- official numbers assigned by IANA
- 3.
- official numbers listed by the IEEE
| 07/28/2013 | Nping |