Nping was designed for packet crafting and traffic analysis and is perfect for a variety of networking tasks.
The following recipe will introduce Nping by showing how to perform NAT detection with some help of the Nping Echo protocol.
Open a terminal and enter the following command:
# nping --ec "public" -c 1 echo.nmap.org
This will result in an output stream similar to the following example:
Nping will return the packet traffic between the client and the Nping echo server echo.nmap.org:
Starting Nping 0.5.59BETA1 ( http://nmap.org/nping ) at 2011-10-27 16:59 PDT SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28 CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28 RCVD (1.2361s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=37482 iplen=28 Max rtt: 90.751ms | Min rtt: 90.751ms | Avg rtt: 90.751ms Raw packets sent: 1 (28B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)| Echoed: 1 (28B) Tx time: 0.00120s | Tx bytes/s: 23236.51 | Tx pkts/s: 829.88 Rx time: 1.00130s | Rx bytes/s: 45.94 | Rx pkts/s: 1.00 Nping done: 1 IP address pinged in 2.23 seconds
Take note of the source address 192.168.1.102 in the first packet marked as SENT.
SENT (1.1453s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=47754 iplen=28
Compare this address to the source address in the second packet marked as CAPT.
CAPT (1.1929s) ICMP 187.136.56.27 > 74.207.244.221 Echo request (type=8/code=0) ttl=57 id=47754 iplen=28
The addresses are different, indicating the presence of NAT.
Nping's echo mode was designed to help troubleshoot firewall and routing problems. Basically, it returns a copy of the received packet back to the client.
The command is:
# nping --ec "public" -c 1 echo.nmap.org
It uses Nping's echo mode (--ec or --echo-client) to help us analyze the traffic between Nmap's Nping echo server, to determine if there is a NAT device on the network. The argument after –ec corresponds to a secret passphrase known by the server to encrypt and authenticate the session.
The flag -c is used to specify how many iterations of packets must be sent.
With Nping it is really simple to generate custom TCP packets. For example, to send a TCP SYN packet to port 80, use the following command:
# nping --tcp -flags syn -p80 -c 1 192.168.1.254
This will result in the following output:
SENT (0.0615s) TCP 192.168.1.102:33599 > 192.168.1.254:80 S ttl=64 id=21546 iplen=40 seq=2463610684 win=1480 RCVD (0.0638s) TCP 192.168.1.254:80 > 192.168.1.102:33599 SA ttl=254 id=30048 iplen=44 seq=457728000 win=1536 <mss 768> Max rtt: 2.342ms | Min rtt: 2.342ms | Avg rtt: 2.342ms Raw packets sent: 1 (40B) | Rcvd: 1 (46B) | Lost: 0 (0.00%) Tx time: 0.00122s | Tx bytes/s: 32894.74 | Tx pkts/s: 822.37 Rx time: 1.00169s | Rx bytes/s: 45.92 | Rx pkts/s: 1.00 Nping done: 1 IP address pinged in 1.14 seconds
Nping is a very powerful tool for traffic analysis and packet crafting. Take a moment to go through all of its options by using the following command:
$ nping -h
To learn more about the Nping Echo Protocol visit http://nmap.org/svn/nping/docs/EchoProtoRFC.txt.
- The Finding live hosts in your network recipe
- The Comparing scan results with Ndiff recipe
- The Managing multiple scanning profiles with Zenmap recipe
- The Monitoring servers remotely with Nmap and Ndiff recipe
- The Gathering network information with broadcast scripts recipe Chapter 2, Network Exploration
- The Brute forcing DNS records recipe Chapter 3, Gathering Additional Host Information
- The Spoofing the origin IP of a port scan recipe Chapter 3, Gathering Additional Host Information
- The Generating a network topology graph with Zenmap recipe Chapter 8, Generating Scan Reports