scapy学习icmp报文

　 icmp(Internet Control Message Protocol)报文真的是一个数据结构特别简单的报文，虽然它使用到了ip头部，协议位于网络层。说它数据结构简单主要是因为icmp报文最主要出于网络诊断的目的，比如检测某个主机或者路由器是否正确到达，不像tcp，udp或者更上层协议的报文会携带很多额外的信息。

1.icmp报文类型
　　在icmp报文中最重要的只有type和code字段，其中code相当与是对type更进一步的状态解释。

Type	Code	Status	Description
0 – Echo Reply	0		Echo reply (used to ping)
1 and 2		unassigned	Reserved
3 – Destination Unreachable	0		Destination network unreachable
	1		Destination host unreachable
	2		Destination protocol unreachable
	3		Destination port unreachable
	4		Fragmentation required, and DF flag set
	5		Source route failed
	6		Destination network unknown
	7		Destination host unknown
	8		Source host isolated
	9		Network administratively prohibited
	10		Host administratively prohibited
	11		Network unreachable for ToS
	12		Host unreachable for ToS
	13		Communication administratively prohibited
	14		Host Precedence Violation
	15		Precedence cutoff in effect
4 – Source Quench	0	deprecated	Source quench (congestion control)
5 – Redirect Message	0		Redirect Datagram for the Network
	1		Redirect Datagram for the Host
	2		Redirect Datagram for the ToS & network
	3		Redirect Datagram for the ToS & host
6		deprecated	Alternate Host Address
7		unassigned	Reserved
8 – Echo Request	0		Echo request (used to ping)
9 – Router Advertisement	0		Router Advertisement
10 – Router Solicitation	0		Router discovery/selection/solicitation
11 – Time Exceeded	0		TTL expired in transit
	1		Fragment reassembly time exceeded
12 – Parameter Problem: Bad IP header	0		Pointer indicates the error
	1		Missing a required option
	2		Bad length
13 – Timestamp	0		Timestamp
14 – Timestamp Reply	0		Timestamp reply
15 – Information Request	0	deprecated	Information Request
16 – Information Reply	0	deprecated	Information Reply
17 – Address Mask Request	0	deprecated	Address Mask Request
18 – Address Mask Reply	0	deprecated	Address Mask Reply
19		reserved	Reserved for security
20 through 29		reserved	Reserved for robustness experiment
30 – Traceroute	0	deprecated	Information Request
31		deprecated	Datagram Conversion Error
32		deprecated	Mobile Host Redirect
33		deprecated	Where-Are-You (originally meant for IPv6)
34		deprecated	Here-I-Am (originally meant for IPv6)
35		deprecated	Mobile Registration Request
36		deprecated	Mobile Registration Reply
37		deprecated	Domain Name Request
38		deprecated	Domain Name Reply
39		deprecated	SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40			Photuris, Security failures
41		experimental	ICMP for experimental mobility protocols such as Seamoby
42 through 252		unassigned	Reserved
253		experimental	RFC3692-style Experiment 1
254		experimental	RFC3692-style Experiment 2
255		reserved	Reserved

　
2.scapy发送icmp包与woreshark抓包
　　发送icmp包 sr1(IP(dst="192.168.1.102")/ICMP()/"zhou") 此时type为8

　　“zhou”属于最后的padding字段，不要也罢。

　　sr1同样会接收来自102主机的回复包

In [20]: result.display()
###[ IP ]### 
  version   = 4L
  ihl       = 5L
  tos       = 0x0
  len       = 32
  id        = 593
  flags     = 
  frag      = 0L
  ttl       = 64
  proto     = icmp
  chksum    = 0xf46b
  src       = 192.168.1.102
  dst       = 192.168.1.106
  \options   \
###[ ICMP ]### 
     type      = echo-reply
     code      = 0
     chksum    = 0x1622
     id        = 0x0
     seq       = 0x0
###[ Raw ]### 
        load      = 'zhou'

　
3.防ping策略
　　我们通常使用的ping和traceroute命令都在悄悄的使用icmp报文去检测主机的存活状态。当然从网络安全的角度来说，检测主机是否存活是渗透的第一步，所以从win7开始就已经默认开启了防ping规则，在linux中如果要过滤icmp包只需要在/etc/rc.local文件中添加一句echo "echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all" >>/etc/rc.d/rc.local 但是如果使用这种方法的话，连自己都不能ping别人了。所以高级一点的还是使用防火墙规则吧。 iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP.
　　当然如果真要较真网络安全中检测对方存活主机，不仅仅有icmp协议，还可以通过syn，udp等手段，当然这是后话了，不属于本篇文章。