hping2.8

网络流量生成工具,开源软件,也可以作为网络流量检测软件使用

.TH HPING2 8 "2001 Aug 14"
.SH NAME
hping2 \- send (almost) arbitrary TCP/IP packets to network hosts
.SH SYNOPSIS
.B hping2
[
.B \-hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG
] [
.B \-c
.I count
] [
.B \-i
.I wait
] [
.B \-\-fast
] [
.B \-I
.I interface
] [
.B \-9
.I signature
] [
.B \-a
.I host
] [
.B \-t
.I ttl
] [
.B \-N
.I ip id
] [
.B \-H
.I ip protocol
] [
.B \-g
.I fragoff
] [
.B \-m
.I mtu
] [
.B \-o
.I tos
] [
.B \-C
.I icmp type
] [
.B \-K
.I icmp code
] [
.B \-s
.I source port
] [
.B \-p[+][+]
.I dest port
] [
.B \-w
.I tcp window
] [
.B \-O
.I tcp offset
] [
.B \-M
.I tcp sequence number
] [
.B \-L
.I tcp ack
] [
.B \-d
.I data size
] [
.B \-E
.I filename
] [
.B \-e
.I signature
] [
.B \-\-icmp\-ipver
.I version
] [
.B \-\-icmp\-iphlen
.I length
] [
.B \-\-icmp\-iplen
.I length
] [
.B \-\-icmp\-ipid
.I id
] [
.B \-\-icmp\-ipproto
.I protocol
] [
.B \-\-icmp\-cksum
.I checksum
] [
.B \-\-icmp\-ts
] [
.B \-\-icmp\-addr
] [
.B \-\-tcpexitcode
] [
.B \-\-tcp-timestamp
] [
.B \-\-tr-stop
] [
.B \-\-tr-keep-ttl
] [
.B \-\-tr-no-rtt
]
hostname
.br
.ad
.SH DESCRIPTION
hping2 is a network tool able to send custom TCP/IP packets and to
display target replies like ping program does with ICMP replies. hping2
handle fragmentation, arbitrary packets body and size and can be used in
order to transfer files encapsulated under supported protocols. Using
hping2 you are able to perform at least the following stuff:

 - Test firewall rules
 - Advanced port scanning
 - Test net performance using different protocols,
   packet size, TOS (type of service) and fragmentation.
 - Path MTU discovery
 - Transferring files between even really fascist firewall
   rules.
 - Traceroute-like under different protocols.
 - Firewalk-like usage.
 - Remote OS fingerprinting.
 - TCP/IP stack auditing.
 - A lot of others.

.I It's also a good didactic tool to learn TCP/IP.
hping2 is developed and maintained by antirez@invece.org and is
licensed under GPL version 2. Development is open so you can send
me patches, suggestion and affronts without inhibitions.
.SH HPING SITE
primary site at
.B http://www.hping.org
You can found both the stable release and the instruction
to download the latest source code at http://www.hping.org/download.html
.SH BASE OPTIONS
.TP
.I -h --help
Show an help screen on standard output, so you can pipe to less.
.TP
.I -v --version
Show version information and API used to access to data link layer,
.I linux sock packet
or
.I libpcap
.TP
.I -c --count count
Stop after sending (and receiving)
.I count
response packets. After last packet was send hping2 wait COUNTREACHED_TIMEOUT
seconds target host replies. You are able to tune COUNTREACHED_TIMEOUT editing
hping2.h
.TP
.I -i --interval
Wait
the specified number of seconds or micro seconds between sending each packet.
--interval X set
.I wait
to X seconds, --interval uX set
.I wait
to X micro seconds.
The default is to wait
one second between each packet. Using hping2 to transfer files tune this
option is really important in order to increase transfer rate. Even using
hping2 to perform idle/spoofing scanning you should tune this option, see
.B HPING2-HOWTO
for more information.
.TP
.I --fast
Alias for -i u10000. Hping will send 10 packets for second.
.TP
.I -n --numeric
Numeric output only, No attempt will be made to lookup symbolic names for host addresses.
.TP
.I -q --quiet
Quiet output. Nothing is displayed except the summary lines at
startup time and when finished.
.TP
.I -I --interface interface name
By default on linux and BSD systems hping2 uses default routing interface.
In other systems or when there is no default route
hping2 uses the first non-loopback interface.
However you are able to force hping2 to use the interface you need using
this option. Note: you don't need to specify the whole name, for
example -I et will match eth0 ethernet0 myet1 et cetera. If no interfaces
match hping2 will try to use lo.
.TP
.I -V --verbose
Enable verbose output. TCP replies will be shown as follows:

