Free icmp software for linux

ETrace is a configurable static port network tracing tool, similar to traceroute, but supporting ICMP, TCP, UDP and other IP protocols.

Usage:

etrace [ -BbCcnv ] [ -p profile ] [ -F config ] [ -i interface ] [ -I icmp-type ] [ -T port ] [ -U port ] [ -P protocol ] [ -r probe-count ] [ -t timeout ] [ -1 hop ] [ -h hop ] [ -m hop ] [ -A address ] [ -s port ] [ -f flags ] [ -d data ] [ -D data-file ] [ -R count ] [ -q seq] [ -w window ] target [...]

Options:

etrace has a wealth of options ranging in function from controlling output to the detailed construction of trace packets.

Profile Options:

A profile is a pre-configured list of options stored in a shared, or user specific configuration file. By defining profiles, complex etrace option sets can be easily accessed with a single command line option.

-p, --profile
Specify a profile.
-C, --clear
Clear the current list of probes. This option can be used to allow a profile to inherit options from another profile, but specify its own list of probes.
-F, --config
Specify an alternative profiles file.

Interface options

-i, --interface
Specify interface. If unspecified, etrace will examine the routing table and select the most appropriate interface for each target address.
-c, --promisc
Put in interface into promiscuous mode. As this option increases the load on the system in general, it should only be used if spoofing of source packets address is enabled with the "-A" option.
Trace Type Options
-I, --icmp
Specify an ICMP trace and the packet type to use. ICMP traces may use Echo (E or P), Timestamp (T or S), Netmask (N or M) or Info (I). The default trace probe is an ICMP Echo.
-h, --hop
Specify a specific hop to investigate.
-m, --maximum
Specify the maximum number of hops.
-r, --probes
Set the maximum number of probes to send per hop. The default is 3.
-t, --timeout
Set the maximum amount of time, in milli-seconds, to wait for a response to a probe. The default is 3000 (three seconds).

Packet Construction Options

-A, --address
Specify the source IP address of generated packets.
-s, --source
Set the source port of the generated probe packets. If unspecified, etrace uses a random high port.
-f, --flags
Specify TCP and/or IP flags. Takes a comma delimitered list of any of the following flags: RF, DF, MF, FIN, SYN, RST, PSH, ACK, URG, ECE, CWR (Default: SYN)
-d, --data
Specify the data content of generated probe packets. Standard meta-characters are recognised (e.g. "nt") as are binary values given in octal (e.g. " 00x00");
-D, --data-file
Load the data content of the generated probe packets from the specified file. Filenames beginning with @ a loaded from the etrace shared data directory (usually /usr/local/share/etrace). etrace currently ships with the following predfined packet data files: dns, ike.
-R, --random
Fill the data content of the generated probe packets with the specified number of random bytes.
-b, --badcksum
Generate and send probe packets with bad checksums.
-q, --seq
Specify the TCP sequence number.
-w, --window
Specify the TCP window size.

Output Options

-v, --verbose
Increase output verbosity.
-B, --debug
Enable debugging output.
-n, --numeric
Disable name resolution.

Examples:

etrace www.sample.com

Launches a trace ICMP Echo, the default, trace to www.sample.com. Specifiying the options "-I E" whould accomplish the same results.

etrace -T 80 www.sample.com

Similar to the previous example, except the trace is performed on TCP port 80.

etrace --udp 53 --data-file @dns ns.sample.com

Starts are trace to ns.sample.com on UDP port 53 with the trace packets containing data loaded from the file /usr/local/share/etrace/dns (a file supplied with etrace that contains a simple dns request to resolve 127.0.0.1).

etrace -p dns -p fast ns.sample.com

The default profiles shipped with etrace include "dns" (which equates to the options shown in the previous example) and "fast" (which decreases both timeouts and the number of probes sent for each hop, as well as disabling name resolution). Profiles are stackable, with latter options overriding those specified in earlier profiles.

jail (Just Another IP Logger) is a simple, but often useful network security tool which displays ICMP packets and attempted TCP connections from remote hosts.

The application features better configuration and logging options than the iplogger package it was written to replace.

icmplog and tcplog can either ignore any packet, or log it at any of the
syslog levels (as defined in < syslog.h >). The log level is configurable
depending on the ICMP type (icmplog) or the port on which a connection is
requested (tcplog). The default facility (LOG_DAEMON) for logging messages
can also be changed in the configurations files.

The level at which a given type of packet is logged is specified in the
configuration files (/etc/icmplog.conf and /etc/tcplog.conf by default,
which can be overriden with the --file option). You can also specify
a default level, which matches packets that have an unknown or unconfigured
type. See the example configurations included and the icmplog(8) and
tcplog(8) manual pages for more information.

