icmpush - ICMP packet builder
icmpush type [options] host
is a tool that builds ICMP packets fully customized from command
It supports the following ICMP error types: Redirect
, Time Exceeded
, Destination Unreach
And the following ICMP information types: Address Mask Request
, Information Request
, Echo Request
and Router Advertisement
Is not of our concern to give a fully description of how ICMP protocol works,
but the more knowledgement we have we can fully understand its management, use
and posibilities of this tool.
The quantity of arguments needed can appear excessive but his own author reminds
that some imperative data must be given through a command line for a fully
adjustment to the protocol format on a ICMP packet construction.
A long number of examples is given at the EXAMPLES
section of this page
that shows a real use of this program.
- -h, --help
- -V, --version
- Program version.
- -v, --verbose
- Informative mode.
- -vv, --more_verbose
- More informative. Useful when debugging.
The ICMP type type
can be any of the following below:
- -du, --dest_unreach
- Destination Unreach. IP packet couldn't be given. This ICMP
type is error.
- -sq, --src_quench
- Source Quench. IP packet is not given do a congestion on
the net. This ICMP type is error.
- -red, --redirect
- Redirect. Request to forward IP packets through another
router. This ICMP type is error.
- -echo, --echo_request
- Echo Request. Request sent to a host to receive an echo
reply. This ICMP type is information.
- -rta, --router_advert
- Router Advertisement. Router trasmits one or more routers
with address address and preference preference. If this is
ommited, default preference 0 is given. This ICMP type is
- -rts, --router_solicit
- Router Solicitation. Host requeriment for a message of one
or more routers. Like the previous, is a part of the messages exchange
Router Discovery and this ICMP type is information.
- -tx, --time_exc
- Time Exceeded. Time Exceeded for an IP packet. This ICMP
type is error.
- -param, --param_problem
- Parameter Problem. Erroneous value on a variable of IP
header. This ICMP type is error.
- -tstamp, --timestamp
- Timestamp. Host request to receive the time of another
host. This ICMP type is information.
- -info, --info_req
- Information Request. Host request to receive an Info Reply
from another host. This ICMP type is information.
- -mask, --mask_req
- Address Mask Request. Used to find out a host network mask.
This ICMP type is information.
can be any of the following:
- -sp, --spoof address
- IP address to be used as the source of the ICMP
- -to, --timeout secs
- Timeout in seconds to read the answers. Only valid on ICMPs
of information type but the Router Advertisement type
(-rta). Default is 5 seconds. If 0 is given answers can not be
- -n, --no_resolve
- Don't use name resolution.
- -lt, --lifetime secs
- Lifetime in seconds of the router announcement. Only valid
with Router Advertisement ( -rta) type. 1800 seconds on default
- -gw, --gateway address
- Route gateway address on an ICMP Redirect (-red). On
default will be the spoof address ( -sp), if it has been specified,
or the outgoing IP address if it has not been specified.
- -dest, --route_dest address
- Route destination address on an ICMP Redirect
(-red). This is a required option when sending an ICMP
- -orig, --orig_host address
- Original host within the IP header sent in the 64 bits data
field of an ICMP error. On default will be the same as the IP of
the host that sends the ICMP packet.
- -psrc, --port_src port
- Source port (tcp or udp) within the IP header sent in the
64 bits data field of an ICMP error. 0 on default.
- -pdst, --port_dest port
- Destination port (tcp or udp) within the IP header sent in
the 64 bits data field of an ICMP error. 0 on default.
- -prot, --protocol
- Protocol to be used within the IP header sent in the 64
bits data field of an ICMP error. Must be one of the three listed
above. Tcp on default.
- -id, --echo_id identificator
- Echo identificator within the IP header sent in the 64 bits
data field of an ICMP error when the IP header protocol of the 64
bits data field ( -prot) is icmp. 0 on default.
- -seq, --echo_seq sequence
- Echo sequence number within the IP header sent in the 64
bits data field of an ICMP error when the IP header protocol of the
64 bits data field ( -prot) is icmp. 0 on default.
- -pat, --pattern pattern
- Data pattern to send on an Echo Request
- -gbg, --garbage bytes|max
- Number of garbage bytes that will be sent on any ICMP
packet. With max the maximum possible will be sent.
