CentOS 7.0 - man page for nping (centos section 1)

Linux & Unix Commands - Search Man Pages

Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


NPING(1)			      Nping Reference Guide				 NPING(1)

NAME
       nping - Network packet generation tool / ping utility

SYNOPSIS
       nping [Options] {targets}

DESCRIPTION
       Nping is an open-source tool for network packet generation, response analysis and response
       time measurement. Nping allows users to generate network packets of a wide range of
       protocols, letting them tune virtually any field of the protocol headers. While Nping can
       be used as a simple ping utility to detect active hosts, it can also be used as a raw
       packet generator for network stack stress tests, ARP poisoning, Denial of Service attacks,
       route tracing, and other purposes.

       Additionally, Nping offers a special mode of operation called the "Echo Mode", that lets
       users see how the generated probes change in transit, revealing the differences between
       the transmitted packets and the packets received at the other end. See section "Echo Mode"
       for details.

       The output from Nping is a list of the packets that are being sent and received. The level
       of detail depends on the options used.

       A typical Nping execution is shown in Example 1. The only Nping arguments used in this
       example are -c, to specify the number of times to target each host, --tcp to specify TCP
       Probe Mode, -p 80,433 to specify the target ports; and then the two target hostnames.

       Example 1. A representative Nping execution

	   # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com

	   Starting Nping ( http://nmap.org/nping )
	   SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40	seq=1077657388 win=1480
	   RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
	   SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
	   RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
	   SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40	seq=1077657388 win=1480
	   SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480

	   Statistics for host scanme.nmap.org (64.13.134.52):
	    |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
	    |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
	   Statistics for host google.com (74.125.45.100):
	    |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
	    |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
	   Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
	   Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
	   Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
	   Nping done: 2 IP addresses pinged in 4.01 seconds

OPTIONS SUMMARY
       This options summary is printed when Nping is run with no arguments. It helps people
       remember the most common options, but is no substitute for the in-depth documentation in
       the rest of this manual. Some obscure options aren't even included here.

	   Nping 0.5.59BETA1 ( http://nmap.org/nping )
	   Usage: nping [Probe mode] [Options] {target specification}

	   TARGET SPECIFICATION:
	     Targets may be specified as hostnames, IP addresses, networks, etc.
	     Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
	   PROBE MODES:
	     --tcp-connect		      : Unprivileged TCP connect probe mode.
	     --tcp			      : TCP probe mode.
	     --udp			      : UDP probe mode.
	     --icmp			      : ICMP probe mode.
	     --arp			      : ARP/RARP probe mode.
	     --tr, --traceroute 	      : Traceroute mode (can only be used with
						TCP/UDP/ICMP modes).
	   TCP CONNECT MODE:
	      -p, --dest-port <port spec>     : Set destination port(s).
	      -g, --source-port <portnumber>  : Try to use a custom source port.
	   TCP PROBE MODE:
	      -g, --source-port <portnumber>  : Set source port.
	      -p, --dest-port <port spec>     : Set destination port(s).
	      --seq <seqnumber> 	      : Set sequence number.
	      --flags <flag list>	      : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
	      --ack <acknumber> 	      : Set ACK number.
	      --win <size>		      : Set window size.
	      --badsum			      : Use a random invalid checksum.
	   UDP PROBE MODE:
	      -g, --source-port <portnumber>  : Set source port.
	      -p, --dest-port <port spec>     : Set destination port(s).
	      --badsum			      : Use a random invalid checksum.
	   ICMP PROBE MODE:
	     --icmp-type <type> 	      : ICMP type.
	     --icmp-code <code> 	      : ICMP code.
	     --icmp-id <id>		      : Set identifier.
	     --icmp-seq <n>		      : Set sequence number.
	     --icmp-redirect-addr <addr>      : Set redirect address.
	     --icmp-param-pointer <pnt>       : Set parameter problem pointer.
	     --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
	     --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
	     --icmp-orig-time  <timestamp>    : Set originate timestamp.
	     --icmp-recv-time  <timestamp>    : Set receive timestamp.
	     --icmp-trans-time <timestamp>    : Set transmit timestamp.
	   ARP/RARP PROBE MODE:
	     --arp-type <type>		      : Type: ARP, ARP-reply, RARP, RARP-reply.
	     --arp-sender-mac <mac>	      : Set sender MAC address.
	     --arp-sender-ip  <addr>	      : Set sender IP address.
	     --arp-target-mac <mac>	      : Set target MAC address.
	     --arp-target-ip  <addr>	      : Set target IP address.
	   IPv4 OPTIONS:
	     -S, --source-ip		      : Set source IP address.
	     --dest-ip <addr>		      : Set destination IP address (used as an
						alternative to {target specification} ).
	     --tos <tos>		      : Set type of service field (8bits).
	     --id  <id> 		      : Set identification field (16 bits).
	     --df			      : Set Don't Fragment flag.
	     --mf			      : Set More Fragments flag.
	     --ttl <hops>		      : Set time to live [0-255].
	     --badsum-ip		      : Use a random invalid checksum.
	     --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
	     --ip-options <hex string>			  : Set IP options
	     --mtu <size>		      : Set MTU. Packets get fragmented if MTU is
						small enough.
	   IPv6 OPTIONS:
	     -6, --IPv6 		      : Use IP version 6.
	     --dest-ip			      : Set destination IP address (used as an
						alternative to {target specification}).
	     --hop-limit		      : Set hop limit (same as IPv4 TTL).
	     --traffic-class <class> :	      : Set traffic class.
	     --flow <label>		      : Set flow label.
	   ETHERNET OPTIONS:
	     --dest-mac <mac>		      : Set destination mac address. (Disables
						ARP resolution)
	     --source-mac <mac> 	      : Set source MAC address.
	     --ether-type <type>	      : Set EtherType value.
	   PAYLOAD OPTIONS:
	     --data <hex string>	      : Include a custom payload.
	     --data-string <text>	      : Include a custom ASCII text.
	     --data-length <len>	      : Include len random bytes as payload.
	   ECHO CLIENT/SERVER:
	     --echo-client <passphrase>       : Run Nping in client mode.
	     --echo-server <passphrase>       : Run Nping in server mode.
	     --echo-port <port> 	      : Use custom <port> to listen or connect.
	     --no-crypto		      : Disable encryption and authentication.
	     --once			      : Stop the server after one connection.
	     --safe-payloads		      : Erase application data in echoed packets.
	   TIMING AND PERFORMANCE:
	     Options which take <time> are in seconds, or append 'ms' (milliseconds),
	     's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
	     --delay <time>		      : Adjust delay between probes.
	     --rate  <rate>		      : Send num packets per second.
	   MISC:
	     -h, --help 		      : Display help information.
	     -V, --version		      : Display current version number.
	     -c, --count <n>		      : Stop after <n> rounds.
	     -e, --interface <name>	      : Use supplied network interface.
	     -H, --hide-sent		      : Do not display sent packets.
	     -N, --no-capture		      : Do not try to capture replies.
	     --privileged		      : Assume user is fully privileged.
	     --unprivileged		      : Assume user lacks raw socket privileges.
	     --send-eth 		      : Send packets at the raw ethernet layer.
	     --send-ip			      : Send packets using raw IP sockets.
	     --bpf-filter <filter spec>       : Specify custom BPF filter.
	   OUTPUT:
	     -v 			      : Increment verbosity level by one.
	     -v[level]			      : Set verbosity level. E.g: -v4
	     -d 			      : Increment debugging level by one.
	     -d[level]			      : Set debugging level. E.g: -d3
	     -q 			      : Decrease verbosity level by one.
	     -q[N]			      : Decrease verbosity level N times
	     --quiet			      : Set verbosity and debug level to minimum.
	     --debug			      : Set verbosity and debug to the max level.
	   EXAMPLES:
	     nping scanme.nmap.org
	     nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
	     nping --icmp --icmp-type time --delay 500ms 192.168.254.254
	     nping --echo-server "public" -e wlan0 -vvv
	     nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

	   SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

TARGET SPECIFICATION
       Everything on the Nping command line that isn't an option or an option argument is treated
       as a target host specification. Nping uses the same syntax for target specifications that
       Nmap does. The simplest case is a single target given by IP address or hostname.

