Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

nping (1)

Name

nping - Network packet generation tool / ping utility

Synopsis

nping [Options] {targets}

Description

NPING(1)                     Nping Reference Guide                    NPING(1)



NAME
       nping - Network packet generation tool / ping utility

SYNOPSIS
       nping [Options] {targets}

DESCRIPTION
       Nping is an open-source tool for network packet generation, response
       analysis and response time measurement. Nping allows users to generate
       network packets of a wide range of protocols, letting them tune
       virtually any field of the protocol headers. While Nping can be used as
       a simple ping utility to detect active hosts, it can also be used as a
       raw packet generator for network stack stress tests, ARP poisoning,
       Denial of Service attacks, route tracing, and other purposes.

       Additionally, Nping offers a special mode of operation called the "Echo
       Mode", that lets users see how the generated probes change in transit,
       revealing the differences between the transmitted packets and the
       packets received at the other end. See section "Echo Mode" for details.

       The output from Nping is a list of the packets that are being sent and
       received. The level of detail depends on the options used.

       A typical Nping execution is shown in Example 1. The only Nping
       arguments used in this example are -c, to specify the number of times
       to target each host, --tcp to specify TCP Probe Mode, -p 80,433 to
       specify the target ports; and then the two target hostnames.

       Example 1. A representative Nping execution

           # nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com

           Starting Nping ( https://nmap.org/nping )
           SENT (0.0120s) TCP 96.16.226.135:50091 > 64.13.134.52:80 S ttl=64 id=52072 iplen=40  seq=1077657388 win=1480
           RCVD (0.1810s) TCP 64.13.134.52:80 > 96.16.226.135:50091 SA ttl=53 id=0 iplen=44  seq=4158134847 win=5840 <mss 1460>
           SENT (1.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:80 S ttl=64 id=13932 iplen=40  seq=1077657388 win=1480
           RCVD (1.1370s) TCP 74.125.45.100:80 > 96.16.226.135:50091 SA ttl=52 id=52913 iplen=44  seq=2650443864 win=5720 <mss 1430>
           SENT (2.0140s) TCP 96.16.226.135:50091 > 64.13.134.52:433 S ttl=64 id=8373 iplen=40  seq=1077657388 win=1480
           SENT (3.0140s) TCP 96.16.226.135:50091 > 74.125.45.100:433 S ttl=64 id=23624 iplen=40  seq=1077657388 win=1480

           Statistics for host scanme.nmap.org (64.13.134.52):
            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
            |_ Max rtt: 169.720ms | Min rtt: 169.720ms | Avg rtt: 169.720ms
           Statistics for host google.com (74.125.45.100):
            |  Probes Sent: 2 | Rcvd: 1 | Lost: 1  (50.00%)
            |_ Max rtt: 122.686ms | Min rtt: 122.686ms | Avg rtt: 122.686ms
           Raw packets sent: 4 (160B) | Rcvd: 2 (92B) | Lost: 2 (50.00%)
           Tx time: 3.00296s | Tx bytes/s: 53.28 | Tx pkts/s: 1.33
           Rx time: 3.00296s | Rx bytes/s: 30.64 | Rx pkts/s: 0.67
           Nping done: 2 IP addresses pinged in 4.01 seconds

OPTIONS SUMMARY
       This options summary is printed when Nping is run with no arguments. It
       helps people remember the most common options, but is no substitute for
       the in-depth documentation in the rest of this manual. Some obscure
       options aren't even included here.

           Nping 0.5.59BETA1 ( https://nmap.org/nping )
           Usage: nping [Probe mode] [Options] {target specification}

           TARGET SPECIFICATION:
             Targets may be specified as hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
           PROBE MODES:
             --tcp-connect                    : Unprivileged TCP connect probe mode.
             --tcp                            : TCP probe mode.
             --udp                            : UDP probe mode.
             --icmp                           : ICMP probe mode.
             --arp                            : ARP/RARP probe mode.
             --tr, --traceroute               : Traceroute mode (can only be used with
                                                TCP/UDP/ICMP modes).
           TCP CONNECT MODE:
              -p, --dest-port <port spec>     : Set destination port(s).
              -g, --source-port <portnumber>  : Try to use a custom source port.
           TCP PROBE MODE:
              -g, --source-port <portnumber>  : Set source port.
              -p, --dest-port <port spec>     : Set destination port(s).
              --seq <seqnumber>               : Set sequence number.
              --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
              --ack <acknumber>               : Set ACK number.
              --win <size>                    : Set window size.
              --badsum                        : Use a random invalid checksum.
           UDP PROBE MODE:
              -g, --source-port <portnumber>  : Set source port.
              -p, --dest-port <port spec>     : Set destination port(s).
              --badsum                        : Use a random invalid checksum.
           ICMP PROBE MODE:
             --icmp-type <type>               : ICMP type.
             --icmp-code <code>               : ICMP code.
             --icmp-id <id>                   : Set identifier.
             --icmp-seq <n>                   : Set sequence number.
             --icmp-redirect-addr <addr>      : Set redirect address.
             --icmp-param-pointer <pnt>       : Set parameter problem pointer.
             --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
             --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
             --icmp-orig-time  <timestamp>    : Set originate timestamp.
             --icmp-recv-time  <timestamp>    : Set receive timestamp.
             --icmp-trans-time <timestamp>    : Set transmit timestamp.
           ARP/RARP PROBE MODE:
             --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
             --arp-sender-mac <mac>           : Set sender MAC address.
             --arp-sender-ip  <addr>          : Set sender IP address.
             --arp-target-mac <mac>           : Set target MAC address.
             --arp-target-ip  <addr>          : Set target IP address.
           IPv4 OPTIONS:
             -S, --source-ip                  : Set source IP address.
             --dest-ip <addr>                 : Set destination IP address (used as an
                                                alternative to {target specification} ).
             --tos <tos>                      : Set type of service field (8bits).
             --id  <id>                       : Set identification field (16 bits).
             --df                             : Set Don't Fragment flag.
             --mf                             : Set More Fragments flag.
             --ttl <hops>                     : Set time to live [0-255].
             --badsum-ip                      : Use a random invalid checksum.
             --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
             --ip-options <hex string>                    : Set IP options
             --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
                                                small enough.
           IPv6 OPTIONS:
             -6, --IPv6                       : Use IP version 6.
             --dest-ip                        : Set destination IP address (used as an
                                                alternative to {target specification}).
             --hop-limit                      : Set hop limit (same as IPv4 TTL).
             --traffic-class <class> :        : Set traffic class.
             --flow <label>                   : Set flow label.
           ETHERNET OPTIONS:
             --dest-mac <mac>                 : Set destination mac address. (Disables
                                                ARP resolution)
             --source-mac <mac>               : Set source MAC address.
             --ether-type <type>              : Set EtherType value.
           PAYLOAD OPTIONS:
             --data <hex string>              : Include a custom payload.
             --data-string <text>             : Include a custom ASCII text.
             --data-length <len>              : Include len random bytes as payload.
           ECHO CLIENT/SERVER:
             --echo-client <passphrase>       : Run Nping in client mode.
             --echo-server <passphrase>       : Run Nping in server mode.
             --echo-port <port>               : Use custom <port> to listen or connect.
             --no-crypto                      : Disable encryption and authentication.
             --once                           : Stop the server after one connection.
             --safe-payloads                  : Erase application data in echoed packets.
           TIMING AND PERFORMANCE:
             Options which take <time> are in seconds, or append 'ms' (milliseconds),
             's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
             --delay <time>                   : Adjust delay between probes.
             --rate  <rate>                   : Send num packets per second.
           MISC:
             -h, --help                       : Display help information.
             -V, --version                    : Display current version number.
             -c, --count <n>                  : Stop after <n> rounds.
             -e, --interface <name>           : Use supplied network interface.
             -H, --hide-sent                  : Do not display sent packets.
             -N, --no-capture                 : Do not try to capture replies.
             --privileged                     : Assume user is fully privileged.
             --unprivileged                   : Assume user lacks raw socket privileges.
             --send-eth                       : Send packets at the raw ethernet layer.
             --send-ip                        : Send packets using raw IP sockets.
             --bpf-filter <filter spec>       : Specify custom BPF filter.
           OUTPUT:
             -v                               : Increment verbosity level by one.
             -v[level]                        : Set verbosity level. E.g: -v4
             -d                               : Increment debugging level by one.
             -d[level]                        : Set debugging level. E.g: -d3
             -q                               : Decrease verbosity level by one.
             -q[N]                            : Decrease verbosity level N times
             --quiet                          : Set verbosity and debug level to minimum.
             --debug                          : Set verbosity and debug to the max level.
           EXAMPLES:
             nping scanme.nmap.org
             nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
             nping --icmp --icmp-type time --delay 500ms 192.168.254.254
             nping --echo-server "public" -e wlan0 -vvv
             nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

           SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES


TARGET SPECIFICATION
       Everything on the Nping command line that isn't an option or an option
       argument is treated as a target host specification. Nping uses the same
       syntax for target specifications that Nmap does. The simplest case is a
       single target given by IP address or hostname.

