Narrowing down the cause of ICMP traffic

Most StackOverflow questions which cover narrowing down the source of traffic on a machine deal with TCP or UDP. There are a few for other protocols, but ICMP isn't one that I saw much coverage on.

So let's say we are made aware that there is some odd ICMP traffic on our local machine. To lab this up, we'll start a ping to something (# ping 8.8.8.8). Now we can monitor this traffic with tcpdump icmp -vvv.

root@kali:~# tcpdump icmp -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:15.947860 IP (tos 0x0, ttl 64, id 14809, offset 0, flags [DF], proto ICMP (1), length 84)
    kali > google-public-dns-a.google.com: ICMP echo request, id 13507, seq 359, length 64
09:02:15.968925 IP (tos 0x0, ttl 128, id 20191, offset 0, flags [none], proto ICMP (1), length 84)
    google-public-dns-a.google.com > kali: ICMP echo reply, id 13507, seq 359, length 64

The netstat -peanut command will give you active TCP and UDP connections. We want to go down a layer and see ICMP traffic though. In this case we want the -w flag (--raw), as ICMP traffic shows up in netstat as a raw socket. (peanut is just easy to remember; the important flag here is the -w. Familiarize yourself with the rest at your leisure.)

netstat -peanutw

root@kali:~# netstat -peanutw
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
[...SNIP...]       
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           0          87829      13638/ping  

At this point, we can see the process ID (PID) is 13638. We can use ps -aux | grep 13638 to find this process, and see what process is creating this traffic.

root@kali:~# ps -aux | grep 13638
root      13638  0.0  0.0  12448   868 pts/1    S+   09:09   0:00 ping 8.8.8.8

Another useful netstat option before we move on is the -s flag, which shows per-protocol statistics. Piping it through grep ICMP leaves only the ICMP counters. Run it a few times and watch the messages sent/received grow.

netstat -s | grep ICMP

root@kali:~# netstat -s | grep ICMP
    743 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    747 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
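The counters netstat -s prints come from /proc/net/snmp. The script below, added here as an example and not part of the original post, reads the ICMP counters straight from that file and reports how much each one changed between two snapshots, which is the "run it a few times and watch it grow" check done mechanically. The two snapshot strings are constructed sample data in the /proc/net/snmp layout (using a subset of the real field list, seeded with the 743/747 totals from the post); the counter names InMsgs, OutMsgs, InEchoReps, OutEchos and InDestUnreachs are real fields of that file.

```shell
#!/bin/sh
# Added example (not from the original post): read the ICMP counters behind
# "netstat -s" from /proc/net/snmp and compute the change between two snapshots.
# /proc/net/snmp carries each group as a pair of lines: "Icmp:" followed by the
# field names, then "Icmp:" followed by the values. The "IcmpMsg:" lines are
# a separate group and are ignored here.

# Print the value of ICMP counter $1 (e.g. InMsgs, OutMsgs, InDestUnreachs)
# from /proc/net/snmp-format text on stdin.
icmp_counter() {
    awk -v name="$1" '
        $1 == "Icmp:" && !seen_header { for (i = 2; i <= NF; i++) if ($i == name) col = i; seen_header = 1; next }
        $1 == "Icmp:" && col           { print $col; exit }
    '
}

# Difference of counter $1 between snapshot text $2 (before) and $3 (after).
# A counter missing from a snapshot counts as 0.
icmp_delta() {
    before=$(printf '%s\n' "$2" | icmp_counter "$1")
    after=$(printf '%s\n' "$3" | icmp_counter "$1")
    echo $(( ${after:-0} - ${before:-0} ))
}

# Two constructed snapshots in /proc/net/snmp layout (subset of the real fields),
# seeded with the post's totals (743 received, 747 sent) and a later sample
# taken after a few more echo requests and replies.
SNAP_BEFORE='Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InEchos InEchoReps OutMsgs OutErrors OutDestUnreachs OutEchos OutEchoReps
Icmp: 743 0 0 2 0 741 747 0 0 747 0
IcmpMsg: InType0 InType3 OutType8
IcmpMsg: 741 2 747'
SNAP_AFTER='Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InEchos InEchoReps OutMsgs OutErrors OutDestUnreachs OutEchos OutEchoReps
Icmp: 751 0 0 2 0 749 755 0 0 755 0
IcmpMsg: InType0 InType3 OutType8
IcmpMsg: 749 2 755'

echo "Echo requests sent between the constructed snapshots: $(icmp_delta OutEchos "$SNAP_BEFORE" "$SNAP_AFTER")"
echo "Echo replies received between the constructed snapshots: $(icmp_delta InEchoReps "$SNAP_BEFORE" "$SNAP_AFTER")"

# Live use: sample the real file twice, a second apart, and report what grew.
if [ -r /proc/net/snmp ]; then
    live1=$(cat /proc/net/snmp); sleep 1; live2=$(cat /proc/net/snmp)
    for c in InMsgs InEchos InEchoReps InDestUnreachs OutMsgs OutEchos OutEchoReps OutDestUnreachs; do
        echo "$c +$(icmp_delta "$c" "$live1" "$live2")"
    done
fi
```

A steady climb in OutEchos with a matching InEchoReps is a ping loop like the lab one; a climb in OutDestUnreachs with nothing else moving usually points at something on the box being probed rather than something the box is sending.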

One more way to find the process ID, because having multiple methods is useful. According to the StackOverflow question linked below, you can use lsof and look for a connection state of 07 (st=07).

lsof -n | grep -i st=07

root@kali:~# lsof -n | grep -i st=07
NetworkMa   522             root   18u     raw6                         0t0      86248 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
gmain       522   621       root   18u     raw6                         0t0      86248 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
gdbus       522   623       root   18u     raw6                         0t0      86248 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
ping      13638             root    3u      raw                         0t0      87829 00000000:0001->00000000:0000 st=07
ping      13638             root    4u     raw6                         0t0      87831 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07

Again, if we look closely here, we can see our raw connection with a PID of 13638. The same ps -aux command we used above will give us the process that is creating this traffic.
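Both netstat -w and lsof are reading the same kernel table, /proc/net/raw, and tying its inode column to the socket:[inode] symlinks under /proc/<pid>/fd. The script below, added here as an example and not part of the original post, does that mapping by hand so you can see where the "0.0.0.0:1", "State 7" and "st=07" values in the two outputs above come from: the port half of local_address in /proc/net/raw is the IP protocol number (0001 = ICMP) and st is the socket state. The sample table is constructed data in the /proc/net/raw layout that reuses the inode 87829 from the post; everything else is the file format as the kernel writes it. Like netstat -p and lsof, the fd scan only sees other users' processes when run as root.

```shell
#!/bin/sh
# Added example (not from the original post): find which process owns an ICMP
# raw socket the way netstat -w and lsof do, by reading /proc/net/raw and
# matching socket inodes against /proc/<pid>/fd. In /proc/net/raw the "port"
# half of local_address is the IP protocol number (0001 = ICMP), st is the
# socket state (07, the value lsof prints), and the inode column is the link
# to a process's file descriptor table.

# Read /proc/net/raw-format text on stdin and print "inode uid state" for
# every raw socket bound to IP protocol $1 (four hex digits, 0001 for ICMP).
raw_sockets_for_proto() {
    awk -v proto="$1" 'NR > 1 {
        split($2, local, ":")                        # local_address is addr:proto
        if (local[2] == proto) print $10, $8, $4     # inode, uid, st
    }'
}

# Print the PIDs whose fd table holds socket inode $1. Needs root to look
# inside other users' processes, same as netstat -p and lsof.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
        fi
    done | sort -un
}

# Constructed sample in /proc/net/raw layout: an ICMP (0001) socket owned by
# uid 0 with inode 87829 (the inode from the post), plus a raw socket bound to
# protocol 0011 (UDP) owned by uid 1000 that the ICMP filter must ignore.
SAMPLE_RAW='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 87829 2 0000000000000000 0
   1: 00000000:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 91234 2 0000000000000000 0'

# Inodes of the ICMP raw sockets in the constructed sample.
sample_icmp_inodes() {
    printf '%s\n' "$SAMPLE_RAW" | raw_sockets_for_proto 0001 | awk '{ print $1 }'
}

echo "ICMP raw sockets in the constructed sample (inode uid st):"
printf '%s\n' "$SAMPLE_RAW" | raw_sockets_for_proto 0001

# Live run: list the ICMP raw sockets on this box and the PIDs holding them.
if [ -r /proc/net/raw ]; then
    echo "Live ICMP raw sockets:"
    raw_sockets_for_proto 0001 < /proc/net/raw | while read -r inode uid st; do
        echo "inode=$inode uid=$uid st=$st pids: $(pids_for_inode "$inode" | tr '\n' ' ')"
    done
fi
```

With the lab ping running as root, the live section prints the same inode that netstat and lsof showed next to PID 13638, and the ps lookup from earlier finishes the job. A raw ICMP socket whose inode maps to no PID at all is worth a second look: the process either exited between the two reads or is hidden from the user running the scan.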

StackOverflow Question: http://stackoverflow.com/questions/23327689/identify-the-pid-of-process-which-is-transmitting-icmp-packets

BBK

Infosec analyst, lover of passwords, and owner of a giant goofy puppy.