       Nping supports CIDR-style.  addressing. You can append /numbits to an IPv4 address or
       hostname and Nping will send probes to every IP address for which the first numbits are
       the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would
       send probes to the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive.
       192.168.10.40/24 would ping exactly the same targets. Given that the host scanme.nmap.org.
       is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would send probes
       to the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value
       is /0, which targets the whole Internet. The largest value is /32, which targets just the
       named host or IP address because all address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you might want to send
       probes to 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used
       as subnet network and broadcast addresses. Nping supports this through octet range
       addressing. Rather than specify a normal IP address, you can specify a comma-separated
       list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all
       addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will target the four
       addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range
       may be omitted; the default values are 0 on the left and 255 on the right. Using - by
       itself is the same as 0-255, but remember to use 0- in the first octet so the target
       specification doesn't look like a command-line option. Ranges need not be limited to the
       final octets: the specifier 0-.-.13.37 will send probes to all IP addresses on the
       Internet ending in .13.37. This sort of broad sampling can be useful for Internet surveys
       and research.

       IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname.
       CIDR and octet ranges aren't supported for IPv6 because they are rarely useful.

       Nping accepts multiple host specifications on the command line, and they don't need to be
       the same type. The command nping scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what
       you would expect.

OPTION SPECIFICATION
       Nping is designed to be very flexible and fit a wide variety of needs. As with most
       command-line tools, its behavior can be adjusted using command-line options. These general
       principles apply to option arguments, unless stated otherwise.

       Options that take integer numbers can accept values specified in decimal, octal or
       hexadecimal base. When a number starts with 0x, it will be treated as hexadecimal; when it
       simply starts with 0, it will be treated as octal. Otherwise, Nping will assume the number
       has been specified in base 10. Virtually all numbers that can be supplied from the command
       line are unsigned so, as a general rule, the minimum value is zero. Users may also specify
       the word random or rand to make Nping generate a random value within the expected range.

       IP addresses may be given as IPv4 addresses (e.g.  192.168.1.1), IPv6 addresses (e.g.
       2001:db8:85a3::8e4c:760:7146), or hostnames, which will be resolved using the default DNS
       server configured in the host system.

       Options that take MAC addresses accept the usual colon-separated 6 hex byte format (e.g.
       00:50:56:d4:01:98). Hyphens may also be used instead of colons (e.g.  00-50-56-c0-00-08).
       The special word random or rand sets a random address and the word broadcast or bcast sets
       ff:ff:ff:ff:ff:ff.

GENERAL OPERATION
       Unlike other ping and packet generation tools, Nping supports multiple target host and
       port specifications. While this provides great flexibility, it is not obvious how Nping
       handles situations where there is more than one host and/or more than one port to send
       probes to. This section explains how Nping behaves in these cases.

       When multiple target hosts are specified, Nping rotates among them in round-robin fashion.
       This gives slow hosts more time to send their responses before another probe is sent to
       them. Ports are also scheduled using round robin. So, unless only one port is specified,
       Nping never sends two probes to the same target host and port consecutively.

       The loop around targets is the "inner loop" and the loop around ports is the "outer loop".
       All targets will be sent a probe for a given port before moving on to the next port.
       Between probes, Nping waits a configurable amount of time called the "inter-probe delay",
       which is controlled by the --delay option. These examples show how it works.

	       # nping --tcp -c 2 1.1.1.1 -p 100-102

	       Starting Nping ( http://nmap.org/nping )
	       SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
	       SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
	       SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
	       SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
	       SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
	       SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102

	       # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080

	       Starting Nping ( http://nmap.org/nping )
	       SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
	       SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
	       SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
	       SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
	       SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
	       SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080

	       # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139

	       Starting Nping ( http://nmap.org/nping )
	       SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
	       SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
	       SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
	       SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
	       SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
	       SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
	       SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
	       SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
	       SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139

PROBE MODES
       Nping supports a wide variety of protocols. Although in some cases Nping can automatically
       determine the mode from the options used, it is generally a good idea to specify it
       explicitly.

       --tcp-connect (TCP Connect mode) .
	   TCP connect mode is the default mode when a user does not have raw packet privileges.
	   Instead of writing raw packets as most other modes do, Nping asks the underlying
	   operating system to establish a connection with the target machine and port by issuing
	   the connect system call. This is the same high-level system call that web browsers,
	   P2P clients, and most other network-enabled applications use to establish a
	   connection. It is part of a programming interface known as the Berkeley Sockets API.
	   Rather than read raw packet responses off the wire, Nping uses this API to obtain
	   status information on each connection attempt. For this reason, you will not be able
	   to see the contents of the packets that are sent or received but only status
	   information about the TCP connection establishment taking place.

       --tcp (TCP mode) .
	   TCP is the mode that lets users create and send any kind of TCP packet. TCP packets
	   are sent embedded in IP packets that can also be tuned. This mode can be used for many
	   different purposes. For example you could try to discover open ports by sending TCP
	   SYN messages without completing the three-way handshake. This technique is often
	   referred to as half-open scanning, because you don't open a full TCP connection. You
	   send a SYN packet, as if you are going to open a real connection and then wait for a
	   response. A SYN/ACK indicates the port is open, while a RST indicates it's closed. If
	   no response is received one could assume that some intermediate network device is
	   filtering the responses. Another use could be to see how a remote TCP/IP stack behaves
	   when it receives a non-RFC-compliant packet, like one with both SYN and RST flags set.
	   One could also do some evil by creating custom RST packets using an spoofed IP address
	   with the intent of closing an active TCP connection.

       --udp (UDP mode) .
	   UDP mode can have two different behaviours. Under normal circumstances, it lets users
	   create custom IP/UDP packets. However, if Nping is run by a user without raw packet
	   privileges and no changes to the default protocol headers are requested, then Nping
	   enters the unprivileged UDP mode which basically sends UDP packets to the specified
	   target hosts and ports using the sendto system call. Note that in this unprivileged
	   mode it is not possible to see low-level header information of the packets on the wire
	   but only status information about the amount of bytes that are being transmitted and
	   received. UDP mode can be used to interact with any UDP-based server. Examples are DNS
	   servers, streaming servers, online gaming servers, and port knocking/single-packet.
	   authorization daemons.

       --icmp (ICMP mode) .
	   ICMP mode is the default mode when the user runs Nping with raw packet privileges. Any
	   kind of ICMP message can be created. The default ICMP type is Echo, i.e., ping. ICMP
	   mode can be used for many different purposes, from a simple request for a timestamp or
	   a netmask to the transmission of fake destination unreachable messages, custom
	   redirects, and router advertisements.

       --arp (ARP/RARP mode) .
	   ARP lets you create and send a few different ARP-related packets. These include ARP,
	   RARP, DRARP, and InARP requests and replies. This mode can ban be used to perform
	   low-level host discovery, and conduct ARP-cache poisoning attacks.

       --traceroute (Traceroute mode) .
	   Traceroute is not a mode by itself but a complement to TCP, UDP, and ICMP modes. When
	   this option is specified Nping will set the IP TTL value of the first probe to 1. When
	   the next router receives the packet it will drop it due to the expiration of the TTL
	   and it will generate an ICMP destination unreachable message. The next probe will have
	   a TTL of 2 so now the first router will forward the packet while the second router
	   will be the one that drops the packet and generates the ICMP message. The third probe
	   will have a TTL value of 3 and so on. By examining the source addresses of all those
	   ICMP Destination Unreachable messages it is possible to determine the path that the
	   probes take until they reach their final destination.

TCP CONNECT MODE
       -p port_spec, --dest-port port_spec (Target ports) .
	   This option specifies which ports you want to try to connect to. It can be a single
	   port, a comma-separated list of ports (e.g.	80,443,8080), a range (e.g.  1-1023), and
	   any combination of those (e.g.  21-25,80,443,1024-2048). The beginning and/or end
	   values of a range may be omitted, causing Nping to use 1 and 65535, respectively. So
	   you can specify -p- to target ports from 1 through 65535. Using port zero is allowed
	   if you specify it explicitly.