- -ptr, --pointer byte
- Pointer to erroneus byte byte on an ICMP packet
showing a parameter problem. Valid only on Parameter Problem type (
- -c, --code
- ICMP code to send. Code code valid for Destination
Unreach ( -du), Redirect ( -red) and Time Exceeded
Numerical code can be specified for the ICMP types that doesn't have (Echo
Request, Information Request, Address Mask Request, Router Solicitation,
Router Advertisement, Source Quench, Parameter Problem and Timestamp).
Using max an ICMP code bigger than the admited ones will be sent.
Next ICMP CODES section enumerates the valid code types.
used with Destination Unreach, Redirect y Time Exceeded types
- - Used with Destination Unreach type
(Net Unreachable) The destination net is unreacheable.
(Host Unreachable) The destination host is unreacheable.
(Protocol Unreachable) desired protocol is unreacheable to
(Port Unreachable) desired port is unreacheable to
(Fragmentation Needed and Don't Fragment was Set) Shows that
IP packet had to be fragmented because of its size but the sender did not
allowed it because of DF (DON'T FRAGMENT) flag.
(Source Route Failed) could'nt follow the route indicated on
(Destination Network Unknown) Destination network is unknown.
(Destination Host Unknown) Destination host unknown but
(Source Host Isolated) Can't reach destination host.
(Communication with Destination Network is Administratively
Prohibited) access network is denied through firewall or similar on receiver
(Communication with Destination Host is Administratively
Prohibited) access host is denied through firewall or similar on receiver
(Destination Network Unreachable for Type of Service)
indicates on destination network that the Type Of Service (TOS) applied for is
(Destination Host Unreachable for Type of Service) shows
that destination host is unreachable with applied TOS.
(Communication Administratively Prohibited) a router
can't forward a packet because of administrative filter.
(Host Precedence Violation) IP packet procedence is
(Precedence cutoff in effect) a smaller IP packet
precedence has tried to be sent over the minimous impossed by network's
- - To be used with Redirect type (-red):
(Redirect Datagram for the Network) shows that destination is a
(Redirect Datagram for the Host) shows that destination is a host.
(Redirect Datagram for the Type Of Service and Network)
destination is a type of service and network.
(Redirect Datagram for the Type Of Service and Host)
destination is a type of service and host.
- - to be used with Time Exceeded type
(Time to Live exceeded in Transit) time is over on an IP's header
(Fragment Reassembly Time Exceeded) could not put IP's packet
fragment together again.
can be easily used within shell scripts. Program returns the
following data to the shell:
Value Meaning ----- ----------- 0 Finished program OK. 1 Incorrect argument
number. 2 Unkown ICMP protocol. 3 Cannot create RAW socket type. 4 Erroneous
ICMP packet. 5 Erroneous gateway. 6 Erroneous destination route. 7 Erroneous
ICMP packet code. 8 Erroneous source host. 9 Error sending packet. 10 Protocol
still not implemented. 11 Erroneous IP address or spoof host incorrect. 12
Could not save memory for the data_hdr union. 13 Erroneous IP address or
packet destination host. 14 Unkown protocol. 16 Error reading RAW socket. 17
Error initializing signal handler SIGALARM. 18 Echo Request packet data too
big. 19 Source port incorrect. 20 Destination port incorrect. 21 Incorrect
timeout value. 22 Incorrect Echo ID. 23 Incorrect sequence number. 24
Erroneous Echo data. 25 IP_HDRINCL error. 26 Erroneous router address in
Router Advertisement. 27 Incorrect garbage bytes number. 28 Incorrect ICMP
pointer Parameter Problem.
- In response to a packet send with TCP source port 100 and destination on port
90, we want to send and ICMP Redirect to asshole.es to modify its routing
table with the following data: 10.12.12.12 as a gateway to the host death.es
masking the packet source as if it was sent from infect.comx host:
icmpush -red -sp infect.comx -gw 10.12.12.12
-dest death.es -c host -prot tcp
-psrc 100 -pdst 90 asshole.es
- In response to an ICMP packet Echo Request sent with Echo Request id 100 and
Echo Request sequence number 90, we want to send an ICMP Redirect to the host
hemorroids.es to modify its routing table with the following data: the host
pizza.death as a gateway to the host death.es, masking the packet source as if
iit was sent from infect.comx host.
icmpush -red -sp infect.comx -gw pizza.death
-dest death.es -c host -prot icmp
-id 100 -seq 90 hemorroids.es
- We want to send an ICMP packet Destination Unreach to the host 10.2.3.4 saying
that our TCP port number 20 connected with his TCP port 2100, is unreachable.