       Nping supports CIDR-style addressing. You can append /numbits to an
       IPv4 address or hostname and Nping will send probes to every IP address
       for which the first numbits are the same as for the reference IP or
       hostname given. For example, 192.168.10.0/24 would send probes to the
       256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
       11111111), inclusive.  192.168.10.40/24 would ping exactly the same
       targets. Given that the host scanme.nmap.org is at the IP address
       64.13.134.52, the specification scanme.nmap.org/16 would send probes to
       the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
       smallest allowed value is /0, which targets the whole Internet. The
       largest value is /32, which targets just the named host or IP address
       because all address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you
       might want to send probes to 192.168.0.0/16 but skip any IPs ending
       with .0 or .255 because they may be used as subnet network and
       broadcast addresses. Nping supports this through octet range
       addressing. Rather than specify a normal IP address, you can specify a
       comma-separated list of numbers or ranges for each octet. For example,
       192.168.0-255.1-254 will skip all addresses in the range that end in .0
       or .255, and 192.168.3-5,7.1 will target the four addresses
       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
       a range may be omitted; the default values are 0 on the left and 255 on
       the right. Using - by itself is the same as 0-255, but remember to use
       0- in the first octet so the target specification doesn't look like a
       command-line option. Ranges need not be limited to the final octets:
       the specifier 0-.-.13.37 will send probes to all IP addresses on the
       Internet ending in .13.37. This sort of broad sampling can be useful
       for Internet surveys and research.

       IPv6 addresses can only be specified by their fully qualified IPv6
       address or hostname. CIDR and octet ranges aren't supported for IPv6
       because they are rarely useful.

       Nping accepts multiple host specifications on the command line, and
       they don't need to be the same type. The command nping scanme.nmap.org
       192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.

OPTION SPECIFICATION
       Nping is designed to be very flexible and fit a wide variety of needs.
       As with most command-line tools, its behavior can be adjusted using
       command-line options. These general principles apply to option
       arguments, unless stated otherwise.

       Options that take integer numbers can accept values specified in
       decimal, octal or hexadecimal base. When a number starts with 0x, it
       will be treated as hexadecimal; when it simply starts with 0, it will
       be treated as octal. Otherwise, Nping will assume the number has been
       specified in base 10. Virtually all numbers that can be supplied from
       the command line are unsigned so, as a general rule, the minimum value
       is zero. Users may also specify the word random or rand to make Nping
       generate a random value within the expected range.

       IP addresses may be given as IPv4 addresses (e.g.  192.168.1.1), IPv6
       addresses (e.g.  2001:db8:85a3::8e4c:760:7146), or hostnames, which
       will be resolved using the default DNS server configured in the host
       system.

       Options that take MAC addresses accept the usual colon-separated 6 hex
       byte format (e.g.  00:50:56:d4:01:98). Hyphens may also be used instead
       of colons (e.g.  00-50-56-c0-00-08). The special word random or rand
       sets a random address and the word broadcast or bcast sets
       ff:ff:ff:ff:ff:ff.

GENERAL OPERATION
       Unlike other ping and packet generation tools, Nping supports multiple
       target host and port specifications. While this provides great
       flexibility, it is not obvious how Nping handles situations where there
       is more than one host and/or more than one port to send probes to. This
       section explains how Nping behaves in these cases.

       When multiple target hosts are specified, Nping rotates among them in
       round-robin fashion. This gives slow hosts more time to send their
       responses before another probe is sent to them. Ports are also
       scheduled using round robin. So, unless only one port is specified,
       Nping never sends two probes to the same target host and port
       consecutively.

       The loop around targets is the "inner loop" and the loop around ports
       is the "outer loop". All targets will be sent a probe for a given port
       before moving on to the next port. Between probes, Nping waits a
       configurable amount of time called the "inter-probe delay", which is
       controlled by the --delay option. These examples show how it works.

               # nping --tcp -c 2 1.1.1.1 -p 100-102

               Starting Nping ( https://nmap.org/nping )
               SENT (0.0210s) TCP 192.168.1.77 > 1.1.1.1:100
               SENT (1.0230s) TCP 192.168.1.77 > 1.1.1.1:101
               SENT (2.0250s) TCP 192.168.1.77 > 1.1.1.1:102
               SENT (3.0280s) TCP 192.168.1.77 > 1.1.1.1:100
               SENT (4.0300s) TCP 192.168.1.77 > 1.1.1.1:101
               SENT (5.0320s) TCP 192.168.1.77 > 1.1.1.1:102

               # nping --tcp -c 2 1.1.1.1 2.2.2.2 3.3.3.3 -p 8080

               Starting Nping ( https://nmap.org/nping )
               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:8080
               SENT (1.0240s) TCP 192.168.0.21 > 2.2.2.2:8080
               SENT (2.0260s) TCP 192.168.0.21 > 3.3.3.3:8080
               SENT (3.0270s) TCP 192.168.0.21 > 1.1.1.1:8080
               SENT (4.0290s) TCP 192.168.0.21 > 2.2.2.2:8080
               SENT (5.0310s) TCP 192.168.0.21 > 3.3.3.3:8080

               # nping --tcp -c 1 --delay 500ms 1.1.1.1 2.2.2.2 3.3.3.3 -p 137-139

               Starting Nping ( https://nmap.org/nping )
               SENT (0.0230s) TCP 192.168.0.21 > 1.1.1.1:137
               SENT (0.5250s) TCP 192.168.0.21 > 2.2.2.2:137
               SENT (1.0250s) TCP 192.168.0.21 > 3.3.3.3:137
               SENT (1.5280s) TCP 192.168.0.21 > 1.1.1.1:138
               SENT (2.0280s) TCP 192.168.0.21 > 2.2.2.2:138
               SENT (2.5310s) TCP 192.168.0.21 > 3.3.3.3:138
               SENT (3.0300s) TCP 192.168.0.21 > 1.1.1.1:139
               SENT (3.5330s) TCP 192.168.0.21 > 2.2.2.2:139
               SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139

PROBE MODES
       Nping supports a wide variety of protocols. Although in some cases
       Nping can automatically determine the mode from the options used, it is
       generally a good idea to specify it explicitly.

       --tcp-connect (TCP Connect mode)
           TCP connect mode is the default mode when a user does not have raw
           packet privileges. Instead of writing raw packets as most other
           modes do, Nping asks the underlying operating system to establish a
           connection with the target machine and port by issuing the connect
           system call. This is the same high-level system call that web
           browsers, P2P clients, and most other network-enabled applications
           use to establish a connection. It is part of a programming
           interface known as the Berkeley Sockets API. Rather than read raw
           packet responses off the wire, Nping uses this API to obtain status
           information on each connection attempt. For this reason, you will
           not be able to see the contents of the packets that are sent or
           received but only status information about the TCP connection
           establishment taking place.

       --tcp (TCP mode)
           TCP is the mode that lets users create and send any kind of TCP
           packet. TCP packets are sent embedded in IP packets that can also
           be tuned. This mode can be used for many different purposes. For
           example you could try to discover open ports by sending TCP SYN
           messages without completing the three-way handshake. This technique
           is often referred to as half-open scanning, because you don't open
           a full TCP connection. You send a SYN packet, as if you are going
           to open a real connection and then wait for a response. A SYN/ACK
           indicates the port is open, while a RST indicates it's closed. If
           no response is received one could assume that some intermediate
           network device is filtering the responses. Another use could be to
           see how a remote TCP/IP stack behaves when it receives a
           non-RFC-compliant packet, like one with both SYN and RST flags set.
           One could also do some evil by creating custom RST packets using an
           spoofed IP address with the intent of closing an active TCP
           connection.

