15+ hping3 command examples in Linux [Cheat Sheet]

Written By - Rohan Timalsina

Introduction to hping3 command

hping3 is a network utility that allows you to send custom TCP/IP packets and display target replies like ping command does with ICMP replies.

hping3 is a didactic tool to learn TCP/IP. It can do the following operations.

  • Test firewall rules
  • Advanced port scanning
  • Test internet performance using different protocols, packets size
  • Discover MTU path
  • Tracerouting under different protocols
  • Remote OS fingerprinting
  • Firewalk-like usage
  • TCP/IP stack auditing


How to install hping3

hping3 is pre-installed in Kali Linux. If it is not found in your system, you can run the following commands to install hping3 according to your Linux distribution.


Install hping3 on CentOS, RHEL, Fedora

$ sudo dnf install hping3

Install hping3 on Ubuntu and Debian

$ sudo apt install hping3


Syntax to use hping3 command

The syntax for the hping3 command is as follows:

$ sudo hping3 [options] hostname

Some important options in hping3 command are as follows:

  • -c, --count: specify the number of packets to be sent
  • -8, --scan: Scan mode
  • -9, --listen: Listen mode
  • -a, --spoof: Spoof source address
  • -t, --ttl: set TTL (time to live) of outgoing packets


Different examples to use hping3 command

1. Send TCP packets to a host

When hping3 command is used without any options, it sends TCP packets to the specified host.

$ sudo hping3

Sample Output:

hping3 command to send packets


2. Send SYN packets to the target

To send SYN packets to the target IP address, you can use the -S or --syn option.

$ sudo hping3 -S


$ sudo hping3 --syn

Sample Output:

hping3 command to send syn packets


3. Send FIN/ACK packets to the target host

The -F or --fin option is used to send FIN packets to the specified host.

$ sudo hping3 -F


$ sudo hping3 --fin

Sample Output:

hping3 to send fin packets

Similarly, you can use the below options to set the respective TCP flags in the hping3 command.

  • -R: RST TCP flag
  • -P: PUSH TCP flag
  • -A: ACK TCP flag
  • -U: URG TCP flag
  • -X: Xmas TCP flag
  • -Y: Ymas TCP flag


4. Enable raw IP mode

In raw IP mode, hping3 sends IP header with data appended with --signature and/or --file.

$ sudo hping3 -0


$ sudo hping3 --rawip

Sample Output:

hping3 raw ip mode


5. Send ICMP packets to the target

The -1 or --icmp option allows you to enable ICMP mode and send ICMP echo requests to the given IP address.

$ sudo hping3 -1


$ sudo hping3 --icmp

Sample Output:

hping3 icmp mode


6. Send UDP packets to target

You can use the -2 or --udp option to send UDP packets to the target host.

$ sudo hping3 -2


$ sudo hping3 --udp

Sample Output:

hping3 udp mode


7. Specify the destination port

The default port is 0. You can use the -p or --destport option to set the destination port when sending packets.

$ sudo hping3 -p port


$ sudo hping3 --destport port

Sample Output:

set the destination port

When double + is used before the port number, the destination port will be incremented for each packet sent.

$ sudo hping3 -p ++1024

Sample Output:

hping3 destination port to increase for each packet


8. Specify the number of packets

The -c or --count option lets you specify the number of packets to be sent.

$ sudo hping3 -c num


$ sudo hping3 --count num

Sample Output:

specify number of packets


9. hping3 listen mode

You can enable listen mode to using the -9 or --listen option.

$ sudo hping3 -9 signature


$ sudo hping3 --listen signature

Sample Output:

hping3 listen mode


10. Enable verbose output

The -V or --verbose option displays the verbose information. You can see the details of what packets are being sent.

$ sudo hping3 -V


$ sudo hping3 --verbose

Sample Output:

hping3 verbose output


11. Specify the interface to use

The -I or --interface option forces hping3 to use the interface you specify in the command.

$ sudo hping3 -I interface_name


$ sudo hping3 -I interface_name

Sample Output:

specify the interface to use


12. hping3 as a network packet sniffer

hping3 can also be used for sniffing network packets. Using the listen mode, you can intercept the traffic going through the system network interface.

For example, you can use this command to intercept all traffic containing HTTP signatures.

$ sudo hping3 -9 HTTP -I enp0s9

Sample Output:

hping3 intercept http traffic


13. Set packet body size

The -d or --data option allows you to specify the packet size.

$ sudo hping3 -d size


$ sudo hping3 --data size

Sample Output:

set packet body size


14. Enable the TCP timestamp

You can use the --tcp-timestamp option to display the TCP timestamp.  It can be used to estimate the timestamp update frequency and the remote system uptime.

$ sudo hping3 --tcp-timestamp

Sample Output:

hping3 tcp timestamp option


15. SYN flood using hping3 command

The following command does the SYN flood or DOS attack on the target host.

$ sudo hping3 -S --flood

Sample Output:

hping3 syn flood


16. Performing a TCP SYN scan

Scan mode, the option expects an argument that describes groups of ports to scan. port groups are comma separated: a number describes just a single port, so 1,2,3 means port 1, 2 and 3. ranges are specified using a start-end notation, like 1-1000, that tell hping to scan ports between 1 and 1000 (included). the special word all is an alias for 0-65535, while the special word known includes all the ports listed in /etc/services.

# hping3 --scan known -S
Scanning (, port known
337 ports to scan, use -V to see all the replies
|port| serv name |  flags  |ttl| id  | win | len |
   21 ftp        : .S..A... 128  3987  8192    46
   25 smtp       : .S..A... 128  4755  8192    46
   53 domain     : .S..A... 128  6291  8192    46
   80 http       : .S..A... 128  8595  8192    46
  110 pop3       : .S..A... 128 10643  8192    46
  443 https      : .S..A... 128 17299  8192    46
  143 imap2      : .S..A... 128 30867  8192    46
  465 ssmtp      : .S..A... 128 33427  8192    46
  587 submission : .S..A... 128 39315  8192    46
  995 pop3s      : .S..A... 128 45715  8192    46



hping3 is one of the useful network tools that send TCP/IP packets to network hosts. It is widely used for testing a network and tracerouting under different protocols.

We hope this tutorial helps you to understand different hping3 commands in Linux. If you have any questions or feedback, please let us know in the comment section.


What’s Next

Analyze TCP Receive Window with Wireshark [Step-by-Step]
How to stop ICMP ping flood attack (DOS) on Linux


Further Reading

man page for hping3 command


Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment