Differences for page Open bugs -- hping network security tool

hping wiki

Differences for page Open bugs

Current version compared with version Thu Sep 13 08:30:36 GMT 2007

...
  
  Please write the bug report in any case even if you have only some of this information.
  
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12
  
+ Buffer overflow is in place when options --scan and -t uses at the same time. At the list below I used ttl 1 (there are two hops to the target 10.201.1.100). But situation is the same for any ttl=target_ttl-1 and less. Also I mentioned that if I use one remote port to scan sometimes issue not shown and I can see the normal output of hping. Situation is the same both for hping2 and hping3.
+ 
+ root@bt:~# traceroute -T 10.201.1.100
+  traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+  1  my.firewall (10.201.2.1)  5.406 ms  10.532 ms  15.561 ms
+  2  10.201.1.100 (10.201.1.100)  58.799 ms  60.190 ms  61.298 ms
+ 
+ root@bt:~# hping -S -p 80 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+  len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  2 packets transmitted, 2 packets received, 0% packet loss
+  round-trip min/avg/max = 4.9/4.9/4.9 ms
+ 
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  3 packets transmitted, 3 packets received, 0% packet loss
+  round-trip min/avg/max = 0.0/0.0/0.0 ms
+ 
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+  *** buffer overflow detected ***: hping terminated
+  ======= Backtrace: =========
+  /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+  /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+  hping[0x8050529]
+  hping[0x805100a]
+  hping[0x8049be8]
+  /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+  hping[0x8049461]
+  ======= Memory map: ========
+  08048000-08058000 r-xp 00000000 03:05 1058310    /usr/sbin/hping2
+  08058000-0805a000 rw-p 0000f000 03:05 1058310    /usr/sbin/hping2
+  0805a000-08060000 rw-p 00000000 00:00 0
+  080fb000-0811c000 rw-p 00000000 00:00 0          [heap]
+  b7d98000-b7da5000 r-xp 00000000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da5000-b7da6000 r--p 0000c000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da6000-b7da7000 rw-p 0000d000 03:05 1038415    /lib/libgcc_s.so.1
+  b7db9000-b7e7a000 rw-s 00000000 00:08 1736725    /SYSV00000000 (deleted)
+  b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd2000-b7fd4000 r--p 00158000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+  b7fea000-b7fec000 rw-p 00000000 00:00 0
+  b7fec000-b8006000 r-xp 00000000 03:05 1038373    /lib/ld-2.8.90.so
+  b8006000-b8007000 rw-p 00000000 00:00 0
+  b8007000-b8008000 r--p 0001a000 03:05 1038373    /lib/ld-2.8.90.so
+  b8008000-b8009000 rw-p 0001b000 03:05 1038373    /lib/ld-2.8.90.so
+  bf8fd000-bf912000 rw-p 00000000 00:00 0          [stack]
+  ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
+  Aborted
+  Not responding ports: (80 www)
+  All replies received. Done.
+ 
+ root@bt:~# hping -S --scan 80 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+     80 www        : .S..A... 127 46672 65535
+  All replies received. Done.
+  Not responding ports:
+ 
+ ------------------------------------------------------------
+ 
+ 
  ----
  *FIXME fixed:* The IP id issue for fragments can be resolved with this path. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
  Index: sendip.c
...

The following is the old page content

Please, write here your bug report, and a patch if you have it.
You should specify (ideally):

-> Operating system and version
-> Hping version
-> GCC version if you have access to the info
-> Tcl/Tk version you linked against
-> How to reproduce the bug.

Please write the bug report in any case even if you have only some of this information.

----
*FIXME fixed:* The IP id issue for fragments can be resolved with this path. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
Index: sendip.c
 ===================================================================
 RCS file: /cvsroot/hping2/hping3s/sendip.c,v
 retrieving revision 1.2
 diff -r1.2 sendip.c
 67c67,68
 < 	else /* if you need fragmentation id must not be randomic */
 ---
 > 	else /* if you need fragmentation id must not be random but all fragments belonging to the
 > 		  * the same IP packet must have the same id that is unique amongst other fragments. */
 69,73c70,79
 < 		/* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
 < 		/*        for every frame sent */
 < 		ip->id		= (src_id == -1) ?
 < 			htons(getpid() & 255) :
 < 			htons((unsigned short) src_id);
 ---
 > 		if(src_id == -1)
 > 		{
 > 			__u16 b16_counter = (__u16)sent_pkt;
 > 			__u16 b16_pid = getpid() & 0xff;
 > 			ip->id = htons(b16_pid + b16_counter);
 > 		}
 > 		else
 > 		{
 > 			ip->id = htons((unsigned short) src_id);
 > 		}
----
*Bug Report:* Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch)
It is the same bug that was already discovered in the ars.c file but this one is in the cksum.c file:
Change line 22 of cksum.c.
 *((__u16 *) &oddbyte) = *(__u16 *) buf;
To
 *((__u16 *) &oddbyte) = *(__u8 *) buf;
----
*Bug Report:* Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)