       --udp (UDP mode)
           UDP mode can have two different behaviours. Under normal
           circumstances, it lets users create custom IP/UDP packets. However,
           if Nping is run by a user without raw packet privileges and no
           changes to the default protocol headers are requested, then Nping
           enters the unprivileged UDP mode which basically sends UDP packets
           to the specified target hosts and ports using the sendto system
           call. Note that in this unprivileged mode it is not possible to see
           low-level header information of the packets on the wire but only
           status information about the amount of bytes that are being
           transmitted and received. UDP mode can be used to interact with any
           UDP-based server. Examples are DNS servers, streaming servers,
           online gaming servers, and port knocking/single-packet
           authorization daemons.

       --icmp (ICMP mode)
           ICMP mode is the default mode when the user runs Nping with raw
           packet privileges. Any kind of ICMP message can be created. The
           default ICMP type is Echo, i.e., ping. ICMP mode can be used for
           many different purposes, from a simple request for a timestamp or a
           netmask to the transmission of fake destination unreachable
           messages, custom redirects, and router advertisements.

       --arp (ARP/RARP mode)
           ARP lets you create and send a few different ARP-related packets.
           These include ARP, RARP, DRARP, and InARP requests and replies.
           This mode can ban be used to perform low-level host discovery, and
           conduct ARP-cache poisoning attacks.

       --traceroute (Traceroute mode)
           Traceroute is not a mode by itself but a complement to TCP, UDP,
           and ICMP modes. When this option is specified Nping will set the IP
           TTL value of the first probe to 1. When the next router receives
           the packet it will drop it due to the expiration of the TTL and it
           will generate an ICMP destination unreachable message. The next
           probe will have a TTL of 2 so now the first router will forward the
           packet while the second router will be the one that drops the
           packet and generates the ICMP message. The third probe will have a
           TTL value of 3 and so on. By examining the source addresses of all
           those ICMP Destination Unreachable messages it is possible to
           determine the path that the probes take until they reach their
           final destination.

TCP CONNECT MODE
       -p port_spec, --dest-port port_spec (Target ports)
           This option specifies which ports you want to try to connect to. It
           can be a single port, a comma-separated list of ports (e.g.
           80,443,8080), a range (e.g.  1-1023), and any combination of those
           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
           a range may be omitted, causing Nping to use 1 and 65535,
           respectively. So you can specify -p- to target ports from 1 through
           65535. Using port zero is allowed if you specify it explicitly.

       -g portnumber, --source-port portnumber (Spoof source port)
           This option asks Nping to use the specified port as source port for
           the TCP connections. Note that this might not work on all systems
           or may require root privileges. Specified value must be an integer
           in the range [0-65535].

TCP MODE
       -p port_spec, --dest-port port_spec (Target ports)
           This option specifies which destination ports you want to send
           probes to. It can be a single port, a comma-separated list of ports
           (e.g.  80,443,8080), a range (e.g.  1-1023), and any combination of
           those (e.g.  21-25,80,443,1024-2048). The beginning and/or end
           values of a range may be omitted, causing Nping to use 1 and 65535,
           respectively. So you can specify -p- to target ports from 1 through
           65535. Using port zero is allowed if you specify it explicitly.

       -g portnumber, --source-port portnumber (Spoof source port)
           This option asks Nping to use the specified port as source port for
           the TCP connections. Note that this might not work on all systems
           or may require root privileges. Specified value must be an integer
           in the range [0-65535].

       --seq seqnumber (Sequence Number)
           Specifies the TCP sequence number. In SYN packets this is the
           initial sequence number (ISN). In a normal transmission this
           corresponds to the sequence number of the first byte of data in the
           segment.  seqnumber must be a number in the range [0-4294967295].

       --flags flags (TCP Flags)
           This option specifies which flags should be set in the TCP packet.
           flags may be specified in three different ways:

            1. As a comma-separated list of flags, e.g.  --flags syn,ack,rst

            2. As a list of one-character flag initials, e.g.  --flags SAR
               tells Nping to set flags SYN, ACK, and RST.

            3. As an 8-bit hexadecimal number, where the supplied number is
               the exact value that will be placed in the flags field of the
               TCP header. The number should start with the prefix 0x and
               should be in the range [0x00-0xFF], e.g.  --flags 0x20 sets the
               URG flag as 0x20 corresponds to binary 00100000 and the URG
               flag is represented by the third bit.

           There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST,
           SYN, and FIN. The special value ALL means to set all flags.  NONE
           means to set no flags. It is important that if you don't want any
           flag to be set, you request it explicitly because in some cases the
           SYN flag may be set by default. Here is a brief description of the
           meaning of each flag:

           CWR (Congestion Window Reduced)
               Set by an ECN-Capable sender when it reduces its congestion
               window (due to a retransmit timeout, a fast retransmit or in
               response to an ECN notification.

           ECN (Explicit Congestion Notification)
               During the three-way handshake it indicates that sender is
               capable of performing explicit congestion notification.
               Normally it means that a packet with the IP Congestion
               Experienced flag set was received during normal transmission.
               See RFC 3168 for more information.

           URG (Urgent)
               Segment is urgent and the urgent pointer field carries valid
               information.

           ACK (Acknowledgement)
               The segment carries an acknowledgement and the value of the
               acknowledgement number field is valid and contains the next
               sequence number that is expected from the receiver.

           PSH (Push)
               The data in this segment should be immediately pushed to the
               application layer on arrival.

           RST (Reset)
               There was some problem and the sender wants to abort the
               connection.

           SYN (Synchronize)
               The segment is a request to synchronize sequence numbers and
               establish a connection. The sequence number field contains the
               sender's initial sequence number.

           FIN (Finish)
               The sender wants to close the connection.

       --win size (Window Size)
           Specifies the TCP window size, this is, the number of octets the
           sender of the segment is willing to accept from the receiver at one
           time. This is usually the size of the reception buffer that the OS
           allocates for a given connection.  size must be a number in the
           range [0-65535].

       --badsum (Invalid Checksum)
           Asks Nping to use an invalid TCP checksum for the packets sent to
           target hosts. Since virtually all host IP stacks properly drop
           these packets, any responses received are likely coming from a
           firewall or an IDS that didn't bother to verify the checksum. For
           more details on this technique, see https://nmap.org/p60-12.html.

UDP MODE
       -p port_spec, --dest-port port_spec (Target ports)
           This option specifies which ports you want UDP datagrams to be sent
           to. It can be a single port, a comma-separated list of ports (e.g.
           80,443,8080), a range (e.g.  1-1023), and any combination of those
           (e.g.  21-25,80,443,1024-2048). The beginning and/or end values of
           a range may be omitted, causing Nping to use 1 and 65535,
           respectively. So you can specify -p- to target ports from 1 through
           65535. Using port zero is allowed if you specify it explicitly.

       -g portnumber, --source-port portnumber (Spoof source port)
           This option asks Nping to use the specified port as source port for
           the transmitted datagrams. Note that this might not work on all
           systems or may require root privileges. Specified value must be an
           integer in the range [0-65535].

       --badsum (Invalid Checksum)
           Asks Nping to use an invalid UDP checksum for the packets sent to
           target hosts. Since virtually all host IP stacks properly drop
           these packets, any responses received are likely coming from a
           firewall or an IDS that didn't bother to verify the checksum. For
           more details on this technique, see https://nmap.org/p60-12.html.

ICMP MODE
       --icmp-type type (ICMP type)
           This option specifies which type of ICMP messages should be
           generated.  type can be supplied in two different ways. You can use
           the official type numbers assigned by IANA[1] (e.g.  --icmp-type 8
           for ICMP Echo Request), or you can use any of the mnemonics listed
           in the section called "ICMP Types".

       --icmp-code code (ICMP code)
           This option specifies which ICMP code should be included in the
           generated ICMP messages.  code can be supplied in two different
           ways. You can use the official code numbers assigned by IANA[1]
           (e.g.  --icmp-code 1 for Fragment Reassembly Time Exceeded), or you
           can use any of the mnemonics listed in the section called "ICMP
           Codes".

       --icmp-id id (ICMP identifier)
           This option specifies the value of the identifier used in some of
           the ICMP messages. In general it is used to match request and reply
           messages.  id must be a number in the range [0-65535].

       --icmp-seq seq (ICMP sequence)
           This option specifies the value of the sequence number field used
           in some ICMP messages. In general it is used to match request and
           reply messages.  id must be a number in the range [0-65535].

       --icmp-redirect-addr addr (ICMP Redirect address)
           This option sets the address field in ICMP Redirect messages. In
           other words, it sets the IP address of the router that should be
           used when sending IP datagrams to the original destination.  addr
           can be either an IPv4 address or a hostname.

