Hping3
Hping3 is a network tool for packet crafting and analysis. It can be used for OS fingerprinting, port scanning, firewall testing, and advanced network reconnaissance.
Installation
# Debian/Ubuntu
sudo apt install hping3
# Kali Linux (pre-installed)
which hping3
# macOS
brew install hping3
# Build from source
git clone https://github.com/antirez/hping
cd hping && ./configure && make && sudo make install
Basic Host Discovery
| Command | Description |
|---|---|
| `hping3 target` | Default mode: TCP packet with no flags set, sent to port 0 |
| `hping3 -1 target` | ICMP echo request |
| `hping3 -2 target` | UDP packet |
| `hping3 -S target` | TCP SYN packet |
| `hping3 -h` | Show help |
TCP Scanning
# TCP SYN scan on port 80
hping3 -S -p 80 target
# TCP SYN scan with multiple ports (-p takes a single port; port lists need --scan)
hping3 --scan 22,80,443,3389 -S target
# TCP SYN scan with port range (ranges use start-end)
hping3 --scan 80-443 -S target
# TCP ACK scan (firewall detection)
hping3 -A -p 80 target
# TCP FIN scan
hping3 -F -p 80 target
# TCP RST scan
hping3 -R -p 80 target
# TCP XMAS scan (FIN, PUSH and URG set; -X alone only sets the unused X flag, 0x40)
hping3 -F -P -U -p 80 target
ICMP Scanning
# ICMP echo request (ping)
hping3 -1 target
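# ICMP timestamp request (alias for --icmptype 13)
hping3 -1 --icmp-ts target
# ICMP mask request (ICMP type 17; also available as --icmp-addr)
hping3 -1 --icmptype 17 target
# ICMP probe to a random address: --rand-dest needs a numeric pattern (x = random octet) and -I
# (eth0 and 192.168.1.x are example values)
hping3 -1 -c 1 --rand-dest -I eth0 192.168.1.x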
UDP Scanning
# UDP port scan
hping3 -2 -p 53 target
# UDP on DNS port
hping3 -2 -p 53 target
# UDP random destination (numeric pattern and -I required; eth0 and 192.168.1.x are example values)
hping3 -2 -p 1234 --rand-dest -I eth0 192.168.1.x
Flood and DoS Testing
# TCP flood on port 80
hping3 -S -p 80 --flood target
# UDP flood
hping3 -2 -p 1234 --flood target
# ICMP flood
hping3 -1 --flood target
# Flood with specific data
hping3 -S -p 80 --flood -d 1000 target
# Rate-limited alternative to --flood: one packet every 1000 microseconds (about 1000 packets per second)
hping3 -S -p 80 -i u1000 target
Traceroute
# TCP traceroute
hping3 -S -p 80 --traceroute target
# ICMP traceroute
hping3 -1 --traceroute target
# UDP traceroute
hping3 -2 -p 53 --traceroute target
Firewall Testing
# Send packet with specific flags
hping3 -S -p 80 -F -P -U target
# Fragment testing
hping3 -S -p 80 -f target
# TTL testing (bypass firewall)
hping3 -S -p 80 --ttl 1 target
hping3 -S -p 80 --ttl 64 target
# MSS testing (--tcp-mss sets the TCP MSS option; -m would set the MTU instead)
hping3 -S -p 80 --tcp-mss 1000 target
# IP identification field (-N / --id)
hping3 -S -p 80 --id 1 target
OS Fingerprinting
# TCP window size scan
hping3 -S -p 80 target
# SYN/ACK response analysis
hping3 -A -p 80 target
# TTL analysis
hping3 -S -p 22 target
# Combine multiple flags
hping3 -S -F -P -U -p 80 target
Advanced Packet Crafting
# Send specific packet with data
hping3 -S -p 80 -d 100 target
# Custom data payload (-E fills the data from a file; -d sets how many bytes are sent)
hping3 -S -p 80 -d 100 -E payloadfile target
# Spoof source IP
hping3 -S -p 80 -a 192.168.1.200 target
# Set source port
hping3 -S -p 80 -s 1234 target
# Send continuously, one packet every 100 microseconds
hping3 -S -p 80 -i u100 target
Output and Analysis
# Verbose output
hping3 -S -p 80 -V target
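# Set ICMP type (-C is --icmptype and needs a value; hping3 has no comment mode)
hping3 -1 -C 8 target
# Dump received packets in hex (-j; -r is relative IP ID display, not raw output)
hping3 -S -p 80 -j target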
# Count packets (stop after N)
hping3 -S -p 80 -c 10 target
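# Save to pcap file (hping3 cannot write pcap, -w sets the TCP window size; capture with tcpdump while hping3 runs)
sudo tcpdump -w savedfile.pcap host target
# Read from pcap (hping3 cannot read pcap; use tcpdump)
tcpdump -nn -r savedfile.pcap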
Timing Control
# Send with interval (microseconds)
hping3 -S -p 80 -i u1000 target
# Send with interval of 100 milliseconds (-i only accepts seconds or uN microseconds)
hping3 -S -p 80 -i u100000 target
# Send with interval (seconds)
hping3 -S -p 80 -i 1 target
# TCP window size (-w sets the window, default 64; it is not a wait time)
hping3 -S -p 80 -w 2 target
Practical Examples
Port Scanning
# Simple port scan (port lists need --scan)
hping3 --scan 80,443,22,3389 -S target
# Port range scan (ranges use start-end)
hping3 --scan 1-1024 -S target
Idle Scan
# Using zombie IP for stealth
hping3 -a zombie_ip -S -p 80 target
Detect Filtering
# Check if packets are blocked
hping3 -S -p 999 target
# Test UDP filtering
hping3 -2 -p 53 target
# Test ICMP filtering
hping3 -1 target
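Reading the replies to the TCP filtering checks above, as an added example that is not part of the original cheat sheet: it maps each hping3 reply line from a SYN probe to open, closed or filtered. The function names `classify_hping` and `sample_output` are hypothetical, and the sample output is constructed using documentation addresses.

```shell
#!/bin/sh
# Added example: classify replies to TCP SYN probes (hping3 -S).
# Usage with a real run: hping3 -S -p 999 -c 3 target 2>&1 | classify_hping
classify_hping() {
    awk '
    # TCP reply line, e.g. "len=46 ip=... sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms"
    /flags=/ {
        port = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sport=/) port  = substr($i, 7)
            if ($i ~ /^flags=/) flags = substr($i, 7)
        }
        if (flags == "SA")          state = "open"      # SYN/ACK: a service is listening
        else if (index(flags, "R")) state = "closed"    # RST: host reachable, no listener
        else                        state = "other(" flags ")"
        print port, state
        next
    }
    # An ICMP error in reply to a TCP probe means a device on the path rejected it
    /^ICMP .* from ip=/ { print "-", "filtered(icmp)"; next }
    # No replies at all: the probe was silently dropped
    /100% packet loss/  { print "-", "filtered(drop)" }
    '
}

# Constructed sample output (not captured from a real host)
sample_output() {
    cat <<'EOF'
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=999 flags=RA seq=0 win=0 rtt=0.3 ms
ICMP Packet filtered from ip=192.0.2.1 name=UNKNOWN
--- 192.0.2.20 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
EOF
}

sample_output | classify_hping
```

The ICMP rule applies to TCP probes only: for a UDP probe (`-2`), an ICMP port unreachable reply indicates a closed port rather than a filter.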
Packet Options
# Set TCP flags: SYN
-S
# Set TCP flags: ACK
-A
# Set TCP flags: FIN
-F
# Set TCP flags: RST
-R
# Set TCP flags: PUSH
-P
# Set TCP flags: URGENT
-U
# Set the unused X TCP flag (0x40); a classic XMAS probe is -F -P -U
-X
# Fragment IP packets
-f
# Set DF bit (-y / --dontfrag)
-y
# Set destination port
-p 80
# Set source port
-s 1234
# Set TTL
--ttl 64
# Set IP ID (-N / --id)
--id 1000
# Set window size
-w 1024
Last updated: March 2026