nping - man pages section 1: User Commands

Language:

nping (1)

Name

nping - Network packet generation tool / ping utility

Synopsis

nping [Options] {targets}

Description

Nping Reference Guide NPING(1)

NAME
nping - Network packet generation tool / ping utility

SYNOPSIS
nping [Options] {targets}

DESCRIPTION
Nping is an open-source tool for network packet generation,
response analysis and response time measurement. Nping
allows users to generate network packets of a wide range of
protocols, letting them tune virtually any field of the
protocol headers. While Nping can be used as a simple ping
utility to detect active hosts, it can also be used as a raw
packet generator for network stack stress tests, ARP
poisoning, Denial of Service attacks, route tracing, and
other purposes.

Additionally, Nping offers a special mode of operation
called the "Echo Mode", that lets users see how the
generated probes change in transit, revealing the
differences between the transmitted packets and the packets
received at the other end. See section "Echo Mode" for
details.

The output from Nping is a list of the packets that are
being sent and received. The level of detail depends on the
options used.

A typical Nping execution is shown in Example 1. The only
Nping arguments used in this example are -c, to specify the
number of times to target each host, --tcp to specify TCP
Probe Mode, -p 80,433 to specify the target ports; and then
the two target hostnames.

Example 1. A representative Nping execution

# nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com

Starting Nping ( http://nmap.org/nping )
SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40 seq=1077657388 win=1480
RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44 seq=4158134847 win=5840 <mss 1460>
SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40 seq=1077657388 win=1480
RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44 seq=2650443864 win=5720 <mss 1430>
SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40 seq=1077657388 win=1480
SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40 seq=1077657388 win=1480

Nping Last change: 11/29/2012 1

Nping Reference Guide NPING(1)

OPTIONS SUMMARY
This options summary is printed when Nping is run with no
arguments. It helps people remember the most common options,
but is no substitute for the in-depth documentation in the
rest of this manual. Some obscure options aren't even
included here.

Nping 0.5.59BETA1 ( http://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}

TARGET SPECIFICATION:
Targets may be specified as hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
PROBE MODES:
--tcp-connect : Unprivileged TCP connect probe mode.
--tcp : TCP probe mode.
--udp : UDP probe mode.
--icmp : ICMP probe mode.
--arp : ARP/RARP probe mode.
--tr, --traceroute : Traceroute mode (can only be used with
TCP/UDP/ICMP modes).
TCP CONNECT MODE:
-p, --dest-port <port spec> : Set destination port(s).
-g, --source-port <portnumber> : Try to use a custom source port.
TCP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec> : Set destination port(s).
--seq <seqnumber> : Set sequence number.
--flags <flag list> : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
--ack <acknumber> : Set ACK number.
--win <size> : Set window size.
--badsum : Use a random invalid checksum.
UDP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec> : Set destination port(s).
--badsum : Use a random invalid checksum.
ICMP PROBE MODE:
--icmp-type <type> : ICMP type.
--icmp-code <code> : ICMP code.
--icmp-id <id> : Set identifier.
--icmp-seq <n> : Set sequence number.
--icmp-redirect-addr <addr> : Set redirect address.
--icmp-param-pointer <pnt> : Set parameter problem pointer.
--icmp-advert-lifetime <time> : Set router advertisement lifetime.
--icmp-advert-entry <IP,pref> : Add router advertisement entry.
--icmp-orig-time <timestamp> : Set originate timestamp.
--icmp-recv-time <timestamp> : Set receive timestamp.

Nping Last change: 11/29/2012 2

Nping Reference Guide NPING(1)

--icmp-trans-time <timestamp> : Set transmit timestamp.
ARP/RARP PROBE MODE:
--arp-type <type> : Type: ARP, ARP-reply, RARP, RARP-reply.
--arp-sender-mac <mac> : Set sender MAC address.
--arp-sender-ip <addr> : Set sender IP address.
--arp-target-mac <mac> : Set target MAC address.
--arp-target-ip <addr> : Set target IP address.
IPv4 OPTIONS:
-S, --source-ip : Set source IP address.
--dest-ip <addr> : Set destination IP address (used as an
alternative to {target specification} ).
--tos <tos> : Set type of service field (8bits).
--id <id> : Set identification field (16 bits).
--df : Set Don't Fragment flag.
--mf : Set More Fragments flag.
--ttl <hops> : Set time to live [0-255].
--badsum-ip : Use a random invalid checksum.
--ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
--ip-options <hex string> : Set IP options
--mtu <size> : Set MTU. Packets get fragmented if MTU is
small enough.
IPv6 OPTIONS:
-6, --IPv6 : Use IP version 6.
--dest-ip : Set destination IP address (used as an
alternative to {target specification}).
--hop-limit : Set hop limit (same as IPv4 TTL).
--traffic-class <class> : : Set traffic class.
--flow <label> : Set flow label.
ETHERNET OPTIONS:
--dest-mac <mac> : Set destination mac address. (Disables
ARP resolution)
--source-mac <mac> : Set source MAC address.
--ether-type <type> : Set EtherType value.
PAYLOAD OPTIONS:
--data <hex string> : Include a custom payload.
--data-string <text> : Include a custom ASCII text.
--data-length <len> : Include len random bytes as payload.
ECHO CLIENT/SERVER:
--echo-client <passphrase> : Run Nping in client mode.
--echo-server <passphrase> : Run Nping in server mode.
--echo-port <port> : Use custom <port> to listen or connect.
--no-crypto : Disable encryption and authentication.
--once : Stop the server after one connection.
--safe-payloads : Erase application data in echoed packets.
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
--delay <time> : Adjust delay between probes.
--rate <rate> : Send num packets per second.
MISC:
-h, --help : Display help information.
-V, --version : Display current version number.

Nping Last change: 11/29/2012 3

Nping Reference Guide NPING(1)

-c, --count <n> : Stop after <n> rounds.
-e, --interface <name> : Use supplied network interface.
-H, --hide-sent : Do not display sent packets.
-N, --no-capture : Do not try to capture replies.
--privileged : Assume user is fully privileged.
--unprivileged : Assume user lacks raw socket privileges.
--send-eth : Send packets at the raw ethernet layer.
--send-ip : Send packets using raw IP sockets.
--bpf-filter <filter spec> : Specify custom BPF filter.
OUTPUT:
-v : Increment verbosity level by one.
-v[level] : Set verbosity level. E.g: -v4
-d : Increment debugging level by one.
-d[level] : Set debugging level. E.g: -d3
-q : Decrease verbosity level by one.
-q[N] : Decrease verbosity level N times
--quiet : Set verbosity and debug level to minimum.
--debug : Set verbosity and debug to the max level.
EXAMPLES:
nping scanme.nmap.org
nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
nping --icmp --icmp-type time --delay 500ms 192.168.254.254
nping --echo-server "public" -e wlan0 -vvv
nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

TARGET SPECIFICATION
Everything on the Nping command line that isn't an option or
an option argument is treated as a target host
specification. Nping uses the same syntax for target
specifications that Nmap does. The simplest case is a single
target given by IP address or hostname.

Nping supports CIDR-style. addressing. You can append
/numbits to an IPv4 address or hostname and Nping will send
probes to every IP address for which the first numbits are
the same as for the reference IP or hostname given. For
example, 192.168.10.0/24 would send probes to the 256 hosts
between 192.168.10.0 (binary: 11000000 10101000 00001010
00000000) and 192.168.10.255 (binary: 11000000 10101000
00001010 11111111), inclusive. 192.168.10.40/24 would ping
exactly the same targets. Given that the host
scanme.nmap.org. is at the IP address 64.13.134.52, the
specification scanme.nmap.org/16 would send probes to the
65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
smallest allowed value is /0, which targets the whole
Internet. The largest value is /32, which targets just the
named host or IP address because all address bits are fixed.

