Hping3 is an advanced network packet crafting and analysis tool used for network testing, security auditing, and firewall troubleshooting. Unlike the traditional ping command, hping3 allows users to create custom TCP, UDP, and ICMP packets, making it extremely useful for penetration testing and network diagnostics. It is widely used by network administrators and cybersecurity professionals to analyze network behavior and detect security vulnerabilities.
hping3 Options and Flags Cheat Sheet
TCP flag options
| Description | Command |
|---|---|
| Send TCP SYN packet | hping3 -S target |
| Send TCP ACK packet | hping3 -A target |
| Send TCP FIN packet | hping3 -F target |
| Send TCP RST packet | hping3 -R target |
| Send TCP PSH packet | hping3 -P target |
| Send TCP URG packet | hping3 -U target |
| Send XMAS scan packet | hping3 -F -P -U target |
Protocol selection options
| Description | Command |
|---|---|
| Send ICMP echo request | hping3 -1 target |
| Send UDP packet | hping3 -2 target |
| Send TCP packet (default mode) | hping3 target |
Port and addressing options
| Description | Command |
|---|---|
| Send packet to specific port | hping3 -p 80 target |
| Set custom source port | hping3 -s 5050 -p 80 target |
| Scan range of ports | hping3 --scan 20-100 target |
| Increment port automatically | hping3 -p ++20 target |
| Decrement port automatically | hping3 -p --80 target |
| Spoof source IP address | hping3 -a 192.168.1.10 target |
Packet control options
| Description | Command |
|---|---|
| Send specific number of packets | hping3 -c 10 target |
| Set packet size | hping3 -d 200 target |
| Set packet interval | hping3 -i u1000 target |
| Set TTL value | hping3 --ttl 64 target |
| Set TCP window size | hping3 --win 512 target |
| Set TCP sequence number | hping3 --seqnum 100 target |
| Set TCP acknowledgment number | hping3 --acknum 100 target |
Network interface and routing options
| Description | Command |
|---|---|
| Use specific network interface | hping3 -I eth0 target |
| Perform traceroute | hping3 --traceroute -1 target |
| Send packet through specific gateway | hping3 --route --gw 192.168.1.1 target |
Traffic generation options
| Description | Command |
|---|---|
| Flood mode traffic generation | hping3 --flood target |
| Fast packet sending mode | hping3 --fast target |
| Continuous packet sending | hping3 --keep target |
Payload and data options
| Description | Command |
|---|---|
| Send file contents in packet | hping3 -1 -E file.txt target |
| Send custom payload size | hping3 -d 120 target |
Output and debugging options
| Description | Command |
|---|---|
| Disable DNS resolution | hping3 -n target |
| Enable verbose output | hping3 -V target |
| Quiet mode output | hping3 -q target |
| Display help information | hping3 --help |
| Show version information | hping3 --version |
| View manual page | man hping3 |
How hping3 works
hping3 works by crafting and sending custom IP packets to a target host and analyzing the responses received. Unlike traditional network tools that send fixed packet types, hping3 allows you to modify packet headers such as TCP flags, source ports, TTL, packet size, and window size.
When a packet reaches the target system, the response from the server or firewall is captured and displayed. By analyzing these responses, administrators can determine port status, firewall behavior, network latency, and packet filtering rules.
Because hping3 works at the packet level, it is widely used for network diagnostics, security auditing, and penetration testing.
Difference between ping and hping3
The traditional ping command simply sends ICMP echo request packets to check whether a host is reachable. It is mainly used for basic connectivity testing and network latency measurement.
In contrast, hping3 is a much more advanced tool that allows sending custom TCP, UDP, or ICMP packets with specific flags and parameters. This makes it useful for port scanning, firewall testing, packet crafting, and security analysis.
While ping is primarily used for simple network troubleshooting, hping3 provides deep control over packet creation, enabling advanced network testing scenarios.
hping3 Installation on Different Platforms
Install hping3 on Ubuntu and Debian
On Debian-based distributions such as Ubuntu and Debian, hping3 can be installed using the APT package manager.
sudo apt update
sudo apt install hping3After installation, verify the command:
hping3 --versionInstall hping3 on CentOS and Rocky Linux
On CentOS, Rocky Linux, or other RHEL-based distributions, you can install hping3 using the DNF package manager.
sudo dnf install hping3If the package is not available in default repositories, enable the EPEL repository before installing.
sudo dnf install epel-release
sudo dnf install hping3Install hping3 on Kali Linux
Kali Linux is designed for penetration testing and security analysis, and hping3 is usually pre-installed.
