
Differences for page Open bugs

Current version compared with version Fri Jun 18 21:18:55 GMT 2004

...
  
  Please write the bug report in any case even if you have only some of this information.
  
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12)
  
+ A buffer overflow occurs when the options --scan and -t are used at the same time. In the listing below I used TTL 1 (there are two hops to the target 10.201.1.100), but the situation is the same for any TTL of target_ttl-1 or less, i.e. apparently whenever the scan receives ICMP "TTL 0 during transit" replies from an intermediate hop instead of TCP replies from the target. When I scan a single remote port the problem sometimes does not appear and I see the normal hping output. The behaviour is the same for hping2 and hping3. Note that the abort below comes from glibc's FORTIFY_SOURCE check (`__fortify_fail` in the backtrace), not from hping itself: a build without that check would overwrite the adjacent stack memory silently, and since hping runs as root and the data being copied appears to be a reply received from the network, this should be treated as a memory-safety bug in the scan reply handling rather than a cosmetic crash.
+ 
+ root@bt:~# traceroute -T 10.201.1.100
+  traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+  1  my.firewall (10.201.2.1)  5.406 ms  10.532 ms  15.561 ms
+  2  10.201.1.100 (10.201.1.100)  58.799 ms  60.190 ms  61.298 ms
+ 
+ root@bt:~# hping -S -p 80 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+  len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  2 packets transmitted, 2 packets received, 0% packet loss
+  round-trip min/avg/max = 4.9/4.9/4.9 ms
+ 
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  3 packets transmitted, 3 packets received, 0% packet loss
+  round-trip min/avg/max = 0.0/0.0/0.0 ms
+ 
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+  *** buffer overflow detected ***: hping terminated
+  ======= Backtrace: =========
+  /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+  /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+  hping[0x8050529]
+  hping[0x805100a]
+  hping[0x8049be8]
+  /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+  hping[0x8049461]
+  ======= Memory map: ========
+  08048000-08058000 r-xp 00000000 03:05 1058310    /usr/sbin/hping2
+  08058000-0805a000 rw-p 0000f000 03:05 1058310    /usr/sbin/hping2
+  0805a000-08060000 rw-p 00000000 00:00 0
+  080fb000-0811c000 rw-p 00000000 00:00 0          [heap]
+  b7d98000-b7da5000 r-xp 00000000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da5000-b7da6000 r--p 0000c000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da6000-b7da7000 rw-p 0000d000 03:05 1038415    /lib/libgcc_s.so.1
+  b7db9000-b7e7a000 rw-s 00000000 00:08 1736725    /SYSV00000000 (deleted)
+  b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd2000-b7fd4000 r--p 00158000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+  b7fea000-b7fec000 rw-p 00000000 00:00 0
+  b7fec000-b8006000 r-xp 00000000 03:05 1038373    /lib/ld-2.8.90.so
+  b8006000-b8007000 rw-p 00000000 00:00 0
+  b8007000-b8008000 r--p 0001a000 03:05 1038373    /lib/ld-2.8.90.so
+  b8008000-b8009000 rw-p 0001b000 03:05 1038373    /lib/ld-2.8.90.so
+  bf8fd000-bf912000 rw-p 00000000 00:00 0          [stack]
+  ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
+  Aborted
+  Not responding ports: (80 www)
+  All replies received. Done.
+ 
+ root@bt:~# hping -S --scan 80 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+     80 www        : .S..A... 127 46672 65535
+  All replies received. Done.
+  Not responding ports:
+ 
+ ------------------------------------------------------------
+ 
+ 
+ ----
+ *FIXME fixed:* The IP id issue for fragments can be resolved with this patch. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
+ Index: sendip.c
+  ===================================================================
+  RCS file: /cvsroot/hping2/hping3s/sendip.c,v
+  retrieving revision 1.2
+  diff -r1.2 sendip.c
+  67c67,68
+  < 	else /* if you need fragmentation id must not be randomic */
+  ---
+  > 	else /* if you need fragmentation id must not be random but all fragments belonging to the
+  > 		  * the same IP packet must have the same id that is unique amongst other fragments. */
+  69,73c70,79
+  < 		/* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
+  < 		/*        for every frame sent */
+  < 		ip->id		= (src_id == -1) ?
+  < 			htons(getpid() & 255) :
+  < 			htons((unsigned short) src_id);
+  ---
+  > 		if(src_id == -1)
+  > 		{
+  > 			__u16 b16_counter = (__u16)sent_pkt;
+  > 			__u16 b16_pid = getpid() & 0xff;
+  > 			ip->id = htons(b16_pid + b16_counter);
+  > 		}
+  > 		else
+  > 		{
+  > 			ip->id = htons((unsigned short) src_id);
+  > 		}
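Review bot: The new id `htons(b16_pid + b16_counter)` is only correct if `sent_pkt` advances once per IP datagram and not once per fragment; the removed FIXME spoke of incrementing "for every frame sent", which is ambiguous, and if the sender bumps the counter per fragment then the fragments of one datagram get different ids and never reassemble, so the counter's granularity needs confirming (the loop that drives it is outside this hunk). A pid masked to one byte plus a linear counter also makes hping's packets trivially recognisable on the wire, which is the same concern raised further down this page about marking packets in a fixed way; if that matters, derive the base from the unmasked pid or a random value and keep only the per-datagram increment, since it is the per-fragment randomness, not a random base, that breaks reassembly. Minor: the replacement comment reads "belonging to the the same IP packet".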
+ ----
+ *Bug Report:* Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch)
+ It is the same bug that was already reported for ars.c (see the ars_multi_cksum() entry further down this page), but this one is in cksum.c: for an odd packet size the trailing byte is fetched as a whole 16-bit word, so one byte beyond the end of the buffer is read and folded into the checksum.
+ Change line 22 of cksum.c.
+  *((__u16 *) &oddbyte) = *(__u16 *) buf;
+ To the following (note: assigning the byte through a `__u16 *` stores it as a host-order 16-bit value, which yields the correct checksum only on little-endian hosts; if `oddbyte` is a zero-initialised 16-bit variable, as the cast suggests, the byte-order-independent form is `*((__u8 *) &oddbyte) = *(__u8 *) buf;`):
+  *((__u16 *) &oddbyte) = *(__u8 *) buf;
+ ----
+ *Bug Report:* Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)
+ 
+ One can not send packets with the maximal size of 65535 byte.
+ Patch attached to fix this problem : {patch_maxsize.diff}
+ ----
+ *Bug Report:* Too early auto-fragmentation (oliver dot stampfli at epfl dot ch)
+ 
+ The problem is that if someone wants to send packets with exactly the MTU size of an interface then
+ hping activates auto-fragmentation although it is not needed at this point. The effect is that
+ one cannot send MTU sized packets with the DF bit on.
+ After this patch hping still sends packets of exactly the requested size, but it no longer activates
+ the auto-fragment mode too early, so MTU-sized packets can be sent with the DF bit set.
+ 
+         diff -urb hping3s/sendip_handler.c hping3.work/sendip_handler.c
+         --- hping3s/sendip_handler.c        2003-09-01 02:22:06.000000000 +0200
+         +++ hping3.work/sendip_handler.c   2007-05-29 11:03:07.000000000 +0200
+         @@ -19,7 +19,7 @@
+          {
+                 ip_optlen = ip_opt_build(ip_opt);
+          
+         -       if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu))
+         +       if (!opt_fragment && (size+ip_optlen+20 > h_if_mtu))
+                 {
+                         /* auto-activate fragmentation */
+                         virtual_mtu = h_if_mtu-20;
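Review bot: The literal 20 on the changed line (and on the `virtual_mtu = h_if_mtu-20` line right after it) is the bare IPv4 header length and should be `IPHDR_SIZE`, which the sendip.c patch further down this page already uses for `ip->ihl`; `if (!opt_fragment && (size+ip_optlen+IPHDR_SIZE > h_if_mtu))` keeps the relaxed comparison and drops the magic number. The switch from `>=` to `>` is right only if `size` already counts the transport header and payload but not the IP header, which cannot be seen from the hunk; the enclosing function begins above it, so confirm against the caller before merging.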
+ 
+ ----
+ *Bug Report:* hping2 and hping3 accepts ICMP error messages which are not meant for it. (oliver dot stampfli at epfl dot ch)
+ 
+ OS: any
+ Hping version: any 
+ GCC: any
+ Tcl/Tk any
+ 
+ When you run 'traceroute H' and 'hping -A -p 22 -fast -q H' against the same host H at the same time, hping wrongly takes
+ the ICMP ttl exceeded messages meant for traceroute for its own.
+ The problem is that hping matches these ICMP packets only on the IP addresses (quoted destination against remote, outer destination against local, see below) and not on any other criteria.
+ 
+ From `waitpacket.c` in method `recv_icmp`:
+         /* ------------------------------------ *
+ 	 * ICMP DEST UNREACHABLE, TIME EXCEEDED *
+ 	 * ------------------------------------ */
+ 	else if (icmp.type == 3 || icmp.type == 11) {
+ 		if ((size - ICMPHDR_SIZE) < sizeof(struct myiphdr)) {
+ 			printf("[|icmp quoted ip]\n");
+ 			return 0;
+ 		}
+ 		memcpy(&quoted_ip, packet+ICMPHDR_SIZE, sizeof(quoted_ip));
+ 		if (memcmp(&quoted_ip.daddr, &remote.sin_addr,
+ 			sizeof(quoted_ip.daddr)) ||
+ 		    memcmp(&ip.daddr, &local.sin_addr, sizeof(ip.daddr)))
+ 			return 0; /* addresses don't match */
+ 		/* Now we can handle the specific type */
+ 		switch(icmp.type) {
+ 		case 3:
+ 			if (!opt_quiet)
+ 				log_icmp_unreach(inet_ntoa(src), icmp.code);
+ 			return 1;
+ 		case 11:
+ 			if (opt_traceroute)
+ 				log_traceroute(packet, size, icmp.code);
+ 			else
+ 				log_icmp_timeexc(inet_ntoa(src), icmp.code);
+ 			return 1;
+ 		}
+         }
+ 
+ I don't know if this problem exists also for different packet types but it is very likely.
+ I think this is not too hard to fix:
+ -> if src_id != -1 then compare the src_id with &quoted_ip.id
+ -> if src_id == -1 then you would have to have saved the ids of your previously sent packets (because they were random) and compare &quoted_ip.id against them. Alternatively, the ICMP error also quotes at least the first 8 bytes of the original transport header (RFC 792), so the quoted source/destination ports, and the quoted source address against local.sin_addr, can be checked as well; that works regardless of how the id was chosen.
+ 
+ Note that this would not entirely fix the problem: (in this case) traceroute could use the same id numbers by accident, although that is unlikely. Matching the id (or any other quoted field) only filters out accidental collisions with other local tools — the quoted header is simply whatever the sender of the ICMP error put there, so a host on the path can still forge ICMP errors that pass every such check; the fix reduces noise, it does not authenticate replies.
+ BEWARE of putting a fixed signature in the data part to mark all packets from hping for easy recognition: IDSs and firewalls could then recognize them too.
+ 
+ Any discussion on this is appreciated... please write me an e-mail.
+ 
+ 
+ ----
+ Bug Report: hping2 uses 127.0.0.1 for its source IP for all packets. (erickson at netapp.com)
+ 
+ OS: 2.6.11-1.27_FC3smp
+ Hping version: 2.0.0-rc3
+ gcc version 3.4.3
+ 
+ All of the hping packets have 127.0.0.1 for the source ip when using tcp mode.
+ The server where this is running has 587 routes, 512 IP aliases configured, other
+ than that it is pretty normal.
+ 
+ hping -1 <IP> succeeds, and the source IP is correct, but hping <IP> does not,
+ all the source IPs are the loopback IP.
+ 
+ 
+ ----
+ *Bug Report:* Hping2-rc3 ALWAYS dies on OS X on Intel Processors with: "\[send_ip\] sendto: Invalid argument" (nathan dot stocks at gmail dot com)
+ 
+ `Fix is documented here: [link http://lists.apple.com/archives/macnetworkprog/2006/Jun/msg00049.html]`
+ 
+ *OS:* OS X 10.4 on Intel
+ 
+ *Hping:* 2.0.0-rc3
+ 
+ *GCC:* i686-apple-darwin8-gcc-4.0.1 (GCC) 4.0.1 (Apple Computer, Inc. build 5363)
+ 
+ *TCL:* 8.4.12
+ 
+ Walking through the fix (documented at the link above), here are the specific patches that need to be applied to hping2-rc3 to make it work on OS X 10.4 on Intel processors:
+ 
+  --- libpcap_stuff.c.org 2006-01-23 17:58:11.000000000 +0100
+  +++ libpcap_stuff.c     2006-01-23 17:58:46.000000000 +0100
+  @@ -16,8 +16,8 @@
+   #include <string.h>
+   #include <stdlib.h>
+   #include <sys/ioctl.h>
+  -#include <pcap.h>
+   #include <net/bpf.h>
+  +#include <pcap.h>
+   
+   #include "globals.h"
+  
+ 
+  --- ars.c.orig  2006-11-20 13:20:01.000000000 -0700
+  +++ ars.c       2006-11-20 13:20:46.000000000 -0700
+  @@ -830,7 +830,7 @@
+                  return -ARS_INVALID;
+          }
+          ip = (struct ars_iphdr*) packet;
+  -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+  +#if defined OSTYPE_DARWIN || defined  OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+          ip->tot_len = ntohs(ip->tot_len);
+          ip->frag_off = ntohs(ip->frag_off);
+   #endif
+ 
+ 
+ 
+  --- sendip.c.orig       2006-11-20 13:23:28.000000000 -0700
+  +++ sendip.c    2006-11-20 13:23:05.000000000 -0700
+  @@ -48,7 +48,8 @@
+          ip->ihl         = (IPHDR_SIZE + optlen + 3) >> 2;
+          ip->tos         = ip_tos;
+   
+  -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+  +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+  +/* OS X */
+   /* FreeBSD */
+   /* NetBSD */
+          ip->tot_len     = packetsize;
+  @@ -73,7 +74,8 @@
+                          htons((unsigned short) src_id);
+          }
+   
+  -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
+  +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
+  +/* OS X */
+   /* FreeBSD */
+   /* NetBSD */
+          ip->frag_off    |= more_fragments;
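Review bot: The second `#if` in this patch keeps the pre-existing typo `defined OSTYPE_NETBSD | defined OSTYPE_BSDI` — a single `|` in a preprocessor condition; it happens to work because `defined` yields 0 or 1, but the line is being rewritten anyway and should read `#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI` to match the first hunk. Darwin is added here to two of the BSD-specific conditionals and the ars.c hunk above covers a third, but any other `OSTYPE_FREEBSD` conditionals in the tree would need the same treatment, so grep for them rather than relying on these three. The added `/* OS X */` lines only lengthen the existing per-OS comment stack; one comment naming the BSD-derived systems would read better.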
+ 
+ 
+ 
+ ----
+ 
+ *Bug Report: Hping3s compile error: ../hping3s/main.c:186: undefined reference to 'hping_script' (zarxcky, z4rxcky AT inbox DOT com)
+ 
+ OS: Suse Linux Pro 9.3
+ 
+ Hping version: Hping3s
+ 
+ GCC version: gcc-3.3.5-5
+ 
+ TCL version: tcl-8.4.9-7
+ 
+ Hping3s failed to compile on my Suse 9.3 box. The following error is seen at compile time:
+ 
+ ./configure does not give any problem, but when trying to run make, there is 1 error which is stated below:
+ 
+ main.o(.text+0x52): In function 'main':
+ ../../hping3s/main.c:186: undefined reference to 'hping_script'
+ collect2: ld returned 1 exit status
+ make: *** [hping3] Error 1
+ 
+ So far it looks like nobody else gets the same error as I do. Any ideas?
+ 
+ {*Solution1:*}
+ {`I was getting the exact same error when trying to compile the source.`}
+ {`I had to do a 'make strip' before 'make' for hping to compile successfully.`}
+ 
+ {*Solution2:*}
+ I had to do a {'make clean'} before 'make' for hping to compile successfully.
+ 
+ *Solution3:* [mekanik]
+ 
+ I had to remove the following list of files and then rerun "*./configure && make*" for hping to compile successfully with TCL support.
+  -rw-r--r--  1 root     root     20020 Feb 19 03:04 rapd.o
+  -rw-r--r--  1 root     root     16996 Feb 19 03:04 split.o
+  -rw-r--r--  1 root     root     43840 Feb 19 03:04 apd.o
+  -rw-r--r--  1 root     root     27540 Feb 19 03:04 ars.o
+  -rw-r--r--  1 root     root     19172 Feb 19 03:04 scan.o
+  -rw-r--r--  1 root     root      5044 Feb 19 03:04 arsglue.o
+  -rw-r--r--  1 root     root      8840 Feb 19 03:04 send.o
+  -rw-r--r--  1 root     root      4684 Feb 19 03:04 sendrawip.o
+  -rw-r--r--  1 root     root      6684 Feb 19 03:04 display_ipopt.o
+  -rw-r--r--  1 root     root      5620 Feb 19 03:04 ip_opt_build.o
+  -rw-r--r--  1 root     root      6324 Feb 19 03:04 libpcap_stuff.o
+  -rw-r--r--  1 root     root      6496 Feb 19 03:04 sendip_handler.o
+  -rw-r--r--  1 root     root      4712 Feb 19 03:04 relid.o
+  -rw-r--r--  1 root     root      6968 Feb 19 03:04 rtt.o
+  -rw-r--r--  1 root     root      5708 Feb 19 03:04 sendhcmp.o
+  -rw-r--r--  1 root     root      6516 Feb 19 03:04 listen.o
+  -rw-r--r--  1 root     root      4556 Feb 19 03:04 version.o
+  -rw-r--r--  1 root     root      5788 Feb 19 03:04 statistics.o
+  -rw-r--r--  1 root     root      4504 Feb 19 03:04 cksum.o
+  -rw-r--r--  1 root     root      8344 Feb 19 03:04 sendtcp.o
+  -rw-r--r--  1 root     root      6944 Feb 19 03:04 sendudp.o
+  -rw-r--r--  1 root     root     11872 Feb 19 03:04 sendicmp.o
+  -rw-r--r--  1 root     root      8272 Feb 19 03:04 sendip.o
+  -rw-r--r--  1 root     root     23604 Feb 19 03:04 waitpacket.o
+  -rw-r--r--  1 root     root      6528 Feb 19 03:04 logicmp.o
+  -rw-r--r--  1 root     root      5268 Feb 19 03:04 binding.o
+  -rw-r--r--  1 root     root      5332 Feb 19 03:04 datahandler.o
+  -rw-r--r--  1 root     root      5936 Feb 19 03:04 datafiller.o
+  -rw-r--r--  1 root     root     26008 Feb 19 03:04 parseoptions.o
+  -rw-r--r--  1 root     root      6624 Feb 19 03:04 getlhs.o
+  -rw-r--r--  1 root     root      9932 Feb 19 03:04 getifname.o
+  -rw-r--r--  1 root     root     21200 Feb 19 03:04 main.o
+  -rw-r--r--  1 root     root        86 Feb 19 03:04 systype.h
+  -rw-r--r--  1 root     root      2460 Feb 19 03:04 Makefile
+  -rw-r--r--  1 root     root       177 Feb 19 03:04 byteorder.h
+  -rwxr-xr-x  1 root     root      5458 Feb 19 03:04 byteorder
+ ----
+ 
  *Bug Report: Hping3 does not compile on Solaris 8* (Jim Halfpenny, jim AT watersheep DOT org)
  
  OS: SunOS 5.8 Generic_108528-13 sun4u sparc
...
  
  
   [root@linuxlaptop root]# hping --scan 1-200 -S 10.1.1.1
+ 
     Scanning 10.1.1.1 (10.1.1.1), port 1-200
     200 ports to scan, use -V to see all the replies
     +----+-----------+---------+---+-----+-----+-----+
...
- and report here the same scan with the -V switch added. This can help a lot. Thanks for your support.+ 
+ 
+ 
+ and report here the same scan with the -V switch added. This can help a lot. Thanks for your support.
+ 
+ 
+ [underdog] 22June2004:
+ 
+ The --fast option does seem to fix this issue.  I should have mentioned that this is going over a wireless connection also, which could have
+ something to do with it.  Also, the TCP/IP behaviour of Linux appears to be totally different from that of the Windows systems I have tested.
+ 
+ Thanks antirez.
+ 
+ End
+ 
+ 
+ Philippe Lovis (binomial at gmx dot net), 26June2004:
+ 
+ -> hping version: 3.0.0-alpha-2
+ -> OS: Linux 2.6.6
+ -> GCC: 3.3.4
+ -> TCL: 8.4.6
+ 
+ There is a bug in ars_multi_cksum() in ars.c which corrupts the TCP checksum if the oddbyte flag is set. You can reproduce the bug i.e. with:
+ 
+  append syn "ip(saddr=127.0.0.1,daddr=127.0.0.1)"
+  append syn "+tcp(sport=80,dport=22,flags=s)"
+  append syn "+tcp.nop()+tcp.mss(size=255)"
+  hping send $syn
+ 
+ tcpdump -i lo -v will report a 'bad tcp cksum'.
+ 
+ Fix: Adapt line 453 in ars.c from
+ 
+  *((u_int16_t *) &oddbyte) |= *(u_int16_t *) buf;
+ 
+ to the following (note: assigning through a `u_int16_t *` stores the byte as a host-order 16-bit value, which is only correct on little-endian hosts; if the pending byte belongs in the first memory byte of a zeroed 16-bit `oddbyte`, as in cksum.c, the byte-order-independent form is `*((u_int8_t *) &oddbyte) |= *(u_int8_t *) buf;` — confirm against the surrounding multi-buffer logic)
+ 
+  *((u_int16_t *) &oddbyte) |= *(u_int8_t *) buf;
+ 
+ 
+ And a small detail: RFC 793 states that the padding after the TCP options (up to the 32-bit boundary) should be zero bytes, but hping3 fills the padding with 0x01 (NOP). Receivers accept both, but the difference is visible on the wire.
+ 
+ Fix: Adapt line 778 in ars.c (in ars_compiler_tcpopt()) from
+ 
+  memset(t+cur_size, ARS_TCPOPT_NOP, padding);
+ 
+ to
+ 
+  memset(t+cur_size, ARS_TCPOPT_EOL, padding);
+ 
+ [Flibble] 09July2004:
+ 
+ -> hping version: 3.0.0-alpha-2 (CVS)
+ -> OS: Fedora Core 2 - Linux 2.6.5
+ -> GCC: 3.3.3
+ -> TCL: 8.4.5
+ -> LIBPCAP: 0.8.3
+ 
+ In order to complete the compile I needed to change references from net/bpf.h to pcap-bpf.h 
+ in libpcap_stuff.c and script.c.  Compiled and RPM'd fine after that, will check functionality and post results.
+ 
+ ----
+ 
+ Bug Report: hping crashes (SIGSEGV inside free() while parsing a received packet)
+ 
+ OS: linux-2.2.25-ow1
+ 
+ Hping version: version 3.0.0-alpha-2
+ 
+ GCC version: gcc version 2.95.3 20010315 (release)
+ 
+ TCL version: tcl8.4.6
+ 
+ steps to reproduce the bug (the backtrace below shows the fault in glibc's free() called from ars_remove_layer while ars_split_tcp is splitting a *received* packet — frames #2-#5 — so this looks like heap corruption driven by traffic taken off the wire by a root process and deserves a look at the ARS split code rather than only a workaround; the size=8 passed to ars_split_tcp in frame #3 is smaller than a minimal TCP header, which suggests the short/truncated-segment path):
+  1. hping exec passivets.htcl
+  2. ftp from machine in this subnet and transfer some files
+  3. ftp from machine in other subnet and transfer some files
+ 
+ gdb information: 
+  bash-2.05# gdb ../hping3
+  GNU gdb 5.0 (UI_OUT)
+  Copyright 2000 Free Software Foundation, Inc.
+  GDB is free software, covered by the GNU General Public License, and you are
+  welcome to change it and/or distribute copies of it under certain conditions.
+  Type "show copying" to see the conditions.
+  There is absolutely no warranty for GDB.  Type "show warranty" for details.
+  This GDB was configured as "i386-unknown-linux"...
+  (gdb) set args exec passivets.htcl
+  (gdb) r
+  Starting program: /home/dima/src/hping3-alpha-2/lib/../hping3 exec passivets.htc
+  l
+  [New Thread 1024 (runnable)]
+  192.168.22.81 (192.168.22.81) UPTIME=0 days, 2 hours, 49 minutes, 17 seconds
+  192.168.22.193 (192.168.22.193) UPTIME=0 days, 0 hours, 0 minutes, 14 seconds
+  192.168.22.85 (192.168.22.85) UPTIME=0 days, 0 hours, 0 minutes, 13 seconds
+  
+  Program received signal SIGSEGV, Segmentation fault.
+  [Switching to Thread 1024 (runnable)]
+  0x40137b19 in chunk_free (ar_ptr=0x401c2c20, p=0x8094408) at malloc.c:3111
+  3111    malloc.c: No such file or directory.
+          in malloc.c
+  (gdb) bt
+  #0  0x40137b19 in chunk_free (ar_ptr=0x401c2c20, p=0x8094408) at malloc.c:3111
+  #1  0x401379ae in __libc_free (mem=0x8094410) at malloc.c:3023
+  #2  0x08056a64 in ars_remove_layer (pkt=0xbffed948, layer=3) at ars.c:385
+  #3  0x0805a460 in ars_split_tcp (pkt=0xbffed948, packet=0xbffeee5a, size=8,
+      state=0xbffed914, len=0xbffed918) at split.c:394
+  #4  0x08059f23 in ars_split_packet (packet=0xbffeee2a, size=56, ipoff=0,
+      pkt=0xbffed948) at split.c:132
+  #5  0x08051322 in GetPacketDescription (data=0xbffeee2a "E", len=56, hexdata=0)
+      at script.c:274
+  #6  0x0805150e in HpingRecvPackets (ra=0x807df60, interp=0x8083b48,
+      o=0x80914b0, timeout=-1, maxpackets=1, rapd=1, hexdata=0) at script.c:352
+  #7  0x0805167c in __HpingRecvCmd (clientData=0x0, interp=0x8083b48, objc=4,
+      objv=0x80859a0, rapd=1, hexdata=0) at script.c:412
+  #8  0x08051726 in HpingRecvCmd (clientData=0x0, interp=0x8083b48, objc=4,
+      objv=0x80859a0) at script.c:438
+  #9  0x080524aa in HpingObjCmd (clientData=0x0, interp=0x8083b48, objc=4,
+      objv=0x80859a0) at script.c:857
+  #10 0x40037c80 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so
+  #11 0x4005a2f4 in TclExecuteByteCode () from /usr/lib/libtcl8.4.so
+  #12 0x400597e0 in TclCompEvalObj () from /usr/lib/libtcl8.4.so
+  #13 0x40038b95 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so
+  #14 0x40049089 in Tcl_WhileObjCmd () from /usr/lib/libtcl8.4.so
+  #15 0x40037c80 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so
+  #16 0x4003862a in Tcl_EvalEx () from /usr/lib/libtcl8.4.so
+  ---Type <return> to continue, or q <return> to quit---
+  #17 0x400728b8 in Tcl_FSEvalFile () from /usr/lib/libtcl8.4.so
+  #18 0x40078c5a in Tcl_Main () from /usr/lib/libtcl8.4.so
+  #19 0x08052f89 in hping_script (argc=2, argv=0xbffffd08) at script.c:1356
+  #20 0x0804a3b6 in main (argc=2, argv=0xbffffd04) at main.c:186
+  #21 0x400ffcc9 in __libc_start_main (main=0x804a360 <main>, argc=3,
+      argv=0xbffffd04, init=0x8049a5c <_init>, fini=0x8065e5c <_fini>,
+      rtld_fini=0x4000ad04 <_dl_fini>, stack_end=0xbffffcfc)
+      at ../sysdeps/generic/libc-start.c:92
+  (gdb) info reg
+  eax            0x8094418        134824984
+  ecx            0x401c0000       1075576832
+  edx            0x8094418        134824984
+  ebx            0x401c465c       1075594844
+  esp            0xbffed81c       0xbffed81c
+  ebp            0xbffed844       0xbffed844
+  esi            0x401c2c28       1075588136
+  edi            0x8094408        134824968
+  eip            0x40137b19       0x40137b19
+  eflags         0x297    663
+  cs             0x23     35
+  ss             0x2b     43
+  ds             0x2b     43
+  es             0x2b     43
+  fs             0x0      0
+  gs             0x0      0
+  fctrl          0x37f    895
+  fstat          0x20     32
+  ftag           0xffff   65535
+  fiseg          0x23     35
+  fioff          0x40060043       1074135107
+  foseg          0x2b     43
+  fooff          0xe6b4   59060
+  fop            0x7a3    1955
+ 
+ ----
+ 
+ Bug Report: hping3-alpha-2 with TCL 8.5
+ 
+ -> hping version: 3.0.0-alpha-2 (tar.gz)
+ -> OS: Trustix 2.1 - Linux 2.4.25-8tr
+ -> GCC: 3.3.3
+ -> TCL: 8.5
+ -> LIBPCAP: 0.8.3
+ 
+ 
+ This isn't really a bug..more of an incompatibility which can be resolved using the below 
+ steps. I didn't find any directions on this site as to which version of TCL should be used
+ or is supported.
+ 
+ To get hping3-alpha-2 to compile with TCL 8.5 installed, I had to manually make the following
+ changes to the configure file :
+ 
+ line 66 :
+ 
+     for TCLVER_TRY in "8.4" "8.3" "8.2" "8.1" "8.0"
+ 
+ becomes :
+ 
+     for TCLVER_TRY in "8.5" "8.4" "8.3" "8.2" "8.1" "8.0"
+ 
+ line 90-92 :
+ 
+     elif [ -e /usr/local/include/tcl${TCL_VER} ]        
+     then                                                
+         TCL_INC="-I/usr/local/include/tcl${TCL_VER}"
+ 
+ becomes :
+ 
+     elif [ -e /usr/local/include/tcl.h ]        
+     then                                                
+         TCL_INC="-I/usr/local/include"
+ 
+ (make and make install completed without errors.)
+ 
+ PS - I'm no installer guru, and I hope this isn't a distro specific thing. 
+ I just adjusted them as I saw fit. Hope this is correct!
+ 
+ 
+ Stephen.
+ 
+ ----
+ 
+ Bug Report: hping2 rc3 fails to compile on AMD64 and probably Intel 64 Bit processors.
+ 
+ -> hping version: 2.0.0 rc3 (tar.gz)
+ -> OS: SuSE Linux 9.2 ADM64 (Kernel 2.6.8-24)
+ -> GCC: 3.3.4
+ 
+ *Reason:*
+ The file bytesex.h does not include detection of the said architectures.
+ 
+ *Solution:*
+ Add __ia64__ and __amd64__ to the list of little-endian architectures (GCC defines both __amd64__ and __x86_64__ on x86-64; a later entry on this page uses the __x86_64 spelling — pick one for the whole tree). Patch the file bytesex.h as follows:
+ 
+  #if     defined(__i386__) \
+          || defined(__ia64__) \
+          || defined(__amd64__) \
+          || defined(__alpha__) \
+          || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
+ 
+ Now run "make" again. Good Luck!
+ Eisfuchs
+ 
+ ----
+ 
+ * Bug Report *: hping3 doesn't set the window scale TCP option correctly
+ 
+ 
+ OS: Knoppix 3.4 (Kernel 2.4.27)
+ Hping version: Hping3 Alpha2 (CVS)
+ GCC version: 3.3.5
+ TCL version: 8.4
+ Libpcap: 0.8
+ 
+ Patch: file apd.c line 559
+ 
+ Replace: 
+     
+     tcpopt->un.win.shift = htons(ars_atou(v));
+ 
+ With:    
+    
+     tcpopt->un.win.shift = ars_atou(v);
+ 
+ Good luck,
+ 
+ Melvin
+ 
+ ----
+ 
+ [link mailto:geliATenseirbDOTfr matth] 27Jul2005 : *hping3 does not check properly command line options*
+ 
+ -> OS: Debian SID (Kernel 2.6.11)
+ -> Hping version: Hping3 (CVS)
+ -> GCC version: 3.3.5
+ -> TCL version: 8.4
+ 
+   # hping3 hostname -1 --debug -m
+   hping: option requires an argument -- m
+   Try hping --help
+ 
+ 
+   # hping3 hostname -1 -m --debug
+   -- infinite loop here CPU=100% --
+ 
+ the virtual MTU seems to be set to 0 if -m is given without an argument and is not the last option on the line; with a virtual MTU of 0 the fragmentation code apparently never makes progress, hence the busy loop
+ 
+ 
+   # hping3 hostname -m -1
+   Specified MTU too high, fixed to 65535.
+ 
+ 
+ Maybe I'm missing the point, but I don't really see why -m and -d have `AGO_EXCEPT0` flags.
+ ----
+ sxav 09.12.2005: *net/bpf.h file not found*
+ -> OS: Linux x86-64 (LFS)
+ -> Hping3s (cvs)
+ -> GCC 4.0.1
+ -> TCL 8.4
+ -> Libpcap 0.9.3
+ Error message:
+  error: net/bpf.h: No such file or directory
+ In recent libpcap versions the contents of net/bpf.h have moved to pcap-bpf.h, which pcap.h includes
+ automatically, so net/bpf.h should not be included anymore...
+ Patch:
+ 
+  --- hping3s/script.c.orig       2005-09-12 00:52:35.000000000 +0200
+  +++ hping3s/script.c    2005-09-12 00:53:00.000000000 +0200
+  @@ -24,7 +24,6 @@
+   
+   #include <sys/ioctl.h>
+   #include <pcap.h>
+  -#include <net/bpf.h>
+   
+   #include "release.h"
+   #include "hping2.h"  
+  --- hping3s/libpcap_stuff.c.orig        2005-09-12 00:52:47.000000000 +0200
+  +++ hping3s/libpcap_stuff.c     2005-09-12 00:53:09.000000000 +0200
+  @@ -17,7 +17,6 @@
+   #include <stdlib.h>
+   #include <sys/ioctl.h>
+   #include <pcap.h>
+  -#include <net/bpf.h>
+   
+   #include "globals.h"
+ 
+ 
+ 
+ *Alternatively:*
+     mkdir /usr/local/include/net/
+     ln -sf /usr/include/pcap-bpf.h /usr/local/include/net/bpf.h
+ 
+ ----
+ 
+ ===Checksum of returned packet===
+ 
+ Hi,
+ 
+ in waitpacket.c
+ the checksum of the `returned` packet (= not the one `generated` by hping2-rc3) is reported incorrectly in verbose mode: the two checksum bytes appear to be printed in the wrong order (a byte-order problem). The following diff gives me results that at least match what Ethereal shows.
+ 
+ See waitpacket.c.diff attached below.
+ 
+ Bye, bye,
+ 
+ Juergen
+ 
+ 
+ ----
+ 
+ ===SIGSEGV with hping2-rc3===
+ 
+ here it is - a trivial patch
+ to avoid SIGSEGV on 
+ a rare occasion.
+ 
+ diff -Nurp datafiller.c.orig datafiller.c > datafiller.c.diff
+ 
+ Bye, bye,
+ 
+ Juergen
+ 
+ 
+ ----
+ 
+ ===Error in configure script===
+ (Tue Oct 31 00:32:13 CET 2006)
+ 
+ In ping3-20051105, the configure script states in line 96:
+  echo "==> WARNING: no Tcl header files found!"
+ 
+ which should be:
+  echo "==> WARNING: no Tcl header files found."
+ 
+ because bash history expansion (normally only active in interactive shells, so this depends on how configure is invoked) treats the `!"` inside the double-quoted string as a history reference, and the former one results in:
+  ./configure: line 96: !": event not found
+ 
+ with me.
+ 
+ ----
+ OS: OSX 10.4.8
+ 
+ I know it is mostly tested with Linux, but I figured what the heck???
+ 
+ 
+ 
+  gcc -c -O2 -Wall   -DUSE_TCL -g  main.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  getifname.c
+  getifname.c: In function 'get_output_if':
+  getifname.c:343: warning: pointer targets in passing argument 3 of 'getsockname' differ in signedness
+  gcc -c -O2 -Wall   -DUSE_TCL -g  getlhs.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  parseoptions.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  datafiller.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  datahandler.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  binding.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  logicmp.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  waitpacket.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  sendip.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  sendicmp.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  sendudp.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  sendtcp.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  cksum.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  statistics.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  version.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  listen.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  sendhcmp.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  rtt.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  relid.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  sendip_handler.c
+  gcc -c -O2 -Wall   -DUSE_TCL -g  libpcap_stuff.c
+  In file included from libpcap_stuff.c:20:
+  /usr/include/net/bpf.h:93: error: redefinition of 'struct bpf_program'
+  /usr/include/net/bpf.h:118: error: redefinition of 'struct bpf_version'
+  /usr/include/net/bpf.h:321: error: redefinition of 'struct bpf_insn'
+  libpcap_stuff.c: In function 'pcap_recv':
+  libpcap_stuff.c:61: warning: pointer targets in assignment differ in signedness
+  make: *** [libpcap_stuff.o] Error 1
+ 
+ 
+ 
+ so it all compiles except the libpcap_stuff.c (obviously).  I am too lazy to figure out why....maybe someone else is motivated enough??? :)
+ 
+ tyler
+ 
+ 
+ This is because some definitions are in both pcap-bpf.h AND net/bpf.h IF you have installed libpcap with *fink* (not sure about other setups).
+ A dirty workaround that helped me, was to remove 
+  #include <net/bpf.h> 
+ from script.c and libpcap_stuff.c (see sxav's comment above).
+ This still leads to a compile error, because pcap.h does not define the constant BIOCIMMEDIATE that libpcap_stuff.c needs.
+ This can be worked around by copying the definition from your system's net/bpf.h (wrap it in `#ifndef BIOCIMMEDIATE` so it does not clash once a header provides it, and note that the ioctl number is platform-specific — use the value from the kernel you run on, not one copied from another OS):
+  #define BIOCIMMEDIATE  _IOW('B',112, u_int)
+ Now you should be able to compile and run hping3.
+ 
+ `I just wrote this in case other OS X users run into the issue. I am not sure how to fix this the "correct way" in CVS, so I have not changed anything there.`
+ 
+ `As I am a non-native English speaker, could someone please correct typos? Thanks.`
+ 
+ 
+ hanfi
+ 
+ 
+ -------------------------------------
+ 
+ OpenSuSE 10.2 has problems compiling hping 3 with gcc 4.1.2 20061115 (prerelease) (SUSE Linux), tcl-8.4.14-11.  Here are patches that worked for me.
+ 
+  *** Makefile-orig       Wed Aug 22 10:40:02 2007
+  --- Makefile    Wed Aug 22 10:40:17 2007
+  ***************
+  *** 50,56 ****
+          $(RANLIB) $@
+ 
+    hping3: byteorder.h $(OBJ)
+  !       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl -lm -lpthread
+          @echo
+          ./hping3 -v
+          @echo "use \`make strip' to strip hping3 binary"
+  --- 50,56 ----
+          $(RANLIB) $@
+ 
+    hping3: byteorder.h $(OBJ)
+  !       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl8.4 -lm -lpthread
+          @echo
+          ./hping3 -v
+          @echo "use \`make strip' to strip hping3 binary"
+  *** bytesex.h-orig      Wed Aug 22 10:43:57 2007
+  --- bytesex.h   Wed Aug 22 10:43:59 2007
+  ***************
+  *** 9,14 ****
+  --- 9,15 ----
+ 
+    #if   defined(__i386__) \
+          || defined(__alpha__) \
+  +       || defined(__x86_64) \
+          || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
+    #define BYTE_ORDER_LITTLE_ENDIAN
+    #elif         defined(__mc68000__) \
+  *** libpcap_stuff.c-orig        Wed Aug 22 10:38:06 2007
+  --- libpcap_stuff.c     Wed Aug 22 10:38:26 2007
+  ***************
+  *** 17,23 ****
+    #include <stdlib.h>
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <net/bpf.h>
+ 
+    #include "globals.h"
+ 
+  --- 17,23 ----
+    #include <stdlib.h>
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <pcap-bpf.h>
+ 
+    #include "globals.h"
+ 
+  *** script.c-orig       Wed Aug 22 10:38:46 2007
+  --- script.c    Wed Aug 22 10:39:23 2007
+  ***************
+  *** 24,30 ****
+ 
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <net/bpf.h>
+ 
+    #include "release.h"
+    #include "hping2.h"
+  --- 24,30 ----
+ 
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <pcap-bpf.h>
+ 
+    #include "release.h"
+    #include "hping2.h"
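Review bot: Hard-coding `-ltcl8.4` in the Makefile's link line bypasses the configure script, which already probes Tcl versions (`for TCLVER_TRY in "8.4" "8.3" ...` in the TCL 8.5 entry earlier on this page) and breaks as soon as a different Tcl is installed; the Makefile should link `-ltcl$(TCL_VER)` or a `$(TCL_LIB)` substituted by configure rather than a literal. The bytesex.h hunk tests `__x86_64` while the AMD64 entry above adds `__amd64__`; GCC defines both `__x86_64__` and `__amd64__`, so one spelling should be used for the whole tree. The `<pcap-bpf.h>` includes in script.c and libpcap_stuff.c are harmless but redundant, since pcap.h already pulls that header in as the sxav entry notes — dropping the bpf include altogether is the smaller change.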
+ 
+ -------------------------------------
+ 
+ 

The following is the old page content