Nping Last change: 11/29/2012 4

Nping Reference Guide NPING(1)

CIDR notation is short but not always flexible enough. For
example, you might want to send probes to 192.168.0.0/16 but
skip any IPs ending with .0 or .255 because they may be used
as subnet network and broadcast addresses. Nping supports
this through octet range addressing. Rather than specify a
normal IP address, you can specify a comma-separated list of
numbers or ranges for each octet. For example,
192.168.0-255.1-254 will skip all addresses in the range
that end in .0 or .255, and 192.168.3-5,7.1 will target the
four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and
192.168.7.1. Either side of a range may be omitted; the
default values are 0 on the left and 255 on the right. Using
- by itself is the same as 0-255, but remember to use 0- in
the first octet so the target specification doesn't look
like a command-line option. Ranges need not be limited to
the final octets: the specifier 0-.-.13.37 will send probes
to all IP addresses on the Internet ending in .13.37. This
sort of broad sampling can be useful for Internet surveys
and research.

IPv6 addresses can only be specified by their fully
qualified IPv6 address or hostname. CIDR and octet ranges
aren't supported for IPv6 because they are rarely useful.

Nping accepts multiple host specifications on the command
line, and they don't need to be the same type. The command
nping scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what
you would expect.

OPTION SPECIFICATION
Nping is designed to be very flexible and fit a wide variety
of needs. As with most command-line tools, its behavior can
be adjusted using command-line options. These general
principles apply to option arguments, unless stated
otherwise.

Options that take integer numbers can accept values
specified in decimal, octal or hexadecimal base. When a
number starts with 0x, it will be treated as hexadecimal;
when it simply starts with 0, it will be treated as octal.
Otherwise, Nping will assume the number has been specified
in base 10. Virtually all numbers that can be supplied from
the command line are unsigned so, as a general rule, the
minimum value is zero. Users may also specify the word
random or rand to make Nping generate a random value within
the expected range.

IP addresses may be given as IPv4 addresses (e.g.
192.168.1.1), IPv6 addresses (e.g.
2001:db8:85a3::8e4c:760:7146), or hostnames, which will be
resolved using the default DNS server configured in the host
system.

Nping Last change: 11/29/2012 5

Nping Reference Guide NPING(1)

Options that take MAC addresses accept the usual
colon-separated 6 hex byte format (e.g. 00:50:56:d4:01:98).
Hyphens may also be used instead of colons (e.g.
00-50-56-c0-00-08). The special word random or rand sets a
random address and the word broadcast or bcast sets
ff:ff:ff:ff:ff:ff.

GENERAL OPERATION
Unlike other ping and packet generation tools, Nping
supports multiple target host and port specifications. While
this provides great flexibility, it is not obvious how Nping
handles situations where there is more than one host and/or
more than one port to send probes to. This section explains
how Nping behaves in these cases.

When multiple target hosts are specified, Nping rotates
among them in round-robin fashion. This gives slow hosts
more time to send their responses before another probe is
sent to them. Ports are also scheduled using round robin.
So, unless only one port is specified, Nping never sends two
probes to the same target host and port consecutively.

The loop around targets is the "inner loop" and the loop
around ports is the "outer loop". All targets will be sent a
probe for a given port before moving on to the next port.
Between probes, Nping waits a configurable amount of time
called the "inter-probe delay", which is controlled by the
--delay option. These examples show how it works.

# nping --tcp -c 2 1.1.1.1 -p 100-102

Starting Nping ( http://nmap.org/nping )
SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102

# nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080

Starting Nping ( http://nmap.org/nping )
SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080

# nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139

Starting Nping ( http://nmap.org/nping )

Nping Last change: 11/29/2012 6

Nping Reference Guide NPING(1)

SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139

PROBE MODES
Nping supports a wide variety of protocols. Although in some
cases Nping can automatically determine the mode from the
options used, it is generally a good idea to specify it
explicitly.

--tcp-connect (TCP Connect mode) .
TCP connect mode is the default mode when a user does
not have raw packet privileges. Instead of writing raw
packets as most other modes do, Nping asks the
underlying operating system to establish a connection
with the target machine and port by issuing the connect
system call. This is the same high-level system call
that web browsers, P2P clients, and most other
network-enabled applications use to establish a
connection. It is part of a programming interface known
as the Berkeley Sockets API. Rather than read raw packet
responses off the wire, Nping uses this API to obtain
status information on each connection attempt. For this
reason, you will not be able to see the contents of the
packets that are sent or received but only status
information about the TCP connection establishment
taking place.

--tcp (TCP mode) .
TCP is the mode that lets users create and send any kind
of TCP packet. TCP packets are sent embedded in IP
packets that can also be tuned. This mode can be used
for many different purposes. For example you could try
to discover open ports by sending TCP SYN messages
without completing the three-way handshake. This
technique is often referred to as half-open scanning,
because you don't open a full TCP connection. You send a
SYN packet, as if you are going to open a real
connection and then wait for a response. A SYN/ACK
indicates the port is open, while a RST indicates it's
closed. If no response is received one could assume that
some intermediate network device is filtering the
responses. Another use could be to see how a remote
TCP/IP stack behaves when it receives a
non-RFC-compliant packet, like one with both SYN and RST
flags set. One could also do some evil by creating

Nping Last change: 11/29/2012 7

Nping Reference Guide NPING(1)

custom RST packets using an spoofed IP address with the
intent of closing an active TCP connection.

--udp (UDP mode) .
UDP mode can have two different behaviours. Under normal
circumstances, it lets users create custom IP/UDP
packets. However, if Nping is run by a user without raw
packet privileges and no changes to the default protocol
headers are requested, then Nping enters the
unprivileged UDP mode which basically sends UDP packets
to the specified target hosts and ports using the sendto
system call. Note that in this unprivileged mode it is
not possible to see low-level header information of the
packets on the wire but only status information about
the amount of bytes that are being transmitted and
received. UDP mode can be used to interact with any
UDP-based server. Examples are DNS servers, streaming
servers, online gaming servers, and port
knocking/single-packet. authorization daemons.

--icmp (ICMP mode) .
ICMP mode is the default mode when the user runs Nping
with raw packet privileges. Any kind of ICMP message can
be created. The default ICMP type is Echo, i.e., ping.
ICMP mode can be used for many different purposes, from
a simple request for a timestamp or a netmask to the
transmission of fake destination unreachable messages,
custom redirects, and router advertisements.

--arp (ARP/RARP mode) .
ARP lets you create and send a few different ARP-related
packets. These include ARP, RARP, DRARP, and InARP
requests and replies. This mode can ban be used to
perform low-level host discovery, and conduct ARP-cache
poisoning attacks.

--traceroute (Traceroute mode) .
Traceroute is not a mode by itself but a complement to
TCP, UDP, and ICMP modes. When this option is specified
Nping will set the IP TTL value of the first probe to 1.
When the next router receives the packet it will drop it
due to the expiration of the TTL and it will generate an
ICMP destination unreachable message. The next probe
will have a TTL of 2 so now the first router will
forward the packet while the second router will be the
one that drops the packet and generates the ICMP
message. The third probe will have a TTL value of 3 and
so on. By examining the source addresses of all those
ICMP Destination Unreachable messages it is possible to
determine the path that the probes take until they reach
their final destination.

Nping Last change: 11/29/2012 8

Nping Reference Guide NPING(1)

TCP CONNECT MODE
-p port_spec, --dest-port port_spec (Target ports) .
This option specifies which ports you want to try to
connect to. It can be a single port, a comma-separated
list of ports (e.g. 80,443,8080), a range (e.g.
1-1023), and any combination of those (e.g.
21-25,80,443,1024-2048). The beginning and/or end values
of a range may be omitted, causing Nping to use 1 and
65535, respectively. So you can specify -p- to target
ports from 1 through 65535. Using port zero is allowed
if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)
.
This option asks Nping to use the specified port as
source port for the TCP connections. Note that this
might not work on all systems or may require root
privileges. Specified value must be an integer in the
range [0-65535].

TCP MODE
-p port_spec, --dest-port port_spec (Target ports)
This option specifies which destination ports you want
to send probes to. It can be a single port, a
comma-separated list of ports (e.g. 80,443,8080), a
range (e.g. 1-1023), and any combination of those (e.g.
21-25,80,443,1024-2048). The beginning and/or end values
of a range may be omitted, causing Nping to use 1 and
65535, respectively. So you can specify -p- to target
ports from 1 through 65535. Using port zero is allowed
if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)
This option asks Nping to use the specified port as
source port for the TCP connections. Note that this
might not work on all systems or may require root
privileges. Specified value must be an integer in the
range [0-65535].

--seq seqnumber (Sequence Number) .
Specifies the TCP sequence number. In SYN packets this
is the initial sequence number (ISN). In a normal
transmission this corresponds to the sequence number of
the first byte of data in the segment. seqnumber must
be a number in the range [0-4294967295].

--flags flags (TCP Flags) .
This option specifies which flags should be set in the
TCP packet. flags may be specified in three different
ways:

1. As a comma-separated list of flags, e.g. --flags

Nping Last change: 11/29/2012 9

Nping Reference Guide NPING(1)

syn,ack,rst

2. As a list of one-character flag initials, e.g.
--flags SAR tells Nping to set flags SYN, ACK, and
RST.

3. As an 8-bit hexadecimal number, where the supplied
number is the exact value that will be placed in the
flags field of the TCP header. The number should
start with the prefix 0x and should be in the range
[0x00-0xFF], e.g. --flags 0x20 sets the URG flag as
0x20 corresponds to binary 00100000 and the URG flag
is represented by the third bit.

There are 8 possible flags to set: CWR, ECN, URG, ACK,
PSH, RST, SYN, and FIN. The special value ALL means to
set all flags. NONE means to set no flags. It is
important that if you don't want any flag to be set, you
request it explicitly because in some cases the SYN flag
may be set by default. Here is a brief description of
the meaning of each flag:

CWR (Congestion Window Reduced) .
Set by an ECN-Capable sender when it reduces its
congestion window (due to a retransmit timeout, a
fast retransmit or in response to an ECN
notification.

ECN (Explicit Congestion Notification) .
During the three-way handshake it indicates that
sender is capable of performing explicit congestion
notification. Normally it means that a packet with
the IP Congestion Experienced flag set was received
during normal transmission. See RFC 3168. for more
information.

URG (Urgent) .
Segment is urgent and the urgent pointer field
carries valid information.

ACK (Acknowledgement) .
The segment carries an acknowledgement and the value
of the acknowledgement number field is valid and
contains the next sequence number that is expected
from the receiver.

PSH (Push) .
The data in this segment should be immediately
pushed to the application layer on arrival.

RST (Reset) .
There was some problem and the sender wants to abort

Nping Last change: 11/29/2012 10

Nping Reference Guide NPING(1)

the connection.

SYN (Synchronize) .
The segment is a request to synchronize sequence
numbers and establish a connection. The sequence
number field contains the sender's initial sequence
number.

FIN (Finish) .
The sender wants to close the connection.

--win size (Window Size) .
Specifies the TCP window size, this is, the number of
octets the sender of the segment is willing to accept
from the receiver at one time. This is usually the size
of the reception buffer that the OS allocates for a
given connection. size must be a number in the range
[0-65535].

--badsum (Invalid Checksum) .
Asks Nping to use an invalid TCP checksum for the
packets sent to target hosts. Since virtually all host
IP stacks properly drop these packets, any responses
received are likely coming from a firewall or an IDS
that didn't bother to verify the checksum. For more
details on this technique, see blue]-
http://nmap.org/p60-12.html].

UDP MODE
-p port_spec, --dest-port port_spec (Target ports) .
This option specifies which ports you want UDP datagrams
to be sent to. It can be a single port, a
comma-separated list of ports (e.g. 80,443,8080), a
range (e.g. 1-1023), and any combination of those (e.g.
21-25,80,443,1024-2048). The beginning and/or end values
of a range may be omitted, causing Nping to use 1 and
65535, respectively. So you can specify -p- to target
ports from 1 through 65535. Using port zero is allowed
if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)
.
This option asks Nping to use the specified port as
source port for the transmitted datagrams. Note that
this might not work on all systems or may require root
privileges. Specified value must be an integer in the
range [0-65535].

--badsum (Invalid Checksum)
Asks Nping to use an invalid UDP checksum for the
packets sent to target hosts. Since virtually all host
IP stacks properly drop these packets, any responses

Nping Last change: 11/29/2012 11

Nping Reference Guide NPING(1)

received are likely coming from a firewall or an IDS
that didn't bother to verify the checksum. For more
details on this technique, see blue]-
http://nmap.org/p60-12.html].

ICMP MODE
--icmp-type type (ICMP type) .
This option specifies which type of ICMP messages should
be generated. type can be supplied in two different
ways. You can use the blue]official type numbers
assigned by IANA][1] (e.g. --icmp-type 8 for ICMP Echo
Request), or you can use any of the mnemonics listed in
the section called "ICMP Types".

--icmp-code code (ICMP code) .
This option specifies which ICMP code should be included
in the generated ICMP messages. code can be supplied in
two different ways. You can use the blue]official code
numbers assigned by IANA][1] (e.g. --icmp-code 1 for
Fragment Reassembly Time Exceeded), or you can use any
of the mnemonics listed in the section called "ICMP
Codes".

--icmp-id id (ICMP identifier) .
This option specifies the value of the identifier used
in some of the ICMP messages. In general it is used to
match request and reply messages. id must be a number
in the range [0-65535].

--icmp-seq seq (ICMP sequence) .
This option specifies the value of the sequence number
field used in some ICMP messages. In general it is used
to match request and reply messages. id must be a
number in the range [0-65535].

--icmp-redirect-addr addr (ICMP Redirect address) .
This option sets the address field in ICMP Redirect
messages. In other words, it sets the IP address of the
router that should be used when sending IP datagrams to
the original destination. addr can be either an IPv4
address or a hostname.

--icmp-param-pointer pointer (ICMP Parameter Problem
pointer) .
This option specifies the pointer that indicates the
location of the problem in ICMP Parameter Problem
messages. pointer should be a number in the range
[0-255]. Normally this option is only used when ICMP
code is set to 0 ("Pointer indicates the error").

--icmp-advert-lifetime ttl (ICMP Router Advertisement
Lifetime) .

Nping Last change: 11/29/2012 12

Nping Reference Guide NPING(1)

This option specifies the router advertisement lifetime,
this is, the number of seconds the information carried
in an ICMP Router Advertisement can be considered valid
for. ttl must be a positive integer in the range
[0-65535].

--icmp-advert-entry addr,pref (ICMP Router Advertisement
Entry) .
This option adds a Router Advertisement entry to an ICMP
Router Advertisement message. The parameter must be two
values separated by a comma. addr is the router's IP
and can be specified either as an IP address in
dot-decimal notation or as a hostname. pref is the
preference level for the specified IP. It must be a
number in the range [0-4294967295]. An example is
--icmp-advert-entry 192.168.128.1,3.

--icmp-orig-time timestamp (ICMP Originate Timestamp) .
This option sets the Originate Timestamp in ICMP
Timestamp messages. The Originate Timestamp is expressed
as the number of milliseconds since midnight UTC and it
corresponds to the time the sender last touched the
Timestamp message before its transmission. timestamp
can be specified as a regular time (e.g. 10s, 3h,
1000ms), or the special string now. You can add or
subtract values from now, for example --icmp-orig-time
now-2s, --icmp-orig-time now+1h, --icmp-orig-time
now+200ms.

--icmp-recv-time timestamp (ICMP Receive Timestamp) .
This option sets the Receive Timestamp in ICMP Timestamp
messages. The Receive Timestamp is expressed as the
number of milliseconds since midnight UTC and it
corresponds to the time the echoer first touched the
Timestamp message on receipt. timestamp is as with
--icmp-orig-time.