To verify installation:
hping3 --versionIf the command is missing, install it using:
sudo apt install hping3Install hping3 on macOS using Homebrew
macOS users can install hping3 using the Homebrew package manager.
brew install hpingOnce installed, confirm installation with:
hping3 --versionRun hping3 on Windows using WSL
hping3 does not run natively on Windows, but it can be used through Windows Subsystem for Linux (WSL).
Install WSL first:
wsl --installAfter installing a Linux distribution (such as Ubuntu), open the WSL terminal and install hping3.
sudo apt update
sudo apt install hping3You can then run hping3 commands directly from the WSL environment.
hping3 Command Syntax Explained
Basic hping3 command structure
The basic syntax of the hping3 command follows a simple structure where the command is followed by various options and the target host.
hping3 [options] targetThe target represents the IP address or hostname of the destination system, while the options control how the packet is constructed and transmitted.
For example:
hping3 -S -p 80 example.comThis command sends a TCP SYN packet to port 80 of the target host.
Understanding flags and parameters
hping3 uses flags and parameters to modify packet behavior and control how packets are sent across the network.
Flags usually represent packet types or TCP control bits, while parameters allow you to define specific values such as ports, packet size, or time intervals.
For example:
hping3 -S -p 80 targetHere:
-Senables the TCP SYN flag-p 80specifies destination port 80
By combining multiple flags and parameters, you can create custom network packets tailored for specific testing scenarios.
How to specify targets and ports
In hping3, the target host can be defined using either an IP address or a domain name. The command will send packets directly to that destination.
hping3 target_ipTo test a specific service running on a host, you can define the destination port using the -p option.
hping3 -S -p 22 target_ipThis command sends a TCP SYN packet to port 22, which is commonly used for SSH services.
You can also scan multiple ports by specifying a range of ports.
hping3 --scan 20-100 target_ipHow packet types affect behavior
The type of packet sent by hping3 determines how the target system responds.
For example, sending a TCP SYN packet is commonly used to detect whether a port is open. If the port is open, the target responds with SYN-ACK, while a closed port responds with RST.
Similarly, sending ICMP packets allows you to check whether a host is reachable, while UDP packets can be used to test services such as DNS or SNMP.
By adjusting packet types and flags, hping3 allows administrators to analyze network behavior, detect filtering rules, and troubleshoot connectivity issues more effectively.
Check Network Connectivity Using hping3
Send ICMP echo request using hping3
You can use hping3 to send ICMP echo requests similar to the traditional ping command. This helps verify whether a remote host is reachable over the network.
hping3 -1 example.comHere, the -1 option instructs hping3 to send ICMP packets. The tool will display responses from the target host along with round-trip time information.
This method is useful when you want more control over packet size, interval, or TTL values compared to the standard ping command.
Check host availability using TCP SYN
Sometimes ICMP traffic may be blocked by firewalls. In such cases, you can test host availability using TCP SYN packets.
hping3 -S -p 80 example.comIn this command:
-Ssends a TCP SYN packet-p 80specifies destination port 80
If the target host responds with SYN-ACK, the service is reachable. If it returns RST, the port is closed but the host is still reachable.
Measure response time and packet loss
You can send multiple packets to evaluate network latency and packet loss.
hping3 -c 10 -1 example.comOptions used:
-c 10sends 10 packets-1uses ICMP protocol
By reviewing the output statistics, you can observe packet response times, dropped packets, and average latency, which helps diagnose network performance issues.
Compare hping3 results with ping
Both ping and hping3 can test connectivity, but hping3 offers greater flexibility and packet customization.
Example comparison:
ping example.comhping3 -1 example.comWhile ping only sends ICMP echo requests, hping3 allows testing connectivity using TCP, UDP, and custom packet configurations, making it more suitable for security testing and firewall analysis.
Scan Ports Using hping3
Scan a single TCP port
To check whether a specific service is running on a host, you can send a TCP SYN packet to a particular port.
hping3 -S -p 22 example.comThis command sends a SYN packet to port 22, which is commonly used by SSH. The response from the host will indicate whether the port is open or closed.
