Monitoring incoming ICMP requests using tcpdump

[Virtual servers]
Date of publication: 27.03.2024

ICMP echo requests are commonly used to find out whether a server is currently online. The availability of a host is checked with the ping command, giving its IP address:

ping xx.123.xx.123
Exchange of packets from xx.123.xx.123 to 32 bytes of data:
Response from xx.123.xx.123: number of bytes=32 time=3ms TTL=64
Response from xx.123.xx.123: number of bytes=32 time=3ms TTL=64

The remote server answers each request, and the command output shows that it is reachable.

On the remote server that receives these requests, however, nothing is recorded in any log. Sometimes you need to find out who is currently sending ICMP requests to the server; for this we will use the tcpdump utility.

1. Install tcpdump

apt update
apt install tcpdump

2. Define the network interface

apt install net-tools
ifconfig

The command lists all network interfaces; select the one on which packets should be captured, in our case enp3s0. Then run tcpdump with a filter that keeps only ICMP echo requests (the filter is quoted so the shell does not try to expand the square brackets; -n suppresses DNS lookups of the addresses):

tcpdump -i enp3s0 -n 'icmp and icmp[icmptype] = icmp-echo'
listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:52:20.352600 IP xx.234.xx.234 > xx.123.xx.123: ICMP echo request, id 1, seq 57, length 40
21:52:21.360715 IP xx.234.xx.234 > xx.123.xx.123: ICMP echo request, id 1, seq 58, length 40

To write the output to a file instead, use the command below. The -l flag makes tcpdump line-buffer its output, so each request appears in the file immediately rather than only when the output buffer fills:

tcpdump -i enp3s0 -n -l 'icmp and icmp[icmptype] = icmp-echo' >> /var/log/ping.log

For as long as it runs, this command records every ICMP echo request that reaches the host, including the source IP address of each one.
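The resulting /var/log/ping.log is just the one-line-per-packet text shown above. As an added example that is not part of the original article, the script below parses that format, counts echo requests per source address and flags any source that sent more than a threshold of requests inside a short window (a crude flood or sweep indicator). The addresses and lines in the sample are constructed, not captured.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One tcpdump line per echo request: time, source, destination, id, seq, length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)

def parse_line(line):
    """Return a dict for an echo-request line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    for key in ("id", "seq", "len"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines, window=timedelta(seconds=10), threshold=20):
    """Count echo requests per source and flag a source whose peak count
    inside any `window` exceeds `threshold` (a crude flood/sweep indicator)."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec["ts"])
    report = {}
    for src, stamps in per_src.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[src] = {"count": len(stamps), "peak_in_window": peak,
                       "flood": peak > threshold}
    return report

# Constructed sample (RFC 5737 documentation addresses): one host pinging once
# per second and one host sending 25 requests inside a single second.
SAMPLE_LOG = ["listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes"]
SAMPLE_LOG += [f"21:52:{20 + i:02d}.352600 IP 203.0.113.7 > 198.51.100.5: "
               f"ICMP echo request, id 1, seq {57 + i}, length 40" for i in range(5)]
SAMPLE_LOG += [f"21:52:30.{i * 40000:06d} IP 198.51.100.99 > 198.51.100.5: "
               f"ICMP echo request, id 9, seq {i}, length 64" for i in range(25)]
if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Run it against the real file with `summarize(open("/var/log/ping.log"))`; the "listening on" header line and any non-echo lines are skipped by the parser.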

We do not recommend leaving this command running permanently, as it consumes CPU and disk space for as long as it captures. This example is intended for debugging purposes.