--icmp-trans-time timestamp (ICMP Transmit Timestamp) .
This option sets the Transmit Timestamp in ICMP
Timestamp messages. The Transmit Timestamp is expressed
as the number of milliseconds since midnight UTC and it
corresponds to the time the echoer last touched the
Timestamp message before its transmission. timestamp is
as with --icmp-orig-time.

ICMP Types
These identifiers may be used as mnemonics for the ICMP type
numbers given to the --icmp-type. option. In general there
are three forms of each identifier: the full name (e.g.
destination-unreachable), the short name (e.g. dest-unr),
or the initials (e.g. du). In ICMP types that request
something, the word "request" is omitted.

Nping Last change: 11/29/2012 13

Nping Reference Guide NPING(1)

echo-reply, echo-rep, er
Echo Reply (type 0). This message is sent in response to
an Echo Request message.

destination-unreachable, dest-unr, du
Destination Unreachable (type 3). This message indicates
that a datagram could not be delivered to its
destination.

source-quench, sour-que, sq
Source Quench (type 4). This message is used by a
congested IP device to tell other device that is sending
packets too fast and that it should slow down.

redirect, redi, r
Redirect (type 5). This message is normally used by
routers to inform a host that there is a better route to
use for sending datagrams. See also the
--icmp-redirect-addr option.

echo-request, echo, e
Echo Request (type 8). This message is used to test the
connectivity of another device on a network.

router-advertisement, rout-adv, ra
Router Advertisement (type 9). This message is used by
routers to let hosts know of their existence and
capabilities. See also the --icmp-advert-lifetime
option.

router-solicitation, rout-sol, rs
Router Solicitation (type 10). This message is used by
hosts to request Router Advertisement messages from any
listening routers.

time-exceeded, time-exc, te
Time Exceeded (type 11). This message is generated by
some intermediate device (normally a router) to indicate
that a datagram has been discarded before reaching its
destination because the IP TTL expired.

parameter-problem, member-pro, pp
Parameter Problem (type 12). This message is used when a
device finds a problem with a parameter in an IP header
and it cannot continue processing it. See also the
--icmp-param-pointer option.

timestamp, time, tm
Timestamp Request (type 13). This message is used to
request a device to send a timestamp value for
propagation time calculation and clock synchronization.
See also the --icmp-orig-time, --icmp-recv-time, and

Nping Last change: 11/29/2012 14

Nping Reference Guide NPING(1)

--icmp-trans-time.

timestamp-reply, time-rep, tr
Timestamp Reply (type 14). This message is sent in
response to a Timestamp Request message.

information, info, i
Information Request (type 15). This message is now
obsolete but it was originally used to request
configuration information from another device.

information-reply, info-rep, ir
Information Reply (type 16). This message is now
obsolete but it was originally sent in response to an
Information Request message to provide configuration
information.

mask-request, mask, m
Address Mask Request (type 17). This message is used to
ask a device to send its subnet mask.

mask-reply, mask-rep, mr
Address Mask Reply (type 18). This message contains a
subnet mask and is sent in response to a Address Mask
Request message.

traceroute, trace, tc
Traceroute (type 30). This message is normally sent by
an intermediate device when it receives an IP datagram
with a traceroute option. ICMP Traceroute messages are
still experimental, see RFC 1393. for more information.

ICMP Codes
These identifiers may be used as mnemonics for the ICMP code
numbers given to the --icmp-code. option. They are listed
by the ICMP type they correspond to.

Destination Unreachable

network-unreachable, netw-unr, net
Code 0. Datagram could not be delivered to its
destination network (probably due to some routing
problem).

host-unreachable, host-unr, host
Code 1. Datagram was delivered to the destination
network but it was impossible to reach the specified
host (probably due to some routing problem).

protocol-unreachable, prot-unr, proto
Code 2. The protocol specified in the Protocol field
of the IP datagram is not supported by the host to

Nping Last change: 11/29/2012 15

Nping Reference Guide NPING(1)

which the datagram was delivered.

port-unreachable, port-unr, port
Code 3. The TCP/UDP destination port was invalid.

needs-fragmentation, need-fra, frag
Code 4. Datagram had the DF bit set but it was too
large for the MTU of the next physical network so it
had to be dropped.

source-route-failed, sour-rou, routefail
Code 5. IP datagram had a Source Route option but a
router couldn't pass it to the next hop.

network-unknown, netw-unk, net?
Code 6. Destination network is unknown. This code is
never used. Instead, Network Unreachable is used.

host-unknown, host-unk, host?
Code 7. Specified host is unknown. Usually generated
by a router local to the destination host to inform
of a bad address.

host-isolated, host-iso, isolated
Code 8. Source Host Isolated. Not used.

network-prohibited, netw-pro, !net
Code 9. Communication with destination network is
administratively prohibited (source device is not
allowed to send packets to the destination network).

host-prohibited, host-pro, !host
Code 10. Communication with destination host is
administratively prohibited. (The source device is
allowed to send packets to the destination network
but not to the destination device.)

network-tos, unreachable-network-tos, netw-tos, tosnet
Code 11. Destination network unreachable because it
cannot provide the type of service specified in the
IP TOS field.

host-tos, unreachable-host-tos, toshost
Code 12. Destination host unreachable because it
cannot provide the type of service specified in the
IP TOS field.

communication-prohibited, comm-pro, !comm
Code 13. Datagram could not be forwarded due to
filtering that blocks the message based on its
contents.

Nping Last change: 11/29/2012 16

Nping Reference Guide NPING(1)

host-precedence-violation, precedence-violation,
prec-vio, violation
Code 14. Precedence value in the IP TOS field is not
permitted.

precedence-cutoff, prec-cut, cutoff
Code 15. Precedence value in the IP TOS field is
lower than the minimum allowed for the network.

Redirect

redirect-network, redi-net, net
Code 0. Redirect all future datagrams with the same
destination network as the original datagram, to the
router specified in the Address field. The use of
this code is prohibited by RFC 1812..

redirect-host, redi-host, host
Code 1. Redirect all future datagrams with the same
destination host as the original datagram, to the
router specified in the Address field.

redirect-network-tos, redi-ntos, redir-ntos
Code 2. Redirect all future datagrams with the same
destination network and IP TOS value as the original
datagram, to the router specified in the Address
field. The use of this code is prohibited by RFC
1812.

redirect-host-tos, redi-htos, redir-htos
Code 3. Redirect all future datagrams with the same
destination host and IP TOS value as the original
datagram, to the router specified in the Address
field.

Router Advertisement

normal-advertisement, norm-adv, normal, zero, default,
def
Code 0. Normal router advertisement. In Mobile IP:
Mobility agent can act as a router for IP datagrams
not related to mobile nodes.

not-route-common-traffic, not-rou, mobile-ip, !route,
!commontraffic
Code 16. Used for Mobile IP. The mobility agent does
not route common traffic. All foreign agents must
forward to a default router any datagrams received
from a registered mobile node

Time Exceeded

Nping Last change: 11/29/2012 17

Nping Reference Guide NPING(1)

ttl-exceeded-in-transit, ttl-exc, ttl-transit
Code 0. IP Time To Live expired during transit.

fragment-reassembly-time-exceeded, frag-exc, frag-time
Code 1. Fragment reassembly time has been exceeded.

Parameter Problem

pointer-indicates-error, poin-ind, pointer
Code 0. The pointer field indicates the location of
the problem. See the --icmp-param-pointer option.

missing-required-option, miss-option, option-missing
Code 1. IP datagram was expected to have an option
that is not present.

bad-length, bad-len, badlen
Code 2. The length of the IP datagram is incorrect.

ARP MODE
--arp-type type (ICMP Type) .
This option specifies which type of ARP messages should
be generated. type can be supplied in two different
ways. You can use the blue]official numbers assigned by
IANA][2] (e.g. --arp-type 1 for ARP Request), or you
can use one of the mnemonics from the section called
"ARP Types".

