One of the most basic network diagnostic tools, Ping simply sends out Internet Control Message Protocol (ICMP) echo requests and waits for replies. Ping is used to test network connectivity, but it can also be used in a few other ways, as you’ll see.
First, let’s talk about some of Ping’s more important command-line options. Many different Ping implementations are available, but most of the Unix-based Ping utilities share similar options. The main differences lie between Unix and Windows Ping utilities, as shown in Table 14-1.
Table 14-1. Ping command-line options

| Option | Explanation |
|---|---|
| -c <count> (Unix) | Number of echo requests to send. |
| -f (Unix) | Flood Ping, which sends out as many Pings as fast as it can. Prints a dot (.) for each request it sends out and a backspace (^H) for every reply it receives. Provides a visual method of seeing how many packets you're dropping. Also a good way to eat up bandwidth! Only the superuser can use this option. |
| -f (Windows) | Sets the Don't Fragment flag in the IP header of the echo request. |
| -i <wait> (Unix) | Waits this number of seconds between Pings (default is 1). |
| -m <TTL> (Unix) | Specifies the TTL value, which indicates how many hops (intermediate routers) the packet may travel before it is discarded. |
| -v <TOS> (Windows) | Specifies the Type of Service (TOS) value. The TOS flags tell IP stacks how they should handle certain packets. TOS is specified as a 4-bit number where 1 = minimize monetary cost, 2 = maximize reliability, 4 = maximize throughput, and 8 = minimize delay. |
| -n (Unix) | The -n option in Unix tells Ping not to look up names for IP addresses (i.e., numeric output only). The -a option in Windows tells Ping that it should look up names for IP addresses. Unix and Windows Ping utilities handle name resolution differently by default. |
| -p <pattern> (Unix) | Lets you pad the header of the ICMP packet you're sending with a specific data pattern to see if you get that same data pattern back in return. |
| -q (Unix) | Doesn't display the individual Pings, only the summary at program termination. |
| -R (Unix) | Sets the "record route" option in the ICMP packet (the Windows equivalent takes a count of hops to record). If routers pay attention to this option, they'll record the route the packet takes in the IP options, and Ping displays it when it receives the response packet. Just as most routers ignore source routing options, they ignore this option as well. |
| -j <hostlist> (Windows) | Use loose source routing to force the packet to pass through the specified hosts. |
| -k <hostlist> (Windows) | Use strict source routing to force the packet to pass through the exact route specified in the host list. |
| -s <size> (Unix) | Lets you specify the size of the ICMP packet. An ICMP header is 8 bytes long, so your actual packet will be size + 8 bytes. 56 bytes is the default size for Unix, 24 for Windows. This translates to 64 and 32 bytes, respectively, when you figure in the 8-byte ICMP header. |
| -w <wait> (Unix) | Stop Pinging the host after wait seconds. |
| -w <timeout> (Windows) | Wait timeout milliseconds before giving up on a Ping request. |
Abusing Ping I: Ping of Death

No doubt you've heard of this technique. A Ping of Death is when you send a Ping packet that is larger than 65,536 bytes. Even though IP won't support datagrams larger than this size, fragmentation can allow someone to send a Ping larger than 65,536 bytes, and when it's reassembled on the receiving side, it can crash the receiving machine. It's not really a bug in Ping, per se, but rather a problem with the way IP deals with reassembling fragmented packets.
A lot of Ping utilities won't let you send packets this large, but Windows 95 and versions of NT will. Some operating systems will recognize a Ping of Death and simply ignore it (they won't process it). For other systems, the only protection against this is using port filters or firewalls on external gateways that block incoming ICMP altogether or at least ICMP packets of a certain size.
Abusing Ping II: Smurfing

A neat trick you can do on your own LAN is to try to Ping your broadcast address. For example, if your IP address is 192.168.1.100 and your netmask is 255.255.255.0, you're on a 192.168.1.0 network with a broadcast address of 192.168.1.255. If you attempt to Ping 192.168.1.255 (on some systems you have to use a -b flag and have root privileges), you might get ICMP echo replies from every host on your LAN. This is useful in quickly determining what other hosts are working around you.
Problem is, this can be used to do some very bad things—smurfing, in particular. This popular Denial-of-Service (DoS) attack surfaced when people started realizing how much network traffic could be generated by Pinging a network's broadcast address. Large class B networks (with more than 65,000 hosts) would all respond with ICMP echo replies back to the Pinging host. Now, obviously, you wouldn't want to do this to yourself; the flood of echo replies would kill your system. But what if you spoofed the IP address of the Pinging host? It's easy enough to do (see Chapter 1), and since you don't care about receiving any response from your Pings (heck, you don't want to receive a response!), you can direct all those echo replies at some other poor sap and crash his system.
What's the only defense? Systems shouldn't answer to broadcast Pings. Firewalls and routers can be configured not only to keep your machine from being the victim of a smurf but from participating in a smurf as well.
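The two defenses just described, filtering ICMP that would reassemble past the IP size limit and refusing echo requests aimed at the directed-broadcast address, come down to two arithmetic checks. The following is an added example, not code from the book, showing those checks the way a border filter or IDS rule would apply them. The packet records, the `classify_icmp` function and its verdict strings are constructed for this illustration; fragment offsets are given in 8-byte units exactly as the IP header carries them, and the network values are the ones from the smurf example above.

```python
import ipaddress

# The IP total-length field is 16 bits, so 65,535 bytes is the largest datagram
# a receiver can legitimately reassemble (the text above rounds this to 65,536).
IP_MAX_DATAGRAM = 65535


def broadcast_address(local_ip, netmask):
    """Derive the directed-broadcast address of the network containing local_ip."""
    net = ipaddress.IPv4Network(f"{local_ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def reassembled_length(fragments):
    """Highest byte that any fragment would write on reassembly.

    fragments is a list of (fragment_offset, payload_length) pairs, where
    fragment_offset is the IP header field in 8-byte units, as on the wire.
    """
    return max(offset * 8 + length for offset, length in fragments)


def classify_icmp(pkt, local_ip, netmask):
    """Verdict a border filter would give for one ICMP record (hypothetical format).

    pkt is a dict with type, dst and the IP fragments that carried it.
    Verdicts: 'drop:oversize', 'drop:broadcast', 'pass'.
    """
    # Ping of Death: fragments whose offsets push reassembly past the 16-bit limit
    if reassembled_length(pkt["fragments"]) > IP_MAX_DATAGRAM:
        return "drop:oversize"
    # Smurf amplification: echo requests aimed at the directed-broadcast address
    if pkt["type"] == "echo-request" and pkt["dst"] == broadcast_address(local_ip, netmask):
        return "drop:broadcast"
    return "pass"


# Constructed sample records (not captured traffic).
LOCAL_IP, NETMASK = "192.168.1.100", "255.255.255.0"
SAMPLE_PACKETS = [
    # ordinary unfragmented echo request: 8-byte ICMP header + 56 data = 64-byte IP payload
    {"type": "echo-request", "dst": "192.168.1.102", "fragments": [(0, 64)]},
    # echo request to the LAN's broadcast address
    {"type": "echo-request", "dst": "192.168.1.255", "fragments": [(0, 64)]},
    # last fragment at byte offset 65,528 (8191 * 8) carrying 20 bytes: reassembles to 65,548
    {"type": "echo-request", "dst": "192.168.1.102", "fragments": [(0, 1480), (8191, 20)]},
    # a normal echo reply coming back to us
    {"type": "echo-reply", "dst": "192.168.1.100", "fragments": [(0, 64)]},
]


def run_filter(packets=SAMPLE_PACKETS, local_ip=LOCAL_IP, netmask=NETMASK):
    """Apply classify_icmp to every record and return the list of verdicts."""
    return [classify_icmp(p, local_ip, netmask) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{pkt['type']:13} -> {pkt['dst']:15} {verdict}")
```

Note that the size check looks at where the fragments would land, not at the size of any single fragment: each piece of a Ping of Death is individually small and legal, which is why a filter that only inspects per-packet length misses it. The broadcast check is the router-side half of the smurf defense; the host-side half is the kernel setting that stops a machine answering broadcast echo requests at all.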
By default, Ping behaves differently in Windows than it does in Unix. Most Unix Pings will continue Pinging until you press CTRL-C. Windows Pings, on the other hand, by default send out four ICMP echo requests. You have to try ping -t if you want Windows to Ping forever until you kill it by pressing CTRL-BREAK or CTRL-C. Here's a typical Ping run from a Linux box:

```
%ping 192.168.1.102
PING 192.168.1.102 (192.168.1.102) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=0 ttl=128 time=1.9 ms
64 bytes from 192.168.1.102: icmp_seq=1 ttl=128 time=0.7 ms
64 bytes from 192.168.1.102: icmp_seq=2 ttl=128 time=1.3 ms
64 bytes from 192.168.1.102: icmp_seq=3 ttl=128 time=0.7 ms
64 bytes from 192.168.1.102: icmp_seq=4 ttl=128 time=1.3 ms
64 bytes from 192.168.1.102: icmp_seq=5 ttl=128 time=0.7 ms
64 bytes from 192.168.1.102: icmp_seq=6 ttl=128 time=1.3 ms

--- 192.168.1.102 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.7/1.1/1.9 ms
```
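When Ping output is collected by a script rather than read by eye, the per-reply lines carry more than the summary does: the sequence numbers tell you which requests went unanswered, and the TTLs tell you whether the replies all came down the same path. The following parser is an added example, not code from the book. It reads the Linux run shown above (reproduced here as the first sample) plus a second, constructed run with one dropped request, recomputes the min/avg/max that Ping prints, and reports the missing sequence numbers. The function names are this example's own; the regexes also accept the `rtt min/avg/max/mdev` summary wording that newer Linux Pings use.

```python
import re

# One reply line: "64 bytes from 192.168.1.102: icmp_seq=0 ttl=128 time=1.9 ms"
REPLY_RE = re.compile(
    r"^(?P<size>\d+) bytes from (?P<src>\S+): icmp_seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<rtt>[\d.]+) ms"
)
# Summary line; no end anchor because some Pings append ", time 6010ms"
SUMMARY_RE = re.compile(
    r"^(?P<sent>\d+) packets transmitted, (?P<recv>\d+) (?:packets )?received, "
    r"(?P<loss>\d+)% packet loss"
)
# "round-trip min/avg/max = 0.7/1.1/1.9 ms" or "rtt min/avg/max/mdev = ..."
RTT_RE = re.compile(
    r"^(?:round-trip|rtt) min/avg/max(?:/mdev)? = "
    r"(?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)"
)


def parse_ping_output(text):
    """Turn the text of one Unix Ping run into replies plus the summary figures."""
    result = {"replies": [], "sent": None, "received": None, "loss_pct": None, "rtt_ms": None}
    for line in text.splitlines():
        line = line.strip()
        if m := REPLY_RE.match(line):
            result["replies"].append(
                {"seq": int(m["seq"]), "ttl": int(m["ttl"]), "rtt": float(m["rtt"]), "src": m["src"]}
            )
        elif m := SUMMARY_RE.match(line):
            result["sent"] = int(m["sent"])
            result["received"] = int(m["recv"])
            result["loss_pct"] = int(m["loss"])
        elif m := RTT_RE.match(line):
            result["rtt_ms"] = (float(m["min"]), float(m["avg"]), float(m["max"]))
    return result


def rtt_stats(replies):
    """Recompute min/avg/max from the replies, rounded to 0.1 ms like Ping's own summary."""
    rtts = [r["rtt"] for r in replies]
    return (min(rtts), round(sum(rtts) / len(rtts), 1), max(rtts))


def missing_sequences(replies, sent):
    """Sequence numbers (0..sent-1) that never got a reply, i.e. where the loss happened."""
    seen = {r["seq"] for r in replies}
    return sorted(set(range(sent)) - seen)


def ttl_changed(replies):
    """True if replies arrived with differing TTLs, a hint that the path or responder changed."""
    return len({r["ttl"] for r in replies}) > 1


# Sample 1: the run shown in the text above.
LINUX_RUN = """\
PING 192.168.1.102 (192.168.1.102) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=0 ttl=128 time=1.9 ms
64 bytes from 192.168.1.102: icmp_seq=1 ttl=128 time=0.7 ms
64 bytes from 192.168.1.102: icmp_seq=2 ttl=128 time=1.3 ms
64 bytes from 192.168.1.102: icmp_seq=3 ttl=128 time=0.7 ms
64 bytes from 192.168.1.102: icmp_seq=4 ttl=128 time=1.3 ms
64 bytes from 192.168.1.102: icmp_seq=5 ttl=128 time=0.7 ms
64 bytes from 192.168.1.102: icmp_seq=6 ttl=128 time=1.3 ms

--- 192.168.1.102 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.7/1.1/1.9 ms
"""

# Sample 2: constructed run in which request 3 never came back and one reply took another path.
LOSSY_RUN = """\
PING 192.168.1.102 (192.168.1.102) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=0 ttl=128 time=1.0 ms
64 bytes from 192.168.1.102: icmp_seq=1 ttl=128 time=1.2 ms
64 bytes from 192.168.1.102: icmp_seq=2 ttl=127 time=3.8 ms
64 bytes from 192.168.1.102: icmp_seq=4 ttl=128 time=1.0 ms

--- 192.168.1.102 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 1.0/1.8/3.8 ms
"""

if __name__ == "__main__":
    for text in (LINUX_RUN, LOSSY_RUN):
        run = parse_ping_output(text)
        print("loss", run["loss_pct"], "% | missing seq", missing_sequences(run["replies"], run["sent"]),
              "| rtt", rtt_stats(run["replies"]), "| ttl changed", ttl_changed(run["replies"]))
```

Feed it the captured stdout of `ping -c <count>` (the `-c` option from Table 14-1 is what makes a Unix Ping terminate and print the summary without CTRL-C). Comparing `rtt_stats` against the parsed `rtt_ms` tuple is a cheap sanity check that the parser saw every reply line.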