host alive?

The most commonly used tool to find out whether or not a remote host is alive is the venerable ping or ping6 for IPv6.

marc:~> ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from icmp_seq=2 ttl=64 time=0.239 ms
64 bytes from icmp_seq=3 ttl=64 time=0.167 ms
64 bytes from icmp_seq=4 ttl=64 time=0.148 ms
64 bytes from icmp_seq=5 ttl=64 time=0.160 ms
64 bytes from icmp_seq=6 ttl=64 time=0.210 ms
--- ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 0.148/0.180/0.239/0.035 ms

The ping utility sends ICMP ECHO_REQUEST datagrams (ICMP type 8) and expects an ECHO_REPLY (type 0) back from the target, provided the packet can reach the destination and the target is configured to answer such requests. Keep that second condition in mind: a host or an intermediate firewall that drops echo requests makes a live host look dead, so "no reply" is not the same as "down". We can specify a few options with ping:

marc:~> ping -b -c 3 -i 5
WARNING: pinging broadcast address
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
64 bytes from icmp_seq=2 ttl=64 time=0.218 ms
64 bytes from icmp_seq=2 ttl=150 time=0.646 ms (DUP!)
64 bytes from icmp_seq=3 ttl=64 time=0.217 ms

The example above sends three probes ("-c 3") five seconds apart ("-i 5") to the subnet's broadcast address ("-b") to elicit a response from every host in the subnet; each probe gets one answer per responding host, and ping flags the extra answers as duplicates (DUP!), here from a second host with a different TTL. Note that Linux ignores broadcast echo requests by default (net.ipv4.icmp_echo_ignore_broadcasts = 1), so a quiet broadcast ping does not prove the subnet is empty.

The next example pins the source address to the one used for the first probe with the "-B" flag (so it does not change mid-run if routing changes), prints a Unix timestamp before each reply ("-D") and sends the probes out of the interface virbr0 ("-I virbr0"):

marc:~> ping -B -D -I virbr0
PING ( from virbr0: 56(84) bytes of data.
[1443523219.233722] 64 bytes from icmp_seq=10 ttl=64 time=0.275 ms
[1443523220.233655] 64 bytes from icmp_seq=11 ttl=64 time=0.209 ms
[1443523221.233508] 64 bytes from icmp_seq=12 ttl=64 time=0.126 ms
[1443523222.233512] 64 bytes from icmp_seq=13 ttl=64 time=0.160 ms
[1443523223.233613] 64 bytes from icmp_seq=14 ttl=64 time=0.202 ms
[1443523224.233655] 64 bytes from icmp_seq=15 ttl=64 time=0.208 ms
--- ping statistics ---
15 packets transmitted, 6 received, 60% packet loss, time 13999ms
rtt min/avg/max/mdev = 0.126/0.196/0.275/0.048 ms

The following example prints numeric addresses only, with no reverse DNS lookups ("-n"), uses quiet output that shows only the summary ("-q"), sets the payload to a non-default 57 bytes ("-s 57": 57 data bytes plus the 8-byte ICMP header, 85 with the IP header, hence "57(85)"), sends three probes ("-c 3") two seconds apart ("-i 2") and gives up after 3 seconds if no reply at all has arrived ("-W 3"; once a reply has been seen, ping waits about two round-trip times instead):

marc:~> ping -c 3 -i 2 -n -q -s 57 -W 3
PING ( 57(85) bytes of data.
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.161/0.192/0.210/0.027 ms

ping is a fantastic tool, but sometimes we need something a bit more sophisticated to deal with the intricacies of our network configuration, such as hosts that drop ICMP or a firewall in the path. If that is the case, a good tool to have available is hping3. It might not come by default with your Linux distribution; on dnf-based systems you can install it from the standard repositories:

root:~> dnf -y install hping3

Some of hping3's options are the same as ping's (-c, -i, -I, -n, -q, etc.), but hping3 offers some more advanced features:

• Whereas ping can only send ICMP ECHO_REQUESTs (ICMP type 8), hping3 can send any ICMP type and code (-C/--icmptype, -K/--icmpcode), for instance a timestamp request (--icmp-ts) when echo requests are filtered by a firewall.

• Whereas ping can only use ICMP, which "does not know about ports", hping3 can build TCP (the default), UDP (-2/--udp), ICMP (-1/--icmp) or raw IP (-0/--rawip) packets and "ping" any port at the target (-p/--destport).

• hping3 can set any combination of TCP flags, so it can perform SYN scans in which the 3-way handshake is never completed: S (--syn), A (--ack), R (--rst), F (--fin), P (--push), U (--urg), X (--xmas) or Y (--ymas). The last two set the two bits above URG in the flags byte (hping's "unused" bits, later assigned to ECN); they are not a classic Xmas scan, which is FIN+PSH+URG.

• hping3 can listen for packets carrying a given signature (--listen) and dump what follows it, and can sample the target's TCP sequence numbers (-Q/--seqnum), which is useful for OS fingerprinting and for idle scans.

• hping3 can spoof the source address (-a/--spoof), for testing purposes obviously.

Let's look at some examples to get familiar with it and its capabilities. The following command does the same as a ping without options, i.e. it sends ICMP echo requests (type 8, code 0) until interrupted:

root:/etc> hping3 --icmp --icmptype 8
HPING (virbr0 icmp mode set, 28 headers + 0 data bytes
len=28 ip= ttl=64 id=16250 icmp_seq=0 rtt=0.1 ms
len=28 ip= ttl=64 id=16251 icmp_seq=1 rtt=0.1 ms
len=28 ip= ttl=64 id=16252 icmp_seq=2 rtt=0.1 ms
len=28 ip= ttl=64 id=16253 icmp_seq=3 rtt=0.1 ms
len=28 ip= ttl=64 id=16254 icmp_seq=4 rtt=0.1 ms
len=28 ip= ttl=64 id=16255 icmp_seq=5 rtt=0.1 ms
len=28 ip= ttl=64 id=16256 icmp_seq=6 rtt=0.1 ms
--- hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms

Three other ways of doing exactly the same would be (-1 selects ICMP mode, -C is the short form of --icmptype, and type 8 is already the default in ICMP mode):

root:/etc> hping3 --icmp -C 8
root:/etc> hping3 -1 -C 8
root:/etc> hping3 -1

In the next example we send 1003 TCP ACK probes ("-A") to the target, one every 1000 microseconds ("-i u1000"), starting at destination port 21 ("-p +21"). A single "+" tells hping3 to move to the next port each time a reply is received; "-p ++21" increments the port for every packet sent, which is what you want in order to walk ports 21 through 1023 in one pass whatever the target answers:

root:/etc> hping3 -A -p +21 -c 1003 -i u1000
HPING (virbr0 A set, 40 headers + 0 data bytes
ICMP Unreachable type=10 from ip= name=UNKNOWN
ICMP Unreachable type=10 from ip= name=UNKNOWN
ICMP Unreachable type=10 from ip= name=UNKNOWN
--- hping statistic ---
1003 packets transmitted, 7 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
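Turning outputs like the ones above into a decision is where wrapper scripts usually go wrong: they read "100% packet loss" as "host down". The script below is an added example, not part of the original page nor of the ping or hping3 projects. It derives a verdict from the summary line ping prints and from hping3's TCP and ICMP-error lines: a TCP reply of any kind, or a destination-unreachable sent by the target address itself, proves the host is up; an unreachable from some other address only proves that something in the path is filtering; silence proves nothing. The sample outputs embedded in it are constructed in the formats shown on this page, using TEST-NET-1 addresses (192.0.2.0/24); the probe function runs the real tools and needs root for hping3.

```shell
#!/bin/sh
# Added example (not from the original page): decide "alive or not" from what ping and
# hping3 actually print, instead of reading "100% packet loss" as "host down".
# Assumes Linux iputils ping and hping3 output formats as shown on this page.

# verdict_from_ping "<ping output>" -> alive | silent
# Reads the summary line ("N packets transmitted, M received, ..."); hping3's summary
# ("M packets received") is accepted too. No summary at all counts as silent.
verdict_from_ping() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^[0-9][0-9]* packets transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p' \
        | head -n 1)
    if [ "${n:-0}" -gt 0 ]; then echo alive; else echo silent; fi
}

# verdict_from_hping TARGET "<hping3 output>" -> alive | rejected-by-target | filtered | silent
verdict_from_hping() {
    target=$1
    out=$2
    # Any TCP reply (flags=SA for an open port, flags=RA or R for a closed one) came from a live stack.
    if printf '%s\n' "$out" | grep -q ' flags='; then
        echo alive
        return
    fi
    # An ICMP destination-unreachable sent by the target address itself (e.g. an iptables
    # REJECT) also proves the host is up; one from another address only shows filtering in the path.
    if printf '%s\n' "$out" | grep -q '^ICMP Unreachable'; then
        esc=$(printf '%s' "$target" | sed 's/\./\\./g')   # escape dots for the grep pattern
        if printf '%s\n' "$out" | grep -q "^ICMP Unreachable .*from ip=$esc name="; then
            echo rejected-by-target
        else
            echo filtered
        fi
        return
    fi
    echo silent
}

# probe HOST [PORT]: ICMP echo first, then a TCP SYN to PORT (default 443) via hping3.
# Uses the real tools; hping3 needs root. Prints "HOST: verdict (method)".
probe() {
    port=${2:-443}
    v=$(verdict_from_ping "$(ping -n -q -c 2 -W 2 "$1" 2>/dev/null)")
    if [ "$v" = alive ]; then
        echo "$1: alive (ICMP echo)"
        return 0
    fi
    v=$(verdict_from_hping "$1" "$(hping3 -S -p "$port" -c 2 -i 1 "$1" 2>&1)")
    echo "$1: $v (TCP SYN to port $port)"
}

# Constructed sample outputs in the formats shown above (not captured from real hosts;
# 192.0.2.0/24 is the TEST-NET-1 documentation range).
SAMPLE_PING_SILENT='PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.

--- 192.0.2.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2049ms'
SAMPLE_HPING_SYNACK='HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=443 flags=SA seq=0 win=29200 rtt=0.4 ms

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'
SAMPLE_HPING_REJECT='HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
ICMP Unreachable type=10 from ip=192.0.2.10 name=UNKNOWN

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 100% packet loss'
SAMPLE_HPING_ROUTER='HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
ICMP Unreachable type=13 from ip=192.0.2.1 name=UNKNOWN

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 100% packet loss'

# Usage: sh host_alive.sh HOST [PORT]; with no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
    probe "$@"
fi
```

Run it as root with a host and optional port (for example `sh host_alive.sh 192.0.2.10 443`, a placeholder address); the TCP SYN fallback is what distinguishes a host that merely drops echo requests from one that is really absent.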

The "ICMP Unreachable type=10" lines in the ACK scan are ICMP destination-unreachable messages carrying code 10 (host administratively prohibited), which is what a typical iptables REJECT rule (reject-with icmp-host-prohibited) sends back: the probes were refused by a firewall rather than lost, so the "100% packet loss" figure says nothing about whether the host is down (the packets hping3 reports as received are those ICMP errors, for which it computes no round-trip time). As seen in the examples above, hping3 is far more flexible than old rusty ping. However, if we need to go up to a whole new level and perform reconnaissance proper (host discovery, port scanning, OS fingerprinting, firewall ruleset mapping, etc.), then what we need is nmap.

root:~> dnf -y install nmap

nmap is an extremely capable network scanning tool with a ton of tweaks available to the user. If you want to learn it in depth, I would recommend starting your study at:


Or buying the excellent book by Gordon "Fyodor" Lyon (its creator): Nmap Network Scanning.

So that you get a brief idea, let's run an aggressive scan of a certain host. "-A" turns on OS detection, version detection, the default NSE scripts and traceroute, and "-T4" uses a faster timing template; this is a noisy, easily detected scan, so only point it at hosts you are authorized to probe:

root:/etc> nmap -A -T4
Starting Nmap 6.47 ( ) at 2015-09-30 09:15 BST
Nmap scan report for
Host is up (0.000084s latency).
Not shown: 999 filtered ports
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh­hostkey:
| 2048 2a:54:52:bd:be:e3:e5:72:58:61:b3:11:65:c0:9a:c9 (RSA)
|_ 256 6d:25:55:02:ea:81:1d:e9:7b:d4:b0:e2:e5:15:92:48 (ECDSA)
MAC Address: 52:54:00:49:72:FC (QEMU Virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.08 ms
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds
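The scan above found the host up through a single open port on a machine that filters everything else ("Not shown: 999 filtered ports", i.e. a firewall dropping the probes). For a whole range, the usual first pass is a discovery sweep rather than "-A" against every address. The script below is an added example, not code from the original page or from the Nmap project: it runs such a sweep with several probe types (ICMP echo plus TCP SYN and ACK probes, because hosts that drop echo requests often still answer TCP) and parses nmap's greppable output ("-oG") so the live addresses and open ports can be fed to the next step. Its sample data is constructed in the -oG layout with TEST-NET-1 addresses; the function names, the probe ports and the range in the usage line are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page or the Nmap project: a host-discovery sweep
# that does not depend on ICMP echo alone, emitted in nmap's greppable format (-oG) so the
# result can be consumed by a script. Assumes nmap is installed; the sample output below is
# constructed in the -oG layout with TEST-NET-1 addresses, not captured from a real scan.

# discover TARGETS...: discovery only (-sn), no reverse DNS (-n), ICMP echo (-PE) plus
# TCP SYN to 22 and 443 (-PS) and TCP ACK to 80 (-PA). Raw probes need root, so run it as
# root to actually get the ICMP and ACK probes. Greppable output goes to stdout (-oG -).
discover() {
    nmap -sn -n -PE -PS22,443 -PA80 -oG - "$@"
}

# live_hosts "<greppable output>": one address per line for every host reported Up.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host: / && /Status: Up/ { print $2 }'
}

# open_ports "<greppable output>": "HOST PORT/PROTO SERVICE" for every open port on a
# "Ports:" line (such lines come from a port scan, e.g. nmap -sV -oG -, not from -sn).
# Fields are tab-separated; each port entry is port/state/proto/owner/service/rpcinfo/version/
# and entries are separated by ", ".
open_ports() {
    printf '%s\n' "$1" | awk -F '\t' '
        /^Host: / && /Ports: / {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                }
            }
        }'
}

# sweep TARGETS...: run the discovery and print the live addresses, one per line.
sweep() {
    live_hosts "$(discover "$@")"
}

# Constructed sample in -oG layout (tab between fields): two hosts up, one of them
# port-scanned behind a filtering firewall, one host down (nmap lists Down hosts with -v).
SAMPLE_GREPABLE=$(printf '%s\t%s\n' \
    'Host: 192.0.2.1 ()' 'Status: Up' \
    'Host: 192.0.2.3 ()' 'Status: Up' \
    'Host: 192.0.2.3 ()' 'Ports: 22/open/tcp//ssh//OpenSSH 6.6.1 (protocol 2.0)/, 80/filtered/tcp//http///' \
    'Host: 192.0.2.4 ()' 'Status: Down')

# Usage: sudo sh discover.sh 192.0.2.0/24 (placeholder range); no arguments only defines functions.
if [ "$#" -gt 0 ]; then
    sweep "$@"
fi
```

The probe ports are a choice, not a rule: pick the ports the range is expected to serve, and remember that a host which answers none of ICMP echo, TCP 22/443 SYN or TCP 80 ACK is still only "not seen", not "absent".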


