Secrets of Magic Called "Ping"

Many...no, all (yeah, I'm an optimist) administrators know what Ping is. They also know about its usage.Basic usage of the Ping utility is for discovering and reaching devices in network.Let's sum up what we already know about Ping. If it says us "unreachable," we did something wrong or we're derailed thanks to a firewall preventing us from pinging our target. Also, Ping is limits the number of hops and packet sizes we send. This is something all of us know.So, let's make another step forward. There are many types of Ping (as protocols, not tools). We know 3 basic types of Ping protocols: TCP (the default one), ICMP (pretty the same as TCP) and UDP. TCP PingThe basic type of ping. It uses TCP transport for any desired address we give it. Nothing much to talk about. ICMP pingI know, I wrote it's "almost" the same as TCP Ping, but not really. This is very difficult to explain. TCP is IP protocol 6 and ICMP is IP protocol 1. So, yes, it's not the same in basic.However, from the user side, it acts the same way as TCP ping. ICMP is not protocol that knows timeouts or any delivery acknowledgements. It's more designated like UDP, but not meant to transport any data.We talk about simple request and response behavior. So, one can easily get in touch with "icmp echo request" and "icmp echo reply" statements, for example in a firewall configuration.Example (from my firewall configuration):

ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

or: -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

 As you can see, there's "icmp-type 8" defined, which means we want to accept and reply for any echo requests.All codes are available here: http://www.nthelp.com/icmp.htmlBy looking at the names, ICMP protocol is used as a separate "tool?" purposed mainly by active network devices like routers, switches and so on. UDP PingNow, this is interesting and its' the main part I want to focus on. One can ask: "What? UDP Ping? WTH?"Those reactions are normal. UDP transport is something we rarely use in administration. Many users and admins want to know if their transport is successful. UDP is not the best way for this, But, still, there's UDP Ping and is used very often.UDP Ping uses UDP frames to communicate. Most of other Ping types use TCP frames. UDP Ping is here for us when we want to locate an active device through firewalls that other ping types might not discover.UDP Ping is some kind of "hack" in basic; the way it works is pretty simple. UDP Ping sends one UDP frame to the host. After receiving the ICMP answer: "ICMP Port Unreachable, "we won and we know the device is alive.Example:

[192.168.0.5] [192.168.0.3] UDP: D=31338 S=42560  LEN=8

[192.168.0.3] [192.168.0.5] ICMP: Destination unreachable (Port unreachable)

If we get no answer, we can assume the device is really unavailable. The trick lays in the usage. As many UDP applications are made to not send any answer (why should they, right?), if we probe an open UDP port, we can get no answer even if the target is alive.Therefore, we try to UDP Ping a closed port instead. The most simple way is to use any high number port (they're often closed and unused).The main disadvantage of UDP Ping is it relies on ICMP. If ICMP answers from targets are filtered, there will be no answer to our Ping.When should you use UDP ping? Again, simple answer. When you run out of all other options, if TCP ping is blocked or the host is hidden behind a firewall that filters open ports.As it's an advanced and uncommon tool, it also uses really uncommon scenarios. But, it's good to know about this option. Thanks and I hope this was useful to you.