hping wiki

Please, write here your bug report, and a patch if you have it. You should specify (ideally):
  • Operating system and version
  • Hping version
  • GCC version if you have access to the info
  • Tcl/Tk version you linked against
  • How to reproduce the bug.

Please write the bug report in any case even if you have only some of this information.
  • OS Ubuntu 8.10
  • hping version 2.0.0-rc3, 3.0.0-alpha-2
  • gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12

Buffer overflow is in place when options --scan and -t uses at the same time. At the list below I used ttl 1 (there are two hops to the target But situation is the same for any ttl=target_ttl-1 and less. Also I mentioned that if I use one remote port to scan sometimes issue not shown and I can see the normal output of hping. Situation is the same both for hping2 and hping3.
root@bt:~# traceroute -T
traceroute to (, 30 hops max, 40 byte packets
1  my.firewall (  5.406 ms  10.532 ms  15.561 ms
2 (  58.799 ms  60.190 ms  61.298 ms

root@bt:~# hping -S -p 80
HPING (eth0 S set, 40 headers + 0 data bytes
len=46 ip= ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
len=46 ip= ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
--- hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.9/4.9/4.9 ms

root@bt:~# hping -S -p 80 -t 1
HPING (eth0 S set, 40 headers + 0 data bytes
TTL 0 during transit from ip= name=my.firewall
TTL 0 during transit from ip= name=my.firewall
TTL 0 during transit from ip= name=my.firewall
--- hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

root@bt:~# hping -S --scan 80 -t 1
Scanning (, port 80
1 ports to scan, use -V to see all the replies
|port| serv name |  flags  |ttl| id  | win |
*** buffer overflow detected ***: hping terminated
======= Backtrace: =========
======= Memory map: ========
08048000-08058000 r-xp 00000000 03:05 1058310    /usr/sbin/hping2
08058000-0805a000 rw-p 0000f000 03:05 1058310    /usr/sbin/hping2
0805a000-08060000 rw-p 00000000 00:00 0
080fb000-0811c000 rw-p 00000000 00:00 0          [heap]
b7d98000-b7da5000 r-xp 00000000 03:05 1038415    /lib/libgcc_s.so.1
b7da5000-b7da6000 r--p 0000c000 03:05 1038415    /lib/libgcc_s.so.1
b7da6000-b7da7000 rw-p 0000d000 03:05 1038415    /lib/libgcc_s.so.1
b7db9000-b7e7a000 rw-s 00000000 00:08 1736725    /SYSV00000000 (deleted)
b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
b7fd2000-b7fd4000 r--p 00158000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
b7fd5000-b7fd8000 rw-p 00000000 00:00 0
b7fea000-b7fec000 rw-p 00000000 00:00 0
b7fec000-b8006000 r-xp 00000000 03:05 1038373    /lib/ld-2.8.90.so
b8006000-b8007000 rw-p 00000000 00:00 0
b8007000-b8008000 r--p 0001a000 03:05 1038373    /lib/ld-2.8.90.so
b8008000-b8009000 rw-p 0001b000 03:05 1038373    /lib/ld-2.8.90.so
bf8fd000-bf912000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
Not responding ports: (80 www)
All replies received. Done.

root@bt:~# hping -S --scan 80
Scanning (, port 80
1 ports to scan, use -V to see all the replies
|port| serv name |  flags  |ttl| id  | win |
   80 www        : .S..A... 127 46672 65535
All replies received. Done.
Not responding ports:


FIXME fixed: The IP id issue for fragments can be resolved with this path. 13.09.2007 (oliver dot stampfli @ epfl dot ch) Index: sendip.c
RCS file: /cvsroot/hping2/hping3s/sendip.c,v
retrieving revision 1.2
diff -r1.2 sendip.c
< 	else /* if you need fragmentation id must not be randomic */
> 	else /* if you need fragmentation id must not be random but all fragments belonging to the
> 		  * the same IP packet must have the same id that is unique amongst other fragments. */
< 		/* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
< 		/*        for every frame sent */
< 		ip->id		= (src_id == -1) ?
< 			htons(getpid() & 255) :
< 			htons((unsigned short) src_id);
> 		if(src_id == -1)
> 		{
> 			__u16 b16_counter = (__u16)sent_pkt;
> 			__u16 b16_pid = getpid() & 0xff;
> 			ip->id = htons(b16_pid + b16_counter);
> 		}
> 		else
> 		{
> 			ip->id = htons((unsigned short) src_id);
> 		}