       -g portnumber, --source-port portnumber (Spoof source port) .
	   This option asks Nping to use the specified port as source port for the TCP
	   connections. Note that this might not work on all systems or may require root
	   privileges. Specified value must be an integer in the range [0-65535].

TCP MODE
       -p port_spec, --dest-port port_spec (Target ports)
	   This option specifies which destination ports you want to send probes to. It can be a
	   single port, a comma-separated list of ports (e.g.  80,443,8080), a range (e.g.
	   1-1023), and any combination of those (e.g.	21-25,80,443,1024-2048). The beginning
	   and/or end values of a range may be omitted, causing Nping to use 1 and 65535,
	   respectively. So you can specify -p- to target ports from 1 through 65535. Using port
	   zero is allowed if you specify it explicitly.

       -g portnumber, --source-port portnumber (Spoof source port)
	   This option asks Nping to use the specified port as source port for the TCP
	   connections. Note that this might not work on all systems or may require root
	   privileges. Specified value must be an integer in the range [0-65535].

       --seq seqnumber (Sequence Number) .
	   Specifies the TCP sequence number. In SYN packets this is the initial sequence number
	   (ISN). In a normal transmission this corresponds to the sequence number of the first
	   byte of data in the segment.  seqnumber must be a number in the range [0-4294967295].

       --flags flags (TCP Flags) .
	   This option specifies which flags should be set in the TCP packet.  flags may be
	   specified in three different ways:

	    1. As a comma-separated list of flags, e.g.  --flags syn,ack,rst

	    2. As a list of one-character flag initials, e.g.  --flags SAR tells Nping to set
	       flags SYN, ACK, and RST.

	    3. As an 8-bit hexadecimal number, where the supplied number is the exact value that
	       will be placed in the flags field of the TCP header. The number should start with
	       the prefix 0x and should be in the range [0x00-0xFF], e.g.  --flags 0x20 sets the
	       URG flag as 0x20 corresponds to binary 00100000 and the URG flag is represented by
	       the third bit.

	   There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST, SYN, and FIN. The
	   special value ALL means to set all flags.  NONE means to set no flags. It is important
	   that if you don't want any flag to be set, you request it explicitly because in some
	   cases the SYN flag may be set by default. Here is a brief description of the meaning
	   of each flag:

	   CWR (Congestion Window Reduced) .
	       Set by an ECN-Capable sender when it reduces its congestion window (due to a
	       retransmit timeout, a fast retransmit or in response to an ECN notification.

	   ECN (Explicit Congestion Notification) .
	       During the three-way handshake it indicates that sender is capable of performing
	       explicit congestion notification. Normally it means that a packet with the IP
	       Congestion Experienced flag set was received during normal transmission. See RFC
	       3168.  for more information.

	   URG (Urgent) .
	       Segment is urgent and the urgent pointer field carries valid information.

	   ACK (Acknowledgement) .
	       The segment carries an acknowledgement and the value of the acknowledgement number
	       field is valid and contains the next sequence number that is expected from the
	       receiver.

	   PSH (Push) .
	       The data in this segment should be immediately pushed to the application layer on
	       arrival.

	   RST (Reset) .
	       There was some problem and the sender wants to abort the connection.

	   SYN (Synchronize) .
	       The segment is a request to synchronize sequence numbers and establish a
	       connection. The sequence number field contains the sender's initial sequence
	       number.

	   FIN (Finish) .
	       The sender wants to close the connection.

       --win size (Window Size) .
	   Specifies the TCP window size, this is, the number of octets the sender of the segment
	   is willing to accept from the receiver at one time. This is usually the size of the
	   reception buffer that the OS allocates for a given connection.  size must be a number
	   in the range [0-65535].

       --badsum (Invalid Checksum) .
	   Asks Nping to use an invalid TCP checksum for the packets sent to target hosts. Since
	   virtually all host IP stacks properly drop these packets, any responses received are
	   likely coming from a firewall or an IDS that didn't bother to verify the checksum. For
	   more details on this technique, see http://nmap.org/p60-12.html.

UDP MODE
       -p port_spec, --dest-port port_spec (Target ports) .
	   This option specifies which ports you want UDP datagrams to be sent to. It can be a
	   single port, a comma-separated list of ports (e.g.  80,443,8080), a range (e.g.
	   1-1023), and any combination of those (e.g.	21-25,80,443,1024-2048). The beginning
	   and/or end values of a range may be omitted, causing Nping to use 1 and 65535,
	   respectively. So you can specify -p- to target ports from 1 through 65535. Using port
	   zero is allowed if you specify it explicitly.

       -g portnumber, --source-port portnumber (Spoof source port) .
	   This option asks Nping to use the specified port as source port for the transmitted
	   datagrams. Note that this might not work on all systems or may require root
	   privileges. Specified value must be an integer in the range [0-65535].

       --badsum (Invalid Checksum)
	   Asks Nping to use an invalid UDP checksum for the packets sent to target hosts. Since
	   virtually all host IP stacks properly drop these packets, any responses received are
	   likely coming from a firewall or an IDS that didn't bother to verify the checksum. For
	   more details on this technique, see http://nmap.org/p60-12.html.

ICMP MODE
       --icmp-type type (ICMP type) .
	   This option specifies which type of ICMP messages should be generated.  type can be
	   supplied in two different ways. You can use the official type numbers assigned by
	   IANA[1] (e.g.  --icmp-type 8 for ICMP Echo Request), or you can use any of the
	   mnemonics listed in the section called "ICMP Types".

       --icmp-code code (ICMP code) .
	   This option specifies which ICMP code should be included in the generated ICMP
	   messages.  code can be supplied in two different ways. You can use the official code
	   numbers assigned by IANA[1] (e.g.  --icmp-code 1 for Fragment Reassembly Time
	   Exceeded), or you can use any of the mnemonics listed in the section called "ICMP
	   Codes".

       --icmp-id id (ICMP identifier) .
	   This option specifies the value of the identifier used in some of the ICMP messages.
	   In general it is used to match request and reply messages.  id must be a number in the
	   range [0-65535].

       --icmp-seq seq (ICMP sequence) .
	   This option specifies the value of the sequence number field used in some ICMP
	   messages. In general it is used to match request and reply messages.  id must be a
	   number in the range [0-65535].

       --icmp-redirect-addr addr (ICMP Redirect address) .
	   This option sets the address field in ICMP Redirect messages. In other words, it sets
	   the IP address of the router that should be used when sending IP datagrams to the
	   original destination.  addr can be either an IPv4 address or a hostname.

       --icmp-param-pointer pointer (ICMP Parameter Problem pointer) .
	   This option specifies the pointer that indicates the location of the problem in ICMP
	   Parameter Problem messages.	pointer should be a number in the range [0-255]. Normally
	   this option is only used when ICMP code is set to 0 ("Pointer indicates the error").

       --icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime) .
	   This option specifies the router advertisement lifetime, this is, the number of
	   seconds the information carried in an ICMP Router Advertisement can be considered
	   valid for.  ttl must be a positive integer in the range [0-65535].

       --icmp-advert-entry addr,pref (ICMP Router Advertisement Entry) .
	   This option adds a Router Advertisement entry to an ICMP Router Advertisement message.
	   The parameter must be two values separated by a comma.  addr is the router's IP and
	   can be specified either as an IP address in dot-decimal notation or as a hostname.
	   pref is the preference level for the specified IP. It must be a number in the range
	   [0-4294967295]. An example is --icmp-advert-entry 192.168.128.1,3.

       --icmp-orig-time timestamp (ICMP Originate Timestamp) .
	   This option sets the Originate Timestamp in ICMP Timestamp messages. The Originate
	   Timestamp is expressed as the number of milliseconds since midnight UTC and it
	   corresponds to the time the sender last touched the Timestamp message before its
	   transmission.  timestamp can be specified as a regular time (e.g.  10s, 3h, 1000ms),
	   or the special string now. You can add or subtract values from now, for example
	   --icmp-orig-time now-2s, --icmp-orig-time now+1h, --icmp-orig-time now+200ms.

       --icmp-recv-time timestamp (ICMP Receive Timestamp) .
	   This option sets the Receive Timestamp in ICMP Timestamp messages. The Receive
	   Timestamp is expressed as the number of milliseconds since midnight UTC and it
	   corresponds to the time the echoer first touched the Timestamp message on receipt.
	   timestamp is as with --icmp-orig-time.

       --icmp-trans-time timestamp (ICMP Transmit Timestamp) .
	   This option sets the Transmit Timestamp in ICMP Timestamp messages. The Transmit
	   Timestamp is expressed as the number of milliseconds since midnight UTC and it
	   corresponds to the time the echoer last touched the Timestamp message before its
	   transmission.  timestamp is as with --icmp-orig-time.

   ICMP Types
       These identifiers may be used as mnemonics for the ICMP type numbers given to the
       --icmp-type.  option. In general there are three forms of each identifier: the full name
       (e.g.  destination-unreachable), the short name (e.g.  dest-unr), or the initials (e.g.
       du). In ICMP types that request something, the word "request" is omitted.

       echo-reply, echo-rep, er
	   Echo Reply (type 0). This message is sent in response to an Echo Request message.

       destination-unreachable, dest-unr, du
	   Destination Unreachable (type 3). This message indicates that a datagram could not be
	   delivered to its destination.

       source-quench, sour-que, sq
	   Source Quench (type 4). This message is used by a congested IP device to tell other
	   device that is sending packets too fast and that it should slow down.

       redirect, redi, r
	   Redirect (type 5). This message is normally used by routers to inform a host that
	   there is a better route to use for sending datagrams. See also the
	   --icmp-redirect-addr option.

       echo-request, echo, e
	   Echo Request (type 8). This message is used to test the connectivity of another device
	   on a network.

       router-advertisement, rout-adv, ra
	   Router Advertisement (type 9). This message is used by routers to let hosts know of
	   their existence and capabilities. See also the --icmp-advert-lifetime option.

       router-solicitation, rout-sol, rs
	   Router Solicitation (type 10). This message is used by hosts to request Router
	   Advertisement messages from any listening routers.

       time-exceeded, time-exc, te
	   Time Exceeded (type 11). This message is generated by some intermediate device
	   (normally a router) to indicate that a datagram has been discarded before reaching its
	   destination because the IP TTL expired.

       parameter-problem, member-pro, pp
	   Parameter Problem (type 12). This message is used when a device finds a problem with a
	   parameter in an IP header and it cannot continue processing it. See also the
	   --icmp-param-pointer option.

       timestamp, time, tm
	   Timestamp Request (type 13). This message is used to request a device to send a
	   timestamp value for propagation time calculation and clock synchronization. See also
	   the --icmp-orig-time, --icmp-recv-time, and --icmp-trans-time.

       timestamp-reply, time-rep, tr
	   Timestamp Reply (type 14). This message is sent in response to a Timestamp Request
	   message.

       information, info, i
	   Information Request (type 15). This message is now obsolete but it was originally used
	   to request configuration information from another device.

       information-reply, info-rep, ir
	   Information Reply (type 16). This message is now obsolete but it was originally sent
	   in response to an Information Request message to provide configuration information.

       mask-request, mask, m
	   Address Mask Request (type 17). This message is used to ask a device to send its
	   subnet mask.

       mask-reply, mask-rep, mr
	   Address Mask Reply (type 18). This message contains a subnet mask and is sent in
	   response to a Address Mask Request message.

       traceroute, trace, tc
	   Traceroute (type 30). This message is normally sent by an intermediate device when it
	   receives an IP datagram with a traceroute option. ICMP Traceroute messages are still
	   experimental, see RFC 1393.	for more information.

   ICMP Codes
       These identifiers may be used as mnemonics for the ICMP code numbers given to the
       --icmp-code.  option. They are listed by the ICMP type they correspond to.

       Destination Unreachable
	   network-unreachable, netw-unr, net
	       Code 0. Datagram could not be delivered to its destination network (probably due
	       to some routing problem).

	   host-unreachable, host-unr, host
	       Code 1. Datagram was delivered to the destination network but it was impossible to
	       reach the specified host (probably due to some routing problem).

	   protocol-unreachable, prot-unr, proto
	       Code 2. The protocol specified in the Protocol field of the IP datagram is not
	       supported by the host to which the datagram was delivered.

	   port-unreachable, port-unr, port
	       Code 3. The TCP/UDP destination port was invalid.

	   needs-fragmentation, need-fra, frag
	       Code 4. Datagram had the DF bit set but it was too large for the MTU of the next
	       physical network so it had to be dropped.

	   source-route-failed, sour-rou, routefail
	       Code 5. IP datagram had a Source Route option but a router couldn't pass it to the
	       next hop.

	   network-unknown, netw-unk, net?
	       Code 6. Destination network is unknown. This code is never used. Instead, Network
	       Unreachable is used.

	   host-unknown, host-unk, host?
	       Code 7. Specified host is unknown. Usually generated by a router local to the
	       destination host to inform of a bad address.

	   host-isolated, host-iso, isolated
	       Code 8. Source Host Isolated. Not used.

	   network-prohibited, netw-pro, !net
	       Code 9. Communication with destination network is administratively prohibited
	       (source device is not allowed to send packets to the destination network).

	   host-prohibited, host-pro, !host
	       Code 10. Communication with destination host is administratively prohibited. (The
	       source device is allowed to send packets to the destination network but not to the
	       destination device.)

	   network-tos, unreachable-network-tos, netw-tos, tosnet
	       Code 11. Destination network unreachable because it cannot provide the type of
	       service specified in the IP TOS field.

	   host-tos, unreachable-host-tos, toshost
	       Code 12. Destination host unreachable because it cannot provide the type of
	       service specified in the IP TOS field.

	   communication-prohibited, comm-pro, !comm
	       Code 13. Datagram could not be forwarded due to filtering that blocks the message
	       based on its contents.

	   host-precedence-violation, precedence-violation, prec-vio, violation
	       Code 14. Precedence value in the IP TOS field is not permitted.

	   precedence-cutoff, prec-cut, cutoff
	       Code 15. Precedence value in the IP TOS field is lower than the minimum allowed
	       for the network.

       Redirect
	   redirect-network, redi-net, net
	       Code 0. Redirect all future datagrams with the same destination network as the
	       original datagram, to the router specified in the Address field. The use of this
	       code is prohibited by RFC 1812..

	   redirect-host, redi-host, host
	       Code 1. Redirect all future datagrams with the same destination host as the
	       original datagram, to the router specified in the Address field.

	   redirect-network-tos, redi-ntos, redir-ntos
	       Code 2. Redirect all future datagrams with the same destination network and IP TOS
	       value as the original datagram, to the router specified in the Address field. The
	       use of this code is prohibited by RFC 1812.

	   redirect-host-tos, redi-htos, redir-htos
	       Code 3. Redirect all future datagrams with the same destination host and IP TOS
	       value as the original datagram, to the router specified in the Address field.

       Router Advertisement
	   normal-advertisement, norm-adv, normal, zero, default, def
	       Code 0. Normal router advertisement. In Mobile IP: Mobility agent can act as a
	       router for IP datagrams not related to mobile nodes.

	   not-route-common-traffic, not-rou, mobile-ip, !route, !commontraffic
	       Code 16. Used for Mobile IP. The mobility agent does not route common traffic. All
	       foreign agents must forward to a default router any datagrams received from a
	       registered mobile node

       Time Exceeded
	   ttl-exceeded-in-transit, ttl-exc, ttl-transit
	       Code 0. IP Time To Live expired during transit.

	   fragment-reassembly-time-exceeded, frag-exc, frag-time
	       Code 1. Fragment reassembly time has been exceeded.

       Parameter Problem
	   pointer-indicates-error, poin-ind, pointer
	       Code 0. The pointer field indicates the location of the problem. See the
	       --icmp-param-pointer option.

	   missing-required-option, miss-option, option-missing
	       Code 1. IP datagram was expected to have an option that is not present.

	   bad-length, bad-len, badlen
	       Code 2. The length of the IP datagram is incorrect.

ARP MODE
       --arp-type type (ICMP Type) .
	   This option specifies which type of ARP messages should be generated.  type can be
	   supplied in two different ways. You can use the official numbers assigned by IANA[2]
	   (e.g.  --arp-type 1 for ARP Request), or you can use one of the mnemonics from the
	   section called "ARP Types".

       --arp-sender-mac mac (Sender MAC address) .
	   This option sets the Sender Hardware Address field of the ARP header. Although ARP
	   supports many types of link layer addresses, currently Nping only supports MAC
	   addresses.  mac must be specified using the traditional MAC notation (e.g.
	   00:0a:8a:32:f4:ae). You can also use hyphens as separators (e.g.  00-0a-8a-32-f4-ae).

       --arp-sender-ip addr (Sender IP address) .
	   This option sets the Sender IP field of the ARP header.  addr can be given as an IPv4
	   address or a hostname.

       --arp-target-mac mac (target MAC address) .
	   This option sets the Target Hardware Address field of the ARP header.

       --arp-target-ip addr (target ip address) .
	   This option sets the Target IP field of the ARP header.

   ARP Types
       These identifiers may be used as mnemonics for the ARP type numbers given to the
       --arp-type.  option.

       arp-request, arp, a
	   ARP Request (type 1). ARP requests are used to translate network layer addresses
	   (normally IP addresses) to link layer addresses (usually MAC addresses). Basically,
	   and ARP request is a broadcasted message that asks the host in the same network
	   segment that has a given IP address to provide its MAC address.

       arp-reply, arp-rep, ar
	   ARP Reply (type 2). An ARP reply is a message that a host sends in response to an ARP
	   request to provide its link layer address.

       rarp-request, rarp, r
	   RARP Requests (type 3). RARP requests are used to translate a link layer address
	   (normally a MAC address) to a network layer address (usually an IP address). Basically
	   a RARP request is a broadcasted message sent by a host that wants to know his own IP
	   address because it doesn't have any. It was the first protocol designed to solve the
	   bootstrapping problem. However, RARP is now obsolete and DHCP is used instead. For
	   more information about RARP see RFC 903..

       rarp-reply, rarp-rep, rr
	   RARP Reply (type 4). A RARP reply is a message sent in response to a RARP request to
	   provide an IP address to the host that sent the RARP request in the first place.

       drarp-request, drarp, d
	   Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP used to obtain or
	   assign a network layer address from a fixed link layer address. DRARP was used mainly
	   in Sun Microsystems platforms in the late 90's but now it's no longer used. See RFC
	   1931.  for more information.

       drarp-reply, drarp-rep, dr
	   Dynamic RARP Reply (type 6). A DRARP reply is a message sent in response to a RARP
	   request to provide network layer address.

       drarp-error, drarp-err, de
	   DRARP Error (type 7). DRARP Error messages are usually sent in response to DRARP
	   requests to inform of some error. In DRARP Error messages, the Target Protocol Address
	   field is used to carry an error code (usually in the first byte). The error code is
	   intended to tell why no target protocol address is being returned. For more
	   information see RFC 1931.

       inarp-request, inarp, i
	   Inverse ARP Request (type 8). InARP requests are used to translate a link layer
	   address to a network layer address. It is similar to RARP request but in this case,
	   the sender of the InARP request wants to know the network layer address of another
	   node, not its own address. InARP is mainly used in Frame Relay and ATM networks. For
	   more information see RFC 2390..

       inarp-reply, inarp-rep, ir
	   Inverse ARP Reply (type 9). InARP reply messages are sent in response to InARP
	   requests to provide the network layer address associated with the host that has a
	   given link layer address.

       arp-nak, an
	   ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP protocol and they
	   are used to improve the robustness of the ATMARP server mechanism. With ARP NAK, a
	   client can determine the difference between a catastrophic server failure and an
	   ATMARP table lookup failure. See RFC 1577.  for more information.

IPV4 OPTIONS
       -S addr, --source-ip addr (Source IP Address) .
	   Sets the source IP address. This option lets you specify a custom IP address to be
	   used as source IP address in sent packets. This allows spoofing the sender of the
	   packets.  addr can be an IPv4 address or a hostname.

       --dest-ip addr (Destination IP Address) .
	   Adds a target to Nping's target list. This option is provided for consistency but its
	   use is deprecated in favor of plain target specifications. See the section called
	   "TARGET SPECIFICATION".

       --tos tos (Type of Service) .
	   Sets the IP TOS field. The TOS field is used to carry information to provide quality
	   of service features. It is normally used to support a technique called Differentiated
	   Services. See RFC 2474.  for more information.  tos must be a number in the range
	   [0-255].

       --id id (Identification) .
	   Sets the IPv4 Identification field. The Identification field is a 16-bit value that is
	   common to all fragments belonging to a particular message. The value is used by the
	   receiver to reassemble the original message from the fragments received.  id must be a
	   number in the range [0-65535].

       --df (Don't Fragment) .
	   Sets the Don't Fragment bit in sent packets. When an IP datagram has its DF flag set,
	   intermediate devices are not allowed to fragment it so if it needs to travel across a
	   network with a MTU smaller that datagram length the datagram will have to be dropped.
	   Normally an ICMP Destination Unreachable message is generated and sent back to the
	   sender.

       --mf (More Fragments) .
	   Sets the More Fragments bit in sent packets. The MF flag is set to indicate the
	   receiver that the current datagram is a fragment of some larger datagram. When set to
	   zero it indicates that the current datagram is either the last fragment in the set or
	   that it is the only fragment.

       --ttl hops (Time To Live) .
	   Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given value. The TTL
	   field specifies how long the datagram is allowed to exist on the network. It was
	   originally intended to represent a number of seconds but it actually represents the
	   number of hops a packet can traverse before being dropped. The TTL tries to avoid a
	   situation in which undeliverable datagrams keep being forwarded from one router to
	   another endlessly.  hops must be a number in the range [0-255].

       --badsum-ip (Invalid IP checksum) .
	   Asks Nping to use an invalid IP checksum for packets sent to target hosts. Note that
	   some systems (like most Linux kernels), may fix the checksum before placing the packet
	   on the wire, so even if Nping shows the incorrect checksum in its output, the packets
	   may be transparently corrected by the kernel.

       --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP Options) .
	   The IP protocol offers several options which may be placed in packet headers. Unlike
	   the ubiquitous TCP options, IP options are rarely seen due to practicality and
	   security concerns. In fact, many Internet routers block the most dangerous options
	   such as source routing. Yet options can still be useful in some cases for determining
	   and manipulating the network route to target machines. For example, you may be able to
	   use the record route option to determine a path to a target even when more traditional
	   traceroute-style approaches fail. Or if your packets are being dropped by a certain
	   firewall, you may be able to specify a different route with the strict or loose source
	   routing options.

	   The most powerful way to specify IP options is to simply pass in hexadecimal data as
	   the argument to --ip-options. Precede each hex byte value with \x. You may repeat
	   certain characters by following them with an asterisk and then the number of times you
	   wish them to repeat. For example, \x01\x07\x04\x00*4 is the same as
	   \x01\x07\x04\x00\x00\x00\x00.

	   Note that if you specify a number of bytes that is not a multiple of four, an
	   incorrect IP header length will be set in the IP packet. The reason for this is that
	   the IP header length field can only express multiples of four. In those cases, the
	   length is computed by dividing the header length by 4 and rounding down. This will
	   affect the way the header that follows the IP header is interpreted, showing bogus
	   information in Nping or in the output of any sniffer. Although this kind of situation
	   might be useful for some stack stress tests, users would normally want to specify
	   explicit padding, so the correct header length is set.

	   Nping also offers a shortcut mechanism for specifying options. Simply pass the letter
	   R, T, or U to request record-route, record-timestamp, or both options together,
	   respectively. Loose or strict source routing may be specified with an L or S followed
	   by a space and then a space-separated list of IP addresses.

	   For more information and examples of using IP options with Nping, see the mailing list
	   post at http://seclists.org/nmap-dev/2006/q3/0052.html.

       --mtu size (Maximum Transmission Unit) .
	   This option sets a fictional MTU in Nping so IP datagrams larger than size are
	   fragmented before transmission.  size must be specified in bytes and corresponds to
	   the number of octets that can be carried on a single link-layer frame.