len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0 
.TP
.I -D --debug
Enable debug mode, it's useful when you experience some problem with
hping2. When debug mode is enabled you will get more information about
.B interface detection, data link layer access, interface settings, options
.B parsing, fragmentation, HCMP protocol
and other stuff.
.TP
.I -z --bind
bind CTRL+Z to
.B time to live (TTL)
so you will able to increment/decrement ttl of outgoing packets pressing
CTRL+Z once or twice.
.TP
.I -Z --unbind
unbind CTRL+Z so you will able to stop hping2
.SH PROTOCOL SELECTION
Default protocol is TCP, by default hping2 will send tcp headers to target
host's port 0 with a winsize of 64 without any tcp flag on. Often this
is the best way to do an 'hide ping', useful when target is behind
a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good
probability of not being logged.
.TP
.I -0 --rawip
RAW IP mode, in this mode hping2 will send IP header with data
appended with --signature and/or --file, see also --ipproto that
allows you to set the ip protocol field.
.TP
.I -1 --icmp
ICMP mode, by default hping2 will send ICMP echo-request, you can set
other ICMP type/code using
.B --icmptype --icmpcode
options.
.TP
.I -2 --udp
UDP mode, by default hping2 will send udp to target host's port 0.
UDP header tunable options are the following:
.B --baseport, --destport, --keep.
.TP
.I -9 --listen signature
HPING2 listen mode, using this option hping2 waits for packet that contain
.I signature
and dump from
.I signature
end to packet's end. For example if hping2 --listen TEST reads a packet
that contain
.B 234-09sdflkjs45-TESThello_world
it will display
.B hello_world.
.SH IP RELATED OPTIONS
.TP
.I -a --spoof hostname
Use this option in order to set a fake IP source address, this option
ensures that target will not gain your real address. However replies
will be sent to spoofed address, so you will can't see them. In order
to see how it's possible to perform spoofed/idle scanning see the
.B HPING2-HOWTO.
.TP
.I -t --ttl time to live
Using this option you can set
.B TTL (time to live)
of outgoing packets, it's likely that you will use this with
.B --traceroute
or
.B --bind
options. If in doubt try `
.B hping2 some.host.com -t 1 --traceroute
\'.
.TP
.I -N --id
Set ip->id field. Default id is random but if fragmentation is turned on
and id isn't specified it will be
.B getpid() & 0xFF
, to implement a better solution is in TODO list.
.TP
.I -H --ipproto
Set the ip protocol in RAW IP mode.
.TP
.I -W --winid
Windows* id has different byte ordering, if this option is enable
hping2 will properly display windows reply ids.
.TP
.I -r --rel
Display id increments instead of id. See the
.B HPING2-HOWTO
for more information. Increments aren't computed as id[N]-id[N-1] but
using packet loss compensation. See relid.c for more information.
.TP
.I -f --frag
Split packets in more fragments, this may be useful in order to test
IP stacks fragmentation performance and to test if some
packet filter is so weak that can be passed using tiny fragments
(anachronistic). Default 'virtual mtu' is 16 bytes. see also
.I --mtu
option.
.TP
.I -x --morefrag
Set more fragments IP flag, use this option if you want that target
host send an
.B ICMP time-exceeded during reassembly.
.TP
.I -y --dontfrag
Set don't fragment IP flag, this can be used to perform
.B MTU path discovery.
.TP
.I -g --fragoff fragment offset value
Set the fragment offset
.TP
.I -m --mtu mtu value
Set different 'virtual mtu' than 16 when fragmentation is enabled. If
packets size is greater that 'virtual mtu' fragmentation is automatically
turned on.
.TP
.I -o --tos hex_tos
Set
.B Type Of Service (TOS)
, for more information try
.B --tos help
.TP
.I -G --rroute
Record route. Includes the RECORD_ROUTE option in each packet sent and
displays the route buffer of returned packets. Note that the IP header
is only large enough for nine such routes. Many hosts ignore or discard