How to Detect and Identify Ping Requests to Your Linux System



When troubleshooting network connectivity issues, ping is often the first diagnostic tool used. As a Linux system administrator, you might want to monitor incoming ICMP echo requests (pings) for security monitoring or network troubleshooting purposes.

The most effective way to detect ping attempts is using packet capture tools. Here are three practical methods:


# Method 1: Using tcpdump
sudo tcpdump -i eth0 'icmp and icmp[icmptype] = icmp-echo'   # quote the filter so the shell does not glob the brackets

# Method 2: Using tshark (wireshark CLI)
sudo tshark -i eth0 -f "icmp and icmp[0] == 8" -Y "icmp.type==8"

# Method 3: Using iptables logging
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "PING ATTEMPT: "

For forensic analysis of past ping requests, examine system logs:


# Check kernel messages
dmesg | grep -i icmp

# Check system logs (distribution specific)
journalctl -k --grep="ICMP"  # systemd systems
grep -i icmp /var/log/syslog # Debian/Ubuntu
grep -i icmp /var/log/messages # RHEL/CentOS

For production environments, consider these more robust solutions:


# Set up persistent logging with rsyslog
# Add to /etc/rsyslog.conf: route only the prefixed LOG entries to their own
# file (kern.* alone would copy every kernel message into icmp.log)
:msg, contains, "PING ATTEMPT: " /var/log/icmp.log
& stop

# Create a dedicated monitoring script
#!/bin/bash
# Capture echo requests continuously (-l line-buffers output so entries reach
# the log as they arrive); the loop restarts tcpdump if it ever exits
while true; do
    tcpdump -nli eth0 'icmp and icmp[icmptype] = icmp-echo' >> /var/log/ping_monitor.log
    sleep 60
done

While monitoring ping requests can be useful, remember that:

  • ICMP requests are often blocked by firewalls in secure environments
  • Excessive logging can impact system performance
  • Ping alone doesn't indicate malicious activity

When someone pings your Linux machine, they're sending ICMP Echo Request packets. Unlike TCP/UDP connections, these don't establish a session, making them harder to track. However, there are several effective monitoring approaches.

The most straightforward method uses tcpdump to capture ICMP traffic:


sudo tcpdump -n -i eth0 'icmp and icmp[icmptype] == icmp-echo'

This command will show real-time ping attempts with source IP addresses. For continuous monitoring, save to a file:


sudo tcpdump -i eth0 -w ping_log.pcap 'icmp and icmp[icmptype] == icmp-echo'

For long-term tracking, configure iptables to log ICMP requests:


sudo iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "ICMP Ping: "
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

View logs with:


sudo tail -f /var/log/syslog | grep "ICMP Ping"

For deep packet inspection, capture traffic with tcpdump then analyze in Wireshark:


sudo tcpdump -i eth0 -w ping_capture.pcap

In Wireshark, use filter icmp.type == 8 to view all ping requests with detailed timing and source information.

Create a bash script to log and alert on ping activity:


#!/bin/bash
# With -n, the third field of each tcpdump line is the source IP address.
# Note that -c 1 reopens the interface for every packet, so requests arriving
# between iterations are not recorded.
while true; do
    sudo tcpdump -nli eth0 -c 1 'icmp and icmp[icmptype] == icmp-echo' 2>/dev/null | \
    awk '{print "Ping detected from: "$3}' >> /var/log/ping_monitor.log
    # Optional email alert (sends the whole log on every detection):
    # mail -s "Ping Alert" admin@example.com < /var/log/ping_monitor.log
done

To prevent ping flooding while still maintaining visibility:


sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Rules are matched in order, so place these after the LOG rule and in place of the unconditional ACCEPT shown earlier (an earlier ACCEPT would match first and the limit would never apply). Arranged that way, every request is still logged while only a limited rate is answered, protecting against ICMP-based floods.
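As an added example (not code from the original page), the following Python script parses the kernel log lines written by the "ICMP Ping: " LOG rule above, counts echo requests per source, and flags any source that exceeds a rate threshold, the same condition the rate-limit rule is meant to contain. The host name, addresses and log lines are constructed; the field layout follows what the kernel's LOG target writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Layout of the kernel LOG output for the rule above; a "[uptime]" stamp after "kernel:" is tolerated.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[ *[\d.]+\] )?ICMP Ping: "
    r".*?SRC=(?P<src>[0-9a-fA-F.:]+) .*?PROTO=ICMP TYPE=(?P<type>\d+)")

def parse_ping_line(line):
    """Return (timestamp, source) for an echo-request LOG line, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("type") != "8":  # ICMP type 8 = echo request
        return None
    # syslog timestamps carry no year; relative differences are all we need
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src")

def ping_counts(lines):
    """Total echo requests seen per source address."""
    counts = defaultdict(int)
    for parsed in filter(None, map(parse_ping_line, lines)):
        counts[parsed[1]] += 1
    return dict(counts)

def flood_sources(lines, threshold, window_s):
    """Sources that sent more than `threshold` requests inside any window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, src in filter(None, map(parse_ping_line, lines)):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop entries outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def _line(ts, src, seq):
    """Build one constructed syslog line in the layout the LOG target writes."""
    return (f"{ts} host kernel: ICMP Ping: IN=eth0 OUT= MAC=00:11:22:33:44:55:"
            f"66:77:88:99:aa:bb:08:00 SRC={src} DST=198.51.100.5 LEN=84 TOS=0x00 "
            f"PREC=0x00 TTL=64 ID={seq} PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ={seq}")

# Constructed sample: one host pings twice, another sends five in one second, plus an unrelated sshd line.
SAMPLE_LOG = [
    _line("Jun 10 12:00:01", "192.0.2.10", 1),
    "Jun 10 12:00:01 host sshd[100]: Accepted publickey for admin from 192.0.2.10",
    *[_line("Jun 10 12:00:02", "203.0.113.7", n) for n in range(1, 6)],
    _line("Jun 10 12:00:05", "192.0.2.10", 2),
]
```

Feed it real lines with `flood_sources(open("/var/log/syslog"), threshold=5, window_s=1)`; the threshold and window should mirror whatever `--limit` value the rate-limit rule uses.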