One can not send packets with the maximal size of 65535 byte.
Patch attached to fix this problem : {patch_maxsize.diff}
----
*Bug Report:* Too early auto-fragmentation (oliver dot stampfli at epfl dot ch)

The problem is that if someone wants to send packets with exactly the MTU size of an interface then
hping activates auto-fragmentation although it is not needed at this point. The effect is that
one cannot send MTU sized packets with the DF bit on.
After this patch hping will send packets with exactly the same packet size but it will no more
activate the auto-fragment mode too early and therefore one can send packets with MTU size that
still have the DF bit set.

diff -urb hping3s/sendip_handler.c hping3.work/sendip_handler.c
        --- hping3s/sendip_handler.c        2003-09-01 02:22:06.000000000 +0200
        +++ hping3.work/sendip_handler.c   2007-05-29 11:03:07.000000000 +0200
        @@ -19,7 +19,7 @@
         {
                ip_optlen = ip_opt_build(ip_opt);
         
        -       if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu))
        +       if (!opt_fragment && (size+ip_optlen+20 > h_if_mtu))
                {
                        /* auto-activate fragmentation */
                        virtual_mtu = h_if_mtu-20;

----
*Bug Report:* hping2 and hping3 accepts ICMP error messages which are not meant for it. (oliver dot stampfli at epfl dot ch)

OS: any
Hping version: any 
GCC: any
Tcl/Tk any

When you do with a host H a 'traceroute H' and a 'hping -A -p 22 -fast -q H' at the same time then hping wrongly takes
the ICMP ttl exceeded messages meant for traceroute for its own.
The problem is that hping machtes these ICMP packets only on the IP addresses and not on other criterias.

From `waitpacket.c` in method `recv_icmp`:
        /* ------------------------------------ *
	 * ICMP DEST UNREACHABLE, TIME EXCEEDED *
	 * ------------------------------------ */
	else if (icmp.type == 3 || icmp.type == 11) {
		if ((size - ICMPHDR_SIZE) < sizeof(struct myiphdr)) {
			printf("[|icmp quoted ip]\n");
			return 0;
		}
		memcpy(&quoted_ip, packet+ICMPHDR_SIZE, sizeof(quoted_ip));
		if (memcmp(&quoted_ip.daddr, &remote.sin_addr,
			sizeof(quoted_ip.daddr)) ||
		    memcmp(&ip.daddr, &local.sin_addr, sizeof(ip.daddr)))
			return 0; /* addresses don't match */
		/* Now we can handle the specific type */
		switch(icmp.type) {
		case 3:
			if (!opt_quiet)
				log_icmp_unreach(inet_ntoa(src), icmp.code);
			return 1;
		case 11:
			if (opt_traceroute)
				log_traceroute(packet, size, icmp.code);
			else
				log_icmp_timeexc(inet_ntoa(src), icmp.code);
			return 1;
		}
        }

I don't know if this problem exists also for different packet types but it is very likely.
I think this is not too hard to fix:
-> if src_id != -1 then compare the src_id with &quoted_ip.id
-> if src_id == -1 then you would have to have saved the ids of your previous sent packets (because they were random) and compare &quoted_ip.id to them.

Note that this would not entirely fix the problem because (in this case) traceroute could use the same id numbers by accident but this is not very likely.
BEWARE of including a fix signature in the data part and mark all packets from hping this way to can easily recognize them because IDSs and Firewalls could then recognize them too.

Any discussion on this is appreciated... please write me an e-mail.

----
Bug Report: hping2 uses 127.0.0.1 for its source IP for all packets. (erickson at netapp.com)

OS: 2.6.11-1.27_FC3smp
Hping version: 2.0.0-rc3
gcc version 3.4.3

All of the hping packets have 127.0.0.1 for the source ip when using tcp mode.
The server where this is running has 587 routes, 512 IP aliases configured, other
than that it is pretty normal.

hping -1 <IP> succeeds, and the source IP is correct, but hping <IP> does not,
all the source IPs are the loopback IP.

