Most StackOverflow questions about narrowing down the source of traffic on a machine deal with TCP or UDP. There are a few for other protocols, but ICMP isn't one I saw much coverage of.
So let's say we are made aware of some odd ICMP traffic on our local machine. To lab this up, we'll start a ping to something (# ping 126.96.36.199). Now we can monitor this traffic with tcpdump icmp -vvv.
root@kali:~# tcpdump icmp -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:15.947860 IP (tos 0x0, ttl 64, id 14809, offset 0, flags [DF], proto ICMP (1), length 84)
    kali > google-public-dns-a.google.com: ICMP echo request, id 13507, seq 359, length 64
09:02:15.968925 IP (tos 0x0, ttl 128, id 20191, offset 0, flags [none], proto ICMP (1), length 84)
    google-public-dns-a.google.com > kali: ICMP echo reply, id 13507, seq 359, length 64
The netstat -peanut command will give you active TCP and UDP connections. We want to go down a layer and see ICMP traffic, though. For that we need the -w flag (--raw), because ICMP traffic shows up in netstat as a raw socket. (peanut is just easy to remember: -p program, -e extended, -a all, -n numeric, -u UDP, -t TCP. The important flag here is -w; familiarize yourself with the rest at your leisure.)
root@kali:~# netstat -peanutw
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
[...SNIP...]
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           0          87829      13638/ping
At this point we can see the process ID (PID) is 13638. We can use ps -aux | grep 13638 to look up that PID and see which process is creating this traffic.
root@kali:~# ps -aux | grep 13638
root     13638  0.0  0.0  12448   868 pts/1    S+   09:09   0:00 ping 188.8.131.52
Another useful option before we move on from netstat is the -s flag, which shows per-protocol statistics. Piped through grep, it shows only the ICMP counters. Run it a few times and watch the messages sent/received grow.
root@kali:~# netstat -s | grep ICMP
    743 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    747 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
Here is one more way to find the process ID, because having multiple methods is useful. According to the StackOverflow linked below, you can use lsof and look for a socket state of 07 (st=07).
root@kali:~# lsof -n | grep -i st=07
NetworkMa   522        root   18u   raw6   0t0   86248 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
gmain       522   621  root   18u   raw6   0t0   86248 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
gdbus       522   623  root   18u   raw6   0t0   86248 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
ping      13638        root    3u   raw    0t0   87829 00000000:0001->00000000:0000 st=07
ping      13638        root    4u   raw6   0t0   87831 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
Again, if we look closely, we can see our raw socket with a PID of 13638, and its inode (87829) is the same number netstat printed in the Inode column above. The :0001 and :003A in the address fields are the IP protocol numbers for ICMP (1) and ICMPv6 (58), and st=07 is the same socket state netstat showed as 7. The same ps -aux command we used above will give us the process that is creating this traffic.
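Both netstat -w and lsof get their answer from the same place: the kernel's raw-socket tables in /proc/net, where the socket inode is listed, and the /proc/PID/fd links, which map that inode back to a process. The script below is an added example (it is not from the original post or from netstat/lsof) that does that walk by hand, which is handy on a stripped-down box where neither tool is installed. It assumes a Linux /proc layout; the function names raw_inodes, pids_for_inode and icmp_owners are my own. It also covers a case the post's ping did not hit: recent iputils ping prefers an unprivileged ICMP datagram socket, which is not a raw socket and is listed in /proc/net/icmp and icmp6 instead, so netstat -w alone would miss it.

```shell
#!/bin/sh
# Added example, not from the original post: read the kernel tables that
# netstat -w and lsof consult, so the PID behind ICMP traffic can be found
# even on a host where neither tool is installed.
#
# /proc/net/raw and /proc/net/raw6 list raw sockets. The "port" half of the
# local_address column is the IP protocol number: 0001 = ICMP, 003A = 58 = ICMPv6.
# Unprivileged "ping sockets" (SOCK_DGRAM + IPPROTO_ICMP) are not raw sockets
# and live in /proc/net/icmp and /proc/net/icmp6; there the port half is the
# echo identifier, so every row of those tables is taken.
# Column 10 of all of these tables is the socket inode.

# raw_inodes PROTO_HEX   (table text on stdin)
# Prints the inode of each socket whose protocol matches PROTO_HEX
# ("any" matches every row).
raw_inodes() {
    proto="$1"
    awk -v proto="$proto" 'NR > 1 {
        n = split($2, la, ":")          # local_address is ADDR:PROTO (or ADDR:PORT)
        if (proto == "any" || toupper(la[n]) == toupper(proto)) print $10
    }'
}

# pids_for_inode INODE
# Prints "PID COMM" for each process holding that socket, found the way
# lsof finds it: /proc/<pid>/fd/<n> is a symlink to "socket:[INODE]".
pids_for_inode() {
    inode="$1"
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# icmp_owners
# Lists every process holding an ICMPv4/ICMPv6 raw socket or ping socket.
icmp_owners() {
    for entry in "raw 0001" "raw6 003A" "icmp any" "icmp6 any"; do
        table=${entry% *}
        proto=${entry#* }
        [ -r "/proc/net/$table" ] || continue
        for ino in $(raw_inodes "$proto" < "/proc/net/$table"); do
            pids_for_inode "$ino" | while read -r pid comm; do
                printf '%-5s inode=%s pid=%s comm=%s\n' "$table" "$ino" "$pid" "$comm"
            done
        done
    done
}

icmp_owners
```

Run it as root while the ping from the lab is going and the ping row shows up with the same inode that netstat and lsof reported; running it unprivileged only finds sockets owned by processes you can read /proc/PID/fd for. The /proc/net/icmp rows are worth keeping in any detection script for the same reason ss and netstat disagree on them: a host with net.ipv4.ping_group_range opened up can emit echo requests without any raw socket existing at all.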