liarsping 0.1.0

A ping server which attempts to manipulate the ping times seen by the client
Documentation

liarsping

A small Rust tool that listens for ICMP echo requests on a raw socket and replies with forged echo replies designed to make ping RTTs look shorter than they really are.

Strategies

Timestamp tampering. Linux-style ping embeds the send time in the payload (u64 seconds little-endian at offset 0, u32 microseconds at offset 8) and computes RTT as now - embedded. liarsping shifts the embedded timestamp by --shave-timestamp (a signed duration) so the sender's RTT calculation comes out smaller (positive shave) or larger (negative shave). --shave-timestamp-percent scales the shave to a fraction of the observed now - embedded difference instead of using a fixed magnitude.

Sequence prediction. Windows-style ping keeps time locally and only trusts the (identifier, sequence) echoed back. For positive --shave-sequence, liarsping replies with sequence + N delayed so that, by the time the sender transmits the real sequence + N, our reply is already waiting and matches against its local send time. The result is a small (or negative) RTT. For negative --shave-sequence, liarsping replies with the same sequence but delayed by |shave|, so the sender sees the configured amount added to the real RTT.

--strategy auto (default) picks per packet by inspecting the payload; --strategy timestamp or --strategy sequence forces one mode.

Build

cargo build --release

Run

Raw ICMP sockets need CAP_NET_RAW:

sudo ./target/release/liarsping
# or, once:
sudo setcap cap_net_raw+ep ./target/release/liarsping
./target/release/liarsping

Important: stop the kernel from also replying

By default the Linux kernel will reply to every echo request itself, so the sender sees two replies (ping reports DUP!). Disable kernel auto-replies for the duration of your test:

sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

liarsping warns at startup if this isn't set.

Options

--bind <ADDR>                       IPv4 address to bind                    (default: 0.0.0.0)
--strategy <auto|timestamp|sequence>                                        (default: auto)
--shave <SIGNED_DURATION>           lie magnitude for both modes            (no default)
--shave-timestamