IPV4 OPTIONS

-S addr, --source-ip addr (Source IP Address) .


Sets the source IP address. This option lets you specify a custom IP address to be used as source IP address in sent packets. This allows spoofing the sender of the packets. addr can be an IPv4 address or a hostname.

--dest-ip addr (Destination IP Address) .


Adds a target to Nping's target list. This option is provided for consistency but its use is deprecated in favor of plain target specifications. See the section called "TARGET SPECIFICATION".

--tos tos (Type of Service) .


Sets the IP TOS field. The TOS field is used to carry information to provide quality of service features. It is normally used to support a technique called Differentiated Services. See RFC 2474.for more information. tos must be a number in the range [0-255].

--id id (Identification) .


Sets the IPv4 Identification field. The Identification field is a 16-bit value that is common to all fragments belonging to a particular message. The value is used by the receiver to reassemble the original message from the fragments received. id must be a number in the range [0-65535].

--df (Don't Fragment) .


Sets the Don't Fragment bit in sent packets. When an IP datagram has its DF flag set, intermediate devices are not allowed to fragment it so if it needs to travel across a network with a MTU smaller that datagram length the datagram will have to be dropped. Normally an ICMP Destination Unreachable message is generated and sent back to the sender.

--md (More Fragments) .


Sets the More Fragments bit in sent packets. The MF flag is set to indicate the receiver that the current datagram is a fragment of some larger datagram. When set to zero it indicates that the current datagram is either the last fragment in the set or that it is the only fragment.

--ttl hops (Time To Live) .


Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given value. The TTL field specifies how long the datagram is allowed to exist on the network. It was originally intended to represent a number of seconds but it actually represents the number of hops a packet can traverse before being dropped. The TTL tries to avoid a situation in which undeliverable datagrams keep being forwarded from one router to another endlessly. hops must be a number in the range [0-255].

--badsum-ip (Invalid IP checksum) .


Asks Nping to use an invalid IP checksum for packets sent to target hosts. Note that some systems (like most Linux kernels), may fix the checksum before placing the packet on the wire, so even if Nping shows the incorrect checksum in its output, the packets may be transparently corrected by the kernel.

--ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP Options) .


The IP protocol offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns. In fact, many Internet routers block the most dangerous options such as source routing. Yet options can still be useful in some cases for determining and manipulating the network route to target machines. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute-style approaches fail. Or if your packets are being dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options.

The most powerful way to specify IP options is to simply pass in hexadecimal data as the argument to --ip-options. Precede each hex byte value with \x. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00.

Note that if you specify a number of bytes that is not a multiple of four, an incorrect IP header length will be set in the IP packet. The reason for this is that the IP header length field can only express multiples of four. In those cases, the length is computed by dividing the header length by 4 and rounding down. This will affect the way the header that follows the IP header is interpreted, showing bogus information in Nping or in the output of any sniffer. Although this kind of situation might be useful for some stack stress tests, users would normally want to specify explicit padding, so the correct header length is set.

Nping also offers a shortcut mechanism for specifying options. Simply pass the letter R, T, or U to request record-route, record-timestamp, or both options together, respectively. Loose or strict source routing may be specified with an L or S followed by a space and then a space-separated list of IP addresses.

For more information and examples of using IP options with Nping, see the mailing list post at http://seclists.org/nmap-dev/2006/q3/0052.html.

--mtu size (Maximum Transmission Unit) .


This option sets a fictional MTU in Nping so IP datagrams larger than size are fragmented before transmission. size must be specified in bytes and corresponds to the number of octets that can be carried on a single link-layer frame.
 

IPV6 OPTIONS

-6, --ipv6 (Use IPv6) .


Tells Nping to use IP version 6 instead of the default IPv4. It is generally a good idea to specify this option as early as possible in the command line so Nping can parse it soon and know in advance that the rest of the parameters refer to IPv6. The command syntax is the same as usual except that you also add the -6 option. Of course, you must use IPv6 syntax if you specify an address rather than a hostname. An address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended.

While IPv6 hasn't exactly taken the world by storm, it gets significant use in some (usually Asian) countries and most modern operating systems support it. To use Nping with IPv6, both the source and target of your packets must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nping. You can use the free IPv6 tunnel broker service at http://www.tunnelbroker.net.

Please note that IPv6 support is still highly experimental and many modes and options may not work with it.

-S addr, --source-ip addr (Source IP Address) .


Sets the source IP address. This option lets you specify a custom IP address to be used as source IP address in sent packets. This allows spoofing the sender of the packets. addr can be an IPv6 address or a hostname.

--dest-ip addr (Destination IP Address) .


Adds a target to Nping's target list. This option is provided for consistency but its use is deprecated in favor of plain target specifications. See the section called "TARGET SPECIFICATION".

--flow label (Flow Label) .


Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and is intended to provide certain quality-of-service properties for real-time datagram delivery. However, it has not been widely adopted, and not all routers or endpoints support it. Check RFC 2460.for more information. label must be an integer in the range [0-1048575].

--traffic-class class (Traffic Class) .


Sets the IPv6 Traffic Class. This field is similar to the TOS field in IPv4, and is intended to provide the Differentiated Services method, enabling scalable service discrimination in the Internet without the need for per-flow state and signaling at every hop. Check RFC 2474.for more information. class must be an integer in the range [0-255].

--hop-limit hops (Hop Limit) .


Sets the IPv6 Hop Limit field in sent packets to the given value. The Hop Limit field specifies how long the datagram is allowed to exist on the network. It represents the number of hops a packet can traverse before being dropped. As with the TTL in IPv4, IPv6 Hop Limit tries to avoid a situation in which undeliverable datagrams keep being forwarded from one router to another endlessly. hops must be a number in the range [0-255].
 

ETHERNET OPTIONS

In most cases Nping sends packets at the raw IP level. This means that Nping creates its own IP packets and transmits them through a raw socket. However, in some cases it may be necessary to send packets at the raw Ethernet level. This happens, for example, when Nping is run under Windows (as Microsoft has disabled raw socket support since Windows XP SP2), or when Nping is asked to send ARP packets. Since in some cases it is necessary to construct ethernet frames, Nping offers some options to manipulate the different fields.

--dest-mac mac (Ethernet Destination MAC Address) .


This option sets the destination MAC address that should be set in outgoing Ethernet frames. This is useful in case Nping can't determine the next hop's MAC address or when you want to route probes through a router other than the configured default gateway. The MAC address should have the usual format of six colon-separated bytes, e.g. 00:50:56:d4:01:98. Alternatively, hyphens may be used instead of colons. Use the word random or rand to generate a random address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you set up a bogus destination MAC address your probes may not reach the intended targets.

--source-mac mac (Ethernet Source MAC Address) .


This option sets the source MAC address that should be set in outgoing Ethernet frames. This is useful in case Nping can't determine your network interface MAC address or when you want to inject traffic into the network while hiding your network card's real address. The syntax is the same as for --dest-mac. If you set up a bogus source MAC address you may not receive probe replies.

--ether-type type (Ethertype) .


This option sets the Ethertype field of the ethernet frame. The Ethertype is used to indicate which protocol is encapsulated in the payload. type can be supplied in two different ways. You can use the official numbers listed by the IEEE [3] (e.g. --ether-type 0x0800 for IP version 4), or one of the mnemonics from the section called "Ethernet Types".
 

Ethernet Types

These identifiers may be used as mnemonics for the Ethertype numbers given to the --arp-type.option.

ipv4, ip, 4


Internet Protocol version 4 (type 0x0800).

ipv6, 6


Internet Protocol version 6 (type 0x86DD).

arp


Address Resolution Protocol (type 0x0806).

rarp


Reverse Address Resolution Protocol (type 0x8035).

frame-relay, frelay, fr


Frame Relay (type 0x0808).

ppp


Point-to-Point Protocol (type 0x880B).

gsmp


General Switch Management Protocol (type 0x880C).

mpls


Multiprotocol Label Switching (type 0x8847).

mps-ual, mps


Multiprotocol Label Switching with Upstream-assigned Label (type 0x8848).

mcap


Multicast Channel Allocation Protocol (type 0x8861).

pppoe-discovery, pppoe-d


PPP over Ethernet Discovery Stage (type 0x8863).

pppoe-session, pppoe-s


PPP over Ethernet Session Stage (type 0x8864).

ctag


Customer VLAN Tag Type (type 0x8100).

epon


Ethernet Passive Optical Network (type 0x8808).

pbnac


Port-based network access control (type 0x888E).

stag


Service VLAN tag identifier (type 0x88A8).

ethexp1


Local Experimental Ethertype 1 (type 0x88B5).

ethexp2


Local Experimental Ethertype 2 (type 0x88B6).

ethoui


OUI Extended Ethertype (type 0x88B7).

preauth


Pre-Authentication (type 0x88C7).

lldp


Link Layer Discovery Protocol (type 0x88CC).

mac-security, mac-sec, macsec


Media Access Control Security (type 0x88E5).

mvrp


Multiple VLAN Registration Protocol (type 0x88F5).

mmrp


Multiple Multicast Registration Protocol (type 0x88F6).

frrr


Fast Roaming Remote Request (type 0x890D).
 

PAYLOAD OPTIONS

--data hex string (Append custom binary data to sent packets) .


This option lets you include binary data as payload in sent packets. hex string may be specified in any of the following formats: 0xAABBCCDDEEFF ..., AABBCCDDEEFF ... or \xAA\xBB\xCC\xDD\xEE\xFF .... Examples of use are --data 0xdeadbeef and --data \xCA\xFE\x09. Note that if you specify a number like 0x00ff no byte-order conversion is performed. Make sure you specify the information in the byte order expected by the receiver.

--data-string string (Append custom string to sent packets) .


This option lets you include a regular string as payload in sent packets. string can contain any string. However, note that some characters may depend on your system's locale and the receiver may not see the same information. Also, make sure you enclose the string in double quotes and escape any special characters from the shell. Example: --data-string "Jimmy Jazz...".

--data-length len (Append random data to sent packets) .


This option lets you include len random bytes of data as payload in sent packets. len must be an integer in the range [0-65400]. However, values higher than 1400 are not recommended because it may not be possible to transmit packets due to network MTU limitations.
 

ECHO MODE

The "Echo Mode" is a novel technique implemented by Nping which lets users see how network packets change in transit, from the host where they originated to the target machine. Basically, the Echo mode turns Nping into two different pieces: the Echo server and the Echo client. The Echo server is a network service that has the ability to capture packets from the network and send a copy ("echo them") to the originating client through a side TCP channel. The Echo client is the part that generates such network packets, transmits them to the server, and receives their echoed version through a side TCP channel that it has previously established with the Echo server.

This scheme lets the client see the differences between the packets that it sends and what is actually received by the server. By having the server send back copies of the received packets through the side channel, things like NAT devices become immediately apparent to the client because it notices the changes in the source IP address (and maybe even source port). Other devices like those that perform traffic shaping, changing TCP window sizes or adding TCP options transparently between hosts, turn up too.

The Echo mode is also useful for troubleshooting routing and firewall issues. Among other things, it can be used to determine if the traffic generated by the Nping client is being dropped in transit and never gets to its destination or if the responses are the ones that don't get back to it.

Internally, client and server communicate over an encrypted and authenticated channel, using the Nping Echo Protocol (NEP), whose technical specification can be found in http://nmap.org/svn/nping/docs/EchoProtoRFC.txt

The following paragraphs describe the different options available in Nping's Echo mode.