----
*Bug Report:* Hping2-rc3 ALWAYS dies on OS X on Intel Processors with: "\[send_ip\] sendto: Invalid argument" (nathan dot stocks at gmail dot com)

`Fix is documented here: [link http://lists.apple.com/archives/macnetworkprog/2006/Jun/msg00049.html]`

*OS:* OS X 10.4 on Intel

*Hping:* 2.0.0-rc3

*GCC:* i686-apple-darwin8-gcc-4.0.1 (GCC) 4.0.1 (Apple Computer, Inc. build 5363)

*TCL:* 8.4.12

Walking through the fix (documented at the link above), here are the specific patches that need to be applied to hping2-rc3 to make it work on OS X 10.4 on Intel processors:

--- libpcap_stuff.c.org 2006-01-23 17:58:11.000000000 +0100
 +++ libpcap_stuff.c     2006-01-23 17:58:46.000000000 +0100
 @@ -16,8 +16,8 @@
  #include <string.h>
  #include <stdlib.h>
  #include <sys/ioctl.h>
 -#include <pcap.h>
  #include <net/bpf.h>
 +#include <pcap.h>
  
  #include "globals.h"

--- ars.c.orig  2006-11-20 13:20:01.000000000 -0700
 +++ ars.c       2006-11-20 13:20:46.000000000 -0700
 @@ -830,7 +830,7 @@
                 return -ARS_INVALID;
         }
         ip = (struct ars_iphdr*) packet;
 -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
 +#if defined OSTYPE_DARWIN || defined  OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
         ip->tot_len = ntohs(ip->tot_len);
         ip->frag_off = ntohs(ip->frag_off);
  #endif

--- sendip.c.orig       2006-11-20 13:23:28.000000000 -0700
 +++ sendip.c    2006-11-20 13:23:05.000000000 -0700
 @@ -48,7 +48,8 @@
         ip->ihl         = (IPHDR_SIZE + optlen + 3) >> 2;
         ip->tos         = ip_tos;
  
 -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
 +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
 +/* OS X */
  /* FreeBSD */
  /* NetBSD */
         ip->tot_len     = packetsize;
 @@ -73,7 +74,8 @@
                         htons((unsigned short) src_id);
         }
  
 -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
 +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
 +/* OS X */
  /* FreeBSD */
  /* NetBSD */
         ip->frag_off    |= more_fragments;

----

*Bug Report: Hping3s compile error: ../hping3s/main.c:186: undefined reference to 'hping_script' (zarxcky, z4rxcky AT inbox DOT com)

OS: Suse Linux Pro 9.3

Hping version: Hping3s

GCC version: gcc-3.3.5-5

TCL version: tcl-8.4.9-7

Hping3s failed to compile on my Suse 9.3 box. The following error are seen during compiling time:

./configure does not give any problem, but when trying to run make, there is 1 error which is stated below:

main.o(.text+0x52): In function 'main':
../../hping3s/main.c:186: undefined reference to 'hping_script'
collect2: ld returned 1 exit status
make: *** [hping3] Error 1

So far look like nobody else get the same error as I got. Any ideas?

{*Solution1:*}
{`I was getting the exact same error when trying to compile the source.`}
{`I had to do a 'make strip' before 'make' for hping to compile successfully.`}

{*Solution2:*}
I had to do a {'make clean'} before 'make' for hping to compile successfully.

*Solution3:* [mekanik]