       --icmp-param-pointer pointer (ICMP Parameter Problem pointer)
           This option specifies the pointer that indicates the location of
           the problem in ICMP Parameter Problem messages.  pointer should be
           a number in the range [0-255]. Normally this option is only used
           when ICMP code is set to 0 ("Pointer indicates the error").

       --icmp-advert-lifetime ttl (ICMP Router Advertisement Lifetime)
           This option specifies the router advertisement lifetime, this is,
           the number of seconds the information carried in an ICMP Router
           Advertisement can be considered valid for.  ttl must be a positive
           integer in the range [0-65535].

       --icmp-advert-entry addr,pref (ICMP Router Advertisement Entry)
           This option adds a Router Advertisement entry to an ICMP Router
           Advertisement message. The parameter must be two values separated
           by a comma.  addr is the router's IP and can be specified either as
           an IP address in dot-decimal notation or as a hostname.  pref is
           the preference level for the specified IP. It must be a number in
           the range [0-4294967295]. An example is --icmp-advert-entry
           192.168.128.1,3.

       --icmp-orig-time timestamp (ICMP Originate Timestamp)
           This option sets the Originate Timestamp in ICMP Timestamp
           messages. The Originate Timestamp is expressed as the number of
           milliseconds since midnight UTC and it corresponds to the time the
           sender last touched the Timestamp message before its transmission.
           timestamp can be specified as a regular time (e.g.  10s, 3h,
           1000ms), or the special string now. You can add or subtract values
           from now, for example --icmp-orig-time now-2s, --icmp-orig-time
           now+1h, --icmp-orig-time now+200ms.

       --icmp-recv-time timestamp (ICMP Receive Timestamp)
           This option sets the Receive Timestamp in ICMP Timestamp messages.
           The Receive Timestamp is expressed as the number of milliseconds
           since midnight UTC and it corresponds to the time the echoer first
           touched the Timestamp message on receipt.  timestamp is as with
           --icmp-orig-time.

       --icmp-trans-time timestamp (ICMP Transmit Timestamp)
           This option sets the Transmit Timestamp in ICMP Timestamp messages.
           The Transmit Timestamp is expressed as the number of milliseconds
           since midnight UTC and it corresponds to the time the echoer last
           touched the Timestamp message before its transmission.  timestamp
           is as with --icmp-orig-time.

   ICMP Types
       These identifiers may be used as mnemonics for the ICMP type numbers
       given to the --icmp-type option. In general there are three forms of
       each identifier: the full name (e.g.  destination-unreachable), the
       short name (e.g.  dest-unr), or the initials (e.g.  du). In ICMP types
       that request something, the word "request" is omitted.

       echo-reply, echo-rep, er
           Echo Reply (type 0). This message is sent in response to an Echo
           Request message.

       destination-unreachable, dest-unr, du
           Destination Unreachable (type 3). This message indicates that a
           datagram could not be delivered to its destination.

       source-quench, sour-que, sq
           Source Quench (type 4). This message is used by a congested IP
           device to tell other device that is sending packets too fast and
           that it should slow down.

       redirect, redi, r
           Redirect (type 5). This message is normally used by routers to
           inform a host that there is a better route to use for sending
           datagrams. See also the --icmp-redirect-addr option.

       echo-request, echo, e
           Echo Request (type 8). This message is used to test the
           connectivity of another device on a network.

       router-advertisement, rout-adv, ra
           Router Advertisement (type 9). This message is used by routers to
           let hosts know of their existence and capabilities. See also the
           --icmp-advert-lifetime option.

       router-solicitation, rout-sol, rs
           Router Solicitation (type 10). This message is used by hosts to
           request Router Advertisement messages from any listening routers.

       time-exceeded, time-exc, te
           Time Exceeded (type 11). This message is generated by some
           intermediate device (normally a router) to indicate that a datagram
           has been discarded before reaching its destination because the IP
           TTL expired.

       parameter-problem, member-pro, pp
           Parameter Problem (type 12). This message is used when a device
           finds a problem with a parameter in an IP header and it cannot
           continue processing it. See also the --icmp-param-pointer option.

       timestamp, time, tm
           Timestamp Request (type 13). This message is used to request a
           device to send a timestamp value for propagation time calculation
           and clock synchronization. See also the --icmp-orig-time,
           --icmp-recv-time, and --icmp-trans-time.

       timestamp-reply, time-rep, tr
           Timestamp Reply (type 14). This message is sent in response to a
           Timestamp Request message.

       information, info, i
           Information Request (type 15). This message is now obsolete but it
           was originally used to request configuration information from
           another device.

       information-reply, info-rep, ir
           Information Reply (type 16). This message is now obsolete but it
           was originally sent in response to an Information Request message
           to provide configuration information.

       mask-request, mask, m
           Address Mask Request (type 17). This message is used to ask a
           device to send its subnet mask.

       mask-reply, mask-rep, mr
           Address Mask Reply (type 18). This message contains a subnet mask
           and is sent in response to a Address Mask Request message.

       traceroute, trace, tc
           Traceroute (type 30). This message is normally sent by an
           intermediate device when it receives an IP datagram with a
           traceroute option. ICMP Traceroute messages are still experimental,
           see RFC 1393 for more information.

   ICMP Codes
       These identifiers may be used as mnemonics for the ICMP code numbers
       given to the --icmp-code option. They are listed by the ICMP type they
       correspond to.

       Destination Unreachable
           network-unreachable, netw-unr, net
               Code 0. Datagram could not be delivered to its destination
               network (probably due to some routing problem).

           host-unreachable, host-unr, host
               Code 1. Datagram was delivered to the destination network but
               it was impossible to reach the specified host (probably due to
               some routing problem).

           protocol-unreachable, prot-unr, proto
               Code 2. The protocol specified in the Protocol field of the IP
               datagram is not supported by the host to which the datagram was
               delivered.

           port-unreachable, port-unr, port
               Code 3. The TCP/UDP destination port was invalid.

           needs-fragmentation, need-fra, frag
               Code 4. Datagram had the DF bit set but it was too large for
               the MTU of the next physical network so it had to be dropped.

           source-route-failed, sour-rou, routefail
               Code 5. IP datagram had a Source Route option but a router
               couldn't pass it to the next hop.

           network-unknown, netw-unk, net?
               Code 6. Destination network is unknown. This code is never
               used. Instead, Network Unreachable is used.

           host-unknown, host-unk, host?
               Code 7. Specified host is unknown. Usually generated by a
               router local to the destination host to inform of a bad
               address.

           host-isolated, host-iso, isolated
               Code 8. Source Host Isolated. Not used.

           network-prohibited, netw-pro, !net
               Code 9. Communication with destination network is
               administratively prohibited (source device is not allowed to
               send packets to the destination network).

           host-prohibited, host-pro, !host
               Code 10. Communication with destination host is
               administratively prohibited. (The source device is allowed to
               send packets to the destination network but not to the
               destination device.)

           network-tos, unreachable-network-tos, netw-tos, tosnet
               Code 11. Destination network unreachable because it cannot
               provide the type of service specified in the IP TOS field.

           host-tos, unreachable-host-tos, toshost
               Code 12. Destination host unreachable because it cannot provide
               the type of service specified in the IP TOS field.

           communication-prohibited, comm-pro, !comm
               Code 13. Datagram could not be forwarded due to filtering that
               blocks the message based on its contents.

           host-precedence-violation, precedence-violation, prec-vio,
           violation
               Code 14. Precedence value in the IP TOS field is not permitted.

           precedence-cutoff, prec-cut, cutoff
               Code 15. Precedence value in the IP TOS field is lower than the
               minimum allowed for the network.

       Redirect
           redirect-network, redi-net, net
               Code 0. Redirect all future datagrams with the same destination
               network as the original datagram, to the router specified in
               the Address field. The use of this code is prohibited by RFC
               1812.

           redirect-host, redi-host, host
               Code 1. Redirect all future datagrams with the same destination
               host as the original datagram, to the router specified in the
               Address field.

           redirect-network-tos, redi-ntos, redir-ntos
               Code 2. Redirect all future datagrams with the same destination
               network and IP TOS value as the original datagram, to the
               router specified in the Address field. The use of this code is
               prohibited by RFC 1812.

           redirect-host-tos, redi-htos, redir-htos
               Code 3. Redirect all future datagrams with the same destination
               host and IP TOS value as the original datagram, to the router
               specified in the Address field.

       Router Advertisement
           normal-advertisement, norm-adv, normal, zero, default, def
               Code 0. Normal router advertisement. In Mobile IP: Mobility
               agent can act as a router for IP datagrams not related to
               mobile nodes.

           not-route-common-traffic, not-rou, mobile-ip, !route,
           !commontraffic
               Code 16. Used for Mobile IP. The mobility agent does not route
               common traffic. All foreign agents must forward to a default
               router any datagrams received from a registered mobile node

       Time Exceeded
           ttl-exceeded-in-transit, ttl-exc, ttl-transit
               Code 0. IP Time To Live expired during transit.

           fragment-reassembly-time-exceeded, frag-exc, frag-time
               Code 1. Fragment reassembly time has been exceeded.

       Parameter Problem
           pointer-indicates-error, poin-ind, pointer
               Code 0. The pointer field indicates the location of the
               problem. See the --icmp-param-pointer option.

           missing-required-option, miss-option, option-missing
               Code 1. IP datagram was expected to have an option that is not
               present.

           bad-length, bad-len, badlen
               Code 2. The length of the IP datagram is incorrect.

ARP MODE
       --arp-type type (ICMP Type)
           This option specifies which type of ARP messages should be
           generated.  type can be supplied in two different ways. You can use
           the official numbers assigned by IANA[2] (e.g.  --arp-type 1 for
           ARP Request), or you can use one of the mnemonics from the section
           called "ARP Types".

       --arp-sender-mac mac (Sender MAC address)
           This option sets the Sender Hardware Address field of the ARP
           header. Although ARP supports many types of link layer addresses,
           currently Nping only supports MAC addresses.  mac must be specified
           using the traditional MAC notation (e.g.  00:0a:8a:32:f4:ae). You
           can also use hyphens as separators (e.g.  00-0a-8a-32-f4-ae).

       --arp-sender-ip addr (Sender IP address)
           This option sets the Sender IP field of the ARP header.  addr can
           be given as an IPv4 address or a hostname.

       --arp-target-mac mac (target MAC address)
           This option sets the Target Hardware Address field of the ARP
           header.

       --arp-target-ip addr (target ip address)
           This option sets the Target IP field of the ARP header.

   ARP Types
       These identifiers may be used as mnemonics for the ARP type numbers
       given to the --arp-type option.

       arp-request, arp, a
           ARP Request (type 1). ARP requests are used to translate network
           layer addresses (normally IP addresses) to link layer addresses
           (usually MAC addresses). Basically, and ARP request is a
           broadcasted message that asks the host in the same network segment
           that has a given IP address to provide its MAC address.

       arp-reply, arp-rep, ar
           ARP Reply (type 2). An ARP reply is a message that a host sends in
           response to an ARP request to provide its link layer address.

       rarp-request, rarp, r
           RARP Requests (type 3). RARP requests are used to translate a link
           layer address (normally a MAC address) to a network layer address
           (usually an IP address). Basically a RARP request is a broadcasted
           message sent by a host that wants to know his own IP address
           because it doesn't have any. It was the first protocol designed to
           solve the bootstrapping problem. However, RARP is now obsolete and
           DHCP is used instead. For more information about RARP see RFC 903.

       rarp-reply, rarp-rep, rr
           RARP Reply (type 4). A RARP reply is a message sent in response to
           a RARP request to provide an IP address to the host that sent the
           RARP request in the first place.

       drarp-request, drarp, d
           Dynamic RARP Request (type 5). Dynamic RARP is an extension to RARP
           used to obtain or assign a network layer address from a fixed link
           layer address. DRARP was used mainly in Sun Microsystems platforms
           in the late 90's but now it's no longer used. See RFC 1931 for more
           information.

       drarp-reply, drarp-rep, dr
           Dynamic RARP Reply (type 6). A DRARP reply is a message sent in
           response to a RARP request to provide network layer address.

       drarp-error, drarp-err, de
           DRARP Error (type 7). DRARP Error messages are usually sent in
           response to DRARP requests to inform of some error. In DRARP Error
           messages, the Target Protocol Address field is used to carry an
           error code (usually in the first byte). The error code is intended
           to tell why no target protocol address is being returned. For more
           information see RFC 1931.

       inarp-request, inarp, i
           Inverse ARP Request (type 8). InARP requests are used to translate
           a link layer address to a network layer address. It is similar to
           RARP request but in this case, the sender of the InARP request
           wants to know the network layer address of another node, not its
           own address. InARP is mainly used in Frame Relay and ATM networks.
           For more information see RFC 2390.

       inarp-reply, inarp-rep, ir
           Inverse ARP Reply (type 9). InARP reply messages are sent in
           response to InARP requests to provide the network layer address
           associated with the host that has a given link layer address.

       arp-nak, an
           ARP NAK (type 10). ARP NAK messages are an extension to the ATMARP
           protocol and they are used to improve the robustness of the ATMARP
           server mechanism. With ARP NAK, a client can determine the
           difference between a catastrophic server failure and an ATMARP
           table lookup failure. See RFC 1577 for more information.

IPV4 OPTIONS
       -S addr, --source-ip addr (Source IP Address)
           Sets the source IP address. This option lets you specify a custom
           IP address to be used as source IP address in sent packets. This
           allows spoofing the sender of the packets.  addr can be an IPv4
           address or a hostname.

       --dest-ip addr (Destination IP Address)
           Adds a target to Nping's target list. This option is provided for
           consistency but its use is deprecated in favor of plain target
           specifications. See the section called "TARGET SPECIFICATION".

       --tos tos (Type of Service)
           Sets the IP TOS field. The TOS field is used to carry information
           to provide quality of service features. It is normally used to
           support a technique called Differentiated Services. See RFC 2474
           for more information.  tos must be a number in the range [0-255].

       --id id (Identification)
           Sets the IPv4 Identification field. The Identification field is a
           16-bit value that is common to all fragments belonging to a
           particular message. The value is used by the receiver to reassemble
           the original message from the fragments received.  id must be a
           number in the range [0-65535].

       --df (Don't Fragment)
           Sets the Don't Fragment bit in sent packets. When an IP datagram
           has its DF flag set, intermediate devices are not allowed to
           fragment it so if it needs to travel across a network with a MTU
           smaller that datagram length the datagram will have to be dropped.
           Normally an ICMP Destination Unreachable message is generated and
           sent back to the sender.

       --mf (More Fragments)
           Sets the More Fragments bit in sent packets. The MF flag is set to
           indicate the receiver that the current datagram is a fragment of
           some larger datagram. When set to zero it indicates that the
           current datagram is either the last fragment in the set or that it
           is the only fragment.

       --ttl hops (Time To Live)
           Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given
           value. The TTL field specifies how long the datagram is allowed to
           exist on the network. It was originally intended to represent a
           number of seconds but it actually represents the number of hops a
           packet can traverse before being dropped. The TTL tries to avoid a
           situation in which undeliverable datagrams keep being forwarded
           from one router to another endlessly.  hops must be a number in the
           range [0-255].

       --badsum-ip (Invalid IP checksum)
           Asks Nping to use an invalid IP checksum for packets sent to target
           hosts. Note that some systems (like most Linux kernels), may fix
           the checksum before placing the packet on the wire, so even if
           Nping shows the incorrect checksum in its output, the packets may
           be transparently corrected by the kernel.

       --ip-options S|R [route]|L [route]|T|U ..., --ip-options hex string (IP
       Options)
           The IP protocol offers several options which may be placed in
           packet headers. Unlike the ubiquitous TCP options, IP options are
           rarely seen due to practicality and security concerns. In fact,
           many Internet routers block the most dangerous options such as
           source routing. Yet options can still be useful in some cases for
           determining and manipulating the network route to target machines.
           For example, you may be able to use the record route option to
           determine a path to a target even when more traditional
           traceroute-style approaches fail. Or if your packets are being
           dropped by a certain firewall, you may be able to specify a
           different route with the strict or loose source routing options.

           The most powerful way to specify IP options is to simply pass in
           hexadecimal data as the argument to --ip-options. Precede each hex
           byte value with \x. You may repeat certain characters by following
           them with an asterisk and then the number of times you wish them to
           repeat. For example, \x01\x07\x04\x00*4 is the same as
           \x01\x07\x04\x00\x00\x00\x00.

           Note that if you specify a number of bytes that is not a multiple
           of four, an incorrect IP header length will be set in the IP
           packet. The reason for this is that the IP header length field can
           only express multiples of four. In those cases, the length is
           computed by dividing the header length by 4 and rounding down. This
           will affect the way the header that follows the IP header is
           interpreted, showing bogus information in Nping or in the output of
           any sniffer. Although this kind of situation might be useful for
           some stack stress tests, users would normally want to specify
           explicit padding, so the correct header length is set.