Log entries contain the source and type (icmplog) or destination port
(tcplog) of the received packet. If a packet is of an unknown type, its
numeric value is logged instead of its name. The source is logged
either as a hostname or as an IP address (see the -n option). Typical
entries look like:

Jun 16 17:47:30 lustre icmplog: started
Jun 16 17:47:31 lustre tcplog: started
Jun 16 18:54:14 lustre icmplog: time exceeded from sunsite.unc.edu
Jun 16 18:56:14 lustre tcplog: port 1039 request from ftp.cs.umn.edu
Jun 16 19:47:24 lustre icmplog: destination unreachable from 209.39.121.4

The INSTALL file contains detailed installation instructions. Read the
icmplog(8), icmplog.conf(5), tcplog(8) and tcplog.conf(5) manual pages, and
the example configuration files (icmplog.conf and tcplog.conf) for
more information on setting up and using jail.

jail was originally based on the iplogger package, but offers greater
configurability and better options. It bears very little resemblance to
the original program now.

jail is distributed under the Artistic License (a copy of which is included
in the distribution) and comes with no warranty, express or implied. If it
breaks...well, keep the pieces.

Host enumeration is the act of determining the IP address of potential targets on a network. This can be done in both layer 2 and layer 3. Icmpenum project can send ICMP traffic for such enumeration.

The ICMP packets supported are: Echo, Timestamp, Information and Netmask. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is great for enumerating networks which allow ICMP traffic.

fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.
fwsnort accepts command line arguments to restrict processing to any particular class of snort rules such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific snort rule as identified by its "snort id" or "sid".
fwsnort utilizes the iptables string match module (together with a custom patch that adds a --hex-string option to the iptables user space code) to detect application level signatures.
fwsnort (optionally) makes use of the IPTables::Parse module (to be submitted to CPAN) to translate snort rules for which matching traffic could potentially be passed through the existing iptables ruleset.
Main features:
- Detection for tcp syn, fin, null, and xmas scans as well as udp scans.
- Detection of many signature rules from the snort intrusion detection system.
- Forensics mode iptables logfile analysis (useful as a forensics tool for extracting scan information from old iptables logfiles).
- Passive operating system fingerprinting via tcp syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses iptables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
- Email alerts that contain tcp/udp/icmp scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
- Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
- Icmp type and code header field validation.
- Configurable scan thresholds and danger level assignments.
- Iptables ruleset parsing to verify "default drop" policy stance.
- IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
- DShield alerts.
- Auto-blocking of scanning IP addresses via iptables and/or tcpwrappers based on scan danger level. (This is NOT enabled by default.)
- Status mode that displays a summary of current scan information with associated packet counts, iptables chains, and danger levels.
Enhancements:
- This is a major update to add the ability to send packets that match content or uricontent criteria to userspace via the iptables QUEUE or NFQUEUE targets.
- This can be used to speed up snort_inline IPS.
- A fwsnort mailing list was added.
- A bug was fixed to remove any existing jump rules from the built-in INPUT, OUTPUT, and FORWARD chains before creating a new jump rules.
- This allows the fwsnort.sh script to be executed multiple times without creating a new jump rule in the fwsnort chains for each execution.

POE::Component::Client::Ping is a non-blocking ICMP ping client.

SYNOPSIS

use POE qw(Component::Client::Ping);

POE::Component::Client::Ping->spawn(
Alias => "pingthing", # defaults to "pinger"
Timeout => 10, # defaults to 1 second
Retry => 3, # defaults to 1 attempt
OneReply => 1, # defaults to disabled
Parallelism => 20, # defaults to undef
BufferSize => 65536, # defaults to undef
AlwaysDecodeAddress => 1, # defaults to 0
);

sub some_event_handler {
$kernel->post(
"pingthing", # Post the request to the "pingthing" component.
"ping", # Ask it to "ping" an address.
"pong", # Have it post an answer as a "pong" event.
$address, # This is the address we want to ping.
$timeout, # Optional timeout. It overrides the default.
$retry, # Optional retries. It overrides the default.
);
}

# This is the sub which is called when the session receives a "pong"
# event. It handles responses from the Ping component.
sub got_pong {
my ($request, $response) = @_[ARG0, ARG1];

my ($req_address, $req_timeout, $req_time) = @$request;
my ($resp_address, $roundtrip_time, $resp_time, $resp_ttl) = @$response;

# The response address is defined if this is a response.
if (defined $resp_address) {
printf(
"ping to %-15.15s at %10d. pong from %-15.15s in %6.3f sn",
$req_address, $req_time,
$resp_address, $roundtrip_time,
);
return;
}