I had to remove the following list of files and then rerun "*./configure && make*" for hping to compile successfully with TCL support.
 -rw-r--r--  1 root     root     20020 Feb 19 03:04 rapd.o
 -rw-r--r--  1 root     root     16996 Feb 19 03:04 split.o
 -rw-r--r--  1 root     root     43840 Feb 19 03:04 apd.o
 -rw-r--r--  1 root     root     27540 Feb 19 03:04 ars.o
 -rw-r--r--  1 root     root     19172 Feb 19 03:04 scan.o
 -rw-r--r--  1 root     root      5044 Feb 19 03:04 arsglue.o
 -rw-r--r--  1 root     root      8840 Feb 19 03:04 send.o
 -rw-r--r--  1 root     root      4684 Feb 19 03:04 sendrawip.o
 -rw-r--r--  1 root     root      6684 Feb 19 03:04 display_ipopt.o
 -rw-r--r--  1 root     root      5620 Feb 19 03:04 ip_opt_build.o
 -rw-r--r--  1 root     root      6324 Feb 19 03:04 libpcap_stuff.o
 -rw-r--r--  1 root     root      6496 Feb 19 03:04 sendip_handler.o
 -rw-r--r--  1 root     root      4712 Feb 19 03:04 relid.o
 -rw-r--r--  1 root     root      6968 Feb 19 03:04 rtt.o
 -rw-r--r--  1 root     root      5708 Feb 19 03:04 sendhcmp.o
 -rw-r--r--  1 root     root      6516 Feb 19 03:04 listen.o
 -rw-r--r--  1 root     root      4556 Feb 19 03:04 version.o
 -rw-r--r--  1 root     root      5788 Feb 19 03:04 statistics.o
 -rw-r--r--  1 root     root      4504 Feb 19 03:04 cksum.o
 -rw-r--r--  1 root     root      8344 Feb 19 03:04 sendtcp.o
 -rw-r--r--  1 root     root      6944 Feb 19 03:04 sendudp.o
 -rw-r--r--  1 root     root     11872 Feb 19 03:04 sendicmp.o
 -rw-r--r--  1 root     root      8272 Feb 19 03:04 sendip.o
 -rw-r--r--  1 root     root     23604 Feb 19 03:04 waitpacket.o
 -rw-r--r--  1 root     root      6528 Feb 19 03:04 logicmp.o
 -rw-r--r--  1 root     root      5268 Feb 19 03:04 binding.o
 -rw-r--r--  1 root     root      5332 Feb 19 03:04 datahandler.o
 -rw-r--r--  1 root     root      5936 Feb 19 03:04 datafiller.o
 -rw-r--r--  1 root     root     26008 Feb 19 03:04 parseoptions.o
 -rw-r--r--  1 root     root      6624 Feb 19 03:04 getlhs.o
 -rw-r--r--  1 root     root      9932 Feb 19 03:04 getifname.o
 -rw-r--r--  1 root     root     21200 Feb 19 03:04 main.o
 -rw-r--r--  1 root     root        86 Feb 19 03:04 systype.h
 -rw-r--r--  1 root     root      2460 Feb 19 03:04 Makefile
 -rw-r--r--  1 root     root       177 Feb 19 03:04 byteorder.h
 -rwxr-xr-x  1 root     root      5458 Feb 19 03:04 byteorder
----

*Bug Report: Hping3 does not compile on Solaris 8* (Jim Halfpenny, jim AT watersheep DOT org)

OS: SunOS 5.8 Generic_108528-13 sun4u sparc

Hping version: Hping3s

GCC version: 3.3

TCL version: none

Hping3 fails to compile on my Solaris box. The following errors are seen at compile time:

In file included from arsglue.c:7:
 ars.h:186: error: parse error before "u_int8_t"
 ars.h:186: warning: no semicolon at end of struct or union
 ars.h:191: warning: type defaults to `int' in declaration of `tos'
 ars.h:191: warning: data definition has no type or storage class
 ars.h:192: error: parse error before "tot_len"
 ars.h:192: warning: type defaults to `int' in declaration of `tot_len'
 ars.h:192: warning: data definition has no type or storage class
 <snip>

Any ideas?

[antirez] 27May2004:

That's very simple to fix, just add this lines at top of ars.h:

#define u_int8_t unsigned char
 #define u_int16_t unsigned short
 #define u_int32_t unsigned int

and all should compile without problem. Please if this really fix
the probelm write it here (or otherwise), so I know if it's worth
to commit the change to the CVS. Thanks.

[underdog] 17June2004:

-> hping version: 3.0.0-alpha-1
-> OS: Linux 2.4.22
-> GCC: 3.3.2
-> TCL: 8.3.5

-> TARGET SYSTEM: Linux 2.4.7

hping --scan option seems to be flaky:

I run hping -S --scan 1-200 10.1.1.1 against a machine that has ftp, ssh, http, and samba on it:

[root@linuxlaptop root]# hping --scan 1-200 -S 10.1.1.1

Scanning 10.1.1.1 (10.1.1.1), port 1-200
   200 ports to scan, use -V to see all the replies
   +----+-----------+---------+---+-----+-----+-----+
   |port| serv name |  flags  |ttl| id  | win | len | 
   +----+-----------+---------+---+-----+-----+-----+
      21 ftp        : .S..A...  64     0  5840    46
      22 ssh        : .S..A...  64     0  5840    46
   All replies received. Done.
   Not responding ports:

I run the command hping -S --scan 138-139 10.1.1.1 and it returns telling me that ports 139 is open:

[root@linuxlaptop root]# hping --scan 138-139 -S 10.1.1.1
   Scanning 10.1.1.1 (10.1.1.1), port 138-139
   2 ports to scan, use -V to see all the replies
   +----+-----------+---------+---+-----+-----+-----+
   |port| serv name |  flags  |ttl| id  | win | len |
   +----+-----------+---------+---+-----+-----+-----+
     139 netbios-ssn: .S..A...  64     0  5840    46
   All replies received. Done.
   Not responding ports:

I can do a hping -S -p ++1 10.1.1.1 and it does return with all the correct ports being open.  It appears that something is up with the --scan option.  Thanks

[underdog] update

I figured out that apparently the beginning port on the scan option needs to be within 36ish ports to see a port open.
Example below...notice the beginning port number on each scan and the results:

[root@linuxlaptop hping2-rc3]# hping -S --scan 44-100 10.1.1.1
   Scanning 10.1.1.1 (10.1.1.1), port 44-100
   57 ports to scan, use -V to see all the replies
   +----+-----------+---------+---+-----+-----+
   |port| serv name |  flags  |ttl| id  | win |
   +----+-----------+---------+---+-----+-----+
      53 domain     : .S..A...  64     0  5840
      80 http       : .S..A...  64     0  5840
   All replies received. Done.
   Not responding ports:

[root@linuxlaptop hping2-rc3]# hping -S --scan 43-100 10.1.1.1
   Scanning 10.1.1.1 (10.1.1.1), port 43-100
   58 ports to scan, use -V to see all the replies
   +----+-----------+---------+---+-----+-----+
   |port| serv name |  flags  |ttl| id  | win |
   +----+-----------+---------+---+-----+-----+
      53 domain     : .S..A...  64     0  5840
   All replies received. Done.
   Not responding ports:

End

[antirez] 18June2004:

Thanks for the report [underdog]. There is something of odd here, not related to the fact that hping3 may send packets
too fast probably. May you try if it works if you add --fast to the command line? And more important is to try

and report here the same scan with the -V switch added. This can help a lot. Thanks for your support.

[underdog] 22June2004:

The --fast option does seem to fix this issue.  I should have mentioned that this is going over a wireless connection also.  That could have
something to do with it.  Also it appears that Linux behaves totally different from the TCP/IP behavior than the windows sytems I have tested.

Thanks antirez.

End

Philippe Lovis (binomial at gmx dot net), 26June2004:

-> hping version: 3.0.0-alpha-2
-> OS: Linux 2.6.6
-> GCC: 3.3.4
-> TCL: 8.4.6

There is a bug in ars_multi_cksum() in ars.c which corrupts the TCP checksum if the oddbyte flag is set. You can reproduce the bug i.e. with:

append syn "ip(saddr=127.0.0.1,daddr=127.0.0.1)"
 append syn "+tcp(sport=80,dport=22,flags=s)"
 append syn "+tcp.nop()+tcp.mss(size=255)"
 hping send $syn

tcpdump -i lo -v will report a 'bad tcp cksum'.

Fix: Adapt line 453 in ars.c from

*((u_int16_t *) &oddbyte) |= *(u_int16_t *) buf;

*((u_int16_t *) &oddbyte) |= *(u_int8_t *) buf;

And some little detail: RFC793 states that the padding bytes of the TCP options should be 0x0, but hping3 fills the padding bytes with 0x1.

Fix: Adapt line 778 in ars.c (in ars_compiler_tcpopt()) from

memset(t+cur_size, ARS_TCPOPT_NOP, padding);

memset(t+cur_size, ARS_TCPOPT_EOL, padding);

[Flibble] 09July2004:

-> hping version: 3.0.0-alpha-2 (CVS)
-> OS: Fedora Core 2 - Linux 2.6.5
-> GCC: 3.3.3
-> TCL: 8.4.5
-> LIBPCAP: 0.8.3

In order to complete the compile I needed to change references from net/bpf.h to pcap-bpf.h 
in libpcap_stuff.c and script.c.  Compiled and RPM'd fine after that, will check functionality and post results.

----

Bug Report: hping crashes

OS: linux-2.2.25-ow1

Hping version: version 3.0.0-alpha-2

GCC version: gcc version 2.95.3 20010315 (release)

TCL version: tcl8.4.6

steps to reproduce the bug: 
 1. hping exec passivets.htcl
 2. ftp from machine in this subnet and transfer some files
 3. ftp from machine in other subnet and transfer some files

gdb information: 
 bash-2.05# gdb ../hping3
 GNU gdb 5.0 (UI_OUT)
 Copyright 2000 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-unknown-linux"...
 (gdb) set args exec passivets.htcl
 (gdb) r
 Starting program: /home/dima/src/hping3-alpha-2/lib/../hping3 exec passivets.htc
 l
 [New Thread 1024 (runnable)]
 192.168.22.81 (192.168.22.81) UPTIME=0 days, 2 hours, 49 minutes, 17 seconds
 192.168.22.193 (192.168.22.193) UPTIME=0 days, 0 hours, 0 minutes, 14 seconds
 192.168.22.85 (192.168.22.85) UPTIME=0 days, 0 hours, 0 minutes, 13 seconds
 