--arp-sender-mac mac (Sender MAC address) .
This option sets the Sender Hardware Address field of
the ARP header. Although ARP supports many types of link
layer addresses, currently Nping only supports MAC
addresses. mac must be specified using the traditional
MAC notation (e.g. 00:0a:8a:32:f4:ae). You can also use
hyphens as separators (e.g. 00-0a-8a-32-f4-ae).

--arp-sender-ip addr (Sender IP address) .
This option sets the Sender IP field of the ARP header.
addr can be given as an IPv4 address or a hostname.

--arp-target-mac mac (target MAC address) .
This option sets the Target Hardware Address field of
the ARP header.

--arp-target-ip addr (target ip address) .
This option sets the Target IP field of the ARP header.

ARP Types
These identifiers may be used as mnemonics for the ARP type
numbers given to the --arp-type. option.

Nping Last change: 11/29/2012 18

Nping Reference Guide NPING(1)

arp-request, arp, a
ARP Request (type 1). ARP requests are used to translate
network layer addresses (normally IP addresses) to link
layer addresses (usually MAC addresses). Basically, and
ARP request is a broadcasted message that asks the host
in the same network segment that has a given IP address
to provide its MAC address.

arp-reply, arp-rep, ar
ARP Reply (type 2). An ARP reply is a message that a
host sends in response to an ARP request to provide its
link layer address.

rarp-request, rarp, r
RARP Requests (type 3). RARP requests are used to
translate a link layer address (normally a MAC address)
to a network layer address (usually an IP address).
Basically a RARP request is a broadcasted message sent
by a host that wants to know his own IP address because
it doesn't have any. It was the first protocol designed
to solve the bootstrapping problem. However, RARP is now
obsolete and DHCP is used instead. For more information
about RARP see RFC 903..

rarp-reply, rarp-rep, rr
RARP Reply (type 4). A RARP reply is a message sent in
response to a RARP request to provide an IP address to
the host that sent the RARP request in the first place.

drarp-request, drarp, d
Dynamic RARP Request (type 5). Dynamic RARP is an
extension to RARP used to obtain or assign a network
layer address from a fixed link layer address. DRARP was
used mainly in Sun Microsystems platforms in the late
90's but now it's no longer used. See RFC 1931. for
more information.

drarp-reply, drarp-rep, dr
Dynamic RARP Reply (type 6). A DRARP reply is a message
sent in response to a RARP request to provide network
layer address.

drarp-error, drarp-err, de
DRARP Error (type 7). DRARP Error messages are usually
sent in response to DRARP requests to inform of some
error. In DRARP Error messages, the Target Protocol
Address field is used to carry an error code (usually in
the first byte). The error code is intended to tell why
no target protocol address is being returned. For more
information see RFC 1931.

Nping Last change: 11/29/2012 19

Nping Reference Guide NPING(1)

inarp-request, inarp, i
Inverse ARP Request (type 8). InARP requests are used to
translate a link layer address to a network layer
address. It is similar to RARP request but in this case,
the sender of the InARP request wants to know the
network layer address of another node, not its own
address. InARP is mainly used in Frame Relay and ATM
networks. For more information see RFC 2390..

inarp-reply, inarp-rep, ir
Inverse ARP Reply (type 9). InARP reply messages are
sent in response to InARP requests to provide the
network layer address associated with the host that has
a given link layer address.

arp-nak, an
ARP NAK (type 10). ARP NAK messages are an extension to
the ATMARP protocol and they are used to improve the
robustness of the ATMARP server mechanism. With ARP NAK,
a client can determine the difference between a
catastrophic server failure and an ATMARP table lookup
failure. See RFC 1577. for more information.

IPV4 OPTIONS
-S addr, --source-ip addr (Source IP Address) .
Sets the source IP address. This option lets you specify
a custom IP address to be used as source IP address in
sent packets. This allows spoofing the sender of the
packets. addr can be an IPv4 address or a hostname.

--dest-ip addr (Destination IP Address) .
Adds a target to Nping's target list. This option is
provided for consistency but its use is deprecated in
favor of plain target specifications. See the section
called "TARGET SPECIFICATION".

--tos tos (Type of Service) .
Sets the IP TOS field. The TOS field is used to carry
information to provide quality of service features. It
is normally used to support a technique called
Differentiated Services. See RFC 2474. for more
information. tos must be a number in the range [0-255].

--id id (Identification) .
Sets the IPv4 Identification field. The Identification
field is a 16-bit value that is common to all fragments
belonging to a particular message. The value is used by
the receiver to reassemble the original message from the
fragments received. id must be a number in the range
[0-65535].

Nping Last change: 11/29/2012 20

Nping Reference Guide NPING(1)

--df (Don't Fragment) .
Sets the Don't Fragment bit in sent packets. When an IP
datagram has its DF flag set, intermediate devices are
not allowed to fragment it so if it needs to travel
across a network with a MTU smaller that datagram length
the datagram will have to be dropped. Normally an ICMP
Destination Unreachable message is generated and sent
back to the sender.

--md (More Fragments) .
Sets the More Fragments bit in sent packets. The MF flag
is set to indicate the receiver that the current
datagram is a fragment of some larger datagram. When set
to zero it indicates that the current datagram is either
the last fragment in the set or that it is the only
fragment.

--ttl hops (Time To Live) .
Sets the IPv4 Time-To-Live (TTL) field in sent packets
to the given value. The TTL field specifies how long the
datagram is allowed to exist on the network. It was
originally intended to represent a number of seconds but
it actually represents the number of hops a packet can
traverse before being dropped. The TTL tries to avoid a
situation in which undeliverable datagrams keep being
forwarded from one router to another endlessly. hops
must be a number in the range [0-255].

--badsum-ip (Invalid IP checksum) .
Asks Nping to use an invalid IP checksum for packets
sent to target hosts. Note that some systems (like most
Linux kernels), may fix the checksum before placing the
packet on the wire, so even if Nping shows the incorrect
checksum in its output, the packets may be transparently
corrected by the kernel.

--ip-options S|R [route]|L [route]|T|U ..., --ip-options hex
string (IP Options) .
The IP protocol offers several options which may be
placed in packet headers. Unlike the ubiquitous TCP
options, IP options are rarely seen due to practicality
and security concerns. In fact, many Internet routers
block the most dangerous options such as source routing.
Yet options can still be useful in some cases for
determining and manipulating the network route to target
machines. For example, you may be able to use the record
route option to determine a path to a target even when
more traditional traceroute-style approaches fail. Or if
your packets are being dropped by a certain firewall,
you may be able to specify a different route with the
strict or loose source routing options.

Nping Last change: 11/29/2012 21

Nping Reference Guide NPING(1)

The most powerful way to specify IP options is to simply
pass in hexadecimal data as the argument to
--ip-options. Precede each hex byte value with \x. You
may repeat certain characters by following them with an
asterisk and then the number of times you wish them to
repeat. For example, \x01\x07\x04\x00*4 is the same as
\x01\x07\x04\x00\x00\x00\x00.

Note that if you specify a number of bytes that is not a
multiple of four, an incorrect IP header length will be
set in the IP packet. The reason for this is that the IP
header length field can only express multiples of four.
In those cases, the length is computed by dividing the
header length by 4 and rounding down. This will affect
the way the header that follows the IP header is
interpreted, showing bogus information in Nping or in
the output of any sniffer. Although this kind of
situation might be useful for some stack stress tests,
users would normally want to specify explicit padding,
so the correct header length is set.

Nping also offers a shortcut mechanism for specifying
options. Simply pass the letter R, T, or U to request
record-route, record-timestamp, or both options
together, respectively. Loose or strict source routing
may be specified with an L or S followed by a space and
then a space-separated list of IP addresses.

For more information and examples of using IP options
with Nping, see the mailing list post at blue]-
http://seclists.org/nmap-dev/2006/q3/0052.html].

--mtu size (Maximum Transmission Unit) .
This option sets a fictional MTU in Nping so IP
datagrams larger than size are fragmented before
transmission. size must be specified in bytes and
corresponds to the number of octets that can be carried
on a single link-layer frame.

IPV6 OPTIONS
-6, --ipv6 (Use IPv6) .
Tells Nping to use IP version 6 instead of the default
IPv4. It is generally a good idea to specify this option
as early as possible in the command line so Nping can
parse it soon and know in advance that the rest of the
parameters refer to IPv6. The command syntax is the same
as usual except that you also add the -6 option. Of
course, you must use IPv6 syntax if you specify an
address rather than a hostname. An address might look
like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so
hostnames are recommended.

Nping Last change: 11/29/2012 22

Nping Reference Guide NPING(1)

While IPv6 hasn't exactly taken the world by storm, it
gets significant use in some (usually Asian) countries
and most modern operating systems support it. To use
Nping with IPv6, both the source and target of your
packets must be configured for IPv6. If your ISP (like
most of them) does not allocate IPv6 addresses to you,
free tunnel brokers are widely available and work fine
with Nping. You can use the free IPv6 tunnel broker
service at blue]http://www.tunnelbroker.net].

Please note that IPv6 support is still highly
experimental and many modes and options may not work
with it.

-S addr, --source-ip addr (Source IP Address) .
Sets the source IP address. This option lets you specify
a custom IP address to be used as source IP address in
sent packets. This allows spoofing the sender of the
packets. addr can be an IPv6 address or a hostname.

--flow label (Flow Label) .
Sets the IPv6 Flow Label. The Flow Label field is 20
bits long and is intended to provide certain
quality-of-service properties for real-time datagram
delivery. However, it has not been widely adopted, and
not all routers or endpoints support it. Check RFC 2460.
for more information. label must be an integer in the
range [0-1048575].

--traffic-class class (Traffic Class) .
Sets the IPv6 Traffic Class. This field is similar to
the TOS field in IPv4, and is intended to provide the
Differentiated Services method, enabling scalable
service discrimination in the Internet without the need
for per-flow state and signaling at every hop. Check RFC
2474. for more information. class must be an integer
in the range [0-255].

--hop-limit hops (Hop Limit) .
Sets the IPv6 Hop Limit field in sent packets to the
given value. The Hop Limit field specifies how long the
datagram is allowed to exist on the network. It
represents the number of hops a packet can traverse
before being dropped. As with the TTL in IPv4, IPv6 Hop
Limit tries to avoid a situation in which undeliverable
datagrams keep being forwarded from one router to

Nping Last change: 11/29/2012 23

Nping Reference Guide NPING(1)

another endlessly. hops must be a number in the range
[0-255].

ETHERNET OPTIONS
In most cases Nping sends packets at the raw IP level. This
means that Nping creates its own IP packets and transmits
them through a raw socket. However, in some cases it may be
necessary to send packets at the raw Ethernet level. This
happens, for example, when Nping is run under Windows (as
Microsoft has disabled raw socket support since Windows XP
SP2), or when Nping is asked to send ARP packets. Since in
some cases it is necessary to construct ethernet frames,
Nping offers some options to manipulate the different
fields.

--dest-mac mac (Ethernet Destination MAC Address) .
This option sets the destination MAC address that should
be set in outgoing Ethernet frames. This is useful in
case Nping can't determine the next hop's MAC address or
when you want to route probes through a router other
than the configured default gateway. The MAC address
should have the usual format of six colon-separated
bytes, e.g. 00:50:56:d4:01:98. Alternatively, hyphens
may be used instead of colons. Use the word random or
rand to generate a random address, and broadcast or
bcast to use ff:ff:ff:ff:ff:ff. If you set up a bogus
destination MAC address your probes may not reach the
intended targets.

--source-mac mac (Ethernet Source MAC Address) .
This option sets the source MAC address that should be
set in outgoing Ethernet frames. This is useful in case
Nping can't determine your network interface MAC address
or when you want to inject traffic into the network
while hiding your network card's real address. The
syntax is the same as for --dest-mac. If you set up a
bogus source MAC address you may not receive probe
replies.

--ether-type type (Ethertype) .
This option sets the Ethertype field of the ethernet
frame. The Ethertype is used to indicate which protocol
is encapsulated in the payload. type can be supplied in
two different ways. You can use the blue]official
numbers listed by the IEEE][3] (e.g. --ether-type
0x0800 for IP version 4), or one of the mnemonics from
the section called "Ethernet Types".

Ethernet Types
These identifiers may be used as mnemonics for the Ethertype
numbers given to the --arp-type. option.

Nping Last change: 11/29/2012 24

Nping Reference Guide NPING(1)

ipv4, ip, 4
Internet Protocol version 4 (type 0x0800).

ipv6, 6
Internet Protocol version 6 (type 0x86DD).

arp
Address Resolution Protocol (type 0x0806).

rarp
Reverse Address Resolution Protocol (type 0x8035).

frame-relay, frelay, fr
Frame Relay (type 0x0808).

ppp
Point-to-Point Protocol (type 0x880B).

gsmp
General Switch Management Protocol (type 0x880C).

mpls
Multiprotocol Label Switching (type 0x8847).

mps-ual, mps
Multiprotocol Label Switching with Upstream-assigned
Label (type 0x8848).

mcap
Multicast Channel Allocation Protocol (type 0x8861).

pppoe-discovery, pppoe-d
PPP over Ethernet Discovery Stage (type 0x8863).

pppoe-session, pppoe-s
PPP over Ethernet Session Stage (type 0x8864).

ctag
Customer VLAN Tag Type (type 0x8100).

epon
Ethernet Passive Optical Network (type 0x8808).

pbnac
Port-based network access control (type 0x888E).

stag
Service VLAN tag identifier (type 0x88A8).

ethexp1
Local Experimental Ethertype 1 (type 0x88B5).

Nping Last change: 11/29/2012 25

Nping Reference Guide NPING(1)

ethexp2
Local Experimental Ethertype 2 (type 0x88B6).

ethoui
OUI Extended Ethertype (type 0x88B7).

preauth
Pre-Authentication (type 0x88C7).

lldp
Link Layer Discovery Protocol (type 0x88CC).

mac-security, mac-sec, macsec
Media Access Control Security (type 0x88E5).

mvrp
Multiple VLAN Registration Protocol (type 0x88F5).

mmrp
Multiple Multicast Registration Protocol (type 0x88F6).

frrr
Fast Roaming Remote Request (type 0x890D).

PAYLOAD OPTIONS
--data hex string (Append custom binary data to sent
packets) .
This option lets you include binary data as payload in
sent packets. hex string may be specified in any of the
following formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF...
or \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are
--data 0xdeadbeef and --data \xCA\xFE\x09. Note that if
you specify a number like 0x00ff no byte-order
conversion is performed. Make sure you specify the
information in the byte order expected by the receiver.

--data-string string (Append custom string to sent packets)
.
This option lets you include a regular string as payload
in sent packets. string can contain any string.
However, note that some characters may depend on your
system's locale and the receiver may not see the same
information. Also, make sure you enclose the string in
double quotes and escape any special characters from the
shell. Example: --data-string "Jimmy Jazz...".

--data-length len (Append random data to sent packets) .
This option lets you include len random bytes of data as
payload in sent packets. len must be an integer in the
range [0-65400]. However, values higher than 1400 are
not recommended because it may not be possible to
transmit packets due to network MTU limitations.

Nping Last change: 11/29/2012 26

Nping Reference Guide NPING(1)

ECHO MODE
The "Echo Mode" is a novel technique implemented by Nping
which lets users see how network packets change in transit,
from the host where they originated to the target machine.
Basically, the Echo mode turns Nping into two different
pieces: the Echo server and the Echo client. The Echo server
is a network service that has the ability to capture packets
from the network and send a copy ("echo them") to the
originating client through a side TCP channel. The Echo
client is the part that generates such network packets,
transmits them to the server, and receives their echoed
version through a side TCP channel that it has previously
established with the Echo server.

