hping2.8

网络流量生成工具,开源软件,也可以作为网络流量检测软件使用

this option. Also note that using hping you are able to use record route
even if target host filter ICMP. Record route is an IP option, not
an ICMP option, so you can use record route option even in TCP and UDP
mode.
.SH ICMP RELATED OPTIONS
.TP
.I -C --icmptype type
Set icmp type, default is
.B ICMP echo request
(implies --icmp)
.TP
.I -K --icmpcode code
Set icmp code, default is 0. (implies --icmp)
.TP
.I --icmp-ipver
Set IP version of IP header contained into ICMP data, default is 4.
.TP
.I --icmp-iphlen
Set IP header length of IP header contained into ICMP data, default is 5 (5 word of 32 bits).
.TP
.I --icmp-iplen
Set IP packet length of IP header contained into ICMP data, default is the real
length.
.TP
.I --icmp-ipid
Set IP id of IP header contained into ICMP data, default is random.
.TP
.I --icmp-ipproto
Set IP protocol of IP header contained into ICMP data, default is TCP.
.TP
.I --icmp-cksum
Set ICMP checksum, for default is the valid checksum.
.TP
.I --icmp-ts
Alias for --icmptype 13 (to send ICMP timestamp requests)
.TP
.I --icmp-addr
Alias for --icmptype 17 (to send ICMP address mask requests)
.SH TCP/UDP RELATED OPTIONS
.TP
.I -s --baseport source port
hping2 uses source port in order to guess replies sequence number. It
starts with a base source port number, and increase this number for each
packet sent. When packet is received sequence number can be computed as
.I replies.dest.port - base.source.port.
Default base source port is random, using this option you are able to
set different number. If you need that source port not be increased for
each sent packet use the
.I -k --keep
option.
.TP
.I -p --destport [+][+]dest port
Set destination port, default is 0. If '+' character precedes dest port
number (i.e. +1024) destination port will be increased for each reply
received. If double '+' precedes dest port number (i.e. ++1024), destination
port will be increased for each packet sent.
By default destination port can be modified interactively using
.B CTRL+z.
.TP
.I --keep
keep still source port, see
.I --baseport
for more information.
.TP
.I -w --win
Set TCP window size. Default is 64.
.TP
.I -O --tcpoff
Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
.TP
.I -M --tcpseq
Set the TCP sequence number.
.TP
.I -L --tcpack
Set the TCP ack.
.TP
.I -Q --seqnum
This option can be used in order to collect sequence numbers generated
by target host. This can be useful when you need to analyze whether
TCP sequence number is predictable. Output example:

.B #hping2 win98 --seqnum -p 139 -S -i u1 -I eth0
.nf
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
2361294848 +2361294848
2411626496 +50331648
2545844224 +134217728
2713616384 +167772160
2881388544 +167772160
3049160704 +167772160
3216932864 +167772160
3384705024 +167772160
3552477184 +167772160
3720249344 +167772160
3888021504 +167772160
4055793664 +167772160
4223565824 +167772160
.fi