--ec passphrase, --echo-client passphrase (Run Echo client) .


This option tells Nping to run as an Echo client. passphrase is a sequence of ASCII characters that is used used to generate the cryptographic keys needed for encryption and authentication in a given session. The passphrase should be a secret that is also known by the server, and it may contain any number of printable ASCII characters. Passphrases that contain whitespace or special characters must be enclosed in double quotes.

When running Nping as an Echo client, most options from the regular raw probe modes apply. The client may be configured to send specific probes using flags like --tcp, --icmp or --udp. Protocol header fields may be manipulated normally using the appropriate options (e.g. --ttl, --seq, --icmp-type, etc.). The only exceptions are ARP-related flags, which are not supported in Echo mode, as protocols like ARP are closely related to the data link layer and its probes can't pass through different network segments.

--es passphrase, --echo-server passphrase (Run Echo server) .


This option tells Nping to run as an Echo server. passphrase is a sequence of ASCII characters that is used used to generate the cryptographic keys needed for encryption and authentication in a given session. The passphrase should be a secret that is also known by the clients, and it may contain any number of printable ASCII characters. Passphrases that contain whitespace or special characters must be enclosed in double quotes. Note that although it is not recommended, it is possible to use empty passphrases, supplying --echo-server "". However, if what you want is to set up an open Echo server, it is better to use option --no-crypto. See below for details.

--ep port, --echo-port port (Set Echo TCP port number) .


This option asks Nping to use the specified TCP port number for the Echo side channel connection. If this option is used with --echo-server, it specifies the port on which the server listens for connections. If it is used with --echo-client, it specifies the port to connect to on the remote host. By default, port number 9929 is used.

--nc, --no-crypto (Disable encryption and authentication) .


This option asks Nping not to use any cryptographic operations during an Echo session. In practical terms, this means that the Echo side channel session data will be transmitted in the clear, and no authentication will be performed by the server or client during the session establishment phase. When --no-crypto is used, the passphrase supplied with --echo-server or --echo-client is ignored.

This option must be specified if Nping was compiled without openSSL support. Note that, for technical reasons, a passphrase still needs to be supplied after the --echo-client or --echo-server flags, even though it will be ignored.

The --no-crypto flag might be useful when setting up a public Echo server, because it allows users to connect to the Echo server without the need for any passphrase or shared secret. However, it is strongly recommended to not use --no-crypto unless absolutely necessary. Public Echo servers should be configured to use the passphrase "public" or the empty passphrase (--echo-server "") as the use of cryptography does not only provide confidentiality and authentication but also message integrity.

--once (Serve one client and quit) .


This option asks the Echo server to quit after serving one client. This is useful when only a single Echo session wants to be established as it eliminates the need to access the remote host to shutdown the server.

The following examples illustrate how Nping's Echo mode can be used to discover intermediate devices.

Example 2. Discovering NAT devices

 

 
  
  1. # nping --echo-client "public" echo.nmap.org --udp  
  2.  
  3.    Starting Nping ( http://nmap.org/nping ) 
  4.    SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28  
  5.    CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28  
  6.    RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3ttl=49 id=16619 iplen=56  
  7.    [...] 
  8.    SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28  
  9.    CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28  
  10.    RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3ttl=49 id=16623 iplen=56  
  11.      
  12.    Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms 
  13.    Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)  
  14.    Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25 
  15.    Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00 
  16.    Nping done: 1 IP address pinged in 6.18 seconds 
 
  
 
 
  
The output clearly shows the presence of a NAT device in the client's local network. Note how the captured packet (CAPT) differs from the SENT packet: the source address for the original packets is in the reserved 10.0.0.0/8 range, while the address seen by the server is 80.38.10.21, the Internet side address of the NAT device. The source port was also modified by the device. The line starting with RCVD corresponds to the responses generated by the TCP/IP stack of the machine where the Echo server is run.
 
