Host discovery with ICMP

Attack tree

1 Try to send some ICMP packets (AND)
2 Ping sweep


  • The easiest and fastest way to find out whether a host is up is to send it some ICMP packets.

  • Send an echo request using a simple ping or fping (for ranges).

  • If pinging a single host works, try a ping-sweep: Send out ICMP echo requests to every system on a particular network or subset of a network to determine which hosts are up.

  • ICMP error messages can be used to mask the source of a Distributed Denial of Service attack, and because such attacks are common, ICMP error rate limiting is often applied. To get past filters on the common ICMP echo request/response pair, use nmap to send other types of ICMP packets. If scans still take a very long time, try discovering hosts with a SYN scan or UDP scan instead.


Send a single echo request:

# ping -c 1 <host>

Send echo requests to ranges:

# fping -g <range>

Using nmap, send echo, timestamp and subnet mask requests:

# nmap -PE -PP -PM -sP -n <targets>
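
Seen from the monitored network, the ping sweep and the echo, timestamp and subnet mask requests described above show up as one source sending ICMP request types 8, 13 and 17 to many distinct hosts in a short time. The following detector is an added example, not part of the original page; the log line format, the thresholds and the addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict

# ICMP request types used for host discovery (echo, timestamp, address mask).
DISCOVERY_TYPES = {8: "echo", 13: "timestamp", 17: "address-mask"}

# Assumed log format (constructed): "<epoch> <src> > <dst> ICMP type=<n>"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) > (\S+) ICMP type=(\d+)$")


def sample_log():
    """Constructed sample traffic: one sweeper, one monitoring host, one reply."""
    lines = []
    for i in range(1, 9):            # sweeper: 3 request types to 8 hosts in < 1 s
        for icmp_type in (8, 13, 17):
            lines.append(f"{1000 + i * 0.1:.1f} 198.51.100.7 > 192.0.2.{i} ICMP type={icmp_type}")
    for i in range(6):               # monitoring: repeated echo to a single host
        lines.append(f"{1000 + i} 192.0.2.50 > 192.0.2.1 ICMP type=8")
    lines.append("1001.0 192.0.2.1 > 198.51.100.7 ICMP type=0")  # echo reply, ignored
    return lines


def parse(lines):
    """Yield (timestamp, src, dst, icmp_type) for discovery-type requests only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) in DISCOVERY_TYPES:
            yield float(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_sweeps(lines, window=10.0, min_hosts=5):
    """Flag sources that probe >= min_hosts distinct hosts within `window` seconds."""
    events = defaultdict(list)
    for ts, src, dst, icmp_type in parse(lines):
        events[src].append((ts, dst, icmp_type))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts and len(hosts) > alerts.get(src, {}).get("hosts", 0):
                types = sorted({DISCOVERY_TYPES[t] for _, _, t in span})
                alerts[src] = {"hosts": len(hosts), "types": types}
    return alerts


if __name__ == "__main__":
    print(detect_sweeps(sample_log()))
```

Counting distinct destinations rather than packets keeps a monitoring host that repeatedly pings one address from being flagged.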