The first column reports the sequence number, the second difference
between current and last sequence number. As you can see target host's sequence
numbers are predictable.
.TP
.I -b --badcksum
send packets with a bad UDP/TCP checksum
.TP
.I --tcp-timestamp
enable the TCP timestamp option, and try to guess the timestamp update
frequency and the remote system uptime.
.TP
.I -F --fin
set FIN tcp flag.
.TP
.I -S --syn
set SYN tcp flag.
.TP
.I -R --rst
set RST tcp flag.
.TP
.I -P --push
set PUSH tcp flag.
.TP
.I -A --ack
set ACK tcp flag.
.TP
.I -U --urg
set URG tcp flag.
.TP
.I -X --xmas
set Xmas tcp flag.
.TP
.I -Y --ymas
set Ymas tcp flag.
.SH COMMON OPTIONS
.TP
.I -d --data data size
set packet body size. Warning, using --data 40 hping2 will not generate
0 byte packets but protocol_header+40 bytes. hping2 will display
packet size information as first line output, like this:
.B HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
.TP
.I -E --file filename
Use
.B filename
contents to fill packet's data.
.TP
.I -e --sign signature
Fill first
.I signature length
bytes of data with
.I signature.
If
.I signature length
is bigger than data size an error message will be displayed.
This option can be used safely with
.I --file filename
option, remainder data space will be filled using
.I filename
.TP
.I -j --dump
Dump received packets in hex.
.TP
.I -J --print
Dump received packets's printable characters.
.TP
.I -B --safe
Enable safe protocol, using this option lost packets in file transfers
will be resent. For example in order to send file /etc/passwd from host
A to host B you may use the following:
.nf
.I [host_a]
.B # hping2 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
.I [host_b]
.B # hping2 host_a --listen signature --safe --icmp
.fi
.TP
.I -u --end
If you are using
.I --file filename
option, tell you when EOF has been reached. Moreover prevent that other end
accept more packets. Please, for more information see the
.B HPING2-HOWTO.
.TP
.I -T --traceroute
Traceroute mode. Using this option hping2 will increase ttl for each
.B ICMP time to live 0 during transit
received. Try
.B hping2 host --traceroute.
This option implies --bind and --ttl 1. You can override the ttl of 1
using the --ttl option. Since 2.0.0 stable it prints RTT information.
.TP
.I --tr-keep-ttl
Keep the TTL fixed in traceroute mode, so you can monitor just one hop
in the route. For example, to monitor how the 5th hop changes or
how its RTT changes you can try
.B hping2 host --traceroute --ttl 5 --tr-keep-ttl.
.TP
.I --tr-stop
If this option is specified hping will exit once the first packet
that isn't an ICMP time exceeded is received. This better emulates
the traceroute behavior.
.TP
.I --tr-no-rtt
Don't show RTT information in traceroute mode. The ICMP time exceeded RTT
information aren't even calculated if this option is set.
.TP
.I --tcpexitcode
Exit with last received packet tcp->th_flag as exit code. Useful for scripts
that need, for example, to known if the port 999 of some host reply with
SYN/ACK or with RST in response to SYN, i.e. the service is up or down.
.SH TCP OUTPUT FORMAT
The standard TCP output format is the following:

len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

.B len
is the size, in bytes, of the data captured from the data link layer
excluding the data link header size. This may not match the IP datagram
size due to low level transport layer padding.

.B ip
is the source ip address.

.B flags
are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN,
P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard
0x80.

If the reply contains
.B DF
the IP header has the don't fragment bit set.

.B seq
is the sequence number of the packet, obtained using the source
port for TCP/UDP packets, the sequence field for ICMP packets.

.B id
is the IP ID field.

.B win
is the TCP window size.

.B rtt
is the round trip time in milliseconds.

If you run hping using the
.B -V
command line switch it will display additional information about the
packet, example:

len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0 

.B tos
is the type of service field of the IP header.

.B iplen
is the IP total len field

.B seq and ack
are the sequence and acknowledge 32bit numbers in the TCP header.

.B sum
is the TCP header checksum value

.B urp
is the TCP urgent pointer value

.SH UDP OUTPUT FORMAT

The standard output format is:

len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms

The field meaning is just the same as the TCP output meaning of the
same fields.

.SH ICMP OUTPUT FORMAT

An example of ICMP output is:

ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net

It is very simple to understand. It starts with the string "ICMP"
followed by the description of the ICMP error, Port Unreachable
in the example. The ip field is the IP source address of the IP
datagram containing the ICMP error, the name field is just the
numerical address resolved to a name (a dns PTR request) or UNKNOWN if the
resolution failed.

The ICMP Time exceeded during transit or reassembly format is a bit
different:

TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net

TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN   

The only difference is the description of the error, it starts with
TTL 0.

.SH AUTHOR
Salvatore Sanfilippo <antirez@invece.org>, with the help of the people mentioned in AUTHORS file and at http://www.hping.org/authors.html
.SH BUGS
Even using the --end and --safe options to transfer files the final packet
will be padded with 0x00 bytes.
.PP
Data is read without care about alignment, but alignment is enforced
in the data structures.
This will not be a problem under i386 but, while usually the TCP/IP
headers are naturally aligned, may create problems with different
processors and bogus packets if there is some unaligned access around
the code (hopefully none).
.PP
On solaris hping does not work on the loopback interface. This seems
a solaris problem, as stated in the tcpdump-workers mailing list,
so the libpcap can't do nothing to handle it properly.
.SH SEE ALSO
ping(8), traceroute(8), ifconfig(8), nmap(1)