liarsping 0.1.0

A ping server which attempts to manipulate the ping times seen by the client
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103

# liarsping

A small Rust tool that listens for ICMP echo requests on a raw socket and replies with forged echo replies designed to make ping RTTs look shorter than they really are. 

## Strategies

**Timestamp tampering.** Linux-style `ping` embeds the send time in the payload (`u64` seconds little-endian at offset 0, `u32` microseconds at offset 8) and computes RTT as `now - embedded`. `liarsping` shifts the embedded timestamp by `--shave-timestamp` (a signed duration) so the sender's RTT calculation comes out smaller (positive shave) or larger (negative shave). `--shave-timestamp-percent` scales the shave to a fraction of the observed `now - embedded` difference instead of using a fixed magnitude.

**Sequence prediction.** Windows-style `ping` keeps time locally and only trusts the `(identifier, sequence)` echoed back. For positive `--shave-sequence`, `liarsping` replies with `sequence + N` *delayed* so that, by the time the sender transmits the real `sequence + N`, our reply is already waiting and matches against its local send time. The result is a small (or negative) RTT. For negative `--shave-sequence`, `liarsping` replies with the same sequence but delayed by `|shave|`, so the sender sees the configured amount *added* to the real RTT.

`--strategy auto` (default) picks per packet by inspecting the payload; `--strategy timestamp` or `--strategy sequence` forces one mode.

## Build

```
cargo build --release
```

## Run

Raw ICMP sockets need `CAP_NET_RAW`:

```
sudo ./target/release/liarsping
# or, once:
sudo setcap cap_net_raw+ep ./target/release/liarsping
./target/release/liarsping
```

### Important: stop the kernel from also replying

By default the Linux kernel will reply to every echo request itself, so the sender sees two replies (`ping` reports `DUP!`). Disable kernel auto-replies for the duration of your test:

```
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
```

`liarsping` warns at startup if this isn't set.

## Options

```
--bind <ADDR>                       IPv4 address to bind                    (default: 0.0.0.0)
--strategy <auto|timestamp|sequence>                                        (default: auto)
--shave <SIGNED_DURATION>           lie magnitude for both modes            (no default)
--shave-timestamp <SIGNED_DURATION> lie magnitude for timestamp mode        (default: 10ms)
--shave-sequence  <SIGNED_DURATION> lie magnitude for sequence mode         (default: 10ms)
--shave-timestamp-percent <NUMBER>  % of (now - embedded) to shave (timestamp mode only, no default)
--assumed-interval <DURATION>       assumed sender ping interval            (default: 1s)
--first-packet <honest|drop>        sequence-mode first-packet policy       (default: honest)
-v, --verbose                       log every received/sent packet
-h, --help                          show help
```

`SIGNED_DURATION` is an optional leading `-` followed by `humantime` syntax: `20ms`, `-1s`, `500us`, `-2m`. Negative values make reported RTTs *larger* than reality. `NUMBER` for `--shave-timestamp-percent` is a plain `f64`; it may be negative (inflate RTT by that percent) or greater than 100 (push the embedded timestamp past `now`). `--shave-timestamp` and `--shave-timestamp-percent` are mutually exclusive. When both a specific flag and `--shave` are given, the specific flag wins for its mode.

## Examples

**Lie to a Linux pinger by 50ms:**

```
liarsping --strategy timestamp --shave-timestamp 50ms
```

From another host: `ping <victim>` — RTTs should appear ~50ms shorter than reality.

**Lie to a Windows pinger by 200ms:**

```
liarsping --strategy sequence --shave-sequence 200ms --assumed-interval 1s
```

The first reply will be honest (or dropped, depending on `--first-packet`); subsequent replies will appear ~200ms faster than the round trip.

**Make ping RTTs look larger (pretend the network is slow):**

```
liarsping --shave -100ms
```

Negative shave works for both timestamp and sequence senders. Linux pingers get a rewritten embedded timestamp; Windows pingers get the same-sequence reply delayed by 100 ms.

**Shave 80% of each Linux-ping RTT:**
```
liarsping --strategy timestamp --shave-timestamp-percent 80
```

Reported RTTs appear as roughly one-fifth of reality. Use `--shave-timestamp-percent -100` to double them instead.

**Add 200 ms to every Windows-ping RTT:**

```
liarsping --strategy sequence --shave-sequence -200ms
```

From a Windows host, `ping <victim>` will report RTTs ~200 ms larger than reality. Negative sequence shave delays the same-sequence reply by `|shave|` rather than predicting ahead.

## Caveats

- IPv4 only.
- Timestamp mode assumes Linux `ping`'s payload layout. Other senders fall back to sequence mode under `--strategy auto`.
- Sequence mode assumes the sender ticks at `--assumed-interval` (default 1 s — Linux/Windows `ping` defaults).
- Run only against hosts you own or are explicitly authorised to test.