# Otherwise the timeout period has ended.
printf(
"ping to %-15.15s is done.n", $req_address,
);
}

or

use POE::Component::Client::Ping ":const";

# Post an array ref as the callback to get data back to you
$kernel->post("pinger", "ping", [ "pong", $user_data ]);

# use the REQ_USER_ARGS constant to get to your data
sub got_pong {
my ($request, $response) = @_[ARG0, ARG1];
my $user_data = $request->[REQ_USER_ARGS];
...;
}

Icmpenum sends ICMP traffic to potential targets on a network.
Introduction:
Host enumeration is the act of determining the IP address of potential targets on a network. This can be done in both layer 2 and layer 3. Icmpenum sends ICMP traffic for such enumeration. The ICMP packets supported are: Echo, Timestamp, Information and Netmask. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is great for enumerating networks which allow ICMP traffic.
Installation:
1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).
2. Install the latest Libnet (http://www.packetfactory.net/libnet/).
3. Compile icmpenum as follows:
gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap
4. Copy icmpenum to your fave directory and (as root) start enumerating.
Usage:
Running icmpenum -h gives you the following screen:
# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
opts are h n p r v
-h this help screen
-n no sending of packets
-p promiscuous receive mode
-r receiving packets only (no
-v verbose
-c class C in x.x.x.0 form
-i icmp type to send/receive, types include the following:
1 echo/echo reply (default)
2 timestamp request/reply
3 info request/reply
-d device to grab local IP or sniff from, default is eth0
-s spoofed source address
-t time in seconds to wait for all replies (default 5)
host(s) are target hosts (ignored if using -c)
Examples:
Here are some example uses of icmpenum to enumerate hosts.
Example 1:
[Host1]# icmpenum 192.168.1.1 192.168.1.2
This will use the default of Echo packets to try and determine if
192.168.1.1 and 192.168.1.2 are up and running.
Example 2:
[Host1]# icmpenum -i 2 -v 192.168.100.100 192.168.100.200
This will enumerate the two hosts using Timestamp packets in
verbose mode.
Example 3:
[Host1]# icmpenum -i 3 -s 10.10.10.10 -p -v 192.168.1.1 192.168.1.2
This will enumerate hosts 192.168.1.1 and 192.168.1.2 using
Information packets with a spoofed address of 10.10.10.10, since our real address is 10.10.10.11 we use the -p option to listen for the replies.
Here are some more advanced uses of icmpenum.
Example 4:
Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that the network 1.1.1.0 has potential hosts to enumerate, we use the following two entries to enumerate with Information packets:
[Host2]# icmpenum -r -t 30 -i 3 -c 1.1.1.0
[Host1]# icmpenum -s 7.7.7.7 -i 3 -c 1.1.1.0
Host2 starts first in receive mode with a timeout of 30 seconds and starts listening for Information packets from the 1.1.1.0 network. Then Host1 starts sending spoofed packets with Host2 as the source address, sending exactly what Host2 is listening for. It should be noted that this is hardly stealthy, as logs at 1.1.1s site could have 7.7.7.7s address all over them, but the -r function is good for testing.
Example 5:
Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that Host2 can sniff traffic between 1.1.1.0 and 2.2.2.0, we use the following entries to enumerate the 1.1.1.0 network:
[Host2]# icmpenum -t 20 -n -p -i 2 -c 1.1.1.0
[Host1]# icmpenum -s 2.2.2.2 -i 2 -c 1.1.1.0
Host2 starts first with a timeout of 20 seconds, makes sure not to send the packets with the -n option, listens promiscuously for Timestamp packets from the 1.1.1.0 network. Host1 sends the exact packets Host2 is listening for with a 2.2.2.2 spoofed source address. Yes, one could simply replace the -n option in Host2s command line with -s 2.2.2.2 and do the same thing from one workstation, but were demonstrating a distributed concept.
Enhancements:
- I have added ICMP MASK (type 17 and 18) requests and replys. Simply use the -i 4 option on the command line, such as; icmpenum -i 4 -c 1.2.3.1 (sends ICMP MASK requests to the Class C range 1.2.3.1/24 and reports any system as.
- Due to the use of some older versions of Libnet and Libpcap. I can see problems for some people compiling this and hence have placed two statically linked versions within the tarball

Raw Socket Library provides a simple to use raw socket library with IPV6 support.
Raw Socket Library provides a simple mechanism to send raw socket packet using IPV4 and IPV6 using a simple struct.
It currently supports TCP, ICMP, UDP, and ICMPv6.
Enhancements:
- ARP has been added but not tested. More IP4 options can be changed at code time now.