IPV6 OPTIONS
       -6, --ipv6 (Use IPv6) .
	   Tells Nping to use IP version 6 instead of the default IPv4. It is generally a good
	   idea to specify this option as early as possible in the command line so Nping can
	   parse it soon and know in advance that the rest of the parameters refer to IPv6. The
	   command syntax is the same as usual except that you also add the -6 option. Of course,
	   you must use IPv6 syntax if you specify an address rather than a hostname. An address
	   might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended.

	   While IPv6 hasn't exactly taken the world by storm, it gets significant use in some
	   (usually Asian) countries and most modern operating systems support it. To use Nping
	   with IPv6, both the source and target of your packets must be configured for IPv6. If
	   your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel
	   brokers are widely available and work fine with Nping. You can use the free IPv6
	   tunnel broker service at http://www.tunnelbroker.net.

	   Please note that IPv6 support is still highly experimental and many modes and options
	   may not work with it.

       -S addr, --source-ip addr (Source IP Address) .
	   Sets the source IP address. This option lets you specify a custom IP address to be
	   used as source IP address in sent packets. This allows spoofing the sender of the
	   packets.  addr can be an IPv6 address or a hostname.

       --dest-ip addr (Destination IP Address) .
	   Adds a target to Nping's target list. This option is provided for consistency but its
	   use is deprecated in favor of plain target specifications. See the section called
	   "TARGET SPECIFICATION".

       --flow label (Flow Label) .
	   Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and is intended to
	   provide certain quality-of-service properties for real-time datagram delivery.
	   However, it has not been widely adopted, and not all routers or endpoints support it.
	   Check RFC 2460.  for more information.  label must be an integer in the range
	   [0-1048575].

       --traffic-class class (Traffic Class) .
	   Sets the IPv6 Traffic Class. This field is similar to the TOS field in IPv4, and is
	   intended to provide the Differentiated Services method, enabling scalable service
	   discrimination in the Internet without the need for per-flow state and signaling at
	   every hop. Check RFC 2474.  for more information.  class must be an integer in the
	   range [0-255].

       --hop-limit hops (Hop Limit) .
	   Sets the IPv6 Hop Limit field in sent packets to the given value. The Hop Limit field
	   specifies how long the datagram is allowed to exist on the network. It represents the
	   number of hops a packet can traverse before being dropped. As with the TTL in IPv4,
	   IPv6 Hop Limit tries to avoid a situation in which undeliverable datagrams keep being
	   forwarded from one router to another endlessly.  hops must be a number in the range
	   [0-255].

ETHERNET OPTIONS
       In most cases Nping sends packets at the raw IP level. This means that Nping creates its
       own IP packets and transmits them through a raw socket. However, in some cases it may be
       necessary to send packets at the raw Ethernet level. This happens, for example, when Nping
       is run under Windows (as Microsoft has disabled raw socket support since Windows XP SP2),
       or when Nping is asked to send ARP packets. Since in some cases it is necessary to
       construct ethernet frames, Nping offers some options to manipulate the different fields.

       --dest-mac mac (Ethernet Destination MAC Address) .
	   This option sets the destination MAC address that should be set in outgoing Ethernet
	   frames. This is useful in case Nping can't determine the next hop's MAC address or
	   when you want to route probes through a router other than the configured default
	   gateway. The MAC address should have the usual format of six colon-separated bytes,
	   e.g.  00:50:56:d4:01:98. Alternatively, hyphens may be used instead of colons. Use the
	   word random or rand to generate a random address, and broadcast or bcast to use
	   ff:ff:ff:ff:ff:ff. If you set up a bogus destination MAC address your probes may not
	   reach the intended targets.

       --source-mac mac (Ethernet Source MAC Address) .
	   This option sets the source MAC address that should be set in outgoing Ethernet
	   frames. This is useful in case Nping can't determine your network interface MAC
	   address or when you want to inject traffic into the network while hiding your network
	   card's real address. The syntax is the same as for --dest-mac. If you set up a bogus
	   source MAC address you may not receive probe replies.

       --ether-type type (Ethertype) .
	   This option sets the Ethertype field of the ethernet frame. The Ethertype is used to
	   indicate which protocol is encapsulated in the payload.  type can be supplied in two
	   different ways. You can use the official numbers listed by the IEEE[3] (e.g.
	   --ether-type 0x0800 for IP version 4), or one of the mnemonics from the section called
	   "Ethernet Types".

   Ethernet Types
       These identifiers may be used as mnemonics for the Ethertype numbers given to the
       --arp-type.  option.

       ipv4, ip, 4
	   Internet Protocol version 4 (type 0x0800).

       ipv6, 6
	   Internet Protocol version 6 (type 0x86DD).

       arp
	   Address Resolution Protocol (type 0x0806).

       rarp
	   Reverse Address Resolution Protocol (type 0x8035).

       frame-relay, frelay, fr
	   Frame Relay (type 0x0808).

       ppp
	   Point-to-Point Protocol (type 0x880B).

       gsmp
	   General Switch Management Protocol (type 0x880C).

       mpls
	   Multiprotocol Label Switching (type 0x8847).

       mps-ual, mps
	   Multiprotocol Label Switching with Upstream-assigned Label (type 0x8848).

       mcap
	   Multicast Channel Allocation Protocol (type 0x8861).

       pppoe-discovery, pppoe-d
	   PPP over Ethernet Discovery Stage (type 0x8863).

       pppoe-session, pppoe-s
	   PPP over Ethernet Session Stage (type 0x8864).

       ctag
	   Customer VLAN Tag Type (type 0x8100).

       epon
	   Ethernet Passive Optical Network (type 0x8808).

       pbnac
	   Port-based network access control (type 0x888E).

       stag
	   Service VLAN tag identifier (type 0x88A8).

       ethexp1
	   Local Experimental Ethertype 1 (type 0x88B5).

       ethexp2
	   Local Experimental Ethertype 2 (type 0x88B6).

       ethoui
	   OUI Extended Ethertype (type 0x88B7).

       preauth
	   Pre-Authentication (type 0x88C7).

       lldp
	   Link Layer Discovery Protocol (type 0x88CC).

       mac-security, mac-sec, macsec
	   Media Access Control Security (type 0x88E5).

       mvrp
	   Multiple VLAN Registration Protocol (type 0x88F5).

       mmrp
	   Multiple Multicast Registration Protocol (type 0x88F6).

       frrr
	   Fast Roaming Remote Request (type 0x890D).

PAYLOAD OPTIONS
       --data hex string (Append custom binary data to sent packets) .
	   This option lets you include binary data as payload in sent packets.  hex string may
	   be specified in any of the following formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF...  or
	   \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef and --data
	   \xCA\xFE\x09. Note that if you specify a number like 0x00ff no byte-order conversion
	   is performed. Make sure you specify the information in the byte order expected by the
	   receiver.

       --data-string string (Append custom string to sent packets) .
	   This option lets you include a regular string as payload in sent packets.  string can
	   contain any string. However, note that some characters may depend on your system's
	   locale and the receiver may not see the same information. Also, make sure you enclose
	   the string in double quotes and escape any special characters from the shell. Example:
	   --data-string "Jimmy Jazz...".

       --data-length len (Append random data to sent packets) .
	   This option lets you include len random bytes of data as payload in sent packets.  len
	   must be an integer in the range [0-65400]. However, values higher than 1400 are not
	   recommended because it may not be possible to transmit packets due to network MTU
	   limitations.

ECHO MODE
       The "Echo Mode" is a novel technique implemented by Nping which lets users see how network
       packets change in transit, from the host where they originated to the target machine.
       Basically, the Echo mode turns Nping into two different pieces: the Echo server and the
       Echo client. The Echo server is a network service that has the ability to capture packets
       from the network and send a copy ("echo them") to the originating client through a side
       TCP channel. The Echo client is the part that generates such network packets, transmits
       them to the server, and receives their echoed version through a side TCP channel that it
       has previously established with the Echo server.

       This scheme lets the client see the differences between the packets that it sends and what
       is actually received by the server. By having the server send back copies of the received
       packets through the side channel, things like NAT devices become immediately apparent to
       the client because it notices the changes in the source IP address (and maybe even source
       port). Other devices like those that perform traffic shaping, changing TCP window sizes or
       adding TCP options transparently between hosts, turn up too.

