Introduction to Hping3

Hping3 Tutorial: Packet Crafting and Port Scanning

When we use the basic ping command, it generates only ICMP Echo Request packets to test reachability. But sometimes we need more flexibility, for example, to test TCP or UDP responses, or even to check if a particular port is open. This is where hping3 comes in.

Hping3 is a powerful packet crafting tool that allows us to create and send TCP, UDP, and ICMP packets (and even raw IP packets if required). You can think of it as an advanced version of ping with far more features. It works directly from the command line interface (CLI) and is available on most Linux distributions.


Installing Hping3

If you are using Ubuntu or Debian, you can install hping3 with:

sudo apt update
sudo apt install hping3

On CentOS or Fedora, the command is slightly different:

sudo yum install hping3      # CentOS/RHEL
sudo dnf install hping3      # Fedora

On some systems hping3 may not be available in the default package repositories. In that case, you will need to download the source code and install it manually.

Since hping3 works directly with the network stack, it needs root privileges. You can either switch to root mode using sudo -i or just type sudo before the command each time.


To understand hping3 better, let’s use a simple setup with two PCs.

Figure: Basic two-PC network topology for running hping3 commands. PC1 (10.1.1.1/8) is connected directly to PC2 (10.2.2.2/8) with a cable.

Examples of Hping3 Commands

From PC1, you can try:

sudo -i
hping3 10.2.2.2

First we use the command sudo -i to switch to root mode, because hping3 needs root privileges to run. Then we run hping3 10.2.2.2, which sends TCP packets to PC2. By default, hping3 uses destination port 0, which usually has no application running, so the response we get will most likely have the flags RST + ACK.

Figure: Example of using hping3 with the -c option to send 4 packets. The terminal output shows hping3 sending 4 TCP packets to 10.2.2.2, with responses from port 0 and flags RA.

In this example, we used the option -c 4 to stop the hping3 process after sending 4 packets. Otherwise, the command would continue running until you manually stopped it with Ctrl + C.

The output shows 4 responses received from PC2. Notice that the field sport=0 indicates the responses are coming from source port 0. The field flags=RA means the Reset and Ack flag bits are set, which tells us that port 0 is closed on PC2.


Setting Ports and Flags

Hping3 lets you control source and destination ports as well as TCP flag bits.

  • -p : Destination port
  • -s : Source port
  • -S : SYN flag
  • Other flags like -A (ACK), -F (FIN), -R (RST) are also available.

Example: Checking if port 80 is open on PC2

hping3 -p 80 10.2.2.2 -S

The option -S sets the SYN flag bit. With this flag, an open port responds with SYN + ACK, while a closed port usually replies with RST + ACK.

  • If the response is SYN + ACK, it means port 80 is open (an HTTP server is running).
  • If the response is RST + ACK, it means port 80 is closed.

Incrementing Port Numbers

You can also increment port numbers automatically using ++.

hping3 -p ++80 10.2.2.2 -S -c 10

If you send 10 packets, the destination ports will be 80 through 89. This is useful for scanning a range without typing multiple commands.

Figure: Hping3 command with incremental destination ports and the SYN flag set. The output shows hping3 scanning ports 20 to 24 on 10.2.2.2, with a SYN+ACK response on port 23 indicating Telnet is open.


Here the option -p ++20 means the destination port numbers start from 20 and increase with each packet. So the first packet goes to port 20, the second to port 21, and so on. The option -c 5 limits the test to 5 packets.

In the output, you can see the “sport” field changing with each response. For ports 20, 21, 22, and 24 the flags are RA, showing those ports are closed. But for port 23 the response contains SA, meaning SYN + ACK. This confirms that port 23 (Telnet) is open on PC2.
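As an added example (not from the original article), this Python code classifies hping3 reply lines the way the paragraphs above read them: SA is open, RA is closed. It goes one step beyond the article by marking probed ports that sent no reply at all, which typically means a firewall dropped the probe or the packet was lost. The sample output is constructed and the function name is hypothetical.

```python
import re

# Constructed sample in the format hping3 prints for TCP replies (not taken
# from the article's screenshots). The reply for port 22 is deliberately missing.
SAMPLE_OUTPUT = """\
HPING 10.2.2.2 (eth0 10.2.2.2): S set, 40 headers + 0 data bytes
len=46 ip=10.2.2.2 ttl=64 DF id=0 sport=20 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.2.2.2 ttl=64 DF id=0 sport=21 flags=RA seq=1 win=0 rtt=0.5 ms
len=46 ip=10.2.2.2 ttl=64 DF id=0 sport=23 flags=SA seq=3 win=29200 rtt=0.5 ms
len=46 ip=10.2.2.2 ttl=64 DF id=0 sport=24 flags=RA seq=4 win=0 rtt=0.4 ms

--- 10.2.2.2 hping statistic ---
5 packets transmitted, 4 packets received, 20% packet loss
"""

# A reply line carries the answering port in sport= and the TCP flags in flags=.
REPLY = re.compile(r"\bip=(\S+).*?\bsport=(\d+)\s+flags=([A-Z]+)")


def classify_replies(output, target, first_port, count):
    """Map each probed port (first_port .. first_port+count-1) to a state.

    Hypothetical helper: assumes the probes were sent with -S and -p ++first_port.
    """
    states = {p: "no-reply" for p in range(first_port, first_port + count)}
    for line in output.splitlines():
        m = REPLY.search(line)
        if not m or m.group(1) != target:
            continue  # banner, statistics, or a reply from another host
        port, flags = int(m.group(2)), set(m.group(3))
        if port not in states:
            continue  # not one of the ports we probed
        if "R" in flags:
            states[port] = "closed"          # RST (+ACK): nothing listening
        elif {"S", "A"} <= flags:
            states[port] = "open"            # SYN+ACK: a service accepted the SYN
        else:
            states[port] = "unexpected:" + m.group(3)
    return states


if __name__ == "__main__":
    for port, state in classify_replies(SAMPLE_OUTPUT, "10.2.2.2", 20, 5).items():
        print(port, state)
```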


Sending UDP Packets

To generate UDP packets, use the -2 option.

hping3 -2 10.2.2.2

This will send UDP packets to PC2. You can combine this with the -p option to target specific UDP ports.


Sending ICMP Packets

If you want hping3 to behave like the normal ping command, use -1 for ICMP Echo Requests:

hping3 -1 10.2.2.2

This sends ICMP Echo Requests to PC2, similar to the standard ping.


Port Scanning with Hping3

One of the most powerful features of hping3 is port scanning. You can check which services are running on a target system by probing a range of ports.

Use the --scan option along with a port range and a flag.

hping3 --scan 0-1023 10.2.2.2 -S

This scans all well-known ports (0–1023) on PC2. Open ports will reply with SYN + ACK, showing you which applications are running.

Figure: Port scan with hping3 across the range 0–50 using the SYN flag. The scan result on 10.2.2.2 shows only port 23 open and the other ports closed.

In this example, hping3 is scanning all ports in the range 0 to 50 on PC2. The -S option keeps the SYN flag bit set.

The output shows that only port 23 is open on PC2, which matches the Telnet service. All other ports in the range returned reset responses, meaning they are closed.
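Seen from PC2, the scans above are a run of SYN-only packets from one source to many different ports. This added example (not part of the original article) flags that pattern in firewall logs. It assumes PC2 logs inbound TCP packets in Linux netfilter LOG format; the sample lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in netfilter LOG style (several fields omitted): the
# article's "-p ++20 -S -c 5" run from PC1, mixed with one ordinary Telnet client.
SAMPLE_LOG = """\
Jan 10 12:00:01 pc2 kernel: IN=eth0 OUT= SRC=10.1.1.1 DST=10.2.2.2 LEN=40 TTL=64 PROTO=TCP SPT=1501 DPT=20 WINDOW=512 RES=0x00 SYN URGP=0
Jan 10 12:00:02 pc2 kernel: IN=eth0 OUT= SRC=10.1.1.1 DST=10.2.2.2 LEN=40 TTL=64 PROTO=TCP SPT=1502 DPT=21 WINDOW=512 RES=0x00 SYN URGP=0
Jan 10 12:00:02 pc2 kernel: IN=eth0 OUT= SRC=10.3.3.3 DST=10.2.2.2 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 pc2 kernel: IN=eth0 OUT= SRC=10.1.1.1 DST=10.2.2.2 LEN=40 TTL=64 PROTO=TCP SPT=1503 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Jan 10 12:00:04 pc2 kernel: IN=eth0 OUT= SRC=10.1.1.1 DST=10.2.2.2 LEN=40 TTL=64 PROTO=TCP SPT=1504 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Jan 10 12:00:04 pc2 kernel: IN=eth0 OUT= SRC=10.3.3.3 DST=10.2.2.2 LEN=52 TTL=64 PROTO=TCP SPT=40112 DPT=23 WINDOW=502 RES=0x00 ACK URGP=0
Jan 10 12:00:05 pc2 kernel: IN=eth0 OUT= SRC=10.1.1.1 DST=10.2.2.2 LEN=40 TTL=64 PROTO=TCP SPT=1505 DPT=24 WINDOW=512 RES=0x00 SYN URGP=0
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?SRC=(\S+) DST=(\S+) .*?"
                  r"PROTO=TCP SPT=\d+ DPT=(\d+) (.*)$")


def find_syn_sweeps(log, min_ports=4, window_s=10, year=2024):
    """Return {(src, dst): sorted ports} for sources that sent bare SYNs to at
    least min_ports distinct ports within window_s seconds. The thresholds and
    the year (syslog timestamps carry none) are assumptions to tune."""
    seen = defaultdict(list)            # (src, dst) -> [(time, dport), ...]
    alerts = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, src, dst, dport, rest = m.groups()
        flags = set(rest.split())
        if "SYN" not in flags or "ACK" in flags:
            continue                    # only connection-opening SYNs count
        t = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events = seen[(src, dst)]
        events.append((t, int(dport)))
        recent = {p for et, p in events if t - et <= timedelta(seconds=window_s)}
        if len(recent) >= min_ports and len(recent) > len(alerts.get((src, dst), [])):
            alerts[(src, dst)] = sorted(recent)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in find_syn_sweeps(SAMPLE_LOG).items():
        print(f"possible SYN sweep {src} -> {dst}: ports {ports}")
```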


Summary

  • Ping only uses ICMP, but hping3 can craft TCP, UDP, and ICMP packets.
  • It requires root privileges.
  • You can control ports and TCP flags, making it useful for troubleshooting, security testing, and learning how protocols behave.
  • Features like --scan make it handy for identifying open ports on a target system.



Sajith Achipra has been a trainer and testing consultant at Zframez Technologies since 2009. With 15+ years of experience, he specializes in networking, Python, development, and testing. He conducts online courses to help students and professionals enhance their skills. You can reach him on WhatsApp at +91 8884 884 844 for your training and testing requirements.