How to compile?
GPS requires libnet and libpcap (take a look at the 'links' section for further information).
To compile it with 'make':
sh$ tar zxf gps-XXX.tar.gz
sh$ cd gps-XXX
sh$ ./configure
sh$ make
sh# make install (be careful if you already have a binary named 'gps')

-s hostname1[,[,hostname3/hostname4..]]
This option is required if you want to scan your localhost.
If no IP list is given, GPS will determine the IPs which are usable without breaking things.
The list of IP addresses specified here is used by GPS as spoofed source addresses (the host being scanned will think that the packets come from these IPs).
For example: -s,, tells GPS to use as spoofed source IP.
Important: if you are scanning a host through the Internet and you want to get some packets back, you need to specify source IP addresses which belong to your LAN, so that the responses come back on a wire you can sniff.
-d or hostname
This option is simply used to specify the target's name or IP address.
-t scan_type
scan_type is the scan mode to use.
The default mode is 'syn', which is the most reliable. The other types are: udp, fin, null, xmas, rand, ack and fwrd. Take a look at the 'features' section for details.
-r packets_flow
packets_flow influences the time between packet injections.
The available packet flows are: insane (default), aggressive, normal, polite and paranoid (deja vu?).
-p first_port-last_port
first_port and last_port are used to specify a port range (I am sure you didn't guess :).
The default port range is 1-1024.
The port scan order is hopefully randomized.
-k 0|1
This option is used to scan 'well-known' ports (if 1 is specified).
These ports are listed in the services.c file.
-e ping_port
This option determines the port on which the TCP pings will be sent, in order to evaluate a timeout value.
-v
Verbose. Use twice or more for better results.
-f t|o
Fragmentation. 't' stands for tiny frags, and 'o' for 'frag overlapping'.
Fragmentation is usually used to make the work of an IDS harder.
Default is no fragmentation.
-i device
This option is used to specify the network device to use for packet injection and sniffing.
Use it if GPS does not choose the suitable device for the scan.
-S mac|ip
This option is used to specify the spoofing level: 'ip' for IP spoofing, 'mac' for both IP and MAC spoofing.
Default is MAC spoofing.
-w window_size
This option is used to manually specify the size of the emission window. Note that this size is dynamically modified during scanning.

bash# gps -s -d
This is the most basic command line. GPS will perform a SYN scan against using the spoofed IP
bash# gps -s, -d -t fin
GPS will scan using randomly chosen IPs from to and The scan is a FIN scan.
bash# gps -s -d -t rand -p 1-200
Here is the stealthiest scan you may perform with GPS. The IPs are chosen randomly from to and the TCP flags are randomly set (see -t option comment for more details). GPS will scan ports from 1 to 200.
bash# gps -s -d -t fwrd -p 23
The FireWall Rules Disclosure mode will test the settings of's firewall on port 23. GPS will use sequentially IPs from to (host200) to send ACKs on target's port 23, and determine which IPs are allowed to pass through.
bash# gps -d host254 -Sip -ft -e 23 -vvv -i eth1
This command will perform a SYN scan against 'host254', using spoofing at IP level. The interface the packets will be routed through is 'eth1'. The timeout value will be evaluated by TCP pinging port 23, and the TCP segments will be cut into tiny fragments. To get more information, the verbose option is used three times.
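
A defender-side check for the two -f modes described above ('t' tiny frags, 'o' frag overlapping), as an added example that is not part of GPS or of the original page: it parses IPv4 headers and flags a first TCP fragment too small to hold a minimal TCP header, and fragments whose byte ranges overlap. The 20-byte threshold, the function names and the sample packets (built here with documentation addresses) are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

TCP = 6
MIN_TCP_HEADER = 20  # assumption: a first fragment should hold a minimal TCP header


def parse_ipv4(packet):
    """Return (flow key, byte offset, payload length, MF flag, protocol)."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    offset = (flags_off & 0x1FFF) * 8      # fragment offset is in 8-byte units
    more = bool(flags_off & 0x2000)        # MF (more fragments) bit
    length = total_len - (ver_ihl & 0x0F) * 4
    return (src, dst, ident, proto), offset, length, more, proto


def inspect_fragments(packets):
    """Return a sorted list of (alert, ip_id) for tiny and overlapping fragments."""
    alerts = set()
    seen = defaultdict(list)               # flow key -> [(start, end)] byte ranges
    for pkt in packets:
        key, off, length, more, proto = parse_ipv4(pkt)
        if off == 0 and not more:
            continue                       # not a fragment
        if proto == TCP and off == 0 and length < MIN_TCP_HEADER:
            alerts.add(("tiny-first-fragment", key[2]))
        for start, end in seen[key]:
            if off < end and start < off + length:
                alerts.add(("overlapping-fragment", key[2]))
        seen[key].append((off, off + length))
    return sorted(alerts)


def frag(ident, offset_units, more, payload_len, proto=TCP):
    """Build a constructed IPv4 fragment (checksum 0, zero-filled payload)."""
    flags_off = (0x2000 if more else 0) | offset_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + bytes(payload_len)


# Constructed sample traffic, not captured from a real scan
SAMPLE = [
    frag(1, 0, True, 8), frag(1, 1, True, 8), frag(1, 2, False, 4),  # tiny frags
    frag(2, 0, True, 24), frag(2, 2, False, 16),   # second range overlaps the first
    frag(3, 0, True, 24), frag(3, 3, False, 16),   # ordinary fragmentation
    frag(4, 0, False, 20),                         # unfragmented packet
]

print(inspect_fragments(SAMPLE))
```

Tiny and overlapping fragments of this kind are the subject of RFC 1858; an IDS or filter that reassembles before inspecting is not affected by either mode.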