Bug Report: Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch) It is the same bug that was already discovered in the ars.c file but this one is in the cksum.c file: Change line 22 of cksum.c.
*((__u16 *) &oddbyte) = *(__u16 *) buf;

*((__u16 *) &oddbyte) = *(__u8 *) buf;

Bug Report: Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)
One can not send packets with the maximal size of 65535 byte. Patch attached to fix this problem : patch_maxsize.diff
Bug Report: Too early auto-fragmentation (oliver dot stampfli at epfl dot ch)
The problem is that if someone wants to send packets with exactly the MTU size of an interface then hping activates auto-fragmentation although it is not needed at this point. The effect is that one cannot send MTU sized packets with the DF bit on. After this patch hping will send packets with exactly the same packet size but it will no more activate the auto-fragment mode too early and therefore one can send packets with MTU size that still have the DF bit set.
       diff -urb hping3s/sendip_handler.c hping3.work/sendip_handler.c
       --- hping3s/sendip_handler.c        2003-09-01 02:22:06.000000000 +0200
       +++ hping3.work/sendip_handler.c   2007-05-29 11:03:07.000000000 +0200
       @@ -19,7 +19,7 @@
               ip_optlen = ip_opt_build(ip_opt);
       -       if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu))
       +       if (!opt_fragment && (size+ip_optlen+20 > h_if_mtu))
                       /* auto-activate fragmentation */
                       virtual_mtu = h_if_mtu-20;

Bug Report: hping2 and hping3 accepts ICMP error messages which are not meant for it. (oliver dot stampfli at epfl dot ch)
OS: any Hping version: any GCC: any Tcl/Tk any
When you do with a host H a 'traceroute H' and a 'hping -A -p 22 -fast -q H' at the same time then hping wrongly takes the ICMP ttl exceeded messages meant for traceroute for its own. The problem is that hping machtes these ICMP packets only on the IP addresses and not on other criterias.
From waitpacket.c in method recv_icmp:
       /* ------------------------------------ *
 * ------------------------------------ */
else if (icmp.type == 3 || icmp.type == 11) {
	if ((size - ICMPHDR_SIZE) < sizeof(struct myiphdr)) {
		printf("[|icmp quoted ip]\n");
		return 0;
	memcpy(&quoted_ip, packet+ICMPHDR_SIZE, sizeof(quoted_ip));
	if (memcmp(&quoted_ip.daddr, &remote.sin_addr,
		sizeof(quoted_ip.daddr)) ||
	    memcmp(&ip.daddr, &local.sin_addr, sizeof(ip.daddr)))
		return 0; /* addresses don't match */
	/* Now we can handle the specific type */
	switch(icmp.type) {
	case 3:
		if (!opt_quiet)
			log_icmp_unreach(inet_ntoa(src), icmp.code);
		return 1;
	case 11:
		if (opt_traceroute)
			log_traceroute(packet, size, icmp.code);
			log_icmp_timeexc(inet_ntoa(src), icmp.code);
		return 1;

I don't know if this problem exists also for different packet types but it is very likely. I think this is not too hard to fix:
  • if src_id != -1 then compare the src_id with &quoted_ip.id
  • if src_id == -1 then you would have to have saved the ids of your previous sent packets (because they were random) and compare &quoted_ip.id to them.

Note that this would not entirely fix the problem because (in this case) traceroute could use the same id numbers by accident but this is not very likely. BEWARE of including a fix signature in the data part and mark all packets from hping this way to can easily recognize them because IDSs and Firewalls could then recognize them too.
Any discussion on this is appreciated... please write me an e-mail.

Bug Report: hping2 uses for its source IP for all packets. (erickson at netapp.com)
OS: 2.6.11-1.27_FC3smp Hping version: 2.0.0-rc3 gcc version 3.4.3
All of the hping packets have for the source ip when using tcp mode. The server where this is running has 587 routes, 512 IP aliases configured, other than that it is pretty normal.
hping -1 <IP> succeeds, and the source IP is correct, but hping <IP> does not, all the source IPs are the loopback IP.