Scan multiple ports using port ranges
hping3 can scan a range of ports to identify which services are available on a system.
hping3 --scan 20-100 -S example.comThis command scans ports 20 through 100 using TCP SYN packets. The responses from each port help determine whether the service is accessible.
Detect open and closed ports
When performing a port scan with hping3, different responses indicate the state of the port.
Typical responses include:
- SYN-ACK → Port is open
- RST → Port is closed
- No response → Port may be filtered by a firewall
Analyzing these responses helps administrators identify available services and potential security risks.
Fast port scanning techniques
To speed up scanning, hping3 provides options for sending packets rapidly.
hping3 --fast -S -p ++20 example.comHere:
--fastincreases the packet sending speed-p ++20increments the port number automatically during scanning
This technique allows faster service discovery across multiple ports.
Perform TCP SYN Scan
Send SYN packets to identify services
A TCP SYN scan is commonly used to detect running services on remote hosts.
hping3 -S -p 80 example.comIf the port is open, the server will respond with SYN-ACK, confirming that the service is active.
Analyze SYN-ACK and RST responses
Understanding the response packets is essential when performing SYN scans.
Typical responses include:
- SYN-ACK → Target port is open
- RST → Target port is closed
- No response → Port is filtered by firewall
These responses help determine network exposure and service availability.
Identify firewall filtered ports
Firewalls may block packets without sending any response.
You can test this behavior using hping3:
hping3 -S -p 443 example.comIf the packet receives no response, it may indicate that the firewall is silently dropping the packet instead of rejecting it.
This technique helps administrators verify firewall filtering rules.
Perform stealth scanning with hping3
Stealth scanning attempts to gather information about open ports while minimizing detection.
hping3 can be used to send carefully crafted packets that mimic legitimate network traffic.
hping3 -S -p 80 -c 1 example.comSending a small number of packets or modifying flags can help security professionals perform controlled reconnaissance without generating excessive traffic, which is useful in penetration testing environments.
Test Firewall Rules with hping3
Check whether firewall blocks specific ports
hping3 can be used to determine whether a firewall is blocking traffic to certain ports. By sending TCP packets to a specific port, you can analyze how the firewall responds.
hping3 -S -p 443 example.comIn this command:
-Ssends a TCP SYN packet-p 443targets port 443
If the firewall allows the packet, the system will respond with SYN-ACK or RST. If the firewall blocks the packet silently, you may receive no response, indicating packet filtering.
Send packets with custom flags
Firewalls often inspect TCP flags to determine whether a packet should be allowed or blocked. hping3 allows you to send packets with custom TCP flags.
hping3 -F -P -U -p 80 example.comOptions used:
-Fsets the FIN flag-Psets the PSH flag-Usets the URG flag
Sending unusual flag combinations helps test whether the firewall correctly detects suspicious or malformed packets.
Test inbound vs outbound firewall rules
Network administrators often configure firewalls to control both incoming and outgoing traffic. hping3 can help validate these rules.
To test outbound traffic from a system:
hping3 -S -p 80 example.comIf packets leave the network successfully and receive responses, outbound traffic is allowed. If packets fail to reach the destination, the firewall may be blocking outbound connections.
Validate firewall filtering behavior
Some firewalls drop packets silently, while others send rejection messages. You can observe this behavior using hping3.
hping3 -S -p 25 example.comPossible results:
- SYN-ACK → Port is open
- RST → Port is closed
- No response → Packet filtered by firewall
This information helps verify whether firewall rules are working as expected.
Perform Traceroute Using hping3
Trace route using ICMP packets
hping3 can perform traceroute operations to identify the path packets take through a network.
hping3 --traceroute -1 example.comThe --traceroute option sends packets with increasing TTL values and displays each intermediate router along the path to the destination.
Trace route using TCP packets
Some networks block ICMP packets used by traditional traceroute tools. In such cases, you can perform traceroute using TCP packets.
hping3 --traceroute -S -p 80 example.comThis method uses TCP SYN packets instead of ICMP packets, which may bypass certain network filtering rules.
Detect network hops and latency
Each router between the source and destination represents a network hop. hping3 reports the time taken for packets to travel to each hop.
This helps identify slow network segments, routing delays, or misconfigured routers.
Troubleshoot routing issues
Traceroute analysis is useful when diagnosing connectivity problems. If packets stop responding after a specific hop, it may indicate:
- Routing misconfiguration
- Firewall blocking packets
- Network congestion
- Device failure along the route
Using hping3 allows you to perform traceroute with different packet types, providing deeper insight into routing behavior.
Generate Network Traffic for Testing
Simulate network load using flood mode
hping3 provides a flood mode that sends packets as fast as possible to generate network traffic.
hping3 --flood -S -p 80 example.comThe --flood option removes the delay between packets, allowing the tool to generate high volumes of traffic.
This feature is often used in controlled testing environments to evaluate network performance.
Stress test web servers
You can simulate traffic to test how a web server handles multiple incoming packets.
hping3 -S -p 80 -i u1000 example.comOptions used:
-Ssends SYN packets-p 80targets HTTP service-i u1000sends packets every 1000 microseconds
This helps determine whether the server can handle large numbers of incoming connections.
Generate custom traffic patterns
hping3 allows you to customize traffic patterns by adjusting parameters such as packet size, interval, and protocol type.
hping3 -S -d 200 -i u500 example.comOptions used:
-d 200sets packet data size to 200 bytes-i u500sends packets at custom intervals
This flexibility allows network engineers to simulate different types of network workloads.
Evaluate network resilience
Generating controlled traffic using hping3 helps administrators evaluate how well the network performs under load.
By observing packet responses, latency changes, and packet drops, you can determine whether the network infrastructure can maintain stable performance during heavy traffic conditions.
Craft Custom Packets with hping3
Modify TCP flags (SYN, FIN, ACK)
hping3 allows you to customize TCP packets by setting specific TCP flags. This is useful for testing how systems and firewalls react to different types of TCP packets.
hping3 -S -p 80 example.comOptions used:
-Ssets the SYN flag-Asets the ACK flag-Fsets the FIN flag
Example sending multiple flags:
hping3 -F -P -U -p 80 example.comThis sends packets with FIN, PSH, and URG flags, which can help test firewall rule behavior and packet filtering mechanisms.
Set custom packet size
You can modify the size of the packet payload using the -d option. This is useful when testing MTU limits or packet fragmentation behavior.
hping3 -S -p 80 -d 200 example.comHere:
-d 200sets the packet data size to 200 bytes
Larger packet sizes can be used to evaluate how networks handle large packets or fragmentation scenarios.
Set custom TCP window size
The TCP window size controls the amount of data a receiver can accept before acknowledging packets. hping3 allows you to define a custom window size for testing purposes.
hping3 -S -p 80 --win 512 example.comThis command sends a packet with a TCP window size of 512 bytes. Adjusting this value helps simulate different client behaviors and analyze how servers handle varying TCP window configurations.
Modify TTL values
The TTL (Time-To-Live) value controls how many hops a packet can traverse before being discarded.
hping3 -S -p 80 --ttl 50 example.comSetting different TTL values can help identify routing paths, detect network hops, and troubleshoot connectivity problems.
Craft packets for advanced testing
hping3 supports combining multiple parameters to craft advanced packets tailored for specific testing scenarios.
hping3 -S -p 80 -d 150 --ttl 40 --win 256 example.comThis command creates a customized packet with:
- TCP SYN flag
- Packet size of 150 bytes
- TTL value of 40
- TCP window size of 256
Such packet crafting is commonly used in network diagnostics, penetration testing, and protocol analysis.
Spoof Source IP Address
Send packets with fake source IP
hping3 can spoof the source IP address of packets using the -a option.
hping3 -a 192.168.1.50 -S -p 80 example.comIn this example, the packet appears to originate from 192.168.1.50, even though it is sent from another system.
Understand IP spoofing behavior
IP spoofing is a technique where the sender modifies the source IP address in packet headers. This technique is often used in security testing and attack simulations.
Since the spoofed IP address is not the real sender, responses from the target system will be sent to the spoofed address instead of the attacker.
Test network intrusion detection systems
Security teams often use spoofed packets to evaluate whether IDS or IPS systems can detect suspicious traffic.
By sending packets with unusual IP addresses or packet flags, administrators can test whether monitoring systems generate appropriate alerts.
