
I want to override/change how Linux handles ping ICMP echo request packets. Meaning I want to run my own server to reply to incoming ICMP (echo request or other) packets.

But for this to work properly, I guess I need to disable the default ping ICMP packet handling in Linux. But I can't figure out how to do this (I don't even know what handles ICMP requests... the kernel? Some userspace code?)... All I find is about dropping ICMP echo requests with iptables.

To help understand, let me explain my goal: I want to be able to send some data with ping (easy), but I need to be able to read and extract that data. Also, I want to be able to answer with a special echo reply (with some data embedded).

Ayman Khamouma
  • That should be found in your `/bin` folder. But that may depend on your type of Linux – ryekayo Apr 07 '15 at 16:36
  • Hi, I'm not looking for the ping program, but for the code that handles incoming ICMP echo request packets – Ayman Khamouma Apr 07 '15 at 16:37
  • no.... I'm not looking for the language, but for the thing that handles ICMP echo request packets. I can't be more clear than that, sorry. PS: the Linux kernel is written in C. And GNU ping is written in C as well. – Ayman Khamouma Apr 07 '15 at 16:40
  • Hi, according to `man icmp`: the response to an `icmp` request comes directly from the kernel: `The kernel ICMP module also answers ICMP requests.` – dafnahaktana Aug 14 '18 at 10:47

2 Answers


To override the default kernel behaviour for an ICMP ECHO request (ping) you can do the following without having to poke into the kernel or writing a filter.

  • First: instruct iptables to drop ICMP ECHO requests. They will however come to your host and enter your network card, but they won't be answered by the kernel:

    iptables -A INPUT -p icmp --icmp-type 8 -j DROP

  • Second: use tcpdump to sniff ICMP packets (or write a program that uses libpcap to do the capture yourself). tcpdump has options to display the payload data, or to write dumped packets to a file. You can use this last feature to open tcpdump with the -w option from your program, connect its output to a pipe and read the pipe. This way, you can access incoming ICMP echo requests even if they are going to be discarded by iptables. From your program, you will be able to parse the payload data.

    tcpdump -p icmp -i eth0 -s 0 -Xnlt

    (This displays the data as human-readable hexadecimal and ASCII on standard output; change the -X and -l options accordingly to write raw data to a file/socket.)

  • Third: using raw sockets, your program can send a customized packet pretending to be a response to a previous ICMP echo request, with the payload you desire. This SO question may have more clues for you in this field: How to receive ICMP request in C with raw sockets

mcleod_ideafix
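As an added illustration of the second and third steps above (this is example code written for this page, not code from the answer or its author): a Python script that parses an IPv4 frame carrying an ICMP echo request exactly as a raw IPv4 socket delivers it (IP header included), verifies the ICMP checksum, extracts the payload, and builds the matching echo reply. The sample frame is constructed inline using documentation addresses, and all function names are my own; `parse_echo_request` rejects anything malformed rather than answering it.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP.
    An odd trailing byte is zero-padded on the right, as the RFC requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or reply (type 0) with a correct checksum."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo_request(frame: bytes) -> dict:
    """Validate an IPv4 frame carrying an ICMP echo request and return its fields.

    A raw socket (AF_INET, SOCK_RAW, IPPROTO_ICMP) hands the application the
    whole IPv4 packet, header included, so parsing starts at the IP header.
    Anything malformed raises ValueError instead of being answered.
    """
    if len(frame) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl,
     proto, _hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    if total_len > len(frame) or total_len < ihl + 8:
        raise ValueError("IPv4 total length inconsistent with the ICMP message")
    icmp = frame[ihl:total_len]
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request (type=%d code=%d)" % (icmp_type, code))
    # Recompute the checksum with the checksum field zeroed; a corrupted or
    # forged message fails here before any reply is considered.
    if inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "id": ident,
        "seq": seq,
        "payload": icmp[8:],
    }


def build_ipv4_frame(src: str, dst: str, icmp_msg: bytes) -> bytes:
    """Wrap an ICMP message in a minimal IPv4 header. Used here only to
    construct the sample input; on a real raw ICMP socket the kernel builds it."""
    total_len = 20 + len(icmp_msg)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp_msg


# Constructed sample: an echo request from 192.0.2.10 to 192.0.2.1 carrying an
# odd-length payload, so the checksum padding path is exercised as well.
SAMPLE_REQUEST = build_ipv4_frame(
    "192.0.2.10", "192.0.2.1",
    build_icmp_echo(ICMP_ECHO_REQUEST, 0x0BAD, 1, b"hello from ping"))


def answer(frame: bytes) -> bytes:
    """Parse a captured echo request and return the echo reply to send back.
    With a raw ICMP socket the reply goes out as sock.sendto(reply, (src, 0))."""
    req = parse_echo_request(frame)
    return build_icmp_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


if __name__ == "__main__":
    info = parse_echo_request(SAMPLE_REQUEST)
    print("echo request from %s id=%#x seq=%d payload=%r"
          % (info["src"], info["id"], info["seq"], info["payload"]))
    print("reply:", answer(SAMPLE_REQUEST).hex())
```

The reply keeps the identifier and sequence number of the request, which is what the sender's ping matches on; the checksum is recomputed because the type byte changed from 8 to 0. Reading from and writing to an actual raw socket needs CAP_NET_RAW, and the kernel's own echo reply must be switched off first (the second answer below covers the sysctl for that), otherwise the sender receives two replies.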

Sorry for commenting on an already-answered question, but I'd like to add (for googlers, maybe) that blocking ICMP packets with iptables won't allow you to read them with raw IP sockets, because iptables works at the IP layer. You might be able to do it with raw Ethernet sockets, though, but it's an objectively worse approach.

The recommended way to disable ICMP echo handling by the kernel is via the /proc/sys/net/ipv4/icmp_echo_ignore_all interface:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This will allow ICMP packets to pass and be captured, but won't be answered automatically.