           Nping also offers a shortcut mechanism for specifying options.
           Simply pass the letter R, T, or U to request record-route,
           record-timestamp, or both options together, respectively. Loose or
           strict source routing may be specified with an L or S followed by a
           space and then a space-separated list of IP addresses.

           For more information and examples of using IP options with Nping,
           see the mailing list post at
           http://seclists.org/nmap-dev/2006/q3/0052.html.

       --mtu size (Maximum Transmission Unit)
           This option sets a fictional MTU in Nping so IP datagrams larger
           than size are fragmented before transmission.  size must be
           specified in bytes and corresponds to the number of octets that can
           be carried on a single link-layer frame.

IPV6 OPTIONS
       -6, --ipv6 (Use IPv6)
           Tells Nping to use IP version 6 instead of the default IPv4. It is
           generally a good idea to specify this option as early as possible
           in the command line so Nping can parse it soon and know in advance
           that the rest of the parameters refer to IPv6. The command syntax
           is the same as usual except that you also add the -6 option. Of
           course, you must use IPv6 syntax if you specify an address rather
           than a hostname. An address might look like
           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
           recommended.

           While IPv6 hasn't exactly taken the world by storm, it gets
           significant use in some (usually Asian) countries and most modern
           operating systems support it. To use Nping with IPv6, both the
           source and target of your packets must be configured for IPv6. If
           your ISP (like most of them) does not allocate IPv6 addresses to
           you, free tunnel brokers are widely available and work fine with
           Nping. You can use the free IPv6 tunnel broker service at
           http://www.tunnelbroker.net.

           Please note that IPv6 support is still highly experimental and many
           modes and options may not work with it.

       -S addr, --source-ip addr (Source IP Address)
           Sets the source IP address. This option lets you specify a custom
           IP address to be used as source IP address in sent packets. This
           allows spoofing the sender of the packets.  addr can be an IPv6
           address or a hostname.

       --dest-ip addr (Destination IP Address)
           Adds a target to Nping's target list. This option is provided for
           consistency but its use is deprecated in favor of plain target
           specifications. See the section called "TARGET SPECIFICATION".

       --flow label (Flow Label)
           Sets the IPv6 Flow Label. The Flow Label field is 20 bits long and
           is intended to provide certain quality-of-service properties for
           real-time datagram delivery. However, it has not been widely
           adopted, and not all routers or endpoints support it. Check RFC
           2460 for more information.  label must be an integer in the range
           [0-1048575].

       --traffic-class class (Traffic Class)
           Sets the IPv6 Traffic Class. This field is similar to the TOS field
           in IPv4, and is intended to provide the Differentiated Services
           method, enabling scalable service discrimination in the Internet
           without the need for per-flow state and signaling at every hop.
           Check RFC 2474 for more information.  class must be an integer in
           the range [0-255].

       --hop-limit hops (Hop Limit)

           Sets the IPv6 Hop Limit field in sent packets to the given value.
           The Hop Limit field specifies how long the datagram is allowed to
           exist on the network. It represents the number of hops a packet can
           traverse before being dropped. As with the TTL in IPv4, IPv6 Hop
           Limit tries to avoid a situation in which undeliverable datagrams
           keep being forwarded from one router to another endlessly.  hops
           must be a number in the range [0-255].

ETHERNET OPTIONS
       In most cases Nping sends packets at the raw IP level. This means that
       Nping creates its own IP packets and transmits them through a raw
       socket. However, in some cases it may be necessary to send packets at
       the raw Ethernet level. This happens, for example, when Nping is run
       under Windows (as Microsoft has disabled raw socket support since
       Windows XP SP2), or when Nping is asked to send ARP packets. Since in
       some cases it is necessary to construct ethernet frames, Nping offers
       some options to manipulate the different fields.

       --dest-mac mac (Ethernet Destination MAC Address)
           This option sets the destination MAC address that should be set in
           outgoing Ethernet frames. This is useful in case Nping can't
           determine the next hop's MAC address or when you want to route
           probes through a router other than the configured default gateway.
           The MAC address should have the usual format of six colon-separated
           bytes, e.g.  00:50:56:d4:01:98. Alternatively, hyphens may be used
           instead of colons. Use the word random or rand to generate a random
           address, and broadcast or bcast to use ff:ff:ff:ff:ff:ff. If you
           set up a bogus destination MAC address your probes may not reach
           the intended targets.

       --source-mac mac (Ethernet Source MAC Address)
           This option sets the source MAC address that should be set in
           outgoing Ethernet frames. This is useful in case Nping can't
           determine your network interface MAC address or when you want to
           inject traffic into the network while hiding your network card's
           real address. The syntax is the same as for --dest-mac. If you set
           up a bogus source MAC address you may not receive probe replies.

       --ether-type type (Ethertype)
           This option sets the Ethertype field of the ethernet frame. The
           Ethertype is used to indicate which protocol is encapsulated in the
           payload.  type can be supplied in two different ways. You can use
           the official numbers listed by the IEEE[3] (e.g.  --ether-type
           0x0800 for IP version 4), or one of the mnemonics from the section
           called "Ethernet Types".

   Ethernet Types
       These identifiers may be used as mnemonics for the Ethertype numbers
       given to the --arp-type option.

       ipv4, ip, 4
           Internet Protocol version 4 (type 0x0800).

       ipv6, 6
           Internet Protocol version 6 (type 0x86DD).

       arp
           Address Resolution Protocol (type 0x0806).

       rarp
           Reverse Address Resolution Protocol (type 0x8035).

       frame-relay, frelay, fr
           Frame Relay (type 0x0808).

       ppp
           Point-to-Point Protocol (type 0x880B).

       gsmp
           General Switch Management Protocol (type 0x880C).

       mpls
           Multiprotocol Label Switching (type 0x8847).

       mps-ual, mps
           Multiprotocol Label Switching with Upstream-assigned Label (type
           0x8848).

       mcap
           Multicast Channel Allocation Protocol (type 0x8861).

       pppoe-discovery, pppoe-d
           PPP over Ethernet Discovery Stage (type 0x8863).

       pppoe-session, pppoe-s
           PPP over Ethernet Session Stage (type 0x8864).

       ctag
           Customer VLAN Tag Type (type 0x8100).

       epon
           Ethernet Passive Optical Network (type 0x8808).

       pbnac
           Port-based network access control (type 0x888E).

       stag
           Service VLAN tag identifier (type 0x88A8).

       ethexp1
           Local Experimental Ethertype 1 (type 0x88B5).

       ethexp2
           Local Experimental Ethertype 2 (type 0x88B6).

       ethoui
           OUI Extended Ethertype (type 0x88B7).

       preauth
           Pre-Authentication (type 0x88C7).

       lldp
           Link Layer Discovery Protocol (type 0x88CC).

       mac-security, mac-sec, macsec
           Media Access Control Security (type 0x88E5).

       mvrp
           Multiple VLAN Registration Protocol (type 0x88F5).

       mmrp
           Multiple Multicast Registration Protocol (type 0x88F6).

       frrr
           Fast Roaming Remote Request (type 0x890D).

PAYLOAD OPTIONS
       --data hex string (Append custom binary data to sent packets)
           This option lets you include binary data as payload in sent
           packets.  hex string may be specified in any of the following
           formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF...  or
           \xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef
           and --data \xCA\xFE\x09. Note that if you specify a number like
           0x00ff no byte-order conversion is performed. Make sure you specify
           the information in the byte order expected by the receiver.

       --data-string string (Append custom string to sent packets)
           This option lets you include a regular string as payload in sent
           packets.  string can contain any string. However, note that some
           characters may depend on your system's locale and the receiver may
           not see the same information. Also, make sure you enclose the
           string in double quotes and escape any special characters from the
           shell. Example: --data-string "Jimmy Jazz...".

       --data-length len (Append random data to sent packets)
           This option lets you include len random bytes of data as payload in
           sent packets.  len must be an integer in the range [0-65400].
           However, values higher than 1400 are not recommended because it may
           not be possible to transmit packets due to network MTU limitations.