Validate logging and monitoring systems
Spoofed packets can also be used to verify whether network logs correctly capture suspicious traffic patterns.
This helps administrators confirm that SIEM tools, firewalls, and monitoring platforms properly record abnormal network activity.
Perform Idle Scan (Zombie Scan)
What is an idle scan
An idle scan is a stealth scanning technique that uses a third-party system (called a zombie host) to probe a target. This allows the attacker to hide their identity while scanning the target system.
Instead of sending packets directly from the attacker, packets are sent through the zombie host.
Identify zombie hosts
A zombie host must meet specific conditions to be useful for idle scanning:
- It should have predictable IP ID sequences
- It should be mostly idle with minimal network activity
- It should respond consistently to probe packets
These characteristics allow the scanner to observe changes in packet responses.
Execute stealth scanning
hping3 can help initiate idle scan techniques by manipulating packet headers and analyzing responses.
Example command:
hping3 -Q -1 -a zombie_host target_hostThis command attempts to use the zombie host to probe the target system without revealing the original scanning system.
Interpret idle scan results
By analyzing changes in the zombie host’s packet behavior, the scanner can infer whether a target port is open, closed, or filtered.
This scanning method is considered stealthy because the target system only sees traffic coming from the zombie host, not the actual scanner.
Transfer Data Using hping3
Send files using ICMP packets
hping3 can embed data within ICMP packets, allowing users to send files over the network.
hping3 -1 -E file.txt example.comOptions used:
-1sends ICMP packets-Ereads data from the specified file
The contents of the file are transmitted inside ICMP packet payloads.
Use embedded data packets
Embedding data inside network packets can be used for network testing or covert data transfer.
hping3 allows sending arbitrary data inside packets, which can help test deep packet inspection systems or network monitoring tools.
Example:
hping3 -1 -d 120 example.comThis command sends ICMP packets with a 120-byte payload.
Practical use cases for packet data transfer
Sending embedded data using hping3 can be useful in several scenarios:
- Testing intrusion detection systems
- Evaluating packet inspection tools
- Simulating covert communication techniques
- Understanding how networks handle unusual packet payloads
Because these techniques can resemble malicious activity, they should always be used only in authorized testing environments.
Measure Network Latency and Packet Loss
Send repeated packets to measure latency
hping3 can send multiple packets to measure the time taken for packets to travel between systems. This helps determine network latency and response times.
hping3 -c 10 -1 example.comOptions used:
-c 10sends 10 packets-1sends ICMP packets
The output will show response times for each packet, allowing you to evaluate average latency and response consistency.
Detect packet drops in network path
Packet drops occur when packets fail to reach the destination or return to the sender. By sending a sequence of packets, hping3 helps identify packet loss along the network path.
hping3 -c 20 -S -p 80 example.comIf some packets do not receive responses, it may indicate:
- Network congestion
- Packet filtering by firewalls
- Routing issues
- Network device failures
Monitoring these responses helps identify reliability problems in the network infrastructure.
Evaluate network reliability
Consistent packet responses indicate a stable network, while delays or dropped packets may suggest performance issues.
Administrators often use hping3 to perform repeated connectivity checks, allowing them to monitor network behavior under different conditions and detect intermittent connectivity issues.
Adjust Packet Timing and Size
Control packet sending interval
hping3 allows precise control over how frequently packets are sent. This helps simulate different traffic patterns.
hping3 -S -p 80 -i u1000 example.comHere:
-i u1000sends packets every 1000 microseconds
Adjusting packet intervals helps analyze how systems respond to varying traffic rates.
Modify packet size using -d
Packet size can be customized to test how networks handle different payload sizes.
hping3 -S -p 80 -d 200 example.comOptions used:
-d 200sets the packet data size to 200 bytes
Testing different packet sizes can help identify MTU issues, fragmentation behavior, or performance bottlenecks.
Simulate real network traffic
By adjusting parameters such as packet size, interval, and protocol type, hping3 can simulate realistic network traffic patterns.
hping3 -S -p 80 -d 150 -i u500 example.comThis command sends packets that mimic normal application traffic, allowing administrators to evaluate how the network performs under typical workload conditions.