       The Echo mode is also useful for troubleshooting routing and firewall issues. Among other
       things, it can be used to determine if the traffic generated by the Nping client is being
       dropped in transit and never gets to its destination or if the responses are the ones that
       don't get back to it.

       Internally, client and server communicate over an encrypted and authenticated channel,
       using the Nping Echo Protocol (NEP), whose technical specification can be found in
       http://nmap.org/svn/nping/docs/EchoProtoRFC.txt

       The following paragraphs describe the different options available in Nping's Echo mode.

       --ec passphrase, --echo-client passphrase (Run Echo client) .
	   This option tells Nping to run as an Echo client.  passphrase is a sequence of ASCII
	   characters that is used to generate the cryptographic keys needed for encryption and
	   authentication in a given session. The passphrase should be a secret that is also
	   known by the server, and it may contain any number of printable ASCII characters.
	   Passphrases that contain whitespace or special characters must be enclosed in double
	   quotes.

	   When running Nping as an Echo client, most options from the regular raw probe modes
	   apply. The client may be configured to send specific probes using flags like --tcp,
	   --icmp or --udp. Protocol header fields may be manipulated normally using the
	   appropriate options (e.g.  --ttl, --seq, --icmp-type, etc.). The only exceptions are
	   ARP-related flags, which are not supported in Echo mode, as protocols like ARP are
	   closely related to the data link layer and its probes can't pass through different
	   network segments.

       --es passphrase, --echo-server passphrase (Run Echo server) .
	   This option tells Nping to run as an Echo server.  passphrase is a sequence of ASCII
	   characters that is used to generate the cryptographic keys needed for encryption and
	   authentication in a given session. The passphrase should be a secret that is also
	   known by the clients, and it may contain any number of printable ASCII characters.
	   Passphrases that contain whitespace or special characters must be enclosed in double
	   quotes. Note that although it is not recommended, it is possible to use empty
	   passphrases, supplying --echo-server "". However, if what you want is to set up an
	   open Echo server, it is better to use option --no-crypto. See below for details.

       --ep port, --echo-port port (Set Echo TCP port number) .
	   This option asks Nping to use the specified TCP port number for the Echo side channel
	   connection. If this option is used with --echo-server, it specifies the port on which
	   the server listens for connections. If it is used with --echo-client, it specifies the
	   port to connect to on the remote host. By default, port number 9929 is used.

       --nc, --no-crypto (Disable encryption and authentication) .
	   This option asks Nping not to use any cryptographic operations during an Echo session.
	   In practical terms, this means that the Echo side channel session data will be
	   transmitted in the clear, and no authentication will be performed by the server or
	   client during the session establishment phase. When --no-crypto is used, the
	   passphrase supplied with --echo-server or --echo-client is ignored.

	   This option must be specified if Nping was compiled without openSSL support. Note
	   that, for technical reasons, a passphrase still needs to be supplied after the
	   --echo-client or --echo-server flags, even though it will be ignored.

	   The --no-crypto flag might be useful when setting up a public Echo server, because it
	   allows users to connect to the Echo server without the need for any passphrase or
	   shared secret. However, it is strongly recommended to not use --no-crypto unless
	   absolutely necessary. Public Echo servers should be configured to use the passphrase
	   "public" or the empty passphrase (--echo-server "") as the use of cryptography does
	   not only provide confidentiality and authentication but also message integrity.

       --once (Serve one client and quit) .
	   This option asks the Echo server to quit after serving one client. This is useful when
	   only a single Echo session wants to be established as it eliminates the need to access
	   the remote host to shutdown the server.

       --safe-payloads (Zero application data before echoing a packet) .
	   This option asks the Echo server to erase any application layer data found in client
	   packets before echoing them. When the option is enabled, the Echo server parses the
	   packets received from Echo clients and tries to determine if they contain data beyond
	   the transport layer. If such data is found, it is overwritten with zeroes before
	   transmitting the packets to the appropriate Echo client.

	   Echo servers can handle multiple simultaneous clients running multiple echo sessions
	   in parallel. In order to determine which packet needs to be echoed to which client and
	   through which session, the Echo server uses an heuristic algorithm. Although we have
	   taken every security measure that we could think of to prevent that a client receives
	   an echoed packet that it did not generate, there is always a risk that our algorithm
	   makes a mistake and delivers a packet to the wrong client. The --safe-payloads option
	   is useful for public echo servers or critical deployments where that kind of mistake
	   cannot be afforded.

       The following examples illustrate how Nping's Echo mode can be used to discover
       intermediate devices.

       Example 2. Discovering NAT devices

	       # nping --echo-client "public" echo.nmap.org --udp

	       Starting Nping ( http://nmap.org/nping )
	       SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
	       CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
	       RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
	       [...]
	       SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
	       CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
	       RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56

	       Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
	       Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
	       Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
	       Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
	       Nping done: 1 IP address pinged in 6.18 seconds

       The output clearly shows the presence of a NAT device in the client's local network. Note
       how the captured packet (CAPT) differs from the SENT packet: the source address for the
       original packets is in the reserved 10.0.0.0/8 range, while the address seen by the server
       is 80.38.10.21, the Internet side address of the NAT device. The source port was also
       modified by the device. The line starting with RCVD corresponds to the responses generated
       by the TCP/IP stack of the machine where the Echo server is run.

       Example 3. Discovering a transparent proxy

	       # nping --echo-client "public" echo.nmap.org --tcp -p80

	       Starting Nping ( http://nmap.org/nping )
	       SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40	seq=567704200 win=1480
	       RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460>
	       SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40	seq=567704200 win=1480
	       SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40	seq=567704200 win=1480
	       SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40	seq=567704200 win=1480
	       SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40	seq=567704200 win=1480

	       Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
	       Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
	       Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
	       Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
	       Nping done: 1 IP address pinged in 6.39 seconds

       In this example, the output is a bit more tricky. The absence of error messages shows that
       the Echo client has successfully established an Echo session with the server. However, no
       CAPT packets can be seen in the output. This means that none of the transmitted packets
       reached the server. Interestingly, a TCP SYN-ACK packet was received in response to the
       first TCP-SYN packet (and also, it is known that the target host does not have port 80
       open). This behavior reveals the presence of a transparent web proxy cache server (which
       in this case is an old MS ISA server).

TIMING AND PERFORMANCE OPTIONS
       --delay time (Delay between probes) .
	   This option lets you control for how long will Nping wait before sending the next
	   probe. Like in many other ping tools, the default delay is one second.  time must be a
	   positive integer or floating point number. By default it is specified in seconds,
	   however you can give an explicit unit by appending ms for milliseconds, s for seconds,
	   m for minutes, or h for hours (e.g.	2.5s, 45m, 2h).

       --rate rate (Send probes at a given rate) .
	   This option specifies the number of probes that Nping should send per second. This
	   option and --delay are inverses; --rate 20 is the same as --delay 0.05. If both
	   options are used, only the last one in the parameter list counts.

MISCELLANEOUS OPTIONS
       -h, --help (Display help) .
	   Displays help information and exits.

       -V, --version (Display version) .
	   Displays the program's version number and quits.

       -c rounds, --count rounds (Stop after a given number of rounds) .
	   This option lets you specify the number of times that Nping should loop over target
	   hosts (and in some cases target ports). Nping calls these "rounds". In a basic
	   execution with only one target (and only one target port in TCP/UDP modes), the number
	   of rounds matches the number of probes sent to the target host. However, in more
	   complex executions where Nping is run against multiple targets and multiple ports, the
	   number of rounds is the number of times that Nping sends a complete set of probes that
	   covers all target IPs and all target ports. For example, if Nping is asked to send TCP
	   SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then 256 x 2 = 512 packets
	   are sent in one round. So if you specify -c 100, Nping will loop over the different
	   target hosts and ports 100 times, sending a total of 256 x 2 x 100 = 51200 packets. By
	   default Nping runs for 5 rounds. If a value of 0 is specified, Nping will run
	   continuously.