Bug Report: Hping2-rc3 ALWAYS dies on OS X on Intel Processors with: "[send_ip] sendto: Invalid argument" (nathan dot stocks at gmail dot com)
Fix is documented here: http://lists.apple.com/archives/macnetworkprog/2006/Jun/msg00049.html
OS: OS X 10.4 on Intel
Hping: 2.0.0-rc3
GCC: i686-apple-darwin8-gcc-4.0.1 (GCC) 4.0.1 (Apple Computer, Inc. build 5363)
TCL: 8.4.12
Walking through the fix (documented at the link above), here are the specific patches that need to be applied to hping2-rc3 to make it work on OS X 10.4 on Intel processors:
--- libpcap_stuff.c.org 2006-01-23 17:58:11.000000000 +0100
+++ libpcap_stuff.c     2006-01-23 17:58:46.000000000 +0100
@@ -16,8 +16,8 @@
 #include <string.h>
 #include <stdlib.h>
 #include <sys/ioctl.h>
-#include <pcap.h>
 #include <net/bpf.h>
+#include <pcap.h>
 #include "globals.h"

--- ars.c.orig  2006-11-20 13:20:01.000000000 -0700
+++ ars.c       2006-11-20 13:20:46.000000000 -0700
@@ -830,7 +830,7 @@
                return -ARS_INVALID;
        ip = (struct ars_iphdr*) packet;
-#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+#if defined OSTYPE_DARWIN || defined  OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
        ip->tot_len = ntohs(ip->tot_len);
        ip->frag_off = ntohs(ip->frag_off);

--- sendip.c.orig       2006-11-20 13:23:28.000000000 -0700
+++ sendip.c    2006-11-20 13:23:05.000000000 -0700
@@ -48,7 +48,8 @@
        ip->ihl         = (IPHDR_SIZE + optlen + 3) >> 2;
        ip->tos         = ip_tos;
-#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+/* OS X */
 /* FreeBSD */
 /* NetBSD */
        ip->tot_len     = packetsize;
@@ -73,7 +74,8 @@
                        htons((unsigned short) src_id);
-#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
+#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
+/* OS X */
 /* FreeBSD */
 /* NetBSD */
        ip->frag_off    |= more_fragments;

Bug Report: Hping3s compile error: ../hping3s/main.c:186: undefined reference to 'hping_script' (zarxcky, z4rxcky AT inbox DOT com)
OS: Suse Linux Pro 9.3
Hping version: Hping3s
GCC version: gcc-3.3.5-5
TCL version: tcl-8.4.9-7
Hping3s failed to compile on my Suse 9.3 box. The following error are seen during compiling time:
./configure does not give any problem, but when trying to run make, there is 1 error which is stated below:
main.o(.text+0x52): In function 'main': ../../hping3s/main.c:186: undefined reference to 'hping_script' collect2: ld returned 1 exit status make:
hping3 Error 1
So far look like nobody else get the same error as I got. Any ideas?
Solution1: I was getting the exact same error when trying to compile the source. I had to do a 'make strip' before 'make' for hping to compile successfully.
Solution2: I had to do a 'make clean' before 'make' for hping to compile successfully.
Solution3: mekanik
I had to remove the following list of files and then rerun "./configure && make" for hping to compile successfully with TCL support.
-rw-r--r--  1 root     root     20020 Feb 19 03:04 rapd.o
-rw-r--r--  1 root     root     16996 Feb 19 03:04 split.o
-rw-r--r--  1 root     root     43840 Feb 19 03:04 apd.o
-rw-r--r--  1 root     root     27540 Feb 19 03:04 ars.o
-rw-r--r--  1 root     root     19172 Feb 19 03:04 scan.o
-rw-r--r--  1 root     root      5044 Feb 19 03:04 arsglue.o
-rw-r--r--  1 root     root      8840 Feb 19 03:04 send.o
-rw-r--r--  1 root     root      4684 Feb 19 03:04 sendrawip.o
-rw-r--r--  1 root     root      6684 Feb 19 03:04 display_ipopt.o
-rw-r--r--  1 root     root      5620 Feb 19 03:04 ip_opt_build.o
-rw-r--r--  1 root     root      6324 Feb 19 03:04 libpcap_stuff.o
-rw-r--r--  1 root     root      6496 Feb 19 03:04 sendip_handler.o
-rw-r--r--  1 root     root      4712 Feb 19 03:04 relid.o
-rw-r--r--  1 root     root      6968 Feb 19 03:04 rtt.o
-rw-r--r--  1 root     root      5708 Feb 19 03:04 sendhcmp.o
-rw-r--r--  1 root     root      6516 Feb 19 03:04 listen.o
-rw-r--r--  1 root     root      4556 Feb 19 03:04 version.o
-rw-r--r--  1 root     root      5788 Feb 19 03:04 statistics.o
-rw-r--r--  1 root     root      4504 Feb 19 03:04 cksum.o
-rw-r--r--  1 root     root      8344 Feb 19 03:04 sendtcp.o
-rw-r--r--  1 root     root      6944 Feb 19 03:04 sendudp.o
-rw-r--r--  1 root     root     11872 Feb 19 03:04 sendicmp.o
-rw-r--r--  1 root     root      8272 Feb 19 03:04 sendip.o
-rw-r--r--  1 root     root     23604 Feb 19 03:04 waitpacket.o
-rw-r--r--  1 root     root      6528 Feb 19 03:04 logicmp.o
-rw-r--r--  1 root     root      5268 Feb 19 03:04 binding.o
-rw-r--r--  1 root     root      5332 Feb 19 03:04 datahandler.o
-rw-r--r--  1 root     root      5936 Feb 19 03:04 datafiller.o
-rw-r--r--  1 root     root     26008 Feb 19 03:04 parseoptions.o
-rw-r--r--  1 root     root      6624 Feb 19 03:04 getlhs.o
-rw-r--r--  1 root     root      9932 Feb 19 03:04 getifname.o
-rw-r--r--  1 root     root     21200 Feb 19 03:04 main.o
-rw-r--r--  1 root     root        86 Feb 19 03:04 systype.h
-rw-r--r--  1 root     root      2460 Feb 19 03:04 Makefile
-rw-r--r--  1 root     root       177 Feb 19 03:04 byteorder.h
-rwxr-xr-x  1 root     root      5458 Feb 19 03:04 byteorder