Use hping3 for Security Testing
Detect firewall filtering rules
hping3 can help determine how a firewall handles different types of traffic by sending packets with specific flags.
hping3 -S -p 443 example.comIf the firewall allows the packet, the host may respond with SYN-ACK. If the firewall blocks the packet, there may be no response.
Analyzing these responses helps administrators verify firewall rule configurations.
Identify IDS or IPS behavior
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for suspicious activity.
Security teams can use hping3 to generate controlled traffic patterns and observe whether the IDS or IPS detects and alerts on unusual packets.
For example:
hping3 -F -P -U -p 80 example.comSending packets with unusual flag combinations helps test whether the monitoring system can identify suspicious traffic.
Simulate reconnaissance attacks
During penetration testing, security professionals simulate reconnaissance activities to identify exposed services.
hping3 --scan 20-100 -S example.comThis command scans ports 20 through 100 to detect which services are running on the target system.
Such scans help security teams identify open ports that could potentially expose vulnerabilities.
Common Errors When Using hping3
Permission denied when running hping3
One of the most common issues when using hping3 is receiving a permission denied error. This happens because hping3 needs access to raw sockets, which are restricted to privileged users.
Example error:
hping3: can't open raw socketTo resolve this issue, run the command with elevated privileges:
sudo hping3 -S -p 80 example.comUsing sudo allows the tool to create raw packets required for network testing.
hping3 requires root privileges
hping3 performs low-level packet crafting, which requires root or administrative privileges on most operating systems.
If you try running hping3 without sufficient permissions, the tool may fail to send packets or produce errors.
Always run hping3 with:
sudo hping3 [options] targetAlternatively, administrators can grant required capabilities using tools like setcap, but this approach should be used carefully due to security implications.
Incorrect port scanning results
Sometimes hping3 may show unexpected port states during scanning. This can happen due to several reasons:
- Network latency causing delayed responses
- Rate limiting by firewalls
- Incorrect TCP flag combinations
- Packet filtering by intermediate devices
For example, sending SYN packets to test port status:
sudo hping3 -S -p 80 example.comThe response types typically indicate:
- SYN-ACK → Port is open
- RST → Port is closed
- No response → Port may be filtered
If scan results appear inconsistent, try adjusting the packet interval using -i or increasing packet count with -c.
Firewall blocking packets
Firewalls often block or filter packets generated by hping3, especially when unusual TCP flags or high traffic rates are used.
Example:
sudo hping3 -S -p 22 example.comIf the firewall blocks the packet silently, you may receive no response from the target system.
To troubleshoot firewall filtering:
- Test using different packet types (ICMP, TCP, UDP)
- Reduce packet rate using the
-ioption - Verify firewall rules on the target system
- Check network logs or IDS alerts
Understanding firewall behavior helps determine whether packets are being blocked, filtered, or rate-limited by security systems.
Frequently Asked Questions
1. What is hping3 used for?
hping3 is a network packet crafting and analysis tool used for port scanning, firewall testing, traceroute analysis, and network diagnostics. It allows users to send custom TCP, UDP, and ICMP packets for advanced network testing.2. What is the difference between ping and hping3?
The ping command sends simple ICMP echo requests to test connectivity, while hping3 allows creating custom TCP, UDP, and ICMP packets with configurable flags, ports, packet size, and timing for advanced network analysis.3. Can hping3 be used for port scanning?
Yes. hping3 can perform port scanning by sending TCP SYN packets to specific ports and analyzing responses such as SYN-ACK or RST to determine whether the port is open or closed.4. Is hping3 available on Windows?
hping3 is not natively available on Windows, but it can be used through Windows Subsystem for Linux (WSL) or Cygwin to run Linux networking tools within a Windows environment.Summary
hping3 is a powerful packet crafting and network analysis tool widely used for network troubleshooting, security testing, and firewall validation. Unlike traditional utilities such as ping, it allows administrators to create customized TCP, UDP, and ICMP packets with detailed control over packet headers and flags.
By using hping3, network engineers and cybersecurity professionals can perform tasks such as port scanning, traceroute analysis, firewall rule testing, traffic simulation, and packet-level diagnostics. When used responsibly in authorized environments, hping3 becomes an essential tool for understanding network behavior and improving security.
Official Documentation
For more detailed information about hping3 and its available options, refer to the official manual page:
