Eli Fulkerson .com HomeProjectsRaw-socket-icmp-spy
 

ICMP Spy

Description:

The idea here was to use an open raw ICMP socket to make an inverted ping utility - one that would run in a cmd window and report when it was... pung. Unfortunately, it doesn't appear that this is possible with this approach (although it would certainly be doable with something like pcap), as the 'echo request' packets, being the only ones I was interested in, appear to be quietly handled and dropped by the underlying OS. The open socket never sees that particular ICMP type.

If anyone has a solution to this issue (that doesn't involve dragging in dependencies on pcap or any other packet capture driver) let me know. Maybe I'm missing something silly.

The source code is a twisted version of the ICMP example located here. It will likely never be cleaned up, as the utility does not serve the purpose I had for it.

Platform:

  • Windows. Written/tested on XP.
  • Example Output:

    C:\>icmpspy.exe
    
    ICMP-SPY
    --------------------------------------------------------
    Before you get all excited, this utility does NOT show
    incoming ICMP echo requests.  Apparently incoming pings
    are handled quietly by the OS and are not visible to the
    raw socket that this utility uses.
    
    This utility lives at http://www.elifulkerson.com
    
    >>> Now watching for incoming ICMP traffic, press control-c to quit.
    >>> ignore the first Echo Reply, its just me clearing my throat.
    
    32 bytes from 127.0.0.1, icmp_seq 0, TTL:128, type: Echo Reply
    32 bytes from 192.168.2.1, icmp_seq 251, TTL:106, type: Echo Reply
    32 bytes from 192.168.2.1, icmp_seq 252, TTL:106, type: Echo Reply
    32 bytes from 192.168.2.1, icmp_seq 253, TTL:106, type: Echo Reply
    32 bytes from 192.168.2.1, icmp_seq 254, TTL:106, type: Echo Reply
    ^C
    C:\>
    

    ... this is from running a 'ping 192.168.2.1' in a second cmd window. Notice that only the echo replies are detected, not the echo requests themselves.


    icmpspy.exe

    source (zipped)