Bug Report: Hping3 does not compile on Solaris 8 (Jim Halfpenny, jim AT watersheep DOT org)
OS: SunOS 5.8 Generic_108528-13 sun4u sparc
Hping version: Hping3s
GCC version: 3.3
TCL version: none
Hping3 fails to compile on my Solaris box. The following errors are seen at compile time:
In file included from arsglue.c:7:
ars.h:186: error: parse error before "u_int8_t"
ars.h:186: warning: no semicolon at end of struct or union
ars.h:191: warning: type defaults to `int' in declaration of `tos'
ars.h:191: warning: data definition has no type or storage class
ars.h:192: error: parse error before "tot_len"
ars.h:192: warning: type defaults to `int' in declaration of `tot_len'
ars.h:192: warning: data definition has no type or storage class

Any ideas?

antirez 27May2004:
That's very simple to fix, just add this lines at top of ars.h:
#define u_int8_t unsigned char
#define u_int16_t unsigned short
#define u_int32_t unsigned int

and all should compile without problem. Please if this really fix the probelm write it here (or otherwise), so I know if it's worth to commit the change to the CVS. Thanks.

underdog 17June2004:
  • hping version: 3.0.0-alpha-1
  • OS: Linux 2.4.22
  • GCC: 3.3.2
  • TCL: 8.3.5

  • TARGET SYSTEM: Linux 2.4.7

hping --scan option seems to be flaky:
I run hping -S --scan 1-200 against a machine that has ftp, ssh, http, and samba on it:

[root@linuxlaptop root]# hping --scan 1-200 -S

  Scanning (, port 1-200
  200 ports to scan, use -V to see all the replies
  |port| serv name |  flags  |ttl| id  | win | len | 
     21 ftp        : .S..A...  64     0  5840    46
     22 ssh        : .S..A...  64     0  5840    46
  All replies received. Done.
  Not responding ports:

I run the command hping -S --scan 138-139 and it returns telling me that ports 139 is open:

  [root@linuxlaptop root]# hping --scan 138-139 -S
  Scanning (, port 138-139
  2 ports to scan, use -V to see all the replies
  |port| serv name |  flags  |ttl| id  | win | len |
    139 netbios-ssn: .S..A...  64     0  5840    46
  All replies received. Done.
  Not responding ports:

I can do a hping -S -p ++1 and it does return with all the correct ports being open. It appears that something is up with the --scan option. Thanks

underdog update
I figured out that apparently the beginning port on the scan option needs to be within 36ish ports to see a port open. Example below...notice the beginning port number on each scan and the results:
  [root@linuxlaptop hping2-rc3]# hping -S --scan 44-100
  Scanning (, port 44-100
  57 ports to scan, use -V to see all the replies
  |port| serv name |  flags  |ttl| id  | win |
     53 domain     : .S..A...  64     0  5840
     80 http       : .S..A...  64     0  5840
  All replies received. Done.
  Not responding ports: 