ECHO MODE
       The "Echo Mode" is a novel technique implemented by Nping which lets
       users see how network packets change in transit, from the host where
       they originated to the target machine. Basically, the Echo mode turns
       Nping into two different pieces: the Echo server and the Echo client.
       The Echo server is a network service that has the ability to capture
       packets from the network and send a copy ("echo them") to the
       originating client through a side TCP channel. The Echo client is the
       part that generates such network packets, transmits them to the server,
       and receives their echoed version through a side TCP channel that it
       has previously established with the Echo server.

       This scheme lets the client see the differences between the packets
       that it sends and what is actually received by the server. By having
       the server send back copies of the received packets through the side
       channel, things like NAT devices become immediately apparent to the
       client because it notices the changes in the source IP address (and
       maybe even source port). Other devices like those that perform traffic
       shaping, changing TCP window sizes or adding TCP options transparently
       between hosts, turn up too.

       The Echo mode is also useful for troubleshooting routing and firewall
       issues. Among other things, it can be used to determine if the traffic
       generated by the Nping client is being dropped in transit and never
       gets to its destination or if the responses are the ones that don't get
       back to it.

       Internally, client and server communicate over an encrypted and
       authenticated channel, using the Nping Echo Protocol (NEP), whose
       technical specification can be found in
       https://nmap.org/svn/nping/docs/EchoProtoRFC.txt

       The following paragraphs describe the different options available in
       Nping's Echo mode.

       --ec passphrase, --echo-client passphrase (Run Echo client)
           This option tells Nping to run as an Echo client.  passphrase is a
           sequence of ASCII characters that is used used to generate the
           cryptographic keys needed for encryption and authentication in a
           given session. The passphrase should be a secret that is also known
           by the server, and it may contain any number of printable ASCII
           characters. Passphrases that contain whitespace or special
           characters must be enclosed in double quotes.

           When running Nping as an Echo client, most options from the regular
           raw probe modes apply. The client may be configured to send
           specific probes using flags like --tcp, --icmp or --udp. Protocol
           header fields may be manipulated normally using the appropriate
           options (e.g.  --ttl, --seq, --icmp-type, etc.). The only
           exceptions are ARP-related flags, which are not supported in Echo
           mode, as protocols like ARP are closely related to the data link
           layer and its probes can't pass through different network segments.

       --es passphrase, --echo-server passphrase (Run Echo server)
           This option tells Nping to run as an Echo server.  passphrase is a
           sequence of ASCII characters that is used used to generate the
           cryptographic keys needed for encryption and authentication in a
           given session. The passphrase should be a secret that is also known
           by the clients, and it may contain any number of printable ASCII
           characters. Passphrases that contain whitespace or special
           characters must be enclosed in double quotes. Note that although it
           is not recommended, it is possible to use empty passphrases,
           supplying --echo-server "". However, if what you want is to set up
           an open Echo server, it is better to use option --no-crypto. See
           below for details.

       --ep port, --echo-port port (Set Echo TCP port number)
           This option asks Nping to use the specified TCP port number for the
           Echo side channel connection. If this option is used with
           --echo-server, it specifies the port on which the server listens
           for connections. If it is used with --echo-client, it specifies the
           port to connect to on the remote host. By default, port number 9929
           is used.

       --nc, --no-crypto (Disable encryption and authentication)
           This option asks Nping not to use any cryptographic operations
           during an Echo session. In practical terms, this means that the
           Echo side channel session data will be transmitted in the clear,
           and no authentication will be performed by the server or client
           during the session establishment phase. When --no-crypto is used,
           the passphrase supplied with --echo-server or --echo-client is
           ignored.

           This option must be specified if Nping was compiled without openSSL
           support. Note that, for technical reasons, a passphrase still needs
           to be supplied after the --echo-client or --echo-server flags, even
           though it will be ignored.

           The --no-crypto flag might be useful when setting up a public Echo
           server, because it allows users to connect to the Echo server
           without the need for any passphrase or shared secret. However, it
           is strongly recommended to not use --no-crypto unless absolutely
           necessary. Public Echo servers should be configured to use the
           passphrase "public" or the empty passphrase (--echo-server "") as
           the use of cryptography does not only provide confidentiality and
           authentication but also message integrity.

       --once (Serve one client and quit)
           This option asks the Echo server to quit after serving one client.
           This is useful when only a single Echo session wants to be
           established as it eliminates the need to access the remote host to
           shutdown the server.

       --safe-payloads (Zero application data before echoing a packet)
           This option asks the Echo server to erase any application layer
           data found in client packets before echoing them. When the option
           is enabled, the Echo server parses the packets received from Echo
           clients and tries to determine if they contain data beyond the
           transport layer. If such data is found, it is overwritten with
           zeroes before transmitting the packets to the appropriate Echo
           client.

           Echo servers can handle multiple simultaneous clients running
           multiple echo sessions in parallel. In order to determine which
           packet needs to be echoed to which client and through which
           session, the Echo server uses an heuristic algorithm. Although we
           have taken every security measure that we could think of to prevent
           that a client receives an echoed packet that it did not generate,
           there is always a risk that our algorithm makes a mistake and
           delivers a packet to the wrong client. The --safe-payloads option
           is useful for public echo servers or critical deployments where
           that kind of mistake cannot be afforded.

       The following examples illustrate how Nping's Echo mode can be used to
       discover intermediate devices.

       Example 2. Discovering NAT devices

               # nping --echo-client "public" echo.nmap.org --udp

               Starting Nping ( https://nmap.org/nping )
               SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
               CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
               RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56
               [...]
               SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28
               CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28
               RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56

               Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
               Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B)
               Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
               Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
               Nping done: 1 IP address pinged in 6.18 seconds


       The output clearly shows the presence of a NAT device in the client's
       local network. Note how the captured packet (CAPT) differs from the
       SENT packet: the source address for the original packets is in the
       reserved 10.0.0.0/8 range, while the address seen by the server is
       80.38.10.21, the Internet side address of the NAT device. The source
       port was also modified by the device. The line starting with RCVD
       corresponds to the responses generated by the TCP/IP stack of the
       machine where the Echo server is run.

       Example 3. Discovering a transparent proxy

               # nping --echo-client "public" echo.nmap.org --tcp -p80

               Starting Nping ( https://nmap.org/nping )
               SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
               RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460>
               SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
               SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
               SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480
               SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480

               Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
               Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B)
               Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
               Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
               Nping done: 1 IP address pinged in 6.39 seconds


       In this example, the output is a bit more tricky. The absence of error
       messages shows that the Echo client has successfully established an
       Echo session with the server. However, no CAPT packets can be seen in
       the output. This means that none of the transmitted packets reached the
       server. Interestingly, a TCP SYN-ACK packet was received in response to
       the first TCP-SYN packet (and also, it is known that the target host
       does not have port 80 open). This behavior reveals the presence of a
       transparent web proxy cache server (which in this case is an old MS ISA
       server).

TIMING AND PERFORMANCE OPTIONS
       --delay time (Delay between probes)
           This option lets you control for how long will Nping wait before
           sending the next probe. Like in many other ping tools, the default
           delay is one second.  time must be a positive integer or floating
           point number. By default it is specified in seconds, however you
           can give an explicit unit by appending ms for milliseconds, s for
           seconds, m for minutes, or h for hours (e.g.  2.5s, 45m, 2h).

       --rate rate (Send probes at a given rate)
           This option specifies the number of probes that Nping should send
           per second. This option and --delay are inverses; --rate 20 is the
           same as --delay 0.05. If both options are used, only the last one
           in the parameter list counts.

MISCELLANEOUS OPTIONS
       -h, --help (Display help)
           Displays help information and exits.

       -V, --version (Display version)
           Displays the program's version number and quits.

       -c rounds, --count rounds (Stop after a given number of rounds)
           This option lets you specify the number of times that Nping should
           loop over target hosts (and in some cases target ports). Nping
           calls these "rounds". In a basic execution with only one target
           (and only one target port in TCP/UDP modes), the number of rounds
           matches the number of probes sent to the target host. However, in
           more complex executions where Nping is run against multiple targets
           and multiple ports, the number of rounds is the number of times
           that Nping sends a complete set of probes that covers all target
           IPs and all target ports. For example, if Nping is asked to send
           TCP SYN packets to hosts 192.168.1.0-255 and ports 80 and 433, then
           256 x 2 = 512 packets are sent in one round. So if you specify -c
           100, Nping will loop over the different target hosts and ports 100
           times, sending a total of 256 x 2 x 100 = 51200 packets. By default
           Nping runs for 5 rounds. If a value of 0 is specified, Nping will
           run continuously.

