--dest-port (Target ports)
This option specifies which destination ports you want to send
probes to. It can be a single port, a comma-separated list of
ports (e.g. 80,443,8080), a range
(e.g. 1-1023), and any combination
of those (e.g.
The beginning and/or end values
of a range may be omitted, causing Nping to use 1 and 65535,
respectively. So you can specify
-p- to target ports from 1 through
65535. Using port zero is allowed if you specify it explicitly.
--source-port (Spoof source port)
This option asks Nping to use the specified port as source port for
the TCP connections. Note that this might not work on all systems or
may require root privileges. Specified value must be an integer in
the range [0–65535].
--seq (Sequence Number)
Specifies the TCP sequence number. In SYN packets this is the initial
sequence number (ISN). In a normal transmission this corresponds to
the sequence number of the first byte of data in the segment.
<seqnumber> must be a number in the range
--flags (TCP Flags)
This option specifies which flags should be set in the TCP packet.
<flags> may be specified in three different ways:
As a comma-separated list of flags, e.g.
As a list of one-character flag initials, e.g.
--flags SAR tells Nping to set flags SYN, ACK, and RST.
As an 8-bit hexadecimal number, where the supplied number
is the exact value that will be placed in the flags field of the
TCP header. The number should start with the prefix
0x and should be in the range
--flags 0x20 sets the
URG flag as 0x20 corresponds to binary 00100000 and the URG flag
is represented by the third bit.
There are 8 possible flags to set:
The special value
ALL means to set all flags.
NONE means to set no flags. It is important that
if you don't want any flag to be set, you request it explicitly
because in some cases the SYN flag may be set by default. Here is a
brief description of the meaning of each flag:
CWR (Congestion Window Reduced)
Set by an ECN-Capable sender
when it reduces its congestion window (due to a retransmit
timeout, a fast retransmit or in response to an ECN
ECN (Explicit Congestion Notification)
During the three-way
handshake it indicates that sender is capable of performing
explicit congestion notification. Normally it means that a
packet with the IP Congestion Experienced flag set was received
during normal transmission. See
for more information.
URG (Urgent)
Segment is urgent and the urgent pointer field
carries valid information.
ACK (Acknowledgement)
The segment carries an acknowledgement
and the value of the acknowledgement number field is valid and
contains the next sequence number that is expected from the
PSH (Push)
The data in this segment should be immediately
pushed to the application layer on arrival.
RST (Reset)
There was some problem and the sender wants to
abort the connection.
SYN (Synchronize)
The segment is a request to synchronize
sequence numbers and establish a connection. The sequence
number field contains the sender's initial sequence
FIN (Finish)
The sender wants to close the connection.
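
The three --flags notations above all reduce to one byte in the TCP header. The following is an added example, not Nping's own code: it normalises a flag specification to that byte and decodes a byte back to flag names, which is useful when matching unusual flag combinations in packet captures. The function names are hypothetical, and mapping each initial to the first letter of its flag name is an assumption (the page only shows S, A and R).

```python
# Added example (not Nping code): normalise a --flags style value to the
# 8-bit TCP flags field, and decode a flags byte back to names.
FLAG_BITS = {  # bit positions in the TCP header; "ECN" is the page's name for 0x40
    "CWR": 0x80, "ECN": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
# Assumption: each one-character initial is the first letter of the flag name.
INITIALS = {name[0]: bit for name, bit in FLAG_BITS.items()}


def parse_flags(spec):
    """Return the flags byte for a comma list, initials, 0x.. hex, ALL or NONE."""
    upper = spec.strip().upper()
    if not upper:
        raise ValueError("empty flag specification")
    if upper == "ALL":
        return 0xFF
    if upper == "NONE":
        return 0x00
    if upper.startswith("0X"):
        value = int(upper, 16)  # ValueError on non-hex digits
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{spec!r} does not fit in the 8-bit flags field")
        return value
    value = 0
    tokens = [t.strip() for t in upper.split(",")]
    if all(t in FLAG_BITS for t in tokens):  # e.g. syn,ack,rst
        for t in tokens:
            value |= FLAG_BITS[t]
    elif "," not in upper and all(c in INITIALS for c in upper):  # e.g. SAR
        for c in upper:
            value |= INITIALS[c]
    else:
        raise ValueError(f"unrecognised flag specification {spec!r}")
    return value


def describe_flags(value):
    """Decode a flags byte into flag names, highest bit first."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]


if __name__ == "__main__":
    for spec in ("syn,ack,rst", "SAR", "0x20", "ALL", "NONE"):
        byte = parse_flags(spec)
        print(f"{spec:12} -> 0x{byte:02X} {describe_flags(byte)}")
```

Full names are tried before initials, so a single name such as ack is never misread as a string of initials.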
--win (Window Size)
Specifies the TCP window size, that is, the number of octets the
sender of the segment is willing to accept from the receiver at one
time. This is usually the size of the reception buffer that the OS
allocates for a given connection.
The value must be a number in the range [0–65535].
--badsum (Invalid Checksum)
Asks Nping to use an invalid TCP checksum for the packets sent to
target hosts. Since virtually all host IP stacks properly drop these
packets, any responses received are likely coming from a firewall or
an IDS that didn't bother to verify the checksum. For more
details on this technique, see