  [root@linuxlaptop hping2-rc3]# hping -S --scan 43-100
  Scanning (, port 43-100
  58 ports to scan, use -V to see all the replies
  |port| serv name |  flags  |ttl| id  | win |
     53 domain     : .S..A...  64     0  5840
  All replies received. Done.
  Not responding ports:

antirez 18June2004:
Thanks for the report underdog. There is something of odd here, not related to the fact that hping3 may send packets too fast probably. May you try if it works if you add --fast to the command line? And more important is to try

and report here the same scan with the -V switch added. This can help a lot. Thanks for your support.

underdog 22June2004:
The --fast option does seem to fix this issue. I should have mentioned that this is going over a wireless connection also. That could have something to do with it. Also it appears that Linux behaves totally different from the TCP/IP behavior than the windows sytems I have tested.
Thanks antirez.

Philippe Lovis (binomial at gmx dot net), 26June2004:
  • hping version: 3.0.0-alpha-2
  • OS: Linux 2.6.6
  • GCC: 3.3.4
  • TCL: 8.4.6

There is a bug in ars_multi_cksum() in ars.c which corrupts the TCP checksum if the oddbyte flag is set. You can reproduce the bug i.e. with:
append syn "ip(saddr=,daddr="
append syn "+tcp(sport=80,dport=22,flags=s)"
append syn "+tcp.nop()+tcp.mss(size=255)"
hping send $syn

tcpdump -i lo -v will report a 'bad tcp cksum'.
Fix: Adapt line 453 in ars.c from
*((u_int16_t *) &oddbyte) |= *(u_int16_t *) buf;

*((u_int16_t *) &oddbyte) |= *(u_int8_t *) buf;

And some little detail: RFC793 states that the padding bytes of the TCP options should be 0x0, but hping3 fills the padding bytes with 0x1.
Fix: Adapt line 778 in ars.c (in ars_compiler_tcpopt()) from
memset(t+cur_size, ARS_TCPOPT_NOP, padding);

memset(t+cur_size, ARS_TCPOPT_EOL, padding);

Flibble 09July2004:
  • hping version: 3.0.0-alpha-2 (CVS)
  • OS: Fedora Core 2 - Linux 2.6.5
  • GCC: 3.3.3
  • TCL: 8.4.5
  • LIBPCAP: 0.8.3

In order to complete the compile I needed to change references from net/bpf.h to pcap-bpf.h in libpcap_stuff.c and script.c. Compiled and RPM'd fine after that, will check functionality and post results.

Bug Report: hping crashes
OS: linux-2.2.25-ow1
Hping version: version 3.0.0-alpha-2
GCC version: gcc version 2.95.3 20010315 (release)
TCL version: tcl8.4.6
steps to reproduce the bug:
1. hping exec passivets.htcl
2. ftp from machine in this subnet and transfer some files
3. ftp from machine in other subnet and transfer some files

gdb information:
bash-2.05# gdb ../hping3
GNU gdb 5.0 (UI_OUT)
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-linux"...
(gdb) set args exec passivets.htcl
(gdb) r
Starting program: /home/dima/src/hping3-alpha-2/lib/../hping3 exec passivets.htc
[New Thread 1024 (runnable)] ( UPTIME=0 days, 2 hours, 49 minutes, 17 seconds ( UPTIME=0 days, 0 hours, 0 minutes, 14 seconds ( UPTIME=0 days, 0 hours, 0 minutes, 13 seconds