       -e name, --interface name (Set the network interface to be used) .
	   This option tells Nping what interface should be used to send and receive packets.
	   Nping should be able to detect this automatically, but it will tell you if it cannot.
	   name must be the name of an existing network interface with an assigned IP address.

       --privileged (Assume that the user is fully privileged) .
	   Tells Nping to simply assume that it is privileged enough to perform raw socket sends,
	   packet sniffing, and similar operations that usually require special privileges. By
	   default Nping quits if such operations are requested by a user that has no root or
	   administrator privileges. This option may be useful on Linux, BSD or similar systems
	   that can be configured to allow unprivileged users to perform raw-packet
	   transmissions. The NPING_PRIVILEGED.  environment variable may be set as an
	   alternative to using --privileged.

       --unprivileged (Assume that the user lacks raw socket privileges) .
	   This option is the opposite of --privileged. It tells Nping to treat the user as
	   lacking network raw socket and sniffing privileges. This is useful for testing,
	   debugging, or when the raw network functionality of your operating system is somehow
	   broken. The NPING_UNPRIVILEGED.  environment variable may be set as an alternative to
	   using --unprivileged.

       --send-eth (Use raw ethernet sending) .
	   Asks Nping to send packets at the raw ethernet (data link) layer rather than the
	   higher IP (network) layer. By default, Nping chooses the one which is generally best
	   for the platform it is running on. Raw sockets (IP layer) are generally most efficient
	   for Unix machines, while ethernet frames are required for Windows operation since
	   Microsoft disabled raw socket support. Nping still uses raw IP packets despite this
	   option when there is no other choice (such as non-ethernet connections).

       --send-ip (Send at raw IP level) .
	   Asks Nping to send packets via raw IP sockets rather than sending lower level ethernet
	   frames. It is the complement to the --send-eth option.

       --bpf-filter filter spec --filter filter spec (Set custom BPF filter) .
	   This option lets you use a custom BPF filter. By default Nping chooses a filter that
	   is intended to capture most common responses to the particular probes that are sent.
	   For example, when sending TCP packets, the filter is set to capture packets whose
	   destination port matches the probe's source port or ICMP error messages that may be
	   generated by the target or any intermediate device as a result of the probe. If for
	   some reason you expect strange packets in response to sent probes or you just want to
	   sniff a particular kind of traffic, you can specify a custom filter using the BPF
	   syntax used by tools like tcpdump..	See the documentation at http://www.tcpdump.org/
	   for more information.

       -H, --hide-sent (Do not display sent packets) .
	   This option tells Nping not to print information about sent packets. This can be
	   useful when using very short inter-probe delays (i.e., when flooding), because
	   printing information to the standard output has a computational cost and disabling it
	   can probably speed things up a bit. Also, it may be useful when using Nping to detect
	   active hosts or open ports (e.g. sending probes to all TCP ports in a /24 subnet). In
	   that case, users may not want to see thousands of sent probes but just the replies
	   generated by active hosts.

       -N, --no-capture (Do not attempt to capture replies) .
	   This option tells Nping to skip packet capture. This means that packets in response to
	   sent probes will not be processed or displayed. This can be useful when doing flooding
	   and network stack stress tests. Note that when this option is specified, most of the
	   statistics shown at the end of the execution will be useless. This option does not
	   work with TCP Connect mode.

OUTPUT OPTIONS
       -v[level], --verbose [level] (Increase or set verbosity level) .
	   Increases the verbosity level, causing Nping to print more information during its
	   execution. There are 9 levels of verbosity (-4 to 4). Every instance of -v increments
	   the verbosity level by one (from its default value, level 0). Every instance of option
	   -q decrements the verbosity level by one. Alternatively you can specify the level
	   directly, as in -v3 or -v-1. These are the available levels:

	   Level -4
	       No output at all. In some circumstances you may not want Nping to produce any
	       output (like when one of your work mates is watching over your shoulder). In that
	       case level -4 can be useful because although you won't see any response packets,
	       probes will still be sent.

	   Level -3
	       Like level -4 but displays fatal error messages so you can actually see if Nping
	       is running or it failed due to some error.

	   Level -2
	       Like level -3 but also displays warnings and recoverable errors.

	   Level -1
	       Displays traditional run-time information (version, start time, statistics, etc.)
	       but does not display sent or received packets.

	   Level 0
	       This is the default verbosity level. It behaves like level -1 but also displays
	       sent and received packets and some other important information.

	   Level 1
	       Like level 0 but it displays detailed information about timing, flags, protocol
	       details, etc.

	   Level 2
	       Like level 1 but displays very detailed information about sent and received
	       packets and other interesting information.

	   Level 3
	       Like level 2 but also displays the raw hexadecimal dump of sent and received
	       packets.

	   Level 4 and higher
	       Same as level 3.

       -q[level], --reduce-verbosity [level] (Decrease verbosity level) .
	   Decreases the verbosity level, causing Nping to print less information during its
	   execution.

       -d[level] (Increase or set debugging level) .
	   When even verbose mode doesn't provide sufficient data for you, debugging is available
	   to flood you with much more! As with the -v, debugging is enabled with a command-line
	   flag -d and the debug level can be increased by specifying it multiple times. There
	   are 7 debugging levels (0 to 6). Every instance of -d increments debugging level by
	   one. Provide an argument to -d to set the level directly; for example -d4.

	   Debugging output is useful when you suspect a bug in Nping, or if you are simply
	   confused as to what Nping is doing and why. As this feature is mostly intended for
	   developers, debug lines aren't always self-explanatory. You may get something like

	       NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS

	   If you don't understand a line, your only recourses are to ignore it, look it up in
	   the source code, or request help from the development list (nmap-dev). Some lines are
	   self-explanatory, but the messages become more obscure as the debug level is
	   increased. These are the available levels:

	   Level 0
	       Level 0. No debug information at all. This is the default level.

	   Level 1
	       In this level, only very important or high-level debug information will be
	       printed.

	   Level 2
	       Like level 1 but also displays important or medium-level debug information

	   Level 3
	       Like level 2 but also displays regular and low-level debug information.

	   Level 4
	       Like level 3 but also displays messages only a real Nping freak would want to see.

	   Level 5
	       Like level 4 but it enables basic debug information related to external libraries
	       like Nsock..

	   Level 6
	       Like level 5 but it enables full, very detailed, debug information related to
	       external libraries like Nsock.

BUGS
       Like its author, Nping isn't perfect. But you can help make it better by sending bug
       reports or even writing patches. If Nping doesn't behave the way you expect, first upgrade
       to the latest Nmap version available from http://nmap.org/download.html. If the problem
       persists, do some research to determine whether it has already been discovered and
       addressed. Try searching for the error message on our search page at
       http://insecure.org/search.html or at Google. Also try browsing the nmap-dev archives at
       http://seclists.org/.  Read this full manual page as well. If nothing comes out of this,
       mail a bug report to <dev@nmap.org>. Please include everything you have learned about the
       problem, as well as what version of Nping you are running and what operating system
       version it is running on. Problem reports and Nping usage questions sent to <dev@nmap.org>
       are far more likely to be answered than those sent to Fyodor directly. If you subscribe to
       the nmap-dev list before posting, your message will bypass moderation and get through more
       quickly. Subscribe at http://nmap.org/mailman/listinfo/dev.

       Code patches to fix bugs are even better than bug reports. Basic instructions for creating
       patch files with your changes are available at https://svn.nmap.org/nmap/HACKING. Patches
       may be sent to nmap-dev (recommended) or to any of the authors listed in the next section
       directly.

AUTHORS
       Luis MartinGarcia <luis.mgarc@gmail.com> (http://aldabaknocking.com)

       Fyodor <fyodor@nmap.org> (http://insecure.org)

NOTES
	1. official type numbers assigned by IANA
	   http://www.iana.org/assignments/icmp-parameters

	2. official numbers assigned by IANA
	   http://www.iana.org/assignments/arp-parameters/

	3. official numbers listed by the IEEE
	   http://standards.ieee.org/regauth/ethertype/eth.txt

Nping					    07/28/2013					 NPING(1)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 10:37 AM.

Unix & Linux Forums Content Copyright©1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password





Not a Forum Member?
Forgot Password?