We mask ourselves as host 10.1.1.1:
icmpush -du -sp 10.1.1.1 -c port-unreach
-prot tcp -psrc 2100 -pdst 20
- We want to send an ICMP packet Destination Unreach to host 10.2.3.4 saying
that the host inferno.hell and its TCP port 69, connected with his port TCP
666 in unreacheable. We mask ourselves as gateway router.comx:
icmpush -du -sp router.comx -c host-unreach
-prot tcp -psrc 666 -pdst 69
-orig inferno.hell 10.2.3.4
- We want to send a packet ICMP Source Quench to host ldg02.hell in response to
a packet destinated to host ldg00 with UDP protocol, source port 100 and
destination port 200. We mask ourselves as gateway 10.10.10.1:
icmpush -sq -sp 10.10.10.1 -prot udp -psrc
100 -pdst 200 -orig ldg00 ldg02.hell
- We want to send an ICMP packet Time Exceeded to host ldg02.hell in response to
a packet destinated to host ldg00 with UDP protocol, source port 100 and
destination port 200. We mask as gateway ldg04.hell:
icmpush -tx -sp ldg04.hell -c frag -prot
udp -psrc 100 -pdst 200 -orig
- We want to send an ICMP packet Address Mask Request and wait 10 seconds to see
the replies. We mask the packet with source address of 10.2.3.4 and we send it
to the address 10.0.1.255:
icmpush -mask -sp 10.2.3.4 -to 10 10.0.1.255
- We want to send an ICMP packet Timestamp to host sepultura.hell. We mask the
packet as if it were send from host 10.2.3.1. We use the default timeout (5
icmpush -tstamp --spoof 10.2.3.1 sepultura.hell
- We want to send an ICMP packet Information Request to host voucher.hell. The
source address will be our own IP address, and the timeout will be 20 seconds:
icmpush -info -to 20 voucher.hell
- We want to send an ICMP packet Router Solicitation to host lazy.hell. The
source address will be our own IP address and the timeout will be 20 seconds:
icmpush -rts --timeout 20 lazy.hell
- We want to send an ICMP packet Echo Request to host lazy.hell with the data
pattern 'MyNameIsGump'. The source address will be our own IP address and the
timeout to read the data will be 2 seconds:
icmpush -echo -data MyNameIsGump -to 2 lazy.hell
- We want to send ICMP packet Echo Request to 10.12.0.255 with the following
data pattern: and we do not want to read the answers:
icmpush -echo -sp 192.168.0.255 -data 'D E A T H'
-to 0 192.168.0.255
- We want to send an ICMP packet Destination Unreach to host destination.death
but sending it with an ICMP code bigger to the legal ones adding also 60K of
icmpush -du -c max -gbg 60000 destination.death
- We want to send an ICMP Router Advertisement to host death.es, saying that the
routers to use are: router1.xtc with preference 20, router2.xtc with
preference 50 and router3.xtc with default preference (0). We mask ourselves
icmpush -rta router1.xtc/20 -rta router2.xtc/50
-rta router3.xtc -sp fatherouter.xtc death.es
- We send an ICMP Parameter Problem to host misery.es saying that the packet
sent from the host hick.org with udp protocol, source port 13 and destination
port 53, has an error on the IP header byte 13. We will also add all garbage
bytes as possible:
icmpush -sp hick.org -param -ptr 13 -prot
udp -psrc 13 -pdest 53 -gbg
- We want to send an ICMP packet Timestamp to host www.hicks.org with code 38
instead of code (0) as usual:
icmpush -tstamp -c 38 www.hicks.org
Postel, John, "Internet Control Message Protocol - DARPA Internet Program
Protocol Specification", RFC 792
, USC/Information Sciences
Institute, September 1981.
Mogul, Jeffrey and John Postel, "Internet Standard Subnetting
Procedure", RFC 950
, Stanford, USC/Information Sciences Institute,
Braden, Robert, "Requeriments for Internet Hosts - Communication
Layers", RFC 1122
, USC/Information Sciences Institute, October
Deering, Stephen, "ICMP Router Discovery Messages", RFC 1256
Xerox PARC, September 1991.
Baker, Fred, "Requeriments for IP Version 4 Routers", RFC 1812
Cisco Systems, June 1995.
The Linux source code
, everything referent to network code and to ICMP