NAME

nping - Network packet generation tool / ping utility

 

SYNOPSIS

nping [Options] {targets}

 

DESCRIPTION

 

Nping is an open-source tool for network packet generation, response analysis and response time measurement. Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any field of the protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress tests, ARP poisoning, Denial of Service attacks, route tracing, and other purposes.

Additionally, Nping offers a special mode of operation called the "Echo Mode", that lets users see how the generated probes change in transit, revealing the differences between the transmitted packets and the packets received at the other end. See section "Echo Mode" for details.

The output from Nping is a list of the packets that are being sent and received. The level of detail depends on the options used.

A typical Nping execution is shown in Example 1. The only Nping arguments used in this example are -c, to specify the number of times to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to specify the target ports; and then the two target hostnames.

Example 1. A representative Nping execution

 

 
  
    # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com

    Starting Nping ( http://nmap.org/nping )
    SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40  seq=1077657388 win=1480
    RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
    SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
    RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
    SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40  seq=1077657388 win=1480
    SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480

    Statistics for host scanme.nmap.org (64.13.134.52):
     |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
     |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
    Statistics for host google.com (74.125.45.100):
     |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
     |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
    Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
    Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
    Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
    Nping done: 2 IP addresses pinged in 4.01 seconds

 

OPTIONS SUMMARY

This options summary is printed when Nping is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here.

 

 
  
    Nping 0.5.36TEST2 ( http://nmap.org/nping )
    Usage: nping [Probe mode] [Options] {target specification}

    TARGET SPECIFICATION:
      Targets may be specified as hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    PROBE MODES:
      --tcp-connect                    : Unprivileged TCP connect probe mode.
      --tcp                            : TCP probe mode.
      --udp                            : UDP probe mode.
      --icmp                           : ICMP probe mode.
      --arp                            : ARP/RARP probe mode.
      --tr, --traceroute               : Traceroute mode (can only be used with
                                         TCP/UDP/ICMP modes).
    TCP CONNECT MODE:
       -p, --dest-port <port spec>     : Set destination port(s).
       -g, --source-port <portnumber>  : Try to use a custom source port.
    TCP PROBE MODE:
       -g, --source-port <portnumber>  : Set source port.
       -p, --dest-port <port spec>     : Set destination port(s).
       --seq <seqnumber>               : Set sequence number.
       --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
       --ack <acknumber>               : Set ACK number.
       --win <size>                    : Set window size.
       --badsum                        : Use a random invalid checksum.
    UDP PROBE MODE:
       -g, --source-port <portnumber>  : Set source port.
       -p, --dest-port <port spec>     : Set destination port(s).
       --badsum                        : Use a random invalid checksum.
    ICMP PROBE MODE:
      --icmp-type <type>               : ICMP type.
      --icmp-code <code>               : ICMP code.
      --icmp-id <id>                   : Set identifier.
      --icmp-seq <n>                   : Set sequence number.
      --icmp-redirect-addr <addr>      : Set redirect address.
      --icmp-param-pointer <pnt>       : Set parameter problem pointer.
      --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
      --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
      --icmp-orig-time  <timestamp>    : Set originate timestamp.
      --icmp-recv-time  <timestamp>    : Set receive timestamp.
      --icmp-trans-time <timestamp>    : Set transmit timestamp.
    ARP/RARP PROBE MODE:
      --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
      --arp-sender-mac <mac>           : Set sender MAC address.
      --arp-sender-ip  <addr>          : Set sender IP address.
      --arp-target-mac <mac>           : Set target MAC address.
      --arp-target-ip  <addr>          : Set target IP address.
    IPv4 OPTIONS:
      -S, --source-ip                  : Set source IP address.
      --dest-ip <addr>                 : Set destination IP address (used as an
                                         alternative to {target specification} ).
      --tos <tos>                      : Set type of service field (8bits).
      --id  <id>                       : Set identification field (16 bits).
      --df                             : Set Don't Fragment flag.
      --mf                             : Set More Fragments flag.
      --ttl <hops>                     : Set time to live [0-255].
      --badsum-ip                      : Use a random invalid checksum.
      --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
      --ip-options <hex string>                    : Set IP options
      --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
                                         small enough.
    IPv6 OPTIONS:
      -6, --IPv6                       : Use IP version 6.
      --dest-ip                        : Set destination IP address (used as an
                                         alternative to {target specification}).
      --hop-limit                      : Set hop limit (same as IPv4 TTL).
      --traffic-class <class> :        : Set traffic class.
      --flow <label>                   : Set flow label.
    ETHERNET OPTIONS:
      --dest-mac <mac>                 : Set destination mac address. (Disables
                                         ARP resolution)
      --source-mac <mac>               : Set source MAC address.
      --ether-type <type>              : Set EtherType value.
    PAYLOAD OPTIONS:
      --data <hex string>              : Include a custom payload.
      --data-string <text>             : Include a custom ASCII text.
      --data-length <len>              : Include len random bytes as payload.
    ECHO CLIENT/SERVER:
      --echo-client <passphrase>       : Run Nping in client mode.
      --echo-client <passphrase>       : Run Nping in server mode.
      --echo-port <port>               : Use custom <port> to listen or connect.
      --no-crypto                      : Disable encryption and authentication.
      --once                           : Stop the server after one connection.
    TIMING AND PERFORMANCE:
      Options which take <time> are in seconds, or append 'ms' (milliseconds),
      's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
      --delay <time>                   : Adjust delay between probes.
      --rate  <rate>                   : Send num packets per second.
    MISC:
      -h, --help                       : Display help information.
      -V, --version                    : Display current version number.
      -c, --count <n>                  : Stop after <n> rounds.
      -e, --interface <name>           : Use supplied network interface.
      -H, --hide-sent                  : Do not display sent packets.
      -N, --no-capture                 : Do not try to capture replies.
      --privileged                     : Assume user is fully privileged.
      --unprivileged                   : Assume user lacks raw socket privileges.
      --send-eth                       : Send packets at the raw ethernet layer.
      --send-ip                        : Send packets using raw IP sockets.
      --bpf-filter <filter spec>       : Specify custom BPF filter.
    OUTPUT:
      -v                               : Increment verbosity level by one.
      -v[level]                        : Set verbosity level. E.g: -v4
      -d                               : Increment debugging level by one.
      -d[level]                        : Set debugging level. E.g: -d3
      -q                               : Decrease verbosity level by one.
      -q[N]                            : Decrease verbosity level N times
      --quiet                          : Set verbosity and debug level to minimum.
      --debug                          : Set verbosity and debug to the max level.
    EXAMPLES:
      nping scanme.nmap.org
      nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
      nping --icmp --icmp-type time --delay 500ms 192.168.254.254
      nping --echo-server "public" -e wlan0 -vvv
      nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

 

TARGET SPECIFICATION

Everything on the Nping command line that isn't an option or an option argument is treated as a target host specification. Nping uses the same syntax for target specifications that Nmap does. The simplest case is a single target given by IP address or hostname.

Nping supports CIDR-style addressing. You can append /numbits to an IPv4 address or hostname and Nping will send probes to every IP address for which the first numbits are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would send probes to the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would ping exactly the same targets. Given that the host scanme.nmap.org is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would send probes to the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest value is /32, which targets just the named host or IP address because all address bits are fixed.

CIDR notation is short but not always flexible enough. For example, you might want to send probes to 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nping supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will target the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-.-.13.37 will send probes to all IP addresses on the Internet ending in .13.37. This sort of broad sampling can be useful for Internet surveys and research.

IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't supported for IPv6 because they are rarely useful.

Nping accepts multiple host specifications on the command line, and they don't need to be the same type. The command nping scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.  
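The following Python sketch is an added example, not part of Nping or its documentation. It expands the CIDR and octet-range syntax described above so that a target specification can be counted and checked against an authorized scope before any probe is sent. The function names, the 65,536-host expansion cap and the IPv4-only, no-hostname restriction are assumptions of this example.

```python
import ipaddress
from itertools import product


def parse_octet(field):
    """Expand one octet field ('7', '3-5,7', '0-', '-') into a sorted list of ints."""
    values = set()
    for item in field.split(","):
        if "-" in item:
            low, high = item.split("-", 1)
            low = int(low) if low else 0        # omitted left side defaults to 0
            high = int(high) if high else 255   # omitted right side defaults to 255
        else:
            low = high = int(item)              # int('') raises ValueError
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet range {item!r}")
        values.update(range(low, high + 1))
    return sorted(values)


def _octet_lists(spec):
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields in {spec!r}")
    return [parse_octet(field) for field in fields]


def count_targets(spec):
    """Number of addresses a spec covers, computed without enumerating them."""
    if "/" in spec:
        # strict=False: host bits may be set, as in 192.168.10.40/24
        return ipaddress.IPv4Network(spec, strict=False).num_addresses
    total = 1
    for values in _octet_lists(spec):
        total *= len(values)
    return total


def expand_targets(spec, max_hosts=1 << 16):
    """Yield every IPv4 address covered by a CIDR or octet-range spec."""
    if count_targets(spec) > max_hosts:
        raise ValueError(f"{spec!r} covers more than {max_hosts} addresses")
    if "/" in spec:
        # Iterating a network includes its network and broadcast addresses.
        yield from ipaddress.IPv4Network(spec, strict=False)
        return
    for a, b, c, d in product(*_octet_lists(spec)):
        yield ipaddress.IPv4Address((a << 24) | (b << 16) | (c << 8) | d)


def outside_scope(spec, allowed, max_hosts=1 << 16):
    """Return the expanded addresses that fall outside every allowed network."""
    nets = [ipaddress.IPv4Network(net) for net in allowed]
    return [str(ip) for ip in expand_targets(spec, max_hosts)
            if not any(ip in net for net in nets)]


if __name__ == "__main__":
    for spec in ("192.168.10.40/24", "192.168.3-5,7.1", "0-.-.13.37", "10.0.0,1,3-7.-"):
        print(spec, "->", count_targets(spec), "addresses")
    print(outside_scope("192.168.3-5,7.1", ["192.168.4.0/22"]))
```
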

OPTION SPECIFICATION

Nping is designed to be very flexible and fit a wide variety of needs. As with most command-line tools, its behavior can be adjusted using command-line options. These general principles apply to option arguments, unless stated otherwise.

Options that take integer numbers can accept values specified in decimal, octal or hexadecimal base. When a number starts with 0x, it will be treated as hexadecimal; when it simply starts with 0, it will be treated as octal. Otherwise, Nping will assume the number has been specified in base 10. Virtually all numbers that can be supplied from the command line are unsigned so, as a general rule, the minimum value is zero. Users may also specify the word random or rand to make Nping generate a random value within the expected range.

IP addresses may be given as IPv4 addresses (e.g. 192.168.1.1), IPv6 addresses (e.g. 2001:db8:85a3::8e4c:760:7146), or hostnames, which will be resolved using the default DNS server configured in the host system.

Options that take MAC addresses accept the usual colon-separated 6 hex byte format (e.g. 00:50:56:d4:01:98). Hyphens may also be used instead of colons (e.g. 00-50-56-c0-00-08). The special word random or rand sets a random address and the word broadcast or bcast sets ff:ff:ff:ff:ff:ff.  

GENERAL OPERATION

Unlike other ping and packet generation tools, Nping supports multiple target host and port specifications. While this provides great flexibility, it is not obvious how Nping handles situations where there is more than one host and/or more than one port to send probes to. This section explains how Nping behaves in these cases.

When multiple target hosts are specified, Nping rotates among them in round-robin fashion. This gives slow hosts more time to send their responses before another probe is sent to them. Ports are also scheduled using round robin. So, unless only one port is specified, Nping never sends two probes to the same target host and port consecutively.

The loop around targets is the "inner loop" and the loop around ports is the "outer loop". All targets will be sent a probe for a given port before moving on to the next port. Between probes, Nping waits a configurable amount of time called the "inter-probe delay", which is controlled by the --delay option. These examples show how it works.

 

 
  
    # nping --tcp -c 2 1.1.1.1 -p 100-102

    Starting Nping ( http://nmap.org/nping )
    SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
    SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
    SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
    SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
    SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
    SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102

    # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080

    Starting Nping ( http://nmap.org/nping )
    SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
    SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
    SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
    SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
    SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
    SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080

    # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139

    Starting Nping ( http://nmap.org/nping )
    SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
    SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
    SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
    SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
    SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
    SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
    SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
    SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
    SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139

 

PROBE MODES

Nping supports a wide variety of protocols. Although in some cases Nping can automatically determine the mode from the options used, it is generally a good idea to specify it explicitly.

--tcp-connect (TCP Connect mode)


TCP connect mode is the default mode when a user does not have raw packet privileges. Instead of writing raw packets as most other modes do, Nping asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nping uses this API to obtain status information on each connection attempt. For this reason, you will not be able to see the contents of the packets that are sent or received but only status information about the TCP connection establishment taking place.

--tcp (TCP mode)

TCP is the mode that lets users create and send any kind of TCP packet. TCP packets are sent embedded in IP packets that can also be tuned. This mode can be used for many different purposes. For example, you could try to discover open ports by sending TCP SYN messages without completing the three-way handshake. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is open, while a RST indicates it's closed. If no response is received one could assume that some intermediate network device is filtering the responses. Another use could be to see how a remote TCP/IP stack behaves when it receives a non-RFC-compliant packet, like one with both SYN and RST flags set. One could also do some evil by creating custom RST packets using a spoofed IP address with the intent of closing an active TCP connection.

--udp (UDP mode)

UDP mode can have two different behaviours. Under normal circumstances, it lets users create custom IP/UDP packets. However, if Nping is run by a user without raw packet privileges and no changes to the default protocol headers are requested, then Nping enters the unprivileged UDP mode which basically sends UDP packets to the specified target hosts and ports using the sendto system call. Note that in this unprivileged mode it is not possible to see low-level header information of the packets on the wire but only status information about the amount of bytes that are being transmitted and received. UDP mode can be used to interact with any UDP-based server. Examples are DNS servers, streaming servers, online gaming servers, and port knocking/single-packet authorization daemons.

--icmp (ICMP mode)


ICMP mode is the default mode when the user runs Nping with raw packet privileges. Any kind of ICMP message can be created. The default ICMP type is Echo, i.e., ping. ICMP mode can be used for many different purposes, from a simple request for a timestamp or a netmask to the transmission of fake destination unreachable messages, custom redirects, and router advertisements.

--arp (ARP/RARP mode)

ARP lets you create and send a few different ARP-related packets. These include ARP, RARP, DRARP, and InARP requests and replies. This mode can be used to perform low-level host discovery, and conduct ARP-cache poisoning attacks.

--traceroute (Traceroute mode)


Traceroute is not a mode by itself but a complement to TCP, UDP, and ICMP modes. When this option is specified Nping will set the IP TTL value of the first probe to 1. When the next router receives the packet it will drop it due to the expiration of the TTL and it will generate an ICMP destination unreachable message. The next probe will have a TTL of 2 so now the first router will forward the packet while the second router will be the one that drops the packet and generates the ICMP message. The third probe will have a TTL value of 3 and so on. By examining the source addresses of all those ICMP Destination Unreachable messages it is possible to determine the path that the probes take until they reach their final destination.
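The interpretation given under --tcp above (SYN/ACK means open, RST means closed, silence may mean filtering) can be applied mechanically to TCP-mode output. The following Python sketch is an added example, not part of Nping: it pairs SENT and RCVD lines in the format of Example 1 and reports a state and round-trip time per probed port. The first six sample lines are copied from Example 1; the last two (192.0.2.10 and 198.51.100.7) are constructed for illustration, and the function name and state labels are assumptions.

```python
import re

# One SENT/RCVD line of TCP-mode output, in the format printed in Example 1.
LINE_RE = re.compile(
    r"^(SENT|RCVD) \((\d+\.\d+)s\) TCP "
    r"([\d.]+):(\d+) > ([\d.]+):(\d+) ([A-Z]+) "
)

# First six lines: from Example 1. Last two lines: constructed sample data.
SAMPLE_OUTPUT = """\
SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40  seq=1077657388 win=1480
RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40  seq=1077657388 win=1480
SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480
SENT (4.0150s) TCP 192.0.2.10:50091 > 198.51.100.7:22 S ttl=64 id=4711 iplen=40  seq=1077657388 win=1480
RCVD (4.0450s) TCP 198.51.100.7:22 > 192.0.2.10:50091 RA ttl=60 id=0 iplen=40  seq=0 win=0
"""


def classify_probes(output):
    """Map (target_ip, target_port) -> {'state': ..., 'rtt': seconds or None}."""
    pending = {}   # (src, sport, dst, dport) -> time the probe was sent
    results = {}
    for raw in output.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue                      # banner, statistics, other protocols
        kind, when, src, sport, dst, dport, flags = match.groups()
        when, sport, dport = float(when), int(sport), int(dport)
        if kind == "SENT":
            pending[(src, sport, dst, dport)] = when
            # Until a reply is seen the probe counts as unanswered.
            results[(dst, dport)] = {"state": "no-response", "rtt": None}
            continue
        # A reply travels in the opposite direction of the probe it answers.
        sent_at = pending.pop((dst, dport, src, sport), None)
        if sent_at is None:
            continue                      # reply that matches no recorded probe
        if "S" in flags and "A" in flags:
            state = "open"                # SYN/ACK
        elif "R" in flags:
            state = "closed"              # RST
        else:
            state = "other"
        results[(src, sport)] = {"state": state, "rtt": round(when - sent_at, 4)}
    return results


if __name__ == "__main__":
    for (ip, port), info in classify_probes(SAMPLE_OUTPUT).items():
        print(f"{ip}:{port} {info['state']} rtt={info['rtt']}")
```
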

 

TCP CONNECT MODE

-p port_spec, --dest-port port_spec (Target ports)


This option specifies which ports you want to try to connect to. It can be a single port, a comma-separated list of ports (e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of those (e.g. 21-25,80,443,1024-2048). The beginning and/or end values of a range may be omitted, causing Nping to use 1 and 65535, respectively. So you can specify -p- to target ports from 1 through 65535. Using port zero is allowed if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)


This option asks Nping to use the specified port as source port for the TCP connections. Note that this might not work on all systems or may require root privileges. Specified value must be an integer in the range [0-65535].

 

TCP MODE

-p port_spec, --dest-port port_spec (Target ports)


This option specifies which destination ports you want to send probes to. It can be a single port, a comma-separated list of ports (e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of those (e.g. 21-25,80,443,1024-2048). The beginning and/or end values of a range may be omitted, causing Nping to use 1 and 65535, respectively. So you can specify -p- to target ports from 1 through 65535. Using port zero is allowed if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)


This option asks Nping to use the specified port as source port for the TCP connections. Note that this might not work on all systems or may require root privileges. Specified value must be an integer in the range [0-65535].

--seq seqnumber (Sequence Number)


Specifies the TCP sequence number. In SYN packets this is the initial sequence number (ISN). In a normal transmission this corresponds to the sequence number of the first byte of data in the segment. seqnumber must be a number in the range [0-4294967295].

--flags flags (TCP Flags)


This option specifies which flags should be set in the TCP packet. flags may be specified in three different ways:

 


1. As a comma-separated list of flags, e.g. --flags syn,ack,rst

 


2. As a list of one-character flag initials, e.g. --flags SAR tells Nping to set flags SYN, ACK, and RST.

 


3. As an 8-bit hexadecimal number, where the supplied number is the exact value that will be placed in the flags field of the TCP header. The number should start with the prefix 0x and should be in the range [0x00-0xFF], e.g. --flags 0x20 sets the URG flag as 0x20 corresponds to binary 00100000 and the URG flag is represented by the third bit.

There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST, SYN, and FIN. The special value ALL means to set all flags. NONE means to set no flags. It is important that if you don't want any flag to be set, you request it explicitly because in some cases the SYN flag may be set by default. Here is a brief description of the meaning of each flag:

CWR (Congestion Window Reduced)

Set by an ECN-Capable sender when it reduces its congestion window (due to a retransmit timeout, a fast retransmit or in response to an ECN notification).

ECN (Explicit Congestion Notification)

During the three-way handshake it indicates that sender is capable of performing explicit congestion notification. Normally it means that a packet with the IP Congestion Experienced flag set was received during normal transmission. See RFC 3168 for more information.

URG (Urgent)


Segment is urgent and the urgent pointer field carries valid information.

ACK (Acknowledgement)


The segment carries an acknowledgement and the value of the acknowledgement number field is valid and contains the next sequence number that is expected from the receiver.

PSH (Push)


The data in this segment should be immediately pushed to the application layer on arrival.

RST (Reset)


There was some problem and the sender wants to abort the connection.

SYN (Synchronize)


The segment is a request to synchronize sequence numbers and establish a connection. The sequence number field contains the sender's initial sequence number.

FIN (Finish)


The sender wants to close the connection.
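The three --flags forms described above all reduce to one byte in the TCP header. The following Python sketch is an added example, not Nping's own parser: it converts each form to that byte, decodes a byte back into flag names, and reports combinations that do not occur in normal traffic, such as the SYN plus RST case mentioned under --tcp. The initials C and E for CWR and ECN, the rule that a full flag name wins over a run of initials, and the anomaly list beyond SYN plus RST are assumptions of this example.

```python
# Bit positions of the flags byte in the TCP header, in the order the page lists them.
FLAG_BITS = {
    "cwr": 0x80, "ecn": 0x40, "urg": 0x20, "ack": 0x10,
    "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01,
}
# One-character initials (assumed: C = CWR, E = ECN).
INITIALS = {name[0]: bit for name, bit in FLAG_BITS.items()}


def parse_flags(spec):
    """Convert a --flags argument in any of the three documented forms to a byte."""
    text = spec.strip().lower()
    if text.startswith("0x"):                      # form 3: raw hexadecimal value
        value = int(text, 16)
        if not 0x00 <= value <= 0xFF:
            raise ValueError(f"flags value out of range: {spec!r}")
        return value
    if text == "all":
        return 0xFF
    if text == "none":
        return 0x00
    tokens = text.split(",")
    if all(token in FLAG_BITS for token in tokens):  # form 1: syn,ack,rst
        value = 0
        for token in tokens:
            value |= FLAG_BITS[token]
        return value
    if text and all(char in INITIALS for char in text):  # form 2: SAR
        value = 0
        for char in text:
            value |= INITIALS[char]
        return value
    raise ValueError(f"unrecognised flag specification: {spec!r}")


def describe_flags(value):
    """List the names of the flags set in a flags byte."""
    return [name.upper() for name, bit in FLAG_BITS.items() if value & bit]


def anomalies(value):
    """Return reasons why a flags byte would not appear in normal TCP traffic."""
    reasons = []
    if value == 0x00:
        reasons.append("no flags set")
    if value == 0xFF:
        reasons.append("all flags set")
    if value & FLAG_BITS["syn"] and value & FLAG_BITS["rst"]:
        reasons.append("SYN and RST together")
    if value & FLAG_BITS["syn"] and value & FLAG_BITS["fin"]:
        reasons.append("SYN and FIN together")
    return reasons


if __name__ == "__main__":
    for spec in ("syn,ack,rst", "SAR", "0x20", "rst", "SA", "NONE", "ALL"):
        value = parse_flags(spec)
        print(f"{spec:12} 0x{value:02x} {describe_flags(value)} {anomalies(value)}")
```
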

--win size (Window Size)

Specifies the TCP window size, that is, the number of octets the sender of the segment is willing to accept from the receiver at one time. This is usually the size of the reception buffer that the OS allocates for a given connection. size must be a number in the range [0-65535].

--badsum (Invalid Checksum)


Asks Nping to use an invalid TCP checksum for the packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or an IDS that didn't bother to verify the checksum. For more details on this technique, see http://nmap.org/p60-12.html.

 

UDP MODE

-p port_spec, --dest-port port_spec (Target ports)


This option specifies which ports you want UDP datagrams to be sent to. It can be a single port, a comma-separated list of ports (e.g. 80,443,8080), a range (e.g. 1-1023), and any combination of those (e.g. 21-25,80,443,1024-2048). The beginning and/or end values of a range may be omitted, causing Nping to use 1 and 65535, respectively. So you can specify -p- to target ports from 1 through 65535. Using port zero is allowed if you specify it explicitly.

-g portnumber, --source-port portnumber (Spoof source port)


This option asks Nping to use the specified port as source port for the transmitted datagrams. Note that this might not work on all systems or may require root privileges. Specified value must be an integer in the range [0-65535].

--badsum (Invalid Checksum)


Asks Nping to use an invalid UDP checksum for the packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or an IDS that didn't bother to verify the checksum. For more details on this technique, see http://nmap.org/p60-12.html.

 

ICMP MODE

--icmp-type type (ICMP type)


This option specifies which type of ICMP messages should be generated. type can be supplied in two different ways. You can use the official type numbers assigned by IANA [1] (e.g. --icmp-type 8 for ICMP Echo Request), or you can use any of the mnemonics listed in the section called "ICMP Types".

--icmp-code code (ICMP code)


This option specifies which ICMP code should be included in the generated ICMP messages. code can be supplied in two different ways. You can use the official code numbers assigned by IANA [1] (e.g. --icmp-code 1 for Fragment Reassembly Time Exceeded), or you can use any of the mnemonics listed in the section called "ICMP Codes".

--icmp-id id (ICMP identifier)


This option specifies the value of the identifier used in some of the ICMP messages. In general it is used to match request and reply messages. id must be a number in the range [0-65535].

--icmp-seq seq (ICMP sequence)

This option specifies the value of the sequence number field used in some ICMP messages. In general it is used to match request and reply messages. seq must be a number in the range [0-65535].

--icmp-redirect-addr addr (ICMP Redirect address)


This option sets the address field in ICMP Redirect messages. In other words, it sets the IP address of the router that should be used when sending IP datagrams to the original destination. addr can be either an IPv4 address or a hostname.

--icmp-param-pointer pointer (ICMP Parameter Problem pointer)


This option specifies the pointer that indicates the location of the problem in ICMP Parameter Problem messages. pointer should be a number in the range [0-255]. Normally this option is only used when ICMP code is set to 0 ("Pointer indicates the error").

--icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime)

This option specifies the router advertisement lifetime, that is, the number of seconds the information carried in an ICMP Router Advertisement can be considered valid for. ttl must be a positive integer in the range [0-65535].

--icmp-advert-entry addr,pref (ICMP Router Advertisement Entry)


This option adds a Router Advertisement entry to an ICMP Router Advertisement message. The parameter must be two values separated by a comma. addr is the router's IP and can be specified either as an IP address in dot-decimal notation or as a hostname. pref is the preference level for the specified IP. It must be a number in the range [0-4294967295]. An example is --icmp-advert-entry 192.168.128.1,3.

--icmp-orig-time timestamp (ICMP Originate Timestamp)


This option sets the Originate Timestamp in ICMP Timestamp messages. The Originate Timestamp is expressed as the number of milliseconds since midnight UTC and it corresponds to the time the sender last touched the Timestamp message before its transmission. timestamp can be specified as a regular time (e.g. 10s, 3h, 1000ms), or the special string now. You can add or subtract values from now, for example --icmp-orig-time now-2s, --icmp-orig-time now+1h, --icmp-orig-time now+200ms.

--icmp-recv-time timestamp (ICMP Receive Timestamp)


This option sets the Receive Timestamp in ICMP Timestamp messages. The Receive Timestamp is expressed as the number of milliseconds since midnight UTC and it corresponds to the time the echoer first touched the Timestamp message on receipt. timestamp is as with --icmp-orig-time.

--icmp-trans-time timestamp (ICMP Transmit Timestamp)


This option sets the Transmit Timestamp in ICMP Timestamp messages. The Transmit Timestamp is expressed as the number of milliseconds since midnight UTC and it corresponds to the time the echoer last touched the Timestamp message before its transmission. timestamp is as with --icmp-orig-time.

 

ICMP Types

These identifiers may be used as mnemonics for the ICMP type numbers given to the --icmp-type option. In general there are three forms of each identifier: the full name (e.g. destination-unreachable), the short name (e.g. dest-unr), or the initials (e.g. du). In ICMP types that request something, the word "request" is omitted.

echo-reply, echo-rep, er


Echo Reply (type 0). This message is sent in response to an Echo Request message.

destination-unreachable, dest-unr, du


Destination Unreachable (type 3). This message indicates that a datagram could not be delivered to its destination.

source-quench, sour-que, sq


Source Quench (type 4). This message is used by a congested IP device to tell another device that it is sending packets too fast and that it should slow down.

redirect, redi, r


Redirect (type 5). This message is normally used by routers to inform a host that there is a better route to use for sending datagrams. See also the --icmp-redirect-addr option.

echo-request, echo, e


Echo Request (type 8). This message is used to test the connectivity of another device on a network.

router-advertisement, rout-adv, ra


Router Advertisement (type 9). This message is used by routers to let hosts know of their existence and capabilities. See also the --icmp-advert-lifetime option.

router-solicitation, rout-sol, rs


Router Solicitation (type 10). This message is used by hosts to request Router Advertisement messages from any listening routers.

time-exceeded, time-exc, te


Time Exceeded (type 11). This message is generated by some intermediate device (normally a router) to indicate that a datagram has been discarded before reaching its destination because the IP TTL expired.

parameter-problem, para-pro, pp


Parameter Problem (type 12). This message is used when a device finds a problem with a parameter in an IP header and it cannot continue processing it. See also the --icmp-param-pointer option.

timestamp, time, tm


Timestamp Request (type 13). This message is used to request a device to send a timestamp value for propagation time calculation and clock synchronization. See also the --icmp-orig-time, --icmp-recv-time, and --icmp-trans-time options.

timestamp-reply, time-rep, tr


Timestamp Reply (type 14). This message is sent in response to a Timestamp Request message.

information, info, i


Information Request (type 15). This message is now obsolete but it was originally used to request configuration information from another device.

information-reply, info-rep, ir


Information Reply (type 16). This message is now obsolete but it was originally sent in response to an Information Request message to provide configuration information.

mask-request, mask, m


Address Mask Request (type 17). This message is used to ask a device to send its subnet mask.

mask-reply, mask-rep, mr


Address Mask Reply (type 18). This message contains a subnet mask and is sent in response to an Address Mask Request message.

traceroute, trace, tc


Traceroute (type 30). This message is normally sent by an intermediate device when it receives an IP datagram with a traceroute option. ICMP Traceroute messages are still experimental, see RFC 1393 for more information.

 

ICMP Codes

These identifiers may be used as mnemonics for the ICMP code numbers given to the --icmp-code option. They are listed by the ICMP type they correspond to.


Destination Unreachable


network-unreachable, netw-unr, net


Code 0. Datagram could not be delivered to its destination network (probably due to some routing problem).

host-unreachable, host-unr, host


Code 1. Datagram was delivered to the destination network but it was impossible to reach the specified host (probably due to some routing problem).

protocol-unreachable, prot-unr, proto


Code 2. The protocol specified in the Protocol field of the IP datagram is not supported by the host to which the datagram was delivered.

port-unreachable, port-unr, port


Code 3. The TCP/UDP destination port was invalid.

needs-fragmentation, need-fra, frag


Code 4. Datagram had the DF bit set but it was too large for the MTU of the next physical network so it had to be dropped.

source-route-failed, sour-rou, routefail


Code 5. IP datagram had a Source Route option but a router couldn't pass it to the next hop.

network-unknown, netw-unk, net?


Code 6. Destination network is unknown. This code is never used. Instead, Network Unreachable is used.

host-unknown, host-unk, host?


Code 7. Specified host is unknown. Usually generated by a router local to the destination host to inform of a bad address.

host-isolated, host-iso, isolated


Code 8. Source Host Isolated. Not used.

network-prohibited, netw-pro, !net


Code 9. Communication with destination network is administratively prohibited (source device is not allowed to send packets to the destination network).

host-prohibited, host-pro, !host


Code 10. Communication with destination host is administratively prohibited. (The source device is allowed to send packets to the destination network but not to the destination device.)

network-tos, unreachable-network-tos, netw-tos, tosnet


Code 11. Destination network unreachable because it cannot provide the type of service specified in the IP TOS field.

host-tos, unreachable-host-tos, toshost


Code 12. Destination host unreachable because it cannot provide the type of service specified in the IP TOS field.

communication-prohibited, comm-pro, !comm


Code 13. Datagram could not be forwarded due to filtering that blocks the message based on its contents.

host-precedence-violation, precedence-violation, prec-vio, violation


Code 14. Precedence value in the IP TOS field is not permitted.

precedence-cutoff, prec-cut, cutoff


Code 15. Precedence value in the IP TOS field is lower than the minimum allowed for the network.


Redirect


redirect-network, redi-net, net


Code 0. Redirect all future datagrams with the same destination network as the original datagram, to the router specified in the Address field. The use of this code is prohibited by RFC 1812.

redirect-host, redi-host, host


Code 1. Redirect all future datagrams with the same destination host as the original datagram, to the router specified in the Address field.

redirect-network-tos, redi-ntos, redir-ntos


Code 2. Redirect all future datagrams with the same destination network and IP TOS value as the original datagram, to the router specified in the Address field. The use of this code is prohibited by RFC 1812.

redirect-host-tos, redi-htos, redir-htos


Code 3. Redirect all future datagrams with the same destination host and IP TOS value as the original datagram, to the router specified in the Address field.


Router Advertisement


normal-advertisement, norm-adv, normal, zero, default, def


Code 0. Normal router advertisement. In Mobile IP: Mobility agent can act as a router for IP datagrams not related to mobile nodes.

not-route-common-traffic, not-rou, mobile-ip, !route, !commontraffic


Code 16. Used for Mobile IP. The mobility agent does not route common traffic. All foreign agents must forward to a default router any datagrams received from a registered mobile node.


Time Exceeded


ttl-exceeded-in-transit, ttl-exc, ttl-transit


Code 0. IP Time To Live expired during transit.

fragment-reassembly-time-exceeded, frag-exc, frag-time


Code 1. Fragment reassembly time has been exceeded.


Parameter Problem


pointer-indicates-error, poin-ind, pointer


Code 0. The pointer field indicates the location of the problem. See the --icmp-param-pointer option.

missing-required-option, miss-option, option-missing


Code 1. IP datagram was expected to have an option that is not present.

bad-length, bad-len, badlen


Code 2. The length of the IP datagram is incorrect.

 

ARP MODE

--arp-type type (ARP Type)


This option specifies which type of ARP messages should be generated. type can be supplied in two different ways. You can use the official numbers assigned by IANA [2] (e.g. --arp-type 1 for ARP Request), or you can use one of the mnemonics from the section called "ARP Types".

--arp-sender-mac mac (Sender MAC address)


This option sets the Sender Hardware Address field of the ARP header. Although ARP supports many types of link layer addresses, currently Nping only supports MAC addresses. mac must be specified using the traditional MAC notation (e.g. 00:0a:8a:32:f4:ae). You can also use hyphens as separators (e.g. 00-0a-8a-32-f4-ae).

--arp-sender-ip addr (Sender IP address)


This option sets the Sender IP field of the ARP header. addr can be given as an IPv4 address or a hostname.

--arp-target-mac mac (Target MAC address)


This option sets the Target Hardware Address field of the ARP header.

--arp-target-ip addr (Target IP address)


This option sets the Target IP field of the ARP header.

 

ARP Types

These identifiers may be used as mnemonics for the ARP type numbers given to the --arp-type option.

arp-request, arp, a


ARP Request (type 1). ARP requests are used to translate network layer addresses (normally IP addresses) to link layer addresses (usually MAC addresses). Basically, an ARP request is a broadcast message that asks the host in the same network segment that has a given IP address to provide its MAC address.

arp-reply, arp-rep, ar


ARP Reply (type 2). An ARP reply is a message that a host sends in response to an ARP request to provide its link layer address.

rarp-request, rarp, r


RARP Request (type 3). RARP requests are used to translate a link layer address (normally a MAC address) to a network layer address (usually an IP address). Basically, a RARP request is a broadcast message sent by a host that wants to know its own IP address because it doesn't have one. It was the first protocol designed to solve the bootstrapping problem. However, RARP is now obsolete and DHCP is used instead. For more information about RARP see RFC 903.

rarp-reply, rarp-rep, rr


RARP Reply (type 4). A RARP reply is a message sent in response to a RARP request to provide an IP address to the host that sent the RARP request in the first place.

drarp-request, drarp, d


Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP used to obtain or assign a network layer address from a fixed link layer address. DRARP was used mainly on Sun Microsystems platforms in the late 90s but it is no longer used. See RFC 1931 for more information.

drarp-reply, drarp-rep, dr


Dynamic RARP Reply (type 6). A DRARP reply is a message sent in response to a RARP request to provide a network layer address.

drarp-error, drarp-err, de


DRARP Error (type 7). DRARP Error messages are usually sent in response to DRARP requests to inform of some error. In DRARP Error messages, the Target Protocol Address field is used to carry an error code (usually in the first byte). The error code is intended to tell why no target protocol address is being returned. For more information see RFC 1931.

inarp-request, inarp, i


Inverse ARP Request (type 8). InARP requests are used to translate a link layer address to a network layer address. It is similar to RARP request but in this case, the sender of the InARP request wants to know the network layer address of another node, not its own address. InARP is mainly used in Frame Relay and ATM networks. For more information see RFC 2390.

inarp-reply, inarp-rep, ir


Inverse ARP Reply (type 9). InARP reply messages are sent in response to InARP requests to provide the network layer address associated with the host that has a given link layer address.

arp-nak, an


ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP protocol and they are used to improve the robustness of the ATMARP server mechanism. With ARP NAK, a client can determine the difference between a catastrophic server failure and an ATMARP table lookup failure. See RFC 1577 for more information.
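The ARP header fields set by the --arp-* options and the type numbers listed above, seen from the receiving side: this added Python example (not part of the Nping documentation or source) decodes Ethernet/IPv4 ARP messages and reports any whose Sender IP is paired with a MAC address different from a recorded binding. The function names, the binding table and the sample messages are assumptions made for illustration.

```python
import ipaddress
import re
import struct

# Type numbers and full mnemonics as listed under "ARP Types" above.
ARP_TYPES = {1: "arp-request", 2: "arp-reply", 3: "rarp-request", 4: "rarp-reply",
             5: "drarp-request", 6: "drarp-reply", 7: "drarp-error",
             8: "inarp-request", 9: "inarp-reply", 10: "arp-nak"}
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}")

def parse_mac(text):
    """Accept 00:0a:8a:32:f4:ae or 00-0a-8a-32-f4-ae; return the 6 raw bytes."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet/IPv4 ARP message; used here only to make sample input."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       parse_mac(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       parse_mac(target_mac), ipaddress.IPv4Address(target_ip).packed)

def parse_arp(pkt):
    """Decode a 28-byte Ethernet/IPv4 ARP message into the fields named above."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"type": ARP_TYPES.get(op, f"type-{op}"),
            "sender_mac": sha.hex(":"), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(ipaddress.IPv4Address(tpa))}

def binding_conflicts(packets, known):
    """List messages whose Sender IP is paired with a MAC other than the recorded one."""
    hits = []
    for arp in map(parse_arp, packets):
        expected = known.get(arp["sender_ip"])
        if expected and arp["sender_mac"] != parse_mac(expected).hex(":"):
            hits.append((arp["type"], arp["sender_ip"], arp["sender_mac"]))
    return hits

# Constructed sample traffic (documentation-range addresses, not a real capture).
KNOWN = {"192.0.2.1": "00-00-5E-00-53-01"}
SAMPLES = [
    build_arp(1, "00:00:5e:00:53:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(2, "00:00:5e:00:53:01", "192.0.2.1", "00:00:5e:00:53:10", "192.0.2.10"),
    build_arp(2, "00:00:5e:00:53:66", "192.0.2.1", "00:00:5e:00:53:10", "192.0.2.10"),
]
```

Calling `binding_conflicts(SAMPLES, KNOWN)` returns only the third message, an arp-reply that claims 192.0.2.1 with a MAC other than the recorded one.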