TCP can be used to check the host's presence without using an ICMP ping.
This can be done with several tools.
We will look at them one by one.
Hping is a powerful tool that can send custom TCP packets with the desired flags to a remote host so that you can analyse the reply.
It is also a good tool for testing your firewall configuration.
So now let's check the host's presence with the help of TCP and hping.
hping -S -p 80 192.168.0.103
result:
HPING 192.168.0.103 (eth0 192.168.0.103): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.8 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=1.5 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=5840 rtt=2.2 ms
len=46 ip=192.168.0.103 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=5840 rtt=1.2 ms
Let's have a look at the tcpdump output on the host with ping disabled.
tcpdump -i eth0 -s0 host 192.168.0.102
result:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:13:11.708350 IP 192.168.0.102.instantia > 192.168.0.103.http: S 1718487905:1718487905(0) win 512
03:13:11.730329 IP 192.168.0.103.http > 192.168.0.102.instantia: S 1566252172:1566252172(0) ack 1718487906 win 5840 <mss 1460>
03:13:11.708587 IP 192.168.0.102.instantia > 192.168.0.103.http: R 1718487906:1718487906(0) win 0
03:13:12.709646 IP 192.168.0.102.nessus > 192.168.0.103.http: S 1845389890:1845389890(0) win 512
03:13:12.709815 IP 192.168.0.103.http > 192.168.0.102.nessus: S 1576213111:1576213111(0) ack 1845389891 win 5840 <mss 1460>
03:13:12.710429 IP 192.168.0.102.nessus > 192.168.0.103.http: R 1845389891:1845389891(0) win 0
In the tcpdump output, you can see that a SYN request (shown with the “S” flag) and a reset request (shown with the “R” flag) are both sent by our requesting host (the host from which we sent the TCP ping with hping).
The reset packet is sent just after the SYN is answered, as hping does not need the connection to be fully established.
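Seen from the probed host, the SYN, SYN/ACK, RST pattern described above can be picked out of a capture automatically. The following is an added example, not part of the original article: it parses tcpdump text lines in the format shown above and reports handshakes that the client reset right after the SYN/ACK (the function names are this example's own).

```python
import re
from collections import Counter

# tcpdump text lines as printed without -n (ports show up as service names).
LINE = re.compile(
    r"^\S+ IP (\S+)\.([^.\s]+) > (\S+)\.([^.\s:]+): "
    r"(\S+)(?: (\d+):\d+\(\d+\))?(?: ack (\d+))?"
)

def find_half_open_probes(lines):
    """Return (client, server, service) for each SYN -> SYN/ACK -> RST exchange."""
    pending = {}  # (client, cport, server, sport) -> [client ISN, SYN/ACK seen?]
    probes = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags, seq, ack = m.groups()
        key = (src, sport, dst, dport)
        if flags == "S" and seq and ack is None:      # client SYN opens a flow
            pending[key] = [int(seq), False]
        elif flags == "S" and ack:                    # SYN/ACK from the server
            flow = pending.get((dst, dport, src, sport))
            if flow and int(ack) == flow[0] + 1:
                flow[1] = True
        elif key in pending:                          # client's next packet
            _, answered = pending.pop(key)
            # RST after the SYN/ACK is a probe; "." (plain ACK) is a normal connect.
            if flags == "R" and answered:
                probes.append((src, dst, dport))
    return probes

def summarize(lines):
    """Count half-open probes per (client, server, service)."""
    return Counter(find_half_open_probes(lines))

# The six packets from the capture above, one per line.
SAMPLE = """\
03:13:11.708350 IP 192.168.0.102.instantia > 192.168.0.103.http: S 1718487905:1718487905(0) win 512
03:13:11.730329 IP 192.168.0.103.http > 192.168.0.102.instantia: S 1566252172:1566252172(0) ack 1718487906 win 5840 <mss 1460>
03:13:11.708587 IP 192.168.0.102.instantia > 192.168.0.103.http: R 1718487906:1718487906(0) win 0
03:13:12.709646 IP 192.168.0.102.nessus > 192.168.0.103.http: S 1845389890:1845389890(0) win 512
03:13:12.709815 IP 192.168.0.103.http > 192.168.0.102.nessus: S 1576213111:1576213111(0) ack 1845389891 win 5840 <mss 1460>
03:13:12.710429 IP 192.168.0.102.nessus > 192.168.0.103.http: R 1845389891:1845389891(0) win 0
""".splitlines()

if __name__ == "__main__":
    for (client, server, service), n in summarize(SAMPLE).items():
        print(f"{client} -> {server}:{service}  half-open probes: {n}")
```

A client that completes the handshake with a plain ACK is not reported, so ordinary connections to the same port do not show up in the count.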
Another utility that can be used to check the presence of a host when ping is disabled is tcping.
This utility can be easily installed if you have the rpmforge repo enabled.
Let's see its usage.
tcping 192.168.0.103 80
result:
192.168.0.103 port 80 open.
The famous Nmap tool can also be used to check whether a host is alive by using TCP. Nmap does this by simply sending a TCP ACK packet to the host (for which an RST packet will be sent back by the remote host).
nmap -PT 192.168.0.103
result:
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2013-01-15 14:18 IST
Interesting ports on 192.168.0.103:
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
MAC Address: 08:00:27:55:D1:CC (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
If you want to specify a particular port with the -PT option for the TCP ping, you can do that as shown below.
nmap -PT443 192.168.0.103
result:
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2013-01-15 14:20 IST
Interesting ports on 192.168.0.103:
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https