What is TCP ping and how is it used

Sarath Pillai's picture
TCP Ping

There can be instances where a remote host, has blocked ICMP traffic towards it. Due to which you cant ping the host, to check its presence. In this kind of a situation, what you can do to check the host's presence is to telnet to a known port or to try making a TCP connection to the host.

Whenever you try to establish a TCP connection to the remote host, the remote host will either accept the connection or refuse the connection by sending a RST package. Even this information is more than enough to confirm the presence of the host.

So below two methods can be used to determine whether the host is online or not, whenever PING is disabled or blocked.

  • A TCP connection to, well known publicly available ports like http,ftp,ssh etc.
  • A connection refused error with a RST package.

Lets use two machine's to test this by disabling PING on them.

 

Related: How does TCP Three way Handshake work

 

How to disable PING on Linux?

 

You can disable all ICMP traffic on a linux machine, by the following method.

[root@slashroot2 ~]# echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
[root@slashroot2 ~]#

An important thing to note in the above method is that, its only temporary.(In fact anything you modify on inside /proc will only stay until the reboot.)

To make that permanent, you need to add the below line in /etc/sysctl.conf file

 net.ipv4.conf.icmp_echo_ignore_all = 1

Doing a TCPDUMP on the machine, with icmp disabled will show you only echo_requests, because all ICMP request are ignored by the machine(No reply of any kind, so there is no mechnism to know whether its dropped or not).

[root@slashroot2 ~]# tcpdump -v icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
02:50:51.827077 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.102 > 192.168.0.103: ICMP echo request, id 34826, seq 11, length 64
02:50:52.827101 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.102 > 192.168.0.103: ICMP echo request, id 34826, seq 12, length 64
02:50:53.826859 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.102 > 192.168.0.103: ICMP echo request, id 34826, seq 13, length 64


How to check whether a host is alive with TCP?

 

 

As mentioned before you can use, TCP to check the host's presence without using ICMP ping. This can be done, using multiple tools, We will see them one by one.

Hping is a very big tool, out there for linux. This tool can be used to send custom TCP packets to remote host with desired flags to analyse the reply. This can be a good testing tool that can be used against your firewall configuration. I will be doing a dedicated post on hping tool, as it requires special attention.

 

So now lets check the host's presence with the help of TCP and hping.

[root@slashroot1 ~]# hping -S -p 80 192.168.0.103
HPING 192.168.0.103 (eth0 192.168.0.103): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.8 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=1.5 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=5840 rtt=2.2 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=5840 rtt=1.2 ms

 

Let's have a look at the tcpdump output at the host with PING disabled.

[root@slashroot2 ~]# tcpdump -i eth0 -s0 host 192.168.0.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:13:11.708350 IP 192.168.0.102.instantia > 192.168.0.103.http: S 1718487905:1718487905(0) win 512
03:13:11.730329 IP 192.168.0.103.http > 192.168.0.102.instantia: S 1566252172:1566252172(0) ack 1718487906 win 5840 <mss 1460>
03:13:11.708587 IP 192.168.0.102.instantia > 192.168.0.103.http: R 1718487906:1718487906(0) win 0
03:13:12.709646 IP 192.168.0.102.nessus > 192.168.0.103.http: S 1845389890:1845389890(0) win 512
03:13:12.709815 IP 192.168.0.103.http > 192.168.0.102.nessus: S 1576213111:1576213111(0) ack 1845389891 win 5840 <mss 1460>
03:13:12.710429 IP 192.168.0.102.nessus > 192.168.0.103.http: R 1845389891:1845389891(0) win 0

If you observe the TCPDUMP output, you will be able to see that, a SYN request (shown with "S" flag in Tcpdump output) and a Reset request(shown with "R" flag in tcpdump output), both are send by our requesting host(The host from where we send the tcp ping with hping).

 

Related: TCPDUMP command Examples in Linux

 

Hping is sending a reset packet just after the syn, as it does not need the connection to be fully established.

Another utility that can be used to check the presence of the host, when ping is disabled is tcping. This utility can be easily installed if you have rpmforge repo enabled.

Lets see its usage.

[root@slashroot1 ~]# tcping 192.168.0.103 80
192.168.0.103 port 80 open.
[root@slashroot1 ~]#

 

The famous NMAP tool can also be used to check the host aliveness by using TCP. NMAP does this by simply sending a TCP ACK packet to the host(For which a RST packet will be send back by the remote host).

-PT option available in NMAP can be used for TCP PING. An ACK packet is send to 80 port by default when -PT flag is used with NMAP.

 

[root@slashroot1 yum.repos.d]# nmap -PT 192.168.0.103
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2013-01-15 14:18 IST
Interesting ports on 192.168.0.103:
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
MAC Address: 08:00:27:55:D1:CC (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

 

If you want to specify a particular port with -PT option for tcp ping, then you can do that as shown below.

[root@slashroot1 yum.repos.d]# nmap -PT443 192.168.0.103
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2013-01-15 14:20 IST
Interesting ports on 192.168.0.103:
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https

 

 

How to block tcp ping?

You can easily block tcp ping from nmap using a stateful firewall like iptables. As i told before, tcpping in nmap works by sending an ACK packet, for which a RST packet is send back by the host.

 

Now this ACK packet send is not, part of any previously made connection to the host. Such kind of packets can be blocked by iptables very easily.

 

How to monitor a ping and icmp disabled host?

The above mentioned methods, are easy for humans to detect the presence of the host. But monitoring a remote host, 24x7 for alerts, and issues which has ping disabled can be done in another way.

Am talking about monitoring tools like nagios. These tools, by default check the aliveness of the host with the help of ping.

 

However you can also use tcp ping to check the aliveness of the host with nagios. A readily made plugin is available to do the job.(You dont need nagios to be installed to check and test the plugin).

[root@slashroot1 plugins]# ./check_tcp 192.168.0.103 -p 80
TCP OK - 0.003 second response time on port 80|time=0.002949s;;;0.000000;10.000000

 

check_tcp plugin comes by default with nagios-plugins package. This can be used to check tcp connection to any required port.

You need to have check_command ‘check_tcp -p 80′, inside the host template, to monitor the host aliveness with tcp_ping.

I will be starting to document nagios and its configuration in our documentation section, very soon.

Rate this article: 
Average: 3.7 (707 votes)

Comments

When checking hosts from a corporate network, i often find i'm limited by firewall rules. A great online version of the ICMP Ping to overcome those firewall imposed rules can be found here: http://www.letmecheck.it/ping.php

They even have a TCP Ping alternative: http://www.letmecheck.it/tcp-ping.php

How to block tcp ping through iptables? Please, show us any example. Thanks!

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.