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x40137b19 in chunk_free (ar_ptr=0x401c2c20, p=0x8094408) at malloc.c:3111
3111    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  0x40137b19 in chunk_free (ar_ptr=0x401c2c20, p=0x8094408) at malloc.c:3111
#1  0x401379ae in __libc_free (mem=0x8094410) at malloc.c:3023
#2  0x08056a64 in ars_remove_layer (pkt=0xbffed948, layer=3) at ars.c:385
#3  0x0805a460 in ars_split_tcp (pkt=0xbffed948, packet=0xbffeee5a, size=8,
    state=0xbffed914, len=0xbffed918) at split.c:394
#4  0x08059f23 in ars_split_packet (packet=0xbffeee2a, size=56, ipoff=0,
    pkt=0xbffed948) at split.c:132
#5  0x08051322 in GetPacketDescription (data=0xbffeee2a "E", len=56, hexdata=0)
    at script.c:274
#6  0x0805150e in HpingRecvPackets (ra=0x807df60, interp=0x8083b48,
    o=0x80914b0, timeout=-1, maxpackets=1, rapd=1, hexdata=0) at script.c:352
#7  0x0805167c in __HpingRecvCmd (clientData=0x0, interp=0x8083b48, objc=4,
    objv=0x80859a0, rapd=1, hexdata=0) at script.c:412
#8  0x08051726 in HpingRecvCmd (clientData=0x0, interp=0x8083b48, objc=4,
    objv=0x80859a0) at script.c:438
#9  0x080524aa in HpingObjCmd (clientData=0x0, interp=0x8083b48, objc=4,
    objv=0x80859a0) at script.c:857
#10 0x40037c80 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so
#11 0x4005a2f4 in TclExecuteByteCode () from /usr/lib/libtcl8.4.so
#12 0x400597e0 in TclCompEvalObj () from /usr/lib/libtcl8.4.so
#13 0x40038b95 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so
#14 0x40049089 in Tcl_WhileObjCmd () from /usr/lib/libtcl8.4.so
#15 0x40037c80 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so
#16 0x4003862a in Tcl_EvalEx () from /usr/lib/libtcl8.4.so
---Type <return> to continue, or q <return> to quit---
#17 0x400728b8 in Tcl_FSEvalFile () from /usr/lib/libtcl8.4.so
#18 0x40078c5a in Tcl_Main () from /usr/lib/libtcl8.4.so
#19 0x08052f89 in hping_script (argc=2, argv=0xbffffd08) at script.c:1356
#20 0x0804a3b6 in main (argc=2, argv=0xbffffd04) at main.c:186
#21 0x400ffcc9 in __libc_start_main (main=0x804a360 <main>, argc=3,
    argv=0xbffffd04, init=0x8049a5c <_init>, fini=0x8065e5c <_fini>,
    rtld_fini=0x4000ad04 <_dl_fini>, stack_end=0xbffffcfc)
    at ../sysdeps/generic/libc-start.c:92
(gdb) info reg
eax            0x8094418        134824984
ecx            0x401c0000       1075576832
edx            0x8094418        134824984
ebx            0x401c465c       1075594844
esp            0xbffed81c       0xbffed81c
ebp            0xbffed844       0xbffed844
esi            0x401c2c28       1075588136
edi            0x8094408        134824968
eip            0x40137b19       0x40137b19
eflags         0x297    663
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x20     32
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x40060043       1074135107
foseg          0x2b     43
fooff          0xe6b4   59060
fop            0x7a3    1955

Bug Report: hping3-alpha-2 with TCL 8.5
  • hping version: 3.0.0-alpha-2 (tar.gz)
  • OS: Trustix 2.1 - Linux 2.4.25-8tr
  • GCC: 3.3.3
  • TCL: 8.5
  • LIBPCAP: 0.8.3

This isn't really a bug..more of an incompatibility which can be resolved using the below steps. I didn't find any directions on this site as to which version of TCL should be used or is supported.
To get hping3-alpha-2 to compile with TCL 8.5 installed, I had to manually make the following changes to the configure file :
line 66 :
   for TCLVER_TRY in "8.4" "8.3" "8.2" "8.1" "8.0"

becomes :
   for TCLVER_TRY in "8.5" "8.4" "8.3" "8.2" "8.1" "8.0"

line 90-92 :
   elif [ -e /usr/local/include/tcl${TCL_VER} ]        

becomes :
   elif [ -e /usr/local/include/tcl.h ]        

(make and make install completed without errors.)
PS - I'm no installer guru, and I hope this isn't a distro specific thing. I just adjusted them as I saw fit. Hope this is correct!


Bug Report: hping2 rc3 fails to compile on AMD64 and probably Intel 64 Bit processors.
  • hping version: 2.0.0 rc3 (tar.gz)
  • OS: SuSE Linux 9.2 ADM64 (Kernel 2.6.8-24)
  • GCC: 3.3.4

Reason: The file bytesex.h does not include detection of the said architectures.
Solution: Add __ia64__ and __amd64__ to the list of architectures. Patch the file bytesex.h as follows:
#if     defined(__i386__) \
        || defined(__ia64__) \
        || defined(__amd64__) \
        || defined(__alpha__) \
        || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))