  
Example 3. Discovering a transparent proxy
 
  
 
 
  
 
 
  
 
  
  1. # nping --echo-client "public" echo.nmap.org --tcp -p80 
  2.  
  3.    Starting Nping ( http://nmap.org/nping ) 
  4.    SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480  
  5.    RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460> 
  6.    SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480  
  7.    SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480  
  8.    SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480  
  9.    SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480  
  10.      
  11.    Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms 
  12.    Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)  
  13.    Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25 
  14.    Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20 
  15.    Nping done: 1 IP address pinged in 6.39 seconds 
 
  
 
 
  
In this example, the output is a bit more tricky. The absence of error messages shows that the Echo client has successfully established an Echo session with the server. However, no CAPT packets can be seen in the output. This means that none of the transmitted packets reached the server. Interestingly, a TCP SYN-ACK packet was received in response to the first TCP-SYN packet (and also, it is known that the target host does not have port 80 open). This behavior reveals the presence of a transparent web proxy cache server (which in this case is an old MS ISA server).  
 
  
TIMING AND PERFORMANCE OPTIONS
 
  
--delay time (Delay between probes) .
 
  
 
    
    
 
    
   

     This option lets you control for how long will Nping wait before sending the next probe. Like in many other ping tools, the default delay is one second. 
    time must be a positive integer or floating point number. By default it is specified in seconds, however you can give an explicit unit by appending ms for milliseconds, s for seconds, m for minutes, or h for hours (e.g. 2.5s, 45m, 2h). 
   
 
  
 
  
--rate rate (Send probes at a given rate) .
 
  
 
    
    
 
    
   

     This option specifies the number of probes that Nping should send per second. This option and 
    --delay are inverses; 
    --rate 20 is the same as 
    --delay 0.05. If both options are used, only the last one in the parameter list counts. 
   
 
  
 
    
  
MISCELLANEOUS OPTIONS
 
  
-h, --help (Display help) .
 
  
 
    
    
 
    
   

     Displays help information and exits. 
   
 
  
 
  
-V, --version (Display version) .
 
  
 
    
    
 
    
   

     Displays the program's version number and quits. 
   
 
  
 
  
-c rounds, --count rounds (Stop after a given number of rounds) .
 
  
 
    
    
 
    
   

     This option lets you specify the number of times that Nping should loop over target hosts (and in some cases target ports). Nping calls these "rounds". In a basic execution with only one target (and only one target port in TCP/UDP modes), the number of rounds matches the number of probes sent to the target host. However, in more complex executions where Nping is run against multiple targets and multiple ports, the number of rounds is the number of times that Nping sends a complete set of probes that covers all target IPs and all target ports. For example, if Nping is asked to send TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then 256 × 2 = 512 packets are sent in one round. So if you specify 
    -c 100, Nping will loop over the different target hosts and ports 100 times, sending a total of 256 × 2 × 100 = 51200 packets. By default Nping runs for 5 rounds. If a value of 0 is specified, Nping will run for 232 rounds. 
   
 
  
 
  
-e name, --interface name (Set the network interface to be used) .
 
  
 
    
    
 
    
   

     This option tells Nping what interface should be used to send and receive packets. Nping should be able to detect this automatically, but it will tell you if it cannot. 
    name must be the name of an existing network interface with an assigned IP address. 
   
 
  
 
  
--privileged (Assume that the user is fully privileged) .
 
  
 
    
    
 
    
   

     Tells Nping to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require special privileges. By default Nping quits if such operations are requested by a user that has no root or administrator privileges. This option may be useful on Linux, BSD or similar systems that can be configured to allow unprivileged users to perform raw-packet transmissions. The 
    NPING_PRIVILEGED.environment variable may be set as an alternative to using 
    --privileged. 
   
 
  
 
  
--unprivileged (Assume that the user lacks raw socket privileges) .
 