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 1024 (runnable)]
 0x40137b19 in chunk_free (ar_ptr=0x401c2c20, p=0x8094408) at malloc.c:3111
 3111    malloc.c: No such file or directory.
         in malloc.c
 (gdb) bt
 #0  0x40137b19 in chunk_free (ar_ptr=0x401c2c20, p=0x8094408) at malloc.c:3111
 #1  0x401379ae in __libc_free (mem=0x8094410) at malloc.c:3023
 #2  0x08056a64 in ars_remove_layer (pkt=0xbffed948, layer=3) at ars.c:385
 #3  0x0805a460 in ars_split_tcp (pkt=0xbffed948, packet=0xbffeee5a, size=8,
     state=0xbffed914, len=0xbffed918) at split.c:394
 #4  0x08059f23 in ars_split_packet (packet=0xbffeee2a, size=56, ipoff=0,
     pkt=0xbffed948) at split.c:132
 #5  0x08051322 in GetPacketDescription (data=0xbffeee2a "E", len=56, hexdata=0)
     at script.c:274
 #6  0x0805150e in HpingRecvPackets (ra=0x807df60, interp=0x8083b48,
     o=0x80914b0, timeout=-1, maxpackets=1, rapd=1, hexdata=0) at script.c:352
 #7  0x0805167c in __HpingRecvCmd (clientData=0x0, interp=0x8083b48, objc=4,
     objv=0x80859a0, rapd=1, hexdata=0) at script.c:412
 #8  0x08051726 in HpingRecvCmd (clientData=0x0, interp=0x8083b48, objc=4,
     objv=0x80859a0) at script.c:438
 #9  0x080524aa in HpingObjCmd (clientData=0x0, interp=0x8083b48, objc=4,
     objv=0x80859a0) at script.c:857
 #10 0x40037c80 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so
 #11 0x4005a2f4 in TclExecuteByteCode () from /usr/lib/libtcl8.4.so
 #12 0x400597e0 in TclCompEvalObj () from /usr/lib/libtcl8.4.so
 #13 0x40038b95 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so
 #14 0x40049089 in Tcl_WhileObjCmd () from /usr/lib/libtcl8.4.so
 #15 0x40037c80 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so
 #16 0x4003862a in Tcl_EvalEx () from /usr/lib/libtcl8.4.so
 ---Type <return> to continue, or q <return> to quit---
 #17 0x400728b8 in Tcl_FSEvalFile () from /usr/lib/libtcl8.4.so
 #18 0x40078c5a in Tcl_Main () from /usr/lib/libtcl8.4.so
 #19 0x08052f89 in hping_script (argc=2, argv=0xbffffd08) at script.c:1356
 #20 0x0804a3b6 in main (argc=2, argv=0xbffffd04) at main.c:186
 #21 0x400ffcc9 in __libc_start_main (main=0x804a360 <main>, argc=3,
     argv=0xbffffd04, init=0x8049a5c <_init>, fini=0x8065e5c <_fini>,
     rtld_fini=0x4000ad04 <_dl_fini>, stack_end=0xbffffcfc)
     at ../sysdeps/generic/libc-start.c:92
 (gdb) info reg
 eax            0x8094418        134824984
 ecx            0x401c0000       1075576832
 edx            0x8094418        134824984
 ebx            0x401c465c       1075594844
 esp            0xbffed81c       0xbffed81c
 ebp            0xbffed844       0xbffed844
 esi            0x401c2c28       1075588136
 edi            0x8094408        134824968
 eip            0x40137b19       0x40137b19
 eflags         0x297    663
 cs             0x23     35
 ss             0x2b     43
 ds             0x2b     43
 es             0x2b     43
 fs             0x0      0
 gs             0x0      0
 fctrl          0x37f    895
 fstat          0x20     32
 ftag           0xffff   65535
 fiseg          0x23     35
 fioff          0x40060043       1074135107
 foseg          0x2b     43
 fooff          0xe6b4   59060
 fop            0x7a3    1955

----

Bug Report: hping3-alpha-2 with TCL 8.5

-> hping version: 3.0.0-alpha-2 (tar.gz)
-> OS: Trustix 2.1 - Linux 2.4.25-8tr
-> GCC: 3.3.3
-> TCL: 8.5
-> LIBPCAP: 0.8.3

This isn't really a bug..more of an incompatibility which can be resolved using the below 
steps. I didn't find any directions on this site as to which version of TCL should be used
or is supported.

To get hping3-alpha-2 to compile with TCL 8.5 installed, I had to manually make the following
changes to the configure file :

line 66 :

for TCLVER_TRY in "8.4" "8.3" "8.2" "8.1" "8.0"

becomes :

for TCLVER_TRY in "8.5" "8.4" "8.3" "8.2" "8.1" "8.0"

line 90-92 :

elif [ -e /usr/local/include/tcl${TCL_VER} ]        
    then                                                
        TCL_INC="-I/usr/local/include/tcl${TCL_VER}"

becomes :

elif [ -e /usr/local/include/tcl.h ]        
    then                                                
        TCL_INC="-I/usr/local/include"

(make and make install completed without errors.)