Now run "make" again. Good Luck! Eisfuchs

Bug Report : hping3 doesn't set the window scale TCP option correctly

OS: Knoppix 3.4 (Kernel 2.4.27) Hping version: Hping3 Alpha2 (CVS) GCC version: 3.3.5 TCL version: 8.4 Libpcap: 0.8
Patch: file apd.c line 559
   tcpopt->un.win.shift = htons(ars_atou(v));

   tcpopt->un.win.shift = ars_atou(v);

Good luck,

matth 27Jul2005 : hping3 does not check properly command line options
  • OS: Debian SID (Kernel 2.6.11)
  • Hping version: Hping3 (CVS)
  • GCC version: 3.3.5
  • TCL version: 8.4

 # hping3 hostname -1 --debug -m
 hping: option requires an argument -- m
 Try hping --help

 # hping3 hostname -1 -m --debug
 -- infinte loop here CPU=100% --

the virtual mtu seems to be set to 0 if no args passed to -m (and not at the end of the line)

 # hping3 hostname -m -1
 Specified MTU too high, fixed to 65535.

Maybe I'm missing the point, but I don't really see why -m and -d have AGO_EXCEPT0 flags.
sxav 09.12.2005: net/bpf.h file not found
  • OS: Linux x86-64 (LFS)
  • Hping3s (cvs)
  • GCC 4.0.1
  • TCL 8.4
  • Libpcap 0.9.3
Error message:
error: net/bpf.h: No such file or directory

In last version of libpcap, net/bpf.h has been moved to pcap-bpf.h and it's automatically included in pcap.h. So net/bpf.h shouldn't be included anymore... Patch:
--- hping3s/script.c.orig       2005-09-12 00:52:35.000000000 +0200
+++ hping3s/script.c    2005-09-12 00:53:00.000000000 +0200
@@ -24,7 +24,6 @@
 #include <sys/ioctl.h>
 #include <pcap.h>
-#include <net/bpf.h>
 #include "release.h"
 #include "hping2.h"  
--- hping3s/libpcap_stuff.c.orig        2005-09-12 00:52:47.000000000 +0200
+++ hping3s/libpcap_stuff.c     2005-09-12 00:53:09.000000000 +0200
@@ -17,7 +17,6 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <pcap.h>
-#include <net/bpf.h>
 #include "globals.h"

bold Alternatively:
   mkdir /usr/local/include/net/
   ln -sf /usr/include/pcap-bpf.h /usr/local/include/net/bpf.h

Checksum of returned packet

in waitpacket.c the checksum of the returned packet (= not the one generated by hping2-rc3) is reported not correctly in verbose mode. It should take the bytes the other way round, shouldn't it. The following diff provides me with results that are at least identical to what ethereal tells me.
See waitpacket.c.diff attached below.
Bye, bye,

SIGSEGV with hping2-rc3

here it is - a trivial patch to avoid SIGSEGV on a rare occasion.
diff -Nurp datafiller.c.orig datafiller.c > datafiller.c.diff
Bye, bye,

Error in configure script
(Tue Oct 31 00:32:13 CET 2006)
In ping3-20051105, the configure script states in line 96:
echo "==> WARNING: no Tcl header files found!"

which should be:
echo "==> WARNING: no Tcl header files found."

because the former one results in:
./configure: line 96: !": event not found

with me.

OS: OSX 10.4.8
I know it is mostly tested with Linux, but I figured what the heck???

