
Capturing Ping Traffic

Let's read Ping Traffic !! :)

In this article we will walk through how to capture, save, and interpret ping traffic on a Linux-based system, using ping, tcpdump, and Wireshark. I will be using Kali Linux to show the output.

Let's begin with a simple nmap scan to check whether the target is up. A plain ping works just as well and is usually preferred for a quick up/down check; for now I'm running a default nmap scan, since we are not doing anything more specific yet. This is a friendly server 🙂

  • Specific nmap commands to come in a future article!

Let's get tcpdump up and running.

The command will look like this.

sudo tcpdump -i eth0 -vv icmp -w ping.txt (let's break it down)

sudo - run the command as root; capturing raw packets from an interface needs elevated privileges

tcpdump - the packet capture tool we are running, 'the command'

-i - the interface to listen on

eth0 - the interface itself (the wired Ethernet adapter in this case)

-vv - very verbose output, so tcpdump prints more detail about each packet

icmp - a capture filter. ICMP is the Internet Control Message Protocol; it is carried directly inside IP and has no port numbers, so we filter by protocol name rather than by port. Only ICMP packets are captured, everything else on eth0 is ignored

-w - write the captured packets to...

ping.txt - the file we are making for this. Note that -w writes the raw packets in pcap format, not as text, whatever extension you give the file; the file is meant to be read back with tcpdump -r or opened in Wireshark, and .pcap is the customary extension

Let's open a new terminal window and make some noise: we will ping the target.

The command used is ping -c 5 10.1.16.12

We are sending only 5 probes to the target, hence -c ('count') 5; without it, ping on Linux keeps sending requests until we stop it. 5 is a good amount!

5 sent / 5 received! Perfect.

We go back to our tcpdump terminal and can see our results.

Notice that we have 10 packets. Why is that? We sent 5 echo requests and the target answered with 5 echo replies; tcpdump captures both directions on the interface, so the total is 10.

Imagine saying hi to someone and them saying hi back; it is the same thing with the sender and receiver of a ping.

From the user's side it is simply a request and a reply.

We read our ping.txt file back with tcpdump -r ping.txt and can see our traffic. (Because -w stored raw pcap data, cat or a text editor would show gibberish here; the packets only make sense to a tool that understands the format.)


Wireshark will show this as well. Let's open it up.

Request, reply. That simple.

But what else can a ping request show us? With Wireshark we can open each packet and see the layers it is built from:

what was sent (Frame: the raw bytes on the wire, their length, and the capture timestamp)

where it was sent through (Ethernet: source and destination MAC addresses and the EtherType, 0x0800 for IPv4)

the IP addresses used in this packet transfer (Internet Protocol: source and destination addresses, TTL, and protocol number 1, meaning ICMP)

and the protocol used for this packet (ICMP: type 8 for an echo request, type 0 for an echo reply, plus the identifier and sequence number that let ping match each reply to its request)

Quick recap: why did we not filter on a port number to see this ping traffic? Because ping uses ICMP, which sits at the network layer alongside IP and never touches the transport layer (TCP or UDP). Port numbers live in the transport header, and an ICMP packet simply does not have one.
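To make the layering and the file format concrete, here is an added Python example (not code from the original article). It builds a small pcap file containing five request/reply pairs in the same shape that tcpdump -w produces, then reads it back and decodes the Frame, Ethernet, IP and ICMP layers the way Wireshark's packet pane lists them, counting requests and replies as tcpdump did above. The MAC addresses, the client address 10.1.16.5, and the frames themselves are constructed sample values, not captured traffic; 10.1.16.12 is the target address from the article.

```python
"""Build a pcap of five ping request/reply pairs, then read it back and decode
Ethernet -> IPv4 -> ICMP, as tcpdump -r or Wireshark would. Added example."""
import socket
import struct

# Constructed sample values (hypothetical MACs and client address).
CLIENT_MAC = bytes.fromhex("001122334455")
TARGET_MAC = bytes.fromhex("66778899aabb")
CLIENT_IP, TARGET_IP = "10.1.16.5", "10.1.16.12"
ECHO_REPLY, ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"\x00" * 56) -> bytes:
    """ICMP echo header: type, code, checksum, identifier, sequence. No ports anywhere."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)            # checksum covers header + data
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header with protocol 1 (ICMP); the payload is the ICMP message itself."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_ethernet(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + payload   # 0x0800 = IPv4


def build_ping_pcap(count: int = 5) -> bytes:
    """Write pcap bytes as tcpdump -w does: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for seq in range(1, count + 1):
        for icmp_type, smac, dmac, sip, dip in (
            (ECHO_REQUEST, CLIENT_MAC, TARGET_MAC, CLIENT_IP, TARGET_IP),
            (ECHO_REPLY, TARGET_MAC, CLIENT_MAC, TARGET_IP, CLIENT_IP),
        ):
            frame = build_ethernet(smac, dmac, build_ipv4(sip, dip, build_icmp_echo(icmp_type, 0x4242, seq)))
            out += struct.pack("<IIII", 1_700_000_000, seq * 1000, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Yield raw frames from pcap bytes; rejects anything that is not a pcap (e.g. a text file)."""
    magic = data[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a pcap file: tcpdump -w output is binary, regardless of extension")
    endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_frame(frame: bytes) -> dict:
    """Peel the layers Wireshark shows: Frame, Ethernet, Internet Protocol, ICMP."""
    info = {"frame_len": len(frame)}
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info["ethernet"] = {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "type": ethertype}
    if ethertype != 0x0800:
        return info
    ip = frame[14:]
    ihl, proto, total_len = (ip[0] & 0x0F) * 4, ip[9], struct.unpack("!H", ip[2:4])[0]
    info["ip"] = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": proto}
    if proto != 1:
        return info
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    # A valid one's-complement checksum sums to zero over the whole ICMP message.
    info["icmp"] = {"type": icmp_type, "code": code, "id": ident, "seq": seq,
                    "checksum_ok": inet_checksum(ip[ihl:total_len]) == 0}
    return info


def summarize(data: bytes) -> dict:
    """Count frames, echo requests and echo replies, like reading the tcpdump output above."""
    counts = {"frames": 0, "echo_request": 0, "echo_reply": 0, "bad_checksum": 0}
    for frame in read_pcap(data):
        counts["frames"] += 1
        icmp = decode_frame(frame).get("icmp")
        if icmp is None:
            continue
        counts["bad_checksum"] += not icmp["checksum_ok"]
        if icmp["type"] == ECHO_REQUEST:
            counts["echo_request"] += 1
        elif icmp["type"] == ECHO_REPLY:
            counts["echo_reply"] += 1
    return counts


if __name__ == "__main__":
    capture = build_ping_pcap()
    print(summarize(capture))
    print(decode_frame(next(read_pcap(capture))))
```

The decoder walks exactly the four layers Wireshark lists and stops at the IP header's protocol field: with protocol 1 there is no TCP or UDP header to read a port from, which is why the tcpdump filter was written as icmp rather than port N. read_pcap also refuses a file that does not start with the pcap magic number, the same reason a text editor cannot show the traffic in ping.txt.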