PS - I'm no installer guru, and I hope this isn't a distro specific thing. 
I just adjusted them as I saw fit. Hope this is correct!

Stephen.

----

Bug Report: hping2 rc3 fails to compile on AMD64 and probably Intel 64 Bit processors.

-> hping version: 2.0.0 rc3 (tar.gz)
-> OS: SuSE Linux 9.2 ADM64 (Kernel 2.6.8-24)
-> GCC: 3.3.4

*Reason:*
The file bytesex.h does not include detection of the said architectures.

*Solution:*
Add __ia64__ and __amd64__ to the list of architectures. Patch the file bytesex.h as follows:

#if     defined(__i386__) \
         || defined(__ia64__) \
         || defined(__amd64__) \
         || defined(__alpha__) \
         || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))

Now run "make" again. Good Luck!
Eisfuchs

----

* Bug Report *: hping3 doesn't set the window scale TCP option correctly

OS: Knoppix 3.4 (Kernel 2.4.27)
Hping version: Hping3 Alpha2 (CVS)
GCC version: 3.3.5
TCL version: 8.4
Libpcap: 0.8

Patch: file apd.c line 559

Replace: 
    
    tcpopt->un.win.shift = htons(ars_atou(v));

With:    
   
    tcpopt->un.win.shift = ars_atou(v);

Good luck,

Melvin

----

[link mailto:geliATenseirbDOTfr matth] 27Jul2005 : *hping3 does not check properly command line options*

-> OS: Debian SID (Kernel 2.6.11)
-> Hping version: Hping3 (CVS)
-> GCC version: 3.3.5
-> TCL version: 8.4

# hping3 hostname -1 --debug -m
  hping: option requires an argument -- m
  Try hping --help

# hping3 hostname -1 -m --debug
  -- infinte loop here CPU=100% --

the virtual mtu seems to be set to 0 if no args passed to -m (and not at the end of the line)

# hping3 hostname -m -1
  Specified MTU too high, fixed to 65535.

Maybe I'm missing the point, but I don't really see why -m and -d have `AGO_EXCEPT0` flags.
----
sxav 09.12.2005: *net/bpf.h file not found*
-> OS: Linux x86-64 (LFS)
-> Hping3s (cvs)
-> GCC 4.0.1
-> TCL 8.4
-> Libpcap 0.9.3
Error message:
 error: net/bpf.h: No such file or directory
In last version of libpcap, net/bpf.h has been moved to pcap-bpf.h and it's automatically
included in pcap.h. So net/bpf.h shouldn't be included anymore...
Patch:

--- hping3s/script.c.orig       2005-09-12 00:52:35.000000000 +0200
 +++ hping3s/script.c    2005-09-12 00:53:00.000000000 +0200
 @@ -24,7 +24,6 @@
  
  #include <sys/ioctl.h>
  #include <pcap.h>
 -#include <net/bpf.h>
  
  #include "release.h"
  #include "hping2.h"  
 --- hping3s/libpcap_stuff.c.orig        2005-09-12 00:52:47.000000000 +0200
 +++ hping3s/libpcap_stuff.c     2005-09-12 00:53:09.000000000 +0200
 @@ -17,7 +17,6 @@
  #include <stdlib.h>
  #include <sys/ioctl.h>
  #include <pcap.h>
 -#include <net/bpf.h>
  
  #include "globals.h"

*bold* Alternatively:
    mkdir /usr/local/include/net/
    ln -sf /usr/include/pcap-bpf.h /usr/local/include/net/bpf.h

----

===Checksum of returned packet===

Hi,

in waitpacket.c
the checksum of the `returned` packet (= not the one `generated` by hping2-rc3) is reported not correctly in verbose mode. It should take the bytes the other way round, shouldn't it. The following diff provides me with results that are at least identical to what ethereal tells me.

See waitpacket.c.diff attached below.

Bye, bye,

Juergen

----

===SIGSEGV with hping2-rc3===

here it is - a trivial patch
to avoid SIGSEGV on 
a rare occasion.

diff -Nurp datafiller.c.orig datafiller.c > datafiller.c.diff

Bye, bye,

Juergen

----

===Error in configure script===
(Tue Oct 31 00:32:13 CET 2006)

In ping3-20051105, the configure script states in line 96:
 echo "==> WARNING: no Tcl header files found!"

which should be:
 echo "==> WARNING: no Tcl header files found."

because the former one results in:
 ./configure: line 96: !": event not found

with me.