gcc -c -O2 -Wall   -DUSE_TCL -g  main.c
gcc -c -O2 -Wall   -DUSE_TCL -g  getifname.c
getifname.c: In function 'get_output_if':
getifname.c:343: warning: pointer targets in passing argument 3 of 'getsockname' differ in signedness
gcc -c -O2 -Wall   -DUSE_TCL -g  getlhs.c
gcc -c -O2 -Wall   -DUSE_TCL -g  parseoptions.c
gcc -c -O2 -Wall   -DUSE_TCL -g  datafiller.c
gcc -c -O2 -Wall   -DUSE_TCL -g  datahandler.c
gcc -c -O2 -Wall   -DUSE_TCL -g  binding.c
gcc -c -O2 -Wall   -DUSE_TCL -g  logicmp.c
gcc -c -O2 -Wall   -DUSE_TCL -g  waitpacket.c
gcc -c -O2 -Wall   -DUSE_TCL -g  sendip.c
gcc -c -O2 -Wall   -DUSE_TCL -g  sendicmp.c
gcc -c -O2 -Wall   -DUSE_TCL -g  sendudp.c
gcc -c -O2 -Wall   -DUSE_TCL -g  sendtcp.c
gcc -c -O2 -Wall   -DUSE_TCL -g  cksum.c
gcc -c -O2 -Wall   -DUSE_TCL -g  statistics.c
gcc -c -O2 -Wall   -DUSE_TCL -g  version.c
gcc -c -O2 -Wall   -DUSE_TCL -g  listen.c
gcc -c -O2 -Wall   -DUSE_TCL -g  sendhcmp.c
gcc -c -O2 -Wall   -DUSE_TCL -g  rtt.c
gcc -c -O2 -Wall   -DUSE_TCL -g  relid.c
gcc -c -O2 -Wall   -DUSE_TCL -g  sendip_handler.c
gcc -c -O2 -Wall   -DUSE_TCL -g  libpcap_stuff.c
In file included from libpcap_stuff.c:20:
/usr/include/net/bpf.h:93: error: redefinition of 'struct bpf_program'
/usr/include/net/bpf.h:118: error: redefinition of 'struct bpf_version'
/usr/include/net/bpf.h:321: error: redefinition of 'struct bpf_insn'
libpcap_stuff.c: In function 'pcap_recv':
libpcap_stuff.c:61: warning: pointer targets in assignment differ in signedness
make: *** [libpcap_stuff.o] Error 1

so it all compiles except the libpcap_stuff.c (obviously). I am too lazy to figure out why....maybe someone else is motivated enough??? :)

This is because some stuff is in pcap-bpf.h AND net/bpf.h IF you have installed libpcap with fink (not sure about other setups). A dirty workaround that helped me, was to remove
#include <net/bpf.h>

from the sript.c and libpcap-stuff.c (see sxav comment above). This still leads to a compile error, because pcap.h dont defines a needed constant called BIOCIMMEDIATE. This can be solved easy by copying the needed constant from net/bpf.h
#define BIOCIMMEDIATE  _IOW('B',112, u_int)

now you should be able to compile and run hping3.
I just wrote this in case other osx users run over the issue. Im not sure how to fix this the "correct way" in the cvs, so i dont change anything.
As I am a non-native english speaker, can someone please correct typos, thanks.


OpenSuSE 10.2 has problems compiling hping 3 with gcc 4.1.2 20061115 (prerelease) (SUSE Linux), tcl-8.4.14-11. Here are patches that worked for me.
*** Makefile-orig       Wed Aug 22 10:40:02 2007
--- Makefile    Wed Aug 22 10:40:17 2007
*** 50,56 ****
        $(RANLIB) $@

  hping3: byteorder.h $(OBJ)
!       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl -lm -lpthread
        ./hping3 -v
        @echo "use \`make strip' to strip hping3 binary"
--- 50,56 ----
        $(RANLIB) $@

  hping3: byteorder.h $(OBJ)
!       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl8.4 -lm -lpthread
        ./hping3 -v
        @echo "use \`make strip' to strip hping3 binary"
*** bytesex.h-orig      Wed Aug 22 10:43:57 2007
--- bytesex.h   Wed Aug 22 10:43:59 2007
*** 9,14 ****
--- 9,15 ----

  #if   defined(__i386__) \
        || defined(__alpha__) \
+       || defined(__x86_64) \
        || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
  #elif         defined(__mc68000__) \
*** libpcap_stuff.c-orig        Wed Aug 22 10:38:06 2007
--- libpcap_stuff.c     Wed Aug 22 10:38:26 2007
*** 17,23 ****
  #include <stdlib.h>
  #include <sys/ioctl.h>
  #include <pcap.h>
! #include <net/bpf.h>

  #include "globals.h"

--- 17,23 ----
  #include <stdlib.h>
  #include <sys/ioctl.h>
  #include <pcap.h>
! #include <pcap-bpf.h>

  #include "globals.h"

*** script.c-orig       Wed Aug 22 10:38:46 2007
--- script.c    Wed Aug 22 10:39:23 2007
*** 24,30 ****

  #include <sys/ioctl.h>
  #include <pcap.h>
! #include <net/bpf.h>

  #include "release.h"
  #include "hping2.h"
--- 24,30 ----

  #include <sys/ioctl.h>
  #include <pcap.h>
! #include <pcap-bpf.h>

  #include "release.h"
  #include "hping2.h"


Edit this page Upload file Page history - Page last update: Wed Jan 20 15:14:59 GMT 2010 by | Your address: | Admin