  
 
    
    
 
    
   

     This option is the opposite of 
    --privileged. It tells Nping to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken. The 
    NPING_UNPRIVILEGED.environment variable may be set as an alternative to using 
    --unprivileged. 
   
 
  
 
  
--send-eth (Use raw ethernet sending) .
 
  
 
    
    
 
    
   

     Asks Nping to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nping chooses the one which is generally best for the platform it is running on. Raw sockets (IP layer) are generally most efficient for Unix machines, while ethernet frames are required for Windows operation since Microsoft disabled raw socket support. Nping still uses raw IP packets despite this option when there is no other choice (such as non-ethernet connections). 
   
 
  
 
  
--send-ip (Send at raw IP level) .
 
  
 
    
    
 
    
   

     Asks Nping to send packets via raw IP sockets rather than sending lower level ethernet frames. It is the complement to the 
    --send-eth option. 
   
 
  
 
  
--bpf-filter filter spec --filter filter spec (Set custom BPF filter) .
 
  
 
    
    
 
    
   

     This option lets you use a custom BPF filter. By default Nping chooses a filter that is intended to capture most common responses to the particular probes that are sent. For example, when sending TCP packets, the filter is set to capture packets whose destination port matches the probe's source port or ICMP error messages that may be generated by the target or any intermediate device as a result of the probe. If for some reason you expect strange packets in response to sent probes or you just want to sniff a particular kind of traffic, you can specify a custom filter using the BPF syntax used by tools like tcpdump..See the documentation at 
    http://www.tcpdump.org/ for more information. 
   
 
  
 
  
-H, --hide-sent (Do not display sent packets) .
 
  
 
    
    
 
    
   

     This option tells Nping not to print information about sent packets. This can be useful when using very short inter-probe delays (i.e., when flooding), because printing information to the standard output has a computational cost and disabling it can probably speed things up a bit. Also, it may be useful when using Nping to detect active hosts or open ports (e.g. sending probes to all TCP ports in a /24 subnet). In that case, users may not want to see thousands of sent probes but just the replies generated by active hosts. 
   
 
  
 
  
-N, --no-capture (Do not attempt to capture replies) .
 
  
 
    
    
 
    
   

     This option tells Nping to skip packet capture. This means that packets in response to sent probes will not be processed or displayed. This can be useful when doing flooding and network stack stress tests. Note that when this option is specified, most of the statistics shown at the end of the execution will be useless. This option does not work with TCP Connect mode. 
   
 
  
 
    
  
OUTPUT OPTIONS
 
  
-v[level], --verbose [level] (Increase or set verbosity level) .
 
  
 
    
    
 
    
   

     Increases the verbosity level, causing Nping to print more information during its execution. There are 9 levels of verbosity (-4 to 4). Every instance of 
    -v increments the verbosity level by one (from its default value, level 0). Every instance of option 
    -q decrements the verbosity level by one. Alternatively you can specify the level directly, as in 
    -v3 or 
    -v-1. These are the available levels: 
    
Level −4
 
    
 
      
      
 
      
     

       No output at all. In some circumstances you may not want Nping to produce any output (like when one of your work mates is watching over your shoulder). In that case level −4 can be useful because although you won't see any response packets, probes will still be sent. 
     
 
    
 
    
Level −3
 
    
 
      
      
 
      
     

       Like level −4 but displays fatal error messages so you can actually see if Nping is running or it failed due to some error. 
     
 
    
 
    
Level −2
 
    
 
      
      
 
      
     

       Like level −3 but also displays warnings and recoverable errors. 
     
 
    
 
    
Level −1
 
    
 
      
      
 
      
     

       Displays traditional run-time information (version, start time, statistics, etc.) but does not display sent or received packets. 
     
 
    
 
    
Level 0
 
    
 
      
      
 
      
     

       This is the default verbosity level. It behaves like level −1 but also displays sent and received packets and some other important information. 
     