       -e name, --interface name (Set the network interface to be used)
           This option tells Nping what interface should be used to send and
           receive packets. Nping should be able to detect this automatically,
           but it will tell you if it cannot.  name must be the name of an
           existing network interface with an assigned IP address.

       --privileged (Assume that the user is fully privileged)
           Tells Nping to simply assume that it is privileged enough to
           perform raw socket sends, packet sniffing, and similar operations
           that usually require special privileges. By default Nping quits if
           such operations are requested by a user that has no root or
           administrator privileges. This option may be useful on Linux, BSD
           or similar systems that can be configured to allow unprivileged
           users to perform raw-packet transmissions. The NPING_PRIVILEGED
           environment variable may be set as an alternative to using
           --privileged.

       --unprivileged (Assume that the user lacks raw socket privileges)
           This option is the opposite of --privileged. It tells Nping to
           treat the user as lacking network raw socket and sniffing
           privileges. This is useful for testing, debugging, or when the raw
           network functionality of your operating system is somehow broken.
           The NPING_UNPRIVILEGED environment variable may be set as an
           alternative to using --unprivileged.

       --send-eth (Use raw ethernet sending)
           Asks Nping to send packets at the raw ethernet (data link) layer
           rather than the higher IP (network) layer. By default, Nping
           chooses the one which is generally best for the platform it is
           running on. Raw sockets (IP layer) are generally most efficient for
           Unix machines, while ethernet frames are required for Windows
           operation since Microsoft disabled raw socket support. Nping still
           uses raw IP packets despite this option when there is no other
           choice (such as non-ethernet connections).

       --send-ip (Send at raw IP level)
           Asks Nping to send packets via raw IP sockets rather than sending
           lower level ethernet frames. It is the complement to the --send-eth
           option.

       --bpf-filter filter spec --filter filter spec (Set custom BPF filter)
           This option lets you use a custom BPF filter. By default Nping
           chooses a filter that is intended to capture most common responses
           to the particular probes that are sent. For example, when sending
           TCP packets, the filter is set to capture packets whose destination
           port matches the probe's source port or ICMP error messages that
           may be generated by the target or any intermediate device as a
           result of the probe. If for some reason you expect strange packets
           in response to sent probes or you just want to sniff a particular
           kind of traffic, you can specify a custom filter using the BPF
           syntax used by tools like tcpdump.  See the documentation at
           http://www.tcpdump.org/ for more information.

       -H, --hide-sent (Do not display sent packets)
           This option tells Nping not to print information about sent
           packets. This can be useful when using very short inter-probe
           delays (i.e., when flooding), because printing information to the
           standard output has a computational cost and disabling it can
           probably speed things up a bit. Also, it may be useful when using
           Nping to detect active hosts or open ports (e.g. sending probes to
           all TCP ports in a /24 subnet). In that case, users may not want to
           see thousands of sent probes but just the replies generated by
           active hosts.

       -N, --no-capture (Do not attempt to capture replies)
           This option tells Nping to skip packet capture. This means that
           packets in response to sent probes will not be processed or
           displayed. This can be useful when doing flooding and network stack
           stress tests. Note that when this option is specified, most of the
           statistics shown at the end of the execution will be useless. This
           option does not work with TCP Connect mode.

OUTPUT OPTIONS
       -v[level], --verbose [level] (Increase or set verbosity level)
           Increases the verbosity level, causing Nping to print more
           information during its execution. There are 9 levels of verbosity
           (-4 to 4). Every instance of -v increments the verbosity level by
           one (from its default value, level 0). Every instance of option -q
           decrements the verbosity level by one. Alternatively you can
           specify the level directly, as in -v3 or -v-1. These are the
           available levels:

           Level -4
               No output at all. In some circumstances you may not want Nping
               to produce any output (like when one of your work mates is
               watching over your shoulder). In that case level -4 can be
               useful because although you won't see any response packets,
               probes will still be sent.

           Level -3
               Like level -4 but displays fatal error messages so you can
               actually see if Nping is running or it failed due to some
               error.

           Level -2
               Like level -3 but also displays warnings and recoverable
               errors.

           Level -1
               Displays traditional run-time information (version, start time,
               statistics, etc.) but does not display sent or received
               packets.

           Level 0
               This is the default verbosity level. It behaves like level -1
               but also displays sent and received packets and some other
               important information.

           Level 1
               Like level 0 but it displays detailed information about timing,
               flags, protocol details, etc.

           Level 2
               Like level 1 but displays very detailed information about sent
               and received packets and other interesting information.

           Level 3
               Like level 2 but also displays the raw hexadecimal dump of sent
               and received packets.

           Level 4 and higher
               Same as level 3.

       -q[level], --reduce-verbosity [level] (Decrease verbosity level)
           Decreases the verbosity level, causing Nping to print less
           information during its execution.

       -d[level] (Increase or set debugging level)
           When even verbose mode doesn't provide sufficient data for you,
           debugging is available to flood you with much more! As with the -v,
           debugging is enabled with a command-line flag -d and the debug
           level can be increased by specifying it multiple times. There are 7
           debugging levels (0 to 6). Every instance of -d increments
           debugging level by one. Provide an argument to -d to set the level
           directly; for example -d4.

           Debugging output is useful when you suspect a bug in Nping, or if
           you are simply confused as to what Nping is doing and why. As this
           feature is mostly intended for developers, debug lines aren't
           always self-explanatory. You may get something like


               NSOCK (1.0000s) Callback: TIMER SUCCESS for EID 12; tcpconnect_event_handler(): Received callback of type TIMER with status SUCCESS

           If you don't understand a line, your only recourses are to ignore
           it, look it up in the source code, or request help from the
           development list (nmap-dev). Some lines are self-explanatory, but
           the messages become more obscure as the debug level is increased.
           These are the available levels:

           Level 0
               Level 0. No debug information at all. This is the default
               level.

           Level 1
               In this level, only very important or high-level debug
               information will be printed.

           Level 2
               Like level 1 but also displays important or medium-level debug
               information

           Level 3
               Like level 2 but also displays regular and low-level debug
               information.

           Level 4
               Like level 3 but also displays messages only a real Nping freak
               would want to see.

           Level 5
               Like level 4 but it enables basic debug information related to
               external libraries like Nsock.

           Level 6
               Like level 5 but it enables full, very detailed, debug
               information related to external libraries like Nsock.

BUGS
       Like its author, Nping isn't perfect. But you can help make it better
       by sending bug reports or even writing patches. If Nping doesn't behave
       the way you expect, first upgrade to the latest Nmap version available
       from https://nmap.org/download.html. If the problem persists, do some
       research to determine whether it has already been discovered and
       addressed. Try searching for the error message on our search page at
       http://insecure.org/search.html or at Google. Also try browsing the
       nmap-dev archives at http://seclists.org/ Read this full manual page as
       well. If nothing comes out of this, mail a bug report to
       <dev@nmap.org>. Please include everything you have learned about the
       problem, as well as what version of Nping you are running and what
       operating system version it is running on. Problem reports and Nping
       usage questions sent to <dev@nmap.org> are far more likely to be
       answered than those sent to Fyodor directly. If you subscribe to the
       nmap-dev list before posting, your message will bypass moderation and
       get through more quickly. Subscribe at
       https://nmap.org/mailman/listinfo/dev.

       Code patches to fix bugs are even better than bug reports. Basic
       instructions for creating patch files with your changes are available
       at https://svn.nmap.org/nmap/HACKING. Patches may be sent to nmap-dev
       (recommended) or to any of the authors listed in the next section
       directly.

AUTHORS
       Luis MartinGarcia <luis.mgarc@gmail.com> (http://www.luismg.com)

       Fyodor <fyodor@nmap.org> (http://insecure.org)


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------+
       |ATTRIBUTE TYPE | ATTRIBUTE VALUE  |
       +---------------+------------------+
       |Availability   | diagnostic/nmap  |
       +---------------+------------------+
       |Stability      | Volatile         |
       +---------------+------------------+
NOTES
        1. official type numbers assigned by IANA
           http://www.iana.org/assignments/icmp-parameters

        2. official numbers assigned by IANA
           http://www.iana.org/assignments/arp-parameters/

        3. official numbers listed by the IEEE
           http://standards.ieee.org/regauth/ethertype/eth.txt


       This software was built from source available at
       https://github.com/oracle/solaris-userland.  The original community
       source was downloaded from  https://nmap.org/dist/nmap-7.70.tgz

       Further information about this software can be found on the open source
       community website at https://nmap.org/.



Nping                             03/15/2018                          NPING(1)