Linux for Network Engineers: How to use nping

September 2, 2020 | Linux


We’ve talked about several testing utilities in the past such as ping, traceroute, iperf, and others. And every so often a new one pops into my radar, and I keep repeating “How come I didn’t know about this already?” In this case, the utility in question is nping.

There are so many ping variations out there: ping, fping, hping3, psping, hrping. I am sure I will discover a couple more in the following years. I was surprised I didn’t know about nping because it’s a very well maintained and updated utility, while some of the ones listed above are unmaintained and haven’t aged well over the years.

Nping can do so much more than simple ICMP pinging. It can manipulate pretty much any parameter and field of TCP, UDP, and ICMP packets, and it can be used for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc.

Installation

Nping is part of the nmap package and it’s installed by default if you install nmap on your Linux system with:

Nmap and nping are supported on Linux, Windows, and Mac OS X, so if you learn to use them on one platform your knowledge is transferable to the rest. That’s not the case for other utilities, such as hping, fping, and psping.

On Windows specifically you’d need to install the npcap driver for nping to work properly. If you run the nmap or the nping installer (or you have Wireshark installed), the drivers will be installed automatically.

Usage

The simplest thing you can do with nping is to test whether a target answers over a given protocol (TCP, UDP, ICMP), for example whether a TCP or UDP port is open.

ICMP Mode

There are several ICMP utilities, and most of them do the basics of sending an echo request packet, waiting for an echo reply, and measuring the latency. Nping includes that functionality as shown below (you might need to run this with elevated privileges).

The -c option just tells nping to send 2 packets instead of the default 5.

The beauty of nping is that it allows you to manipulate parameters such as the ICMP sequence number field, the originate timestamp, and many others. 

TCP Connect Mode

Testing a TCP port is very simple with the --tcp-connect option. With this option you can change some basic parameters of a TCP connection such as source and destination port.

TCP Mode

The TCP mode is very similar to the TCP connect mode, but it allows you to manipulate several other parameters such as the packet flags and the system’s TCP window size. Below you can see how you can send a TCP packet with the SYN flag set.

UDP Mode

The UDP mode works as follows:

For all of these modes, nping measures latency and prints statistics following every execution.

Echo Mode

The most interesting feature of nping is the “echo mode”. This is a nifty network troubleshooting functionality that uses a server and a client that communicate with each other on a side TCP channel, while sending testing traffic to each other. To put it in their own words:

The Echo mode is based on a client/server architecture. Both ends run Nping, one of them in server mode and the other in client mode. The way it works is: the Nping client performs an initial handshake with the server over some standard port (creating a side-channel). Then it notifies the server what packets are about to be sent. The server sets up a liberal BPF filter that captures those packets, and starts listening. When the server receives a packet it encapsulates it (including the link layer frame) into our own protocol packet and sends it back to the nping client. This would be essentially like running tcpdump on the remote machine and having it report back the packets you sent to it with Nping.

There is a protocol specification that describes how this works, and here is an example:

scanme.nmap.org is a test echo server that nmap.org maintains for testing purposes.

The “SENT” line tells us what IPs are in the outgoing test traffic from the client to the destination server. 

The “CAPT” line tells us what the destination server actually received. The destination server sees a source IP (99.xx.xx.xx) that is different than the actual IP of the client (172.31.0.69), which reveals the presence of a NAT between the client and the server.

The “RCVD” line is the packet the client actually received from the server.
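The SENT/CAPT comparison described above can be automated when you have many probes to check. The following is an added example, not code from the original post or from the Nmap project: a Python parser that pairs SENT and CAPT lines by IP ID and reports rewritten addresses, TTL decrease, and probes the server never captured. The sample output is constructed (documentation-range server addresses), and both the line layout and the idea that the IP ID survives the path unchanged are assumptions.

```python
import re

# Constructed sample shaped like nping echo-client output; not a real capture.
SAMPLE = """\
SENT (1.0970s) ICMP [172.31.0.69 > 203.0.113.10 Echo request (type=8/code=0) id=4242 seq=1] IP [ttl=64 id=21174 iplen=28 ]
CAPT (1.1270s) ICMP [198.51.100.7 > 203.0.113.10 Echo request (type=8/code=0) id=4242 seq=1] IP [ttl=52 id=21174 iplen=28 ]
RCVD (1.1280s) ICMP [203.0.113.10 > 172.31.0.69 Echo reply (type=0/code=0) id=4242 seq=1] IP [ttl=52 id=9911 iplen=28 ]
SENT (2.0980s) ICMP [172.31.0.69 > 203.0.113.10 Echo request (type=8/code=0) id=4242 seq=2] IP [ttl=64 id=21175 iplen=28 ]
"""

# Tag, timestamp, protocol, src[:port] > dst[:port], then the IP-level ttl and id.
LINE = re.compile(
    r"^(SENT|CAPT|RCVD) \((\d+\.\d+)s\) (\w+) \[?"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? > (\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r".*?\bttl=(\d+)\b.*?\bid=(\d+)\b"
)

def parse(text):
    """Turn SENT/CAPT/RCVD lines into dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            kind, t, proto, src, dst, ttl, ipid = m.groups()
            events.append({"kind": kind, "t": float(t), "proto": proto,
                           "src": src, "dst": dst,
                           "ttl": int(ttl), "ipid": int(ipid)})
    return events

def analyze(text):
    """Compare each SENT packet with the CAPT packet carrying the same IP ID."""
    events = parse(text)
    # Assumption: middleboxes on the path leave the IP ID field untouched.
    captured = {e["ipid"]: e for e in events if e["kind"] == "CAPT"}
    findings = []
    for s in (e for e in events if e["kind"] == "SENT"):
        c = captured.get(s["ipid"])
        if c is None:  # dropped or filtered before reaching the echo server
            findings.append({"ipid": s["ipid"], "status": "not-captured"})
            continue
        findings.append({"ipid": s["ipid"], "status": "captured",
                         "src_rewritten": s["src"] != c["src"],  # source NAT
                         "dst_rewritten": s["dst"] != c["dst"],  # port forward / DNAT
                         "seen_src": c["src"],
                         "ttl_drop": s["ttl"] - c["ttl"]})       # routers crossed
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

A `not-captured` result only means the server did not report the packet; it can come from a firewall drop, packet loss, or a device that changed the IP ID.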

In the past we talked about hping3 as a network testing utility. Hping3 offers a wide range of packet manipulation and testing capabilities. The problem is hping3 is not maintained any more, and works only on Linux. For what I usually use hping3 for, nping is a full replacement, and it might be one for you as well.