What Handles Ping in Linux

What handles ping in linux?

To override the default kernel behaviour for an ICMP ECHO request (ping) you can do the following without having to poke into the kernel or writing a filter.

  • First: instruct iptables to drop ICMP ECHO requests. They will however come to your host and enter your network card, but they won't be answered by the kernel:

    iptables -A INPUT -p icmp --icmp-type 8 -j DROP

  • Second: use tcpdump to sniff ICMP packets (or write a program that uses libpcap to do the capture yourself). tcpdump has options to display the payload data, or to write dumped packets to a file. You can use this last feature to open tcpdump with the -w option from your program, connect its output to a pipe and read the pipe. This way, you can access incoming ICMP echo requests even if they are going to be discarded by iptables. From your program, you will be able to parse the payload data.

    tcpdump -p icmp -i eth0 -s 0 -Xnlt

    (This displays the data in human-readable hexadecimal and ASCII on standard output; change the -X and -l options accordingly to write raw data to a file/socket.)

  • Third: using raw sockets, your program can send a customized packet pretending to be a response to a previous ICMP echo request, with the payload you desire. This SO question may have more clues for you in this field: How to receive ICMP request in C with raw sockets

What network layer handles responding to pings?

It's the kernel module which responds to ICMP requests. The ICMPv4 module is net/ipv4/icmp.c.

The ICMP module defines a table (an array) describing how to handle the various ICMP requests, whose entries are icmp_control objects; it is named icmp_pointers and is indexed by ICMP message type.

ICMP control structure:

    struct icmp_control {
        void (*handler)(struct sk_buff *skb);
        short error;            /* This ICMP is classed as an error message */
    };

    static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
        ...
        [ICMP_ECHO] = {
            .handler = icmp_echo,
        },
        ...
    };

From the above struct, when you send an echo request to the google.com server the message type will be ICMP_ECHO, boiling down to the subroutine call icmp_echo(), which handles echo (ping) requests (ICMP_ECHO) by sending echo replies (ICMP_ECHOREPLY) with icmp_reply().

What data is included in ICMP (ping) request?

An ICMP request is a layered packet which is sent over the internet. It contains the Ether layer, which has the target and source MAC addresses in it. It also contains the IP layer, which has the source and target IP addresses and also a couple of flags. And at last it contains the ICMP data. This contains a type, a subtype, then a checksum and the rest of the header, which varies by type and subtype (e.g. the code for echo is 8 and reply is 0).

There is a lot of information in a network packet. Also note that ICMP is a part of the IPv4 protocol, so it cannot officially be carried by other protocols, although the IP protocol itself can be carried over a different protocol than Ethernet.

The MAC address will be changed after each passing of a router, so this is never the MAC address of the source IP address on the internet. But the IP address is definitely included, and on a local network the MAC address of the client is still in the packet in the Ether layer.

Wikipedia has a readable article about ICMP packets: ICMP message and different protocols, with readable diagrams.

If you want to see some live requests, you can install Wireshark, which will show and dissect all network traffic for you. It is a very convenient and cool tool.
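The two steps above that actually need code, reading the captured request's fields and payload (step two of the first answer) and walking the Ether, IP and ICMP layers (the packet layout this answer describes), as an added example in C that is not from any of the original posts. The frame bytes are constructed for the example; the function works on any Ethernet frame a libpcap or tcpdump -w capture would hand you, and it verifies both Internet checksums so a corrupted or forged packet is flagged rather than trusted.

```c
/* Added example (not from the original answers): walk the Ethernet, IPv4 and
   ICMP layers of one captured frame and verify both Internet checksums. */
#include <stdint.h>
#include <string.h>
struct icmp_echo_info {
    uint8_t type, code;          /* ICMP type (8 = echo request) and subtype */
    uint16_t id, seq;            /* echo identifier and sequence number */
    uint32_t src_ip, dst_ip;     /* from the IPv4 header, host byte order */
    const uint8_t *payload;      /* points into the frame */
    size_t payload_len;
    int ip_csum_ok, icmp_csum_ok;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
/* RFC 1071 Internet checksum; over a block that includes its own checksum it yields 0. */
static uint16_t inet_csum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += rd16(p + i);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 1 and fills *out if the frame is an IPv4 ICMP echo request, else 0. */
int parse_icmp_echo(const uint8_t *frame, size_t len, struct icmp_echo_info *out) {
    if (len < 14 + 20 + 8 || rd16(frame + 12) != 0x0800) return 0; /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl + 8 || 14 + tot > len) return 0;
    if (ip[9] != 1) return 0;                                /* protocol 1 = ICMP */
    const uint8_t *icmp = ip + ihl;
    if (icmp[0] != 8) return 0;                              /* type 8 = echo request */
    out->type = icmp[0]; out->code = icmp[1];
    out->id = rd16(icmp + 4); out->seq = rd16(icmp + 6);
    out->src_ip = rd32(ip + 12); out->dst_ip = rd32(ip + 16);
    out->payload = icmp + 8; out->payload_len = tot - ihl - 8;
    out->ip_csum_ok = inet_csum(ip, ihl) == 0;
    out->icmp_csum_ok = inet_csum(icmp, tot - ihl) == 0;
    return 1;
}

/* Constructed sample (not a real capture): 192.168.1.10 -> 192.168.1.1, id 0x1234, seq 1, payload "ping". */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x20, 0xab,0xcd,0x40,0x00, 0x40,0x01,0x0b,0xb4,            /* IPv4 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    0x08,0x00,0x06,0xfa, 0x12,0x34,0x00,0x01, 'p','i','n','g'                 /* ICMP echo */
};
```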

ICMP sockets (linux)

Yes it is possible, since the ping command does ICMP.

To find out the syscalls involved, you can strace that command (under root).

You could also glance into that command's source code, e.g. Debian's ping.

And there is the liboping library to help you...

Send a ping through a specific next hop in linux userspace C

You can use source-routing:

In computer networking, source routing, also called path addressing, allows a sender of a packet to partially or completely specify the route the packet takes through the network.[1] In contrast, in conventional routing, routers in the network determine the path incrementally based on the packet's destination.

Note, though, it's quite common for source-routed packets to be summarily and silently dropped as there's no way for the receiver to trust that they came from where they seem to have come from without alteration.

Sonicwall has this to say about their firewall configuration:

Drop Source Routed IP Packets - (Enabled by default.) Clear this checkbox if you are testing traffic between two specific hosts and you are using source routing.

IP Source Routing is a standard option in IP that allows the sender of a packet to specify some or all of the routers that should be used to get the packet to its destination.

This IP option is typically blocked from use as it can be used by an eavesdropper to receive packets by inserting an option to send packets from A to B via router C. The routing table should control the path that a packet takes, so that it is not overridden by the sender or a downstream router.

Output of ping command with option -T

From the ping man page:

-T timestamp option

Set special IP timestamp options. timestamp option may be either tsonly (only timestamps), tsandaddr (timestamps and addresses) or tsprespec host1 [host2 [host3 [host4]]] (timestamp prespecified hops).

The IP timestamp option is an IP packet option field used to record the timestamps (in Universal Time) of every device that handles the datagram (and that supports this option). See RFC 781.

  • The -T tsonly option requests and shows only the timestamps recorded in the IP timestamps field; the first is absolute and the next ones seem to be deltas:

(from the RFC: flag = 0 -- time stamps only)

  • The -T tsandaddr option requests and shows timestamps next to the IP addresses of the devices:

(from the RFC: flag = 1 -- each timestamp is preceded with internet ID of the registering entity)

  • The -T tsprespec option requests and shows timestamps only for the IP addresses specified:

(from the RFC: flag = 3 -- the internet ID fields are prespecified. An IP module only registers its timestamp if it matches its own ID with the next specified internet ID)
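The three flag values quoted above fix the layout of the option bytes that ping -T sends and receives; as an added example in C that is not from the original answer, here is a decoder for that option (IP option type 68, RFC 781) covering flags 0, 1 and 3. The option bytes are constructed for the example (two stamped hops, 5 ms apart, two free slots), as a router on the path might leave them.

```c
/* Added example (not from the original answer): decode the IPv4 Timestamp option
   (type 68, RFC 781) that ping -T asks for, for flags 0, 1 and 3. */
#include <stdint.h>
#include <stddef.h>

struct ts_entry { uint32_t addr, ts_ms; };   /* addr is 0 for flag 0 (tsonly) */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decodes the option; returns the number of recorded entries, or -1 if malformed.
   *flag gets 0 (tsonly), 1 (tsandaddr) or 3 (tsprespec); *overflow the overflow count. */
int parse_ip_timestamp(const uint8_t *opt, size_t n, int *flag, int *overflow,
                       struct ts_entry *out, int max_out) {
    if (n < 4 || opt[0] != 68 || opt[1] < 4 || opt[1] > n) return -1;
    size_t len = opt[1], ptr = opt[2];      /* ptr is 1-based: 5 means no entry recorded yet */
    if (ptr < 5 || ptr > len + 1) return -1; /* pointer must stay inside the option */
    *overflow = opt[3] >> 4;
    *flag = opt[3] & 0x0f;
    if (*flag != 0 && *flag != 1 && *flag != 3) return -1;
    size_t entry = (*flag == 0) ? 4 : 8;    /* timestamp only, or address + timestamp */
    size_t used = ptr - 5;                  /* bytes of recorded entries after the 4-byte head */
    if (used % entry) return -1;
    /* For flag 3, slots after ptr hold prespecified addresses that were not stamped
       (that hop was not on the path); they are deliberately not returned here. */
    int count = 0;
    for (size_t off = 4; off + entry <= used + 4 && count < max_out; off += entry, count++) {
        out[count].addr = (*flag == 0) ? 0 : rd32(opt + off);
        out[count].ts_ms = rd32(opt + off + (entry - 4));
    }
    return count;
}

/* Constructed tsandaddr option as a router might fill it: two hops stamped, two free slots. */
const uint8_t SAMPLE_TSANDADDR[] = {
    68, 36, 21, 0x01,                         /* type, length, pointer, overflow/flag */
    0xc0,0xa8,0x01,0x01, 0x02,0x25,0x51,0x00, /* 192.168.1.1, 36000000 ms (10:00:00 UT) */
    0x0a,0x00,0x00,0x01, 0x02,0x25,0x51,0x05, /* 10.0.0.1,    36000005 ms */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0        /* unused slots */
};
```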
