Sniffing & Spoofingnetworkpacketicmpudptcpscannertraceroutefirewallspoofing

hping3

hping3 is a network tool for sending custom ICMP/UDP/TCP packets and displaying target replies like ping. It supports testing firewall rules, port scanning, network performance testing, and more.

Description

hping3 is an active network smashing tool capable of sending custom ICMP/UDP/TCP packets and displaying target replies similar to ping with ICMP replies. It handles fragmentation, arbitrary packet body and size, and can transfer files under supported protocols. The tool is scriptable using the Tcl language.

Using hping3, you can test firewall rules, perform spoofed port scanning, test network performance with different protocols, conduct path MTU discovery, execute traceroute-like actions under various protocols, fingerprint remote operating systems, and audit TCP/IP stacks.

It supports multiple modes including RAW IP, ICMP, UDP, SCAN, and listen modes, with options for spoofing, randomization, and packet manipulation.

How It Works

hping3 sends custom crafted TCP/IP packets including ICMP, UDP, and TCP with configurable headers, fragmentation, TTL, IDs, and payloads. It displays replies from targets, supports spoofed source addresses, random destinations/sources, and protocol-specific options like ICMP types/codes or TCP ports/sequence numbers. Traceroute mode uses incremental TTL starting from 1 with binding implied.

Installation

bash

sudo apt install hping3

Flags

-h --helpshow this help

-v --versionshow version

-c --countpacket count

-i --intervalwait (uX for X microseconds, for example -i u1000)

--fastalias for -i u10000 (10 packets for second)

--fasteralias for -i u1000 (100 packets for second)

--floodsent packets as fast as possible. Don't show replies.

-n --numericnumeric output

-0 --rawipRAW IP mode

-1 --icmpICMP mode

-2 --udpUDP mode

-8 --scanSCAN mode. Example: hping --scan 1-30,70-90 -S www.target.host

-9 --listenlisten mode

-a --spoofspoof source address

--rand-destrandom destination address mode. see the man.

--rand-sourcerandom source address mode. see the man.

-t --ttlttl (default 64)

-T --traceroutetraceroute mode (implies --bind and --ttl 1)

-Vbe verbose

Examples

Use traceroute mode (--traceroute), be verbose (-V) in ICMP mode (-1) against the target (www.example.com)

hping3 --traceroute -V -1 www.example.com

Show help usage information

hping3 -h

SCAN mode example scanning ports 1-30 and 70-90 with SYN flag

hping3 --scan 1-30,70-90 -S www.target.host

Send packets as fast as possible without showing replies

hping3 --flood www.target.host

Send packets at 10 packets per second

hping3 --fast www.target.host

Send packets at 100 packets per second

hping3 --faster www.target.host

Send in ICMP mode (default echo request)

hping3 -1 www.target.host

Send TCP SYN packets (default TCP mode)

hping3 -S www.target.host

Updated 2026-04-16kali.org ↗