----
OS: OSX 10.4.8

I know it is mostly tested with Linux, but I figured what the heck???

gcc -c -O2 -Wall   -DUSE_TCL -g  main.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  getifname.c
 getifname.c: In function 'get_output_if':
 getifname.c:343: warning: pointer targets in passing argument 3 of 'getsockname' differ in signedness
 gcc -c -O2 -Wall   -DUSE_TCL -g  getlhs.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  parseoptions.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  datafiller.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  datahandler.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  binding.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  logicmp.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  waitpacket.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  sendip.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  sendicmp.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  sendudp.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  sendtcp.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  cksum.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  statistics.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  version.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  listen.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  sendhcmp.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  rtt.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  relid.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  sendip_handler.c
 gcc -c -O2 -Wall   -DUSE_TCL -g  libpcap_stuff.c
 In file included from libpcap_stuff.c:20:
 /usr/include/net/bpf.h:93: error: redefinition of 'struct bpf_program'
 /usr/include/net/bpf.h:118: error: redefinition of 'struct bpf_version'
 /usr/include/net/bpf.h:321: error: redefinition of 'struct bpf_insn'
 libpcap_stuff.c: In function 'pcap_recv':
 libpcap_stuff.c:61: warning: pointer targets in assignment differ in signedness
 make: *** [libpcap_stuff.o] Error 1

so it all compiles except the libpcap_stuff.c (obviously).  I am too lazy to figure out why....maybe someone else is motivated enough??? :)

tyler

This is because some stuff is in pcap-bpf.h AND net/bpf.h IF you have installed libpcap with *fink* (not sure about other setups).
A dirty workaround that helped me, was to remove 
 #include <net/bpf.h> 
from the sript.c and libpcap-stuff.c (see sxav comment above).
This still leads to a compile error, because pcap.h dont defines a needed constant called  BIOCIMMEDIATE.
This can be solved easy by copying the needed constant from net/bpf.h 
 #define BIOCIMMEDIATE  _IOW('B',112, u_int)
now you should be able to compile and run hping3.

`I just wrote this in case other osx users run over the issue. Im not sure how to fix this the "correct way" in the cvs, so i dont change anything.`

`As I am a non-native english speaker, can someone please correct typos, thanks.`

hanfi

-------------------------------------

OpenSuSE 10.2 has problems compiling hping 3 with gcc 4.1.2 20061115 (prerelease) (SUSE Linux), tcl-8.4.14-11.  Here are patches that worked for me.

*** Makefile-orig       Wed Aug 22 10:40:02 2007
 --- Makefile    Wed Aug 22 10:40:17 2007
 ***************
 *** 50,56 ****
         $(RANLIB) $@

hping3: byteorder.h $(OBJ)
 !       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl -lm -lpthread
         @echo
         ./hping3 -v
         @echo "use \`make strip' to strip hping3 binary"
 --- 50,56 ----
         $(RANLIB) $@

hping3: byteorder.h $(OBJ)
 !       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl8.4 -lm -lpthread
         @echo
         ./hping3 -v
         @echo "use \`make strip' to strip hping3 binary"
 *** bytesex.h-orig      Wed Aug 22 10:43:57 2007
 --- bytesex.h   Wed Aug 22 10:43:59 2007
 ***************
 *** 9,14 ****
 --- 9,15 ----

#if   defined(__i386__) \
         || defined(__alpha__) \
 +       || defined(__x86_64) \
         || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
   #define BYTE_ORDER_LITTLE_ENDIAN
   #elif         defined(__mc68000__) \
 *** libpcap_stuff.c-orig        Wed Aug 22 10:38:06 2007
 --- libpcap_stuff.c     Wed Aug 22 10:38:26 2007
 ***************
 *** 17,23 ****
   #include <stdlib.h>
   #include <sys/ioctl.h>
   #include <pcap.h>
 ! #include <net/bpf.h>

#include "globals.h"

--- 17,23 ----
   #include <stdlib.h>
   #include <sys/ioctl.h>
   #include <pcap.h>
 ! #include <pcap-bpf.h>

#include "globals.h"

*** script.c-orig       Wed Aug 22 10:38:46 2007
 --- script.c    Wed Aug 22 10:39:23 2007
 ***************
 *** 24,30 ****

#include <sys/ioctl.h>
   #include <pcap.h>
 ! #include <net/bpf.h>

#include "release.h"
   #include "hping2.h"
 --- 24,30 ----

#include <sys/ioctl.h>
   #include <pcap.h>
 ! #include <pcap-bpf.h>

#include "release.h"
   #include "hping2.h"

-------------------------------------