=====
pingsting
=====

Written by:
    Anthony Osborne
    David Goldsmith
    KSR[T] 1999

pingsting is an application that monitors networks for ICMP Echo Requests
and attempts to determine what application generated the ICMP packets. The
method and its weaknesses are described at the end of this document.

MAILING LIST
============

To subscribe:
    email psting-subscribe@ksrt.org

To get help with our mailing list software:
    email psting-help@ksrt.org

WEB SITE
========

http://www.ksrt.org/psting

COMPILE
=======

Type 'make'.

Tested on:
    FreeBSD 3.x
    OpenBSD 2.5
    Linux/Alpha 2.2.x
    Linux/x86 2.2.x

USAGE
=====

psting
    -i interface    # selects which network interface to monitor
    -p              # Enable Promiscuous mode
    -v              # Verbose
    -vv             # Extra Verbosity!
    -t              # Disable Timestamp
    -h              # Help
    -?              # Help

EXAMPLES
========

bash$ psting -p

    pingsting will select an interface, put it in promiscuous mode, and
    monitor all traffic on the network.

bash$ psting

    pingsting will select an interface and monitor traffic destined for
    that interface. If the interface is already in promiscuous mode,
    pingsting will monitor the entire network, but the output will not be
    as verbose.

bash$ psting -vvpt -i le0

    pingsting will monitor le0 for all network traffic, output extra
    information, and not output a timestamp.

METHOD
======

pingsting only looks at the data section of an ICMP Echo Request packet.
This is a surprisingly effective way of determining the application used to
generate the packet. It does have two noteworthy limitations though:

1) The first limitation is that many versions of 'ping' are based on the
   same piece of source code. This includes most of the BSD variants,
   Solaris, and Linux.

2) The second limitation is that many 'ping' programs allow the data
   section to be controlled by the user. This makes it pretty easy to
   defeat pingsting.
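The sketch below illustrates the data-section matching described under METHOD and both of its limitations. It is an added example, not pingsting's source code. The two signatures (a timestamp followed by incrementing bytes for BSD-derived ping, a repeating "abc...w" alphabet for Windows ping), the label names and the sample packets are assumptions made for this example, based on the commonly observed default payloads of those programs.

```c
#include <stdint.h>
#include <stdio.h>

/* Labels constructed for this example; pingsting's own signature table is not on the page. */
enum ping_family { PING_NOT_ECHO, PING_UNKNOWN, PING_BSD_DERIVED, PING_WINDOWS };

/* Classify an ICMP message (buffer starts at the ICMP header) by its data section only. */
enum ping_family classify_echo(const uint8_t *icmp, size_t len)
{
    if (len < 8 || icmp[0] != 8 || icmp[1] != 0)    /* type 8, code 0 = Echo Request */
        return PING_NOT_ECHO;
    const uint8_t *d = icmp + 8;                    /* skip type, code, cksum, id, seq */
    size_t n = len - 8, i = 0;

    /* Assumed Windows default: "abc...w" repeated across the whole payload. */
    while (i < n && d[i] == (uint8_t)('a' + i % 23)) i++;
    if (n >= 8 && i == n) return PING_WINDOWS;

    /* Assumed BSD-derived default: a timestamp of 8 or 16 bytes, then byte i holds value i.
     * One signature covers every ping built from that code base (limitation 1). */
    for (size_t ts = 8; ts <= 16; ts += 8) {
        i = ts;
        while (i < n && d[i] == (uint8_t)i) i++;
        if (n >= ts + 8 && i == n) return PING_BSD_DERIVED;
    }
    return PING_UNKNOWN;                            /* user-chosen fill lands here (limitation 2) */
}

/* Build one constructed sample packet and classify it. kind: 0 = BSD-style with 8-byte
 * timestamp, 1 = BSD-style with 16-byte timestamp, 2 = Windows, 3 = user pattern, 4 = Echo Reply */
enum ping_family classify_sample(int kind)
{
    uint8_t pkt[8 + 56] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1 };  /* checksum left 0: not verified here */
    size_t n = (kind == 2) ? 32 : 56, ts = (kind == 1) ? 16 : 8;
    for (size_t i = 0; i < n; i++) {
        if (kind == 2)   pkt[8 + i] = (uint8_t)('a' + i % 23);
        else if (i < ts) pkt[8 + i] = 0x5a;                   /* stand-in timestamp bytes */
        else             pkt[8 + i] = (kind == 3) ? 0xff : (uint8_t)i;
    }
    if (kind == 4) pkt[0] = 0;                                /* type 0 = Echo Reply */
    return classify_echo(pkt, 8 + n);
}

int main(void)
{
    static const char *name[] = { "not-echo-request", "unknown", "bsd-derived", "windows" };
    for (int k = 0; k <= 4; k++)
        printf("sample %d -> %s\n", k, name[classify_sample(k)]);
    return 0;
}
```

IP header parsing and ICMP checksum verification are left out so the block stays focused on the payload match.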