 
    
 
    
Level 1
 
    
 
      
      
 
      
     

       Like level 0 but it displays detailed information about timing, flags, protocol details, etc. 
     
 
    
 
    
Level 2
 
    
 
      
      
 
      
     

       Like level 1 but displays very detailed information about sent and received packets and other interesting information. 
     
 
    
 
    
Level 3
 
    
 
      
      
 
      
     

       Like level 2 but also displays the raw hexadecimal dump of sent and received packets. 
     
 
    
 
    
Level 4
 
    
 
      
      
 
      
     

       Currently unused. 
     
 
    
 
   
 
  
 
  
-q[level], --reduce-verbosity [level] (Decrease verbosity level) .
 
  
 
    
    
 
    
   

     Decreases the verbosity level, causing Nping to print less information during its execution. 
   
 
  
 
  
-d[level] (Increase or set debugging level) .
 
  
 
    
    
 
    
   

     When even verbose mode doesn't provide sufficient data for you, debugging is available to flood you with much more! As with the 
    -v, debugging is enabled with a command-line flag 
    -d and the debug level can be increased by specifying it multiple times. There are 7 debugging levels (0 to 6). Every instance of 
    -d increments debugging level by one. Provide an argument to 
    -d to set the level directly; for example 
    -d4. 
    
Debugging output is useful when you suspect a bug in Nping, or if you are simply confused as to what Nping is doing and why. As this feature is mostly intended for developers, debug lines aren't always self-explanatory. You may get something like
 
    
 
 
    
 
      
      
 
      
     
 
      
NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS

 
     
 
    
 
    
If you don't understand a line, your only recourses are to ignore it, look it up in the source code, or request help from the development list (nmap-dev). Some lines are self-explanatory, but the messages become more obscure as the debug level is increased. These are the available levels:
 
    
Level 0
 
    
 
      
      
 
      
     

       Level 0. No debug information at all. This is the default level. 
     
 
    
 
    
Level 1
 
    
 
      
      
 
      
     

       In this level, only very important or high-level debug information will be printed. 
     
 
    
 
    
Level 2
 
    
 
      
      
 
      
     

       Like level 1 but also displays important or medium-level debug information 
     
 
    
 
    
Level 3
 
    
 
      
      
 
      
     

       Like level 2 but also displays regular and low-level debug information. 
     
 
    
 
    
Level 4
 
    
 
      
      
 
      
     

       Like level 3 but also displays messages only a real Nping freak would want to see. 
     
 
    
 
    
Level 5
 
    
 
      
      
 
      
     

       Like level 4 but it enables basic debug information related to external libraries like Nsock.. 
     
 
    
 
    
Level 6
 
    
 
      
      
 
      
     

       Like level 5 but it enables full, very detailed, debug information related to external libraries like Nsock. 
     
 
    
 
   
 
  
 
    
  
BUGS
 
  
Like its author, Nping isn't perfect. But you can help make it better by sending bug reports or even writing patches. If Nping doesn't behave the way you expect, first upgrade to the latest Nmap version available from http://nmap.org/download.html. If the problem persists, do some research to determine whether it has already been discovered and addressed. Try searching for the error message on our search page at http://insecure.org/search.html or at Google. Also try browsing the nmap-dev archives at http://seclists.org/.Read this full manual page as well. If nothing comes out of this, mail a bug report to nmap-dev@insecure.org. Please include everything you have learned about the problem, as well as what version of Nping you are running and what operating system version it is running on. Problem reports and Nping usage questions sent to nmap-dev@insecure.org are far more likely to be answered than those sent to Fyodor directly. If you subscribe to the nmap-dev list before posting, your message will bypass moderation and get through more quickly. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-dev.
 
  
Code patches to fix bugs are even better than bug reports. Basic instructions for creating patch files with your changes are available at http://nmap.org/data/HACKING. Patches may be sent to nmap-dev (recommended) or to any of the authors listed in the next section directly.