Vers 1.11.1 - 17 August 95

ICMPINFO:

icmpinfo is a tool for looking at the ICMP messages received on the running
host. The source code was written by Laurent Demailly and comes from a heavily
modified BSD ping source; it comes AS IS, no warranty, etc.

It needs to be chmod 4555 and chown root, or be run as root (like ping, it
reads ICMP from a raw socket). Keep in mind that a setuid-root binary that
parses packets off the wire is reachable by every local user; if only a group
of operators needs it, chmod 4550 with a trusted group owner is the safer
setting.

USAGE:

icmpinfo
  o Gives info about weird packets only (mainly icmp_unreachable).

icmpinfo -v
  o Gives info about all ICMP packets (that includes your own traceroutes...)
    except pings (icmp_echo_reply).

icmpinfo -vv
  o To see pings too.

icmpinfo -vvv
  o Will add an ASCII/hex dump of the packet.

icmpinfo -n
  o Avoids name queries (faster, lighter).

icmpinfo -p
  o Avoids port number to service name queries (faster, lighter).

icmpinfo -s
  o Also decodes the ip_src field, which is the address of the local interface
    that received the packet (shown as my_ip below). This option is not useful
    for hosts with a single network interface.

icmpinfo -l
  o Run like a daemon (forks) and output to SYSLOG. (It now checks that you
    are root for that.)

The output format is as follows (output can be shorter for some ICMP messages,
like echo/echo_reply (pings), and the field names are meant to be fully
meaningful mainly for ICMP unreachable packets, the default behaviour):

MMM DD HH:MM:SS ICMP_type[sub-type] < sender_ip [sender_name] > unreach_ip [unreach_name]
    sp=source_port [src_port_name] dp=dest_port [dest_port_name] seq=sequence sz=packet_size

or, if you use the -s option:

MMM DD HH:MM:SS ICMP_type[sub-type] < sender_ip [sender_name] - my_ip [my_name] > unreach_ip [unreach_name]
    sp=source_port [src_port_name] dp=dest_port [dest_port_name] seq=sequence sz=packet_size

(Real output is on one line; it has been shown cut here. With -n the bracketed
host names are not looked up, and with -p the bracketed service names are not
looked up, so those fields are absent.)

Sample bomb output:

date&time ICMP_Dest_Unreachable[Port/Source/...] < bomber > bombed ... service bombed ...

Note that to be a bomb, 'bomber' must not be one of the routers between you and
'bombed' (in that case it is just a normal network break, ...); double check
with traceroute, etc. before complaining! Also note that the port number and
service can easily be faked by bombing programs, so do not trust them on their
own.

I suggest that you leave icmpinfo running all the time (with -l, or -lnp for
minimal resource consumption; also see the IMPORTANT NOTE below) and record its
output for further reference. It is a very light process, using only a few
kbytes of memory and almost no CPU.

GNU-like free software [with Berkeley (c) where applicable].

The latest version should always be available via anonymous ftp on
  hplyot.obspm.fr:/net/icmpinfo-*.tar.gz
It is now mirrored on
  ftp.sunet.se:/pub/network/monitoring/icmpinfo/icmpinfo-*.tar.gz
  ftp.leo.org:/pub/comp/networking/net-tools/icmpinfo/icmpinfo-*.tar.gz
and also (maybe less up to date) on:
  ftp.funet.fi:/pub/unix/networking/icmpinfo-*.tar.gz
If you have W3 access, have a look at http://hplyot.obspm.fr/~dl/icmpinfo.html

INSTALLATION
------------

o If you plan to use the syslog(3) facility (-l) and don't want the default
  daemon.notice output, edit icmpinfo.c and change line 128.

o Have a look at the Makefile, run make, and maybe look at defs.h if you have
  compile errors/missing includes (some Linux boxes might need a symlink).

o Copy icmpinfo to your favorite bin path, chown root icmpinfo, chmod 4555
  icmpinfo. Copy icmpinfo.man to your MANPATH/man1/icmpinfo.1

IMPORTANT NOTE:

*If* your machine is running a named (is a name server) you MUST USE -n when
leaving icmpinfo unattended, to avoid a possible loop when icmpinfo tries to
resolve an IP address in an unreachable domain: the resolver's own queries can
generate further ICMP unreachables, which icmpinfo then tries to resolve in
turn. [This problem of domain-generated ICMPs has been worked on, but I found
no satisfactory solution; suggestions welcome, maybe a solution for v1.12!]

If you have any problems and/or suggestions, drop me a mail...

Enjoy!

dl - Laurent Demailly - finger for PGP key

Credits - Thanks to Vesa for help in debugging buggy BSD code! To Dave for
providing the original man page! And to ScottM for making my English readable!

Note 1 - The icmpinfo distribution now includes PGP-signed md5 CHECKSUMS.
Note 2 - Read the file CHANGES to get information about new features.
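Reading the recorded output: the line layout and the 'bomb' test given above (a burst of unreachables from a sender that is not a router on the path to 'bombed', with port and service fields that cannot be trusted) lend themselves to a small checker. The script below is an added example, not part of the icmpinfo distribution. It parses icmpinfo -l lines in the documented layout (plain, -n/-p and -s variants), counts ICMP unreachables per (sender, unreach_ip) in a sliding window, and skips senders that appear as routers on the traceroute path to the target. The sample log, the KNOWN_PATHS table, the 5-in-60-seconds threshold and the short echo_reply layout are constructed assumptions.

```python
"""Parse icmpinfo -l output and flag likely ICMP unreachable bombs.

Added example, not part of the icmpinfo distribution.  The line layout is
the one documented in the README; the sample log, the traceroute path
table, the threshold and the time window are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# One icmpinfo record.  Bracketed names are optional because -n and -p
# suppress them, "- my_ip" appears only with -s, and echo/echo_reply lines
# are shorter (the echo layout used in the sample below is an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<type>[A-Za-z_]+)(?:\[(?P<sub>[^\]]*)\])? "
    r"< (?P<sender>\S+)(?: \[(?P<sender_name>[^\]]*)\])?"
    r"(?: - (?P<my_ip>\S+)(?: \[[^\]]*\])?)?"
    r"(?: > (?P<target>\S+)(?: \[(?P<target_name>[^\]]*)\])?)?"
    r"(?: sp=(?P<sp>\d+)(?: \[[^\]]*\])?)?"
    r"(?: dp=(?P<dp>\d+)(?: \[[^\]]*\])?)?"
    r"(?: seq=(?P<seq>\d+))?"
    r"(?: sz=(?P<sz>\d+))?\s*$"
)


def parse_line(line):
    """Return a dict of fields for one icmpinfo line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sp", "dp", "seq", "sz"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


_YEAR = "2000"  # syslog stamps carry no year; a leap year keeps "Feb 29" parseable
_EPOCH = datetime(2000, 1, 1)


def _seconds(ts):
    """Seconds since an arbitrary epoch; only differences between stamps are used."""
    return (datetime.strptime(f"{_YEAR} {ts}", "%Y %b %d %H:%M:%S") - _EPOCH).total_seconds()


def find_bombers(lines, known_paths=None, threshold=5, window_s=60):
    """Group unreachables by (sender, unreach_ip) and report pairs where one
    sender produced at least `threshold` of them within `window_s` seconds.
    `known_paths` maps a target to the router addresses on the traceroute
    path to it; those senders are normal network breaks, not bombs.  Port and
    service fields are deliberately ignored because a bomber can forge them."""
    known_paths = known_paths or {}
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] is None or not rec["type"].endswith("Unreachable"):
            continue  # unparsable (e.g. -vvv dump lines), echo traffic, or no quoted target
        events[(rec["sender"], rec["target"])].append(_seconds(rec["ts"]))
    bombers = {}
    for (sender, target), times in events.items():
        if sender in known_paths.get(target, ()):
            continue  # a router on the path: a real network break, per the README
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):  # sliding window over sorted stamps
            while t - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bombers[(sender, target)] = best
    return bombers


# Constructed sample log.  It mixes the plain, -n/-p and -s layouts on purpose
# so every branch of LINE_RE is exercised; a real capture uses one layout.
SAMPLE_LOG = """\
Aug 17 10:00:01 ICMP_Dest_Unreachable[Port] < 192.0.2.9 [bomber.example] > 198.51.100.7 [victim.example] sp=53 [domain] dp=2049 [nfs] seq=0 sz=36
Aug 17 10:00:02 ICMP_Dest_Unreachable[Port] < 192.0.2.9 [bomber.example] > 198.51.100.7 [victim.example] sp=53 [domain] dp=2049 [nfs] seq=0 sz=36
Aug 17 10:00:03 ICMP_Dest_Unreachable[Port] < 192.0.2.9 > 198.51.100.7 sp=53 dp=2049 seq=0 sz=36
Aug 17 10:00:04 ICMP_Dest_Unreachable[Port] < 192.0.2.9 > 198.51.100.7 sp=53 dp=2049 seq=0 sz=36
Aug 17 10:00:05 ICMP_Dest_Unreachable[Port] < 192.0.2.9 > 198.51.100.7 sp=53 dp=2049 seq=0 sz=36
Aug 17 10:00:06 ICMP_Dest_Unreachable[Port] < 192.0.2.9 > 198.51.100.7 sp=53 dp=2049 seq=0 sz=36
Aug 17 10:00:07 ICMP_Dest_Unreachable[Port] < 192.0.2.9 - 198.51.100.2 [me.example] > 198.51.100.7 sp=53 dp=2049 seq=0 sz=36
Aug 17 10:00:20 ICMP_Dest_Unreachable[Host] < 203.0.113.1 [rtr1.example] > 198.51.100.7 [victim.example] sp=1025 dp=80 seq=0 sz=36
Aug 17 10:00:21 ICMP_Dest_Unreachable[Host] < 203.0.113.1 [rtr1.example] > 198.51.100.7 [victim.example] sp=1025 dp=80 seq=0 sz=36
Aug 17 10:00:22 ICMP_Dest_Unreachable[Host] < 203.0.113.1 [rtr1.example] > 198.51.100.7 [victim.example] sp=1025 dp=80 seq=0 sz=36
Aug 17 10:00:23 ICMP_Dest_Unreachable[Host] < 203.0.113.1 [rtr1.example] > 198.51.100.7 [victim.example] sp=1025 dp=80 seq=0 sz=36
Aug 17 10:00:24 ICMP_Dest_Unreachable[Host] < 203.0.113.1 [rtr1.example] > 198.51.100.7 [victim.example] sp=1025 dp=80 seq=0 sz=36
Aug 17 10:01:00 ICMP_Echo_Reply < 192.0.2.50 [ping.example] seq=3 sz=64
Aug 17 10:02:00 ICMP_Dest_Unreachable[Port] < 192.0.2.77 > 198.51.100.7 sp=111 dp=5555 seq=0 sz=36
"""

# Constructed traceroute result: routers between this host and the target.
KNOWN_PATHS = {"198.51.100.7": {"203.0.113.1", "203.0.113.2"}}

if __name__ == "__main__":
    for (sender, target), n in find_bombers(SAMPLE_LOG.splitlines(), KNOWN_PATHS).items():
        print(f"possible bomb: {sender} sent {n} unreachables about {target} within 60s")
```

On the constructed sample, 192.0.2.9 is reported (seven unreachables about 198.51.100.7 in seven seconds) while 203.0.113.1, which sends five in the same window, is not, because it is listed in KNOWN_PATHS as a router on the traceroute path. When feeding a real syslog extract, strip the syslog hostname and "icmpinfo[pid]:" prefix first so that each line starts with the icmpinfo timestamp; hex dump lines produced by -vvv do not match LINE_RE and are skipped.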