What is TCP ping and how is it used?
There can be instances where a remote host has blocked ICMP traffic towards it, so you cannot ping it to check whether it is up. In that situation you can instead telnet to a known port, or more generally try to make a TCP connection to the host.
Whenever you try to establish a TCP connection to a remote host, the host will either accept the connection (replying with a SYN/ACK) or refuse it by sending a RST packet. Either reply is enough to confirm that the host is present. Only silence, when neither comes back, leaves the question open: that usually means a firewall dropped the SYN, and TCP cannot tell a dropped packet from a host that is down.
So either of the two results below proves that a host is online when PING is disabled or blocked.
- A successful TCP connection to a well-known, publicly available port such as http, ftp or ssh.
- A "connection refused" error, which means the host answered the SYN with a RST packet.
Let's use two machines to test this, after disabling PING on the target.
How to disable PING on Linux?
You can make a Linux machine ignore all ICMP echo requests with the following command (it affects echo requests only, not other ICMP types).
[root@slashroot2 ~]# echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
[root@slashroot2 ~]#
An important thing to note about the above method is that it is only temporary (in fact anything you modify under /proc/sys only lasts until the next reboot).
To make it permanent, add the line below to /etc/sysctl.conf and load it with sysctl -p. Note the key name: it is net.ipv4.icmp_echo_ignore_all, with no conf. component.
net.ipv4.icmp_echo_ignore_all = 1
Running tcpdump on the machine with echo requests ignored will show you only the incoming echo requests; the kernel sends no reply of any kind, so from the sender's side this is indistinguishable from the requests being dropped by a firewall.
[root@slashroot2 ~]# tcpdump -v icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
02:50:51.827077 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.102 > 192.168.0.103: ICMP echo request, id 34826, seq 11, length 64
02:50:52.827101 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.102 > 192.168.0.103: ICMP echo request, id 34826, seq 12, length 64
02:50:53.826859 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.102 > 192.168.0.103: ICMP echo request, id 34826, seq 13, length 64
How to check whether a host is alive with TCP?
As mentioned before, you can use TCP to check for the host's presence without ICMP ping. Several tools can do this; we will look at them one by one.
Hping is a packet-crafting tool for Linux. It can send custom TCP packets to a remote host with whatever flags you choose, so that you can analyse the reply, which also makes it a good tool for testing your firewall configuration. I will be doing a dedicated post on hping, as it deserves special attention.
So now let's check the host's presence with TCP and hping, sending a SYN to port 80 (-S sets the SYN flag, -p selects the destination port).
[root@slashroot1 ~]# hping -S -p 80 192.168.0.103
HPING 192.168.0.103 (eth0 192.168.0.103): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.8 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=1.5 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=5840 rtt=2.2 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=5840 rtt=1.2 ms
Let's have a look at the tcpdump output at the host with PING disabled.
[root@slashroot2 ~]# tcpdump -i eth0 -s0 host 192.168.0.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:13:11.708350 IP 192.168.0.102.instantia > 192.168.0.103.http: S 1718487905:1718487905(0) win 512
03:13:11.730329 IP 192.168.0.103.http > 192.168.0.102.instantia: S 1566252172:1566252172(0) ack 1718487906 win 5840 <mss 1460>
03:13:11.708587 IP 192.168.0.102.instantia > 192.168.0.103.http: R 1718487906:1718487906(0) win 0
03:13:12.709646 IP 192.168.0.102.nessus > 192.168.0.103.http: S 1845389890:1845389890(0) win 512
03:13:12.709815 IP 192.168.0.103.http > 192.168.0.102.nessus: S 1576213111:1576213111(0) ack 1845389891 win 5840 <mss 1460>
03:13:12.710429 IP 192.168.0.102.nessus > 192.168.0.103.http: R 1845389891:1845389891(0) win 0
If you look at the tcpdump output you can see three packets for each probe: a SYN (shown with the "S" flag) sent by our requesting host 192.168.0.102, a SYN/ACK ("S ... ack") returned by 192.168.0.103 because port 80 is open, and then a reset ("R") sent by the requesting host. The SYN/ACK is what hping reports as flags=SA; against a closed port you would see flags=RA instead, and either answer proves the host is up.
The reset is not sent by hping itself. hping builds the SYN with a raw socket, so the kernel of the requesting host has no record of that connection; when the SYN/ACK arrives for a connection it does not know about, the kernel answers with a RST. That suits hping, which never needed the connection to be fully established.
Another utility that can check for the presence of a host when ping is disabled is tcping. It installs easily if you have the rpmforge repository enabled.
Let's see its usage.
[root@slashroot1 ~]# tcping 192.168.0.103 80
192.168.0.103 port 80 open.
[root@slashroot1 ~]#
The famous NMAP tool can also check host aliveness with TCP. NMAP does this by sending a TCP ACK packet to the host; an ACK that belongs to no existing connection is answered with a RST whether the port is open or closed, which is enough to show the host is up.
The -PT option selects this TCP ping in NMAP; by default the ACK is sent to port 80. -PT is the older spelling of the option and is accepted by the 4.x release used here; current NMAP documents the same probe as -PA (and -PS for a SYN probe). One caveat: when NMAP runs as root against a target on the same Ethernet segment, as in these examples (note the MAC Address line), it uses ARP for host discovery regardless of the -P option, so add --send-ip to force the TCP probe, or test across a router. Once the host is found, NMAP goes on to its normal port scan, which is what the output below shows.
[root@slashroot1 yum.repos.d]# nmap -PT 192.168.0.103

Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2013-01-15 14:18 IST
Interesting ports on 192.168.0.103:
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
MAC Address: 08:00:27:55:D1:CC (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
If you want to send the TCP ping to a particular port, append it to the -PT option as shown below.
[root@slashroot1 yum.repos.d]# nmap -PT443 192.168.0.103

Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2013-01-15 14:20 IST
Interesting ports on 192.168.0.103:
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
How to block tcp ping?
You can easily block tcp ping from nmap using a stateful firewall like iptables. As explained above, the TCP ping in nmap works by sending an ACK packet, for which a RST packet is sent back by the host.
That ACK is not part of any connection previously established with the host. A stateful firewall tracks connections, so it can recognise a TCP packet that belongs to no known flow and drop it before the kernel answers with a RST. Two points matter in practice: the rules must DROP rather than REJECT, because a REJECT sends the RST or ICMP error that proves the host is alive; and SYN probes such as hping -S, tcping or nmap -PS to a port you really expose will still get a SYN/ACK, so the firewall can only hide closed ports and stray ACKs, never an open service.
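As an added example, not part of the original article, here is an iptables ruleset that does this. It is a script I wrote for this page; it assumes iptables with the conntrack match (any modern Linux) and root privileges when run with "apply". The script name, the rule_count helper and the default port list are my own, and 22 is only a placeholder for whatever services the host really exposes.

```shell
#!/bin/sh
# Added example, not from the original article: iptables rules that stop a
# host from answering TCP pings.  With no argument it prints the rules for a
# host exposing ssh only; "apply PORT..." loads them (needs root and iptables
# built with the conntrack match, as on any modern Linux).

# tcp_ping_rules PORT...  prints one iptables command per line, in order.
tcp_ping_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    # Packets belonging to connections already accepted, or that this host
    # opened itself.
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot place in any connection.  With
    # net.netfilter.nf_conntrack_tcp_loose=0 this alone catches the bare ACK
    # sent by "nmap -PT"/"-PA"; with the default tcp_loose=1 the kernel picks
    # that ACK up as a NEW mid-stream connection, so the next rule is needed.
    echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
    # A TCP packet that starts a NEW connection must be a pure SYN.  A bare
    # ACK is NEW but not SYN: dropped silently, so no RST goes back.
    echo 'iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    # The services really exposed.  A SYN to these ports still gets a SYN/ACK;
    # a firewall cannot hide an open port, only closed ones and stray ACKs.
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --syn --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else, including SYNs to closed ports from hping -S, tcping or
    # nmap -PS, is DROPped.  Never REJECT here: a REJECT sends the RST or ICMP
    # error that proves the host is alive.
    echo 'iptables -P INPUT DROP'
}

# rule_count PORT...  number of commands tcp_ping_rules would run
rule_count() {
    tcp_ping_rules "$@" | wc -l | tr -d ' '
}

case $1 in
    apply) shift; tcp_ping_rules "$@" | sh -e ;;   # e.g. ./no-tcp-ping.sh apply 22 443
    "")    tcp_ping_rules 22 ;;                    # dry run, ssh only
    *)     tcp_ping_rules "$@" ;;                  # dry run with your own port list
esac
```

Verify from another machine with nmap -PA80 --send-ip 192.168.0.103 (or hping -S -p 23 192.168.0.103): the target should now appear down, while a SYN to port 22 still answers. The script flushes and rebuilds INPUT each time and leaves OUTPUT and FORWARD alone, so any other INPUT rules you depend on must be added into it.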
How to monitor a ping and icmp disabled host?
The methods above are handy when a human wants to check that a host is present, but monitoring a host with ping disabled 24x7 for alerts and issues needs a different approach.
I am talking about monitoring tools like nagios. By default these tools check the aliveness of a host with ping.
However you can also use tcp ping to check aliveness with nagios; a ready-made plugin does the job (you do not need nagios installed to test the plugin).
[root@slashroot1 plugins]# ./check_tcp 192.168.0.103 -p 80
TCP OK - 0.003 second response time on port 80|time=0.002949s;;;0.000000;10.000000
The check_tcp plugin ships with the nagios-plugins package and can check a TCP connection to any port you need.
To monitor host aliveness with tcp ping, the host template needs a check_command that runs check_tcp against port 80. In nagios a check_command refers to a defined command by name, with arguments separated by "!": with a command definition whose command_line is $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$, the host template uses check_command check_tcp!80.
I will be starting to document nagios and its configuration in our documentation section very soon.
Comments
Very complete article!
When checking hosts from a corporate network, I often find I'm limited by firewall rules. A great online version of the ICMP Ping to overcome those firewall-imposed rules can be found here: http://www.letmecheck.it/ping.php
They even have a TCP Ping alternative: http://www.letmecheck.it/tcp-ping.php
How to block tcp ping through iptables?
How to block tcp ping through iptables? Please, show us any example. Thanks!