This scheme lets the client see the differences between the
packets that it sends and what is actually received by the
server. By having the server send back copies of the
received packets through the side channel, things like NAT
devices become immediately apparent to the client because it
notices the changes in the source IP address (and maybe even
source port). Other devices like those that perform traffic
shaping, changing TCP window sizes or adding TCP options
transparently between hosts, turn up too.

The Echo mode is also useful for troubleshooting routing and
firewall issues. Among other things, it can be used to
determine if the traffic generated by the Nping client is
being dropped in transit and never gets to its destination
or if the responses are the ones that don't get back to it.

Internally, client and server communicate over an encrypted
and authenticated channel, using the Nping Echo Protocol
(NEP), whose technical specification can be found in blue]-
http://nmap.org/svn/nping/docs/EchoProtoRFC.txt]

The following paragraphs describe the different options
available in Nping's Echo mode.

--ec passphrase, --echo-client passphrase (Run Echo client)
.
This option tells Nping to run as an Echo client.
passphrase is a sequence of ASCII characters that is
used used to generate the cryptographic keys needed for
encryption and authentication in a given session. The
passphrase should be a secret that is also known by the
server, and it may contain any number of printable ASCII
characters. Passphrases that contain whitespace or
special characters must be enclosed in double quotes.

When running Nping as an Echo client, most options from
the regular raw probe modes apply. The client may be
configured to send specific probes using flags like

Nping Last change: 11/29/2012 27

Nping Reference Guide NPING(1)

--tcp, --icmp or --udp. Protocol header fields may be
manipulated normally using the appropriate options (e.g.
--ttl, --seq, --icmp-type, etc.). The only exceptions
are ARP-related flags, which are not supported in Echo
mode, as protocols like ARP are closely related to the
data link layer and its probes can't pass through
different network segments.

--es passphrase, --echo-server passphrase (Run Echo server)
.
This option tells Nping to run as an Echo server.
passphrase is a sequence of ASCII characters that is
used used to generate the cryptographic keys needed for
encryption and authentication in a given session. The
passphrase should be a secret that is also known by the
clients, and it may contain any number of printable
ASCII characters. Passphrases that contain whitespace or
special characters must be enclosed in double quotes.
Note that although it is not recommended, it is possible
to use empty passphrases, supplying --echo-server "".
However, if what you want is to set up an open Echo
server, it is better to use option --no-crypto. See
below for details.

--ep port, --echo-port port (Set Echo TCP port number) .
This option asks Nping to use the specified TCP port
number for the Echo side channel connection. If this
option is used with --echo-server, it specifies the port
on which the server listens for connections. If it is
used with --echo-client, it specifies the port to
connect to on the remote host. By default, port number
9929 is used.

--nc, --no-crypto (Disable encryption and authentication) .
This option asks Nping not to use any cryptographic
operations during an Echo session. In practical terms,
this means that the Echo side channel session data will
be transmitted in the clear, and no authentication will
be performed by the server or client during the session
establishment phase. When --no-crypto is used, the
passphrase supplied with --echo-server or --echo-client
is ignored.

This option must be specified if Nping was compiled
without openSSL support. Note that, for technical
reasons, a passphrase still needs to be supplied after
the --echo-client or --echo-server flags, even though it
will be ignored.

The --no-crypto flag might be useful when setting up a
public Echo server, because it allows users to connect
to the Echo server without the need for any passphrase

Nping Last change: 11/29/2012 28

Nping Reference Guide NPING(1)

or shared secret. However, it is strongly recommended to
not use --no-crypto unless absolutely necessary. Public
Echo servers should be configured to use the passphrase
"public" or the empty passphrase (--echo-server "") as
the use of cryptography does not only provide
confidentiality and authentication but also message
integrity.

--once (Serve one client and quit) .
This option asks the Echo server to quit after serving
one client. This is useful when only a single Echo
session wants to be established as it eliminates the
need to access the remote host to shutdown the server.

--safe-payloads (Zero application data before echoing a
packet) .
This option asks the Echo server to erase any
application layer data found in client packets before
echoing them. When the option is enabled, the Echo
server parses the packets received from Echo clients and
tries to determine if they contain data beyond the
transport layer. If such data is found, it is
overwritten with zeroes before transmitting the packets
to the appropriate Echo client.

Echo servers can handle multiple simultaneous clients
running multiple echo sessions in parallel. In order to
determine which packet needs to be echoed to which
client and through which session, the Echo server uses
an heuristic algorithm. Although we have taken every
security measure that we could think of to prevent that
a client receives an echoed packet that it did not
generate, there is always a risk that our algorithm
makes a mistake and delivers a packet to the wrong
client. The --safe-payloads option is useful for public
echo servers or critical deployments where that kind of
mistake cannot be afforded.

The following examples illustrate how Nping's Echo mode can
be used to discover intermediate devices.

Example 2. Discovering NAT devices

# nping --echo-client "public" echo.nmap.org --udp

Starting Nping ( http://nmap.org/nping )
SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
[...]
SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28

Nping Last change: 11/29/2012 29

Nping Reference Guide NPING(1)

RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56

The output clearly shows the presence of a NAT device in the
client's local network. Note how the captured packet (CAPT)
differs from the SENT packet: the source address for the
original packets is in the reserved 10.0.0.0/8 range, while
the address seen by the server is 80.38.10.21, the Internet
side address of the NAT device. The source port was also
modified by the device. The line starting with RCVD
corresponds to the responses generated by the TCP/IP stack
of the machine where the Echo server is run.

Example 3. Discovering a transparent proxy

# nping --echo-client "public" echo.nmap.org --tcp -p80

Starting Nping ( http://nmap.org/nping )
SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44 seq=3647106954 win=16384 <mss 1460>
SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480
SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40 seq=567704200 win=1480

In this example, the output is a bit more tricky. The
absence of error messages shows that the Echo client has
successfully established an Echo session with the server.
However, no CAPT packets can be seen in the output. This
means that none of the transmitted packets reached the
server. Interestingly, a TCP SYN-ACK packet was received in
response to the first TCP-SYN packet (and also, it is known
that the target host does not have port 80 open). This
behavior reveals the presence of a transparent web proxy
cache server (which in this case is an old MS ISA server).

TIMING AND PERFORMANCE OPTIONS
--delay time (Delay between probes) .
This option lets you control for how long will Nping

Nping Last change: 11/29/2012 30

Nping Reference Guide NPING(1)

wait before sending the next probe. Like in many other
ping tools, the default delay is one second. time must
be a positive integer or floating point number. By
default it is specified in seconds, however you can give
an explicit unit by appending ms for milliseconds, s for
seconds, m for minutes, or h for hours (e.g. 2.5s, 45m,
2h).

--rate rate (Send probes at a given rate) .
This option specifies the number of probes that Nping
should send per second. This option and --delay are
inverses; --rate 20 is the same as --delay 0.05. If both
options are used, only the last one in the parameter
list counts.

MISCELLANEOUS OPTIONS
-h, --help (Display help) .
Displays help information and exits.

-V, --version (Display version) .
Displays the program's version number and quits.

-c rounds, --count rounds (Stop after a given number of
rounds) .
This option lets you specify the number of times that
Nping should loop over target hosts (and in some cases
target ports). Nping calls these "rounds". In a basic
execution with only one target (and only one target port
in TCP/UDP modes), the number of rounds matches the
number of probes sent to the target host. However, in
more complex executions where Nping is run against
multiple targets and multiple ports, the number of
rounds is the number of times that Nping sends a
complete set of probes that covers all target IPs and
all target ports. For example, if Nping is asked to send
TCP SYN packets to hosts 192.168.1.0-255 and ports 80
and 433, then 256 x 2 = 512 packets are sent in one
round. So if you specify -c 100, Nping will loop over
the different target hosts and ports 100 times, sending
a total of 256 x 2 x 100 = 51200 packets. By default
Nping runs for 5 rounds. If a value of 0 is specified,
Nping will run continuously.

-e name, --interface name (Set the network interface to be
used) .
This option tells Nping what interface should be used to
send and receive packets. Nping should be able to detect
this automatically, but it will tell you if it cannot.
name must be the name of an existing network interface
with an assigned IP address.

