Hacking TCP/IP with tcpping
Sat Feb 14th 2004, 11:18pm
Update March 1, 2010: Jim Wyllie is hosting future development of tcpping at http://github.com/jwyllie83/tcpping. Please go there for an updated version and for any new bug fixes and development. Thanks Jim!

tcpping is a tool I wrote to determine network latency between two points despite ICMP filtering. The idea is pretty much just like normal ping, but instead of using ICMP, it sends TCP SYN packets to the target and times how long it takes to receive the subsequent SYN/ACKs or RSTs.

It all started when I was shopping around various web hosting providers. Among other criteria, I was trying to find one that didn't have too high a latency from my machines here at home, so working on them wouldn't be a complete lag fest. But a number of the providers filter ICMP, so you can't ping their web sites and can't tell what the latency is like.

The tool uses libnet to create and send a fabricated SYN packet to the target, and libpcap to sniff for the return traffic. If the port you choose (default 80) on the target server has a service listening, the target sends back a SYN/ACK packet. Your local operating system gets this packet, doesn't know what to do with it (the SYN never went through its own TCP stack, so it has no matching connection), and subsequently sends the target a RST packet. This is actually quite nice, since it cleans everything up so we can't be accused of creating tons of half-open TCP connections. If you choose a port on the target that doesn't have a service listening (and isn't filtered), the target sends back a RST packet. Your local OS just drops these.

You can download it here. It's free software under the new BSD license; anyone is welcome to download it, study it, modify it, and/or redistribute it in either a proprietary or free fashion. I've tested it on Mac OS X and Linux. You must be root to run it since it uses raw sockets.

Update Nov 3, 2008: thanks to Jim Wyllie for a patch to specify the timeout (-W <timeout>), move the root check to after the options check, and to compile cleanly on gcc4. Thanks Jim! Please find tcpping at its new home here at GitHub, now maintained by Jim Wyllie.

Here is some example output, by default pinging port 80 (where my web server is running):
[6:22pm] luthien:~/proj/tcpping-% sudo ./tcpping sumatra
TCP PING sumatra.internal.kehlet.cx (10.16.74.2:80) on en1
SYN/ACK from 10.16.74.2: seq=1 ttl=64 time=1.047ms
SYN/ACK from 10.16.74.2: seq=2 ttl=64 time=0.965ms
SYN/ACK from 10.16.74.2: seq=3 ttl=64 time=1.081ms
SYN/ACK from 10.16.74.2: seq=4 ttl=64 time=1.245ms
^C
--- sumatra.internal.kehlet.cx TCP ping statistics ---
4 SYN packets transmitted, 4 SYN/ACKs and 0 RSTs received, 0.0% packet loss
round-trip min/avg/max = 0.965/1.084/1.245 ms

Here's the tool in action against port 92, which sends back RSTs (no service is running on that port):
[6:22pm] luthien:~/proj/tcpping-% sudo ./tcpping -p 92 sumatra
TCP PING sumatra.internal.kehlet.cx (10.16.74.2:92) on en1
RST from 10.16.74.2: seq=1 ttl=64 time=0.862ms
RST from 10.16.74.2: seq=2 ttl=64 time=1.040ms
RST from 10.16.74.2: seq=3 ttl=64 time=1.019ms
RST from 10.16.74.2: seq=4 ttl=64 time=1.044ms
^C
--- sumatra.internal.kehlet.cx TCP ping statistics ---
4 SYN packets transmitted, 0 SYN/ACKs and 4 RSTs received, 0.0% packet loss
round-trip min/avg/max = 0.862/0.991/1.044 ms

With verbose mode (-v), the tool will show you the actual packets. Here's a site that's filtering ICMP pings, but we can get around that with tcpping:
[11:08pm] luthien:~/proj/tcpping-% sudo ./tcpping -v www.apollohosting.com
TCP PING www.apollohosting.com (208.56.13.233:80) on en1
1076828929.146519 10.16.74.8:8674 -> 208.56.13.233:80 [S]
1076828929.238506 208.56.13.233:80 -> 10.16.74.8:8674 [SA]
SYN/ACK from 208.56.13.233: seq=1 ttl=48 time=90.847ms
1076828929.240317 10.16.74.8:8674 -> 208.56.13.233:80 [R]
1076828930.241348 10.16.74.8:61062 -> 208.56.13.233:80 [S]
1076828930.326531 208.56.13.233:80 -> 10.16.74.8:61062 [SA]
SYN/ACK from 208.56.13.233: seq=2 ttl=48 time=85.162ms
1076828930.328364 10.16.74.8:61062 -> 208.56.13.233:80 [R]
1076828931.329304 10.16.74.8:17802 -> 208.56.13.233:80 [S]
1076828931.412466 208.56.13.233:80 -> 10.16.74.8:17802 [SA]
SYN/ACK from 208.56.13.233: seq=3 ttl=48 time=83.164ms
1076828931.414274 10.16.74.8:17802 -> 208.56.13.233:80 [R]
1076828932.415249 10.16.74.8:60598 -> 208.56.13.233:80 [S]
1076828932.496567 208.56.13.233:80 -> 10.16.74.8:60598 [SA]
SYN/ACK from 208.56.13.233: seq=4 ttl=48 time=81.255ms
1076828932.498290 10.16.74.8:60598 -> 208.56.13.233:80 [R]
^C
--- www.apollohosting.com TCP ping statistics ---
4 SYN packets transmitted, 4 SYN/ACKs and 0 RSTs received, 0.0% packet loss
round-trip min/avg/max = 1.000/85.107/90.847 ms

You can see the behavior I described above: we send a fabricated SYN packet, the target sends back a SYN/ACK (at which point the tool prints the timing information), and just after that the local OS sends a RST to the target.
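
The SYN, SYN/ACK, RST sequence in the verbose output can be paired up mechanically, which is also how these probes look to anyone watching traffic on the target side. The following Python is an added example, not part of tcpping: it parses lines in the verbose format shown above, the function names are made up for illustration, and the port-92 exchange at the end of the sample is constructed.

```python
import re

# "<sec>.<usec> <src>:<port> -> <dst>:<port> [<flags>]" as printed by tcpping -v
PKT = re.compile(r"^(\d+)\.(\d{6}) (\S+):(\d+) -> (\S+):(\d+) \[([A-Z]+)\]$")

# First two exchanges are from the output above; the port-92 exchange is constructed.
SAMPLE = """\
1076828929.146519 10.16.74.8:8674 -> 208.56.13.233:80 [S]
1076828929.238506 208.56.13.233:80 -> 10.16.74.8:8674 [SA]
SYN/ACK from 208.56.13.233: seq=1 ttl=48 time=90.847ms
1076828929.240317 10.16.74.8:8674 -> 208.56.13.233:80 [R]
1076828930.241348 10.16.74.8:61062 -> 208.56.13.233:80 [S]
1076828930.326531 208.56.13.233:80 -> 10.16.74.8:61062 [SA]
1076828930.328364 10.16.74.8:61062 -> 208.56.13.233:80 [R]
1076828940.000100 10.16.74.8:4000 -> 10.16.74.2:92 [S]
1076828940.001000 10.16.74.2:92 -> 10.16.74.8:4000 [R]
"""

def pair_probes(text):
    """Match each SYN with its reply and with the local OS's follow-up RST."""
    pending, probes = {}, []
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # summary lines such as "SYN/ACK from ..." are skipped
        sec, usec, src, sport, dst, dport, flags = m.groups()
        ts = int(sec) * 1_000_000 + int(usec)  # integer microseconds, no float rounding
        a, b = (src, int(sport)), (dst, int(dport))
        if flags == "S":
            probe = {"client": a, "server": b, "sent_us": ts,
                     "reply": None, "rtt_us": None, "local_rst": False}
            pending[(a, b)] = probe
            probes.append(probe)
        elif (b, a) in pending and flags in ("SA", "R"):
            probe = pending[(b, a)]  # packet travelling server -> client
            if probe["reply"] is None:
                probe["reply"], probe["rtt_us"] = flags, ts - probe["sent_us"]
        elif (a, b) in pending and flags == "R":
            pending[(a, b)]["local_rst"] = True  # client resets instead of ACKing
    return probes

def half_open_probes(probes):
    """Probes answered with SYN/ACK and then reset by the client, never completed."""
    return [p for p in probes if p["reply"] == "SA" and p["local_rst"]]

if __name__ == "__main__":
    for p in pair_probes(SAMPLE):
        state = {"SA": "listening", "R": "closed", None: "no reply"}[p["reply"]]
        print(p["server"], state, p["rtt_us"], "us", "local RST" if p["local_rst"] else "")
```

A SYN with no reply stays in the result with `reply` set to `None`, which is how a filtered port or a lost packet shows up.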

It's been fun to write. If you find it useful, please let me know.



Visitor comments
On Sun Feb 15th 2004, 6:52pm, Steve Kehlet posted:
Turns out hping has TCP ping functionality and more. I'd recommend checking it out, it has a lot of really cool features. I downloaded the version out of CVS and had it up and running on my Mac OS X laptop in minutes.


On Wed Feb 18th 2004, 11:33am, eburrows posted:
Even if there is another utility out there to do the same, or similar things, I think it's absolutely awesome that you wrote this. A really nifty and useful tool, with some complex logic and understanding behind it. Just awesome Steve.


On Sat Jul 24th 2004, 10:22pm, Guest posted:
Hi, I don't know how to use this comment "tcpping". Need install or change to other format? Could you describe how to install and perform it. Thanks for your help


On Sun Jul 25th 2004, 4:05pm, Steve Kehlet posted:
Feel free to email me directly if you have any installation questions, steven at kehlet dot cx. I would, however, point out this was more of an experiment than a production-quality piece of software :-). Also, it will likely only run on a Unix variant: Linux, *BSD, Mac OS X, etc. Try hping for a very powerful, fully featured tcp ping client.


On Sun Jan 16th 2005, 11:55am, Clay posted:
I just saw this yesterday and it reminded me of this thread. A neat way to troubleshoot networks, especially since network operators blocking all ICMP types and codes seems to be growing in popularity. Layer Four Traceroute: http://oppleman.com/lft/


On Mon Jan 17th 2005, 6:07pm, Steve Kehlet posted:
Pretty cool stuff, I'm trying some traces through my company's firewall right now. I see hping also has a similar TCP-based traceroute feature. Definitely some handy tools to have!


On Fri Mar 17th 2006, 1:40pm, gareth posted:
great tool, have used it for the exact same reason it was developed.


On Sat Mar 15th 2008, 4:48am, Visitor posted:
plz hack i got a people she ip 192.168.1.10 pzl hack him i want hack him to but i cant


On Sat Mar 15th 2008, 3:32pm, Clay posted:
wtf thats my ip plz no hax me


On Fri Jun 20th 2008, 5:34am, Visitor posted:
hay dont hack 192.168.1.10.
its on my network
my boss will kill me


On Sat Jul 26th 2008, 1:25pm, Visitor posted:
Haha, wow, you people are fucking retards, 192.168.1.whatever is on just about everyone's network!

They are different computers INSIDE your own network, you can only access that IP if you are IN that network.


On Sun Aug 17th 2008, 1:57pm, Jack Ryan posted:
-rotfl- Sounds like a 15 year old doesn't know what an internal ip address is.


On Thu Aug 21st 2008, 5:22am, Visitor posted:
Reply:
On Fri Jun 20th 2008, 5:34am, Visitor posted:
hay dont hack 192.168.1.10.
its on my network
my boss will kill me

ahahahahahahahahahahahahahhahaahhahahaah thats preety cool hahahahahahha :D:D:D:D


On Thu Aug 21st 2008, 10:36am, Steve Kehlet posted:
Enough with the 192.168.1.x jokes guys... :-) If you want a funny story about turning a would-be-hacker loose on his own system, read http://www.electric-escape.net/node/1475




On Thu Nov 13th 2008, 5:45pm, hk posted:
Ironic you release it under a BSD license but it doesn't work on FreeBSD.


On Thu Nov 13th 2008, 6:00pm, Steve Kehlet posted:
Have you tried it on FreeBSD and it didn't work? Patches/bug reports welcome.


On Mon Mar 23rd 2009, 8:13am, pat posted:
Thank you for publishing this code. Will use it on my multipath solution :)). Thanx again


On Mon Apr 6th 2009, 10:22am, Igor posted:
Thanks for the utility! It failed to work on a multihomed host, so I had to patch a little (insert deviceName into libnet_init call).


On Sat Sep 26th 2009, 1:15pm, bitmith posted:
Hi Steve, this is a very nice tool which I used to use before, but I found that you could achieve the same TCP connect (SYN/ACK) test with nmap -sS -p T:<ports>


On Fri Jan 29th 2010, 6:02am, Jim Wyllie posted:
Hey Steve, I'm getting a segfault on my Linux router when running this guy. It's a newer install of Ubuntu (and presumably an updated libnet) so that might be it... but I'm not convinced of that yet. I'll get to some debugging hopefully this weekend and send some patches.


On Fri Jan 29th 2010, 6:04am, Jim Wyllie posted:
Oh, and one other thing... there's a race condition with the program terminating via Ctrl+C and the child printing the summary results. Doesn't do anything too bad, but it will present the prompt and then write the results. Kind of annoying. Patch coming for that too when I fix the other bug :)


On Wed Mar 10th 2010, 7:54pm, dragonbalz posted:
001011


On Wed Nov 16th 2011, 4:42pm, Nils posted:
ddossing 127.0.0.1
ALMOST GOT THE FUCKER DOWN!


On Sat Nov 10th 2012, 7:39am, preetam posted:
fuck off..!!



On Mon Nov 18th 2013, 1:25pm, Ramukaka posted:
Awesome tool