Home page logo
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News


Nmap Network Scanning

IPv4 Options

-S <addr>, --source-ip <addr> (Source IP Address)

Sets the source IP address. This option lets you specify a custom IP address to be used as source IP address in sent packets. This allows spoofing the sender of the packets. <addr> can be an IPv4 address or a hostname.

--dest-ip <addr> (Destination IP Address)

Adds a target to Nping's target list. This option is provided for consistency but its use is deprecated in favor of plain target specifications. See the section called “Target Specification”.

--tos <tos> (Type of Service)

Sets the IP TOS field. The TOS field is used to carry information to provide quality of service features. It is normally used to support a technique called Differentiated Services. See RFC 2474 for more information. <tos> must be a number in the range [0–255].

--id <id> (Identification)

Sets the IPv4 Identification field. The Identification field is a 16-bit value that is common to all fragments belonging to a particular message. The value is used by the receiver to reassemble the original message from the fragments received. <id> must be a number in the range [0–65535].

--df (Don't Fragment)

Sets the Don't Fragment bit in sent packets. When an IP datagram has its DF flag set, intermediate devices are not allowed to fragment it so if it needs to travel across a network with a MTU smaller that datagram length the datagram will have to be dropped. Normally an ICMP Destination Unreachable message is generated and sent back to the sender.

--mf (More Fragments)

Sets the More Fragments bit in sent packets. The MF flag is set to indicate the receiver that the current datagram is a fragment of some larger datagram. When set to zero it indicates that the current datagram is either the last fragment in the set or that it is the only fragment.

--ttl <hops> (Time To Live)

Sets the IPv4 Time-To-Live (TTL) field in sent packets to the given value. The TTL field specifies how long the datagram is allowed to exist on the network. It was originally intended to represent a number of seconds but it actually represents the number of hops a packet can traverse before being dropped. The TTL tries to avoid a situation in which undeliverable datagrams keep being forwarded from one router to another endlessly. <hops> must be a number in the range [0–255].

--badsum-ip (Invalid IP checksum)

Asks Nping to use an invalid IP checksum for packets sent to target hosts. Note that some systems (like most Linux kernels), may fix the checksum before placing the packet on the wire, so even if Nping shows the incorrect checksum in its output, the packets may be transparently corrected by the kernel.

--ip-options <S|R [route]|L [route]|T|U ...>, --ip-options <hex string> (IP Options)

The IP protocol offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns. In fact, many Internet routers block the most dangerous options such as source routing. Yet options can still be useful in some cases for determining and manipulating the network route to target machines. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute-style approaches fail. Or if your packets are being dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options.

The most powerful way to specify IP options is to simply pass in hexadecimal data as the argument to --ip-options. Precede each hex byte value with \x. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00.

Note that if you specify a number of bytes that is not a multiple of four, an incorrect IP header length will be set in the IP packet. The reason for this is that the IP header length field can only express multiples of four. In those cases, the length is computed by dividing the header length by 4 and rounding down. This will affect the way the header that follows the IP header is interpreted, showing bogus information in Nping or in the output of any sniffer. Although this kind of situation might be useful for some stack stress tests, users would normally want to specify explicit padding, so the correct header length is set.

Nping also offers a shortcut mechanism for specifying options. Simply pass the letter R, T, or U to request record-route, record-timestamp, or both options together, respectively. Loose or strict source routing may be specified with an L or S followed by a space and then a space-separated list of IP addresses.

For more information and examples of using IP options with Nping, see the mailing list post at http://seclists.org/nmap-dev/2006/q3/0052.html.

--mtu <size> (Maximum Transmission Unit)

This option sets a fictional MTU in Nping so IP datagrams larger than <size> are fragmented before transmission. <size> must be specified in bytes and corresponds to the number of octets that can be carried on a single link-layer frame.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]