Nping Last change: 11/29/2012 31

Nping Reference Guide NPING(1)

--privileged (Assume that the user is fully privileged) .
Tells Nping to simply assume that it is privileged
enough to perform raw socket sends, packet sniffing, and
similar operations that usually require special
privileges. By default Nping quits if such operations
are requested by a user that has no root or
administrator privileges. This option may be useful on
Linux, BSD or similar systems that can be configured to
allow unprivileged users to perform raw-packet
transmissions. The NPING_PRIVILEGED. environment
variable may be set as an alternative to using
--privileged.

--unprivileged (Assume that the user lacks raw socket
privileges) .
This option is the opposite of --privileged. It tells
Nping to treat the user as lacking network raw socket
and sniffing privileges. This is useful for testing,
debugging, or when the raw network functionality of your
operating system is somehow broken. The
NPING_UNPRIVILEGED. environment variable may be set as
an alternative to using --unprivileged.

--send-eth (Use raw ethernet sending) .
Asks Nping to send packets at the raw ethernet (data
link) layer rather than the higher IP (network) layer.
By default, Nping chooses the one which is generally
best for the platform it is running on. Raw sockets (IP
layer) are generally most efficient for Unix machines,
while ethernet frames are required for Windows operation
since Microsoft disabled raw socket support. Nping still
uses raw IP packets despite this option when there is no
other choice (such as non-ethernet connections).

--send-ip (Send at raw IP level) .
Asks Nping to send packets via raw IP sockets rather
than sending lower level ethernet frames. It is the
complement to the --send-eth option.

--bpf-filter filter spec --filter filter spec (Set custom
BPF filter) .
This option lets you use a custom BPF filter. By default
Nping chooses a filter that is intended to capture most
common responses to the particular probes that are sent.
For example, when sending TCP packets, the filter is set
to capture packets whose destination port matches the
probe's source port or ICMP error messages that may be
generated by the target or any intermediate device as a
result of the probe. If for some reason you expect
strange packets in response to sent probes or you just
want to sniff a particular kind of traffic, you can
specify a custom filter using the BPF syntax used by

Nping Last change: 11/29/2012 32

Nping Reference Guide NPING(1)

tools like tcpdump.. See the documentation at blue]-
http://www.tcpdump.org/] for more information.

-H, --hide-sent (Do not display sent packets) .
This option tells Nping not to print information about
sent packets. This can be useful when using very short
inter-probe delays (i.e., when flooding), because
printing information to the standard output has a
computational cost and disabling it can probably speed
things up a bit. Also, it may be useful when using Nping
to detect active hosts or open ports (e.g. sending
probes to all TCP ports in a /24 subnet). In that case,
users may not want to see thousands of sent probes but
just the replies generated by active hosts.

-N, --no-capture (Do not attempt to capture replies) .
This option tells Nping to skip packet capture. This
means that packets in response to sent probes will not
be processed or displayed. This can be useful when doing
flooding and network stack stress tests. Note that when
this option is specified, most of the statistics shown
at the end of the execution will be useless. This option
does not work with TCP Connect mode.

OUTPUT OPTIONS
-v[level], --verbose [level] (Increase or set verbosity
level) .
Increases the verbosity level, causing Nping to print
more information during its execution. There are 9
levels of verbosity (-4 to 4). Every instance of -v
increments the verbosity level by one (from its default
value, level 0). Every instance of option -q decrements
the verbosity level by one. Alternatively you can
specify the level directly, as in -v3 or -v-1. These are
the available levels:

Level 4
No output at all. In some circumstances you may not
want Nping to produce any output (like when one of
your work mates is watching over your shoulder). In
that case level 4 can be useful because although you
won't see any response packets, probes will still be
sent.

Level 3
Like level 4 but displays fatal error messages so
you can actually see if Nping is running or it
failed due to some error.

Level 2
Like level 3 but also displays warnings and
recoverable errors.

Nping Last change: 11/29/2012 33

Nping Reference Guide NPING(1)

Level 1
Displays traditional run-time information (version,
start time, statistics, etc.) but does not display
sent or received packets.

Level 0
This is the default verbosity level. It behaves like
level 1 but also displays sent and received packets
and some other important information.

Level 1
Like level 0 but it displays detailed information
about timing, flags, protocol details, etc.

Level 2
Like level 1 but displays very detailed information
about sent and received packets and other
interesting information.

Level 3
Like level 2 but also displays the raw hexadecimal
dump of sent and received packets.

Level 4 and higher
Same as level 3.

-q[level], --reduce-verbosity [level] (Decrease verbosity
level) .
Decreases the verbosity level, causing Nping to print
less information during its execution.

-d[level] (Increase or set debugging level) .
When even verbose mode doesn't provide sufficient data
for you, debugging is available to flood you with much
more! As with the -v, debugging is enabled with a
command-line flag -d and the debug level can be
increased by specifying it multiple times. There are 7
debugging levels (0 to 6). Every instance of -d
increments debugging level by one. Provide an argument
to -d to set the level directly; for example -d4.

Debugging output is useful when you suspect a bug in
Nping, or if you are simply confused as to what Nping is
doing and why. As this feature is mostly intended for
developers, debug lines aren't always self-explanatory.
You may get something like

NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS

If you don't understand a line, your only recourses are
to ignore it, look it up in the source code, or request
help from the development list (nmap-dev). Some lines

Nping Last change: 11/29/2012 34

Nping Reference Guide NPING(1)

are self-explanatory, but the messages become more
obscure as the debug level is increased. These are the
available levels:

Level 0
Level 0. No debug information at all. This is the
default level.

Level 1
In this level, only very important or high-level
debug information will be printed.

Level 2
Like level 1 but also displays important or
medium-level debug information

Level 3
Like level 2 but also displays regular and low-level
debug information.

Level 4
Like level 3 but also displays messages only a real
Nping freak would want to see.

Level 5
Like level 4 but it enables basic debug information
related to external libraries like Nsock..

Level 6
Like level 5 but it enables full, very detailed,
debug information related to external libraries like
Nsock.

BUGS
Like its author, Nping isn't perfect. But you can help make
it better by sending bug reports or even writing patches. If
Nping doesn't behave the way you expect, first upgrade to
the latest Nmap version available from blue]-
http://nmap.org/download.html]. If the problem persists, do
some research to determine whether it has already been
discovered and addressed. Try searching for the error
message on our search page at blue]-
http://insecure.org/search.html] or at Google. Also try
browsing the nmap-dev archives at blue]-
http://seclists.org/]. Read this full manual page as well.
If nothing comes out of this, mail a bug report to
[email protected]. Please include everything you have
learned about the problem, as well as what version of Nping
you are running and what operating system version it is
running on. Problem reports and Nping usage questions sent
to [email protected] are far more likely to be answered
than those sent to Fyodor directly. If you subscribe to the

Nping Last change: 11/29/2012 35

Nping Reference Guide NPING(1)

nmap-dev list before posting, your message will bypass
moderation and get through more quickly. Subscribe at blue]-
http://cgi.insecure.org/mailman/listinfo/nmap-dev].

Code patches to fix bugs are even better than bug reports.
Basic instructions for creating patch files with your
changes are available at blue]-
https://svn.nmap.org/nmap/HACKING]. Patches may be sent to
nmap-dev (recommended) or to any of the authors listed in
the next section directly.

AUTHORS
Luis MartinGarcia [email protected] (blue]-
http://aldabaknocking.com])

Fyodor [email protected] (blue]http://insecure.org])

ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:

2. official numbers assigned by IANA
http://www.iana.org/assignments/arp-parameters/

3. official numbers listed by the IEEE
http://standards.ieee.org/regauth/ethertype/eth.txt

This software was built from source available at
https://java.net/projects/solaris-userland. The original
community source was downloaded from
http://nmap.org/dist/nmap-6.25.tgz

Further information about this software can be found on the
open source community website at http://nmap.org/.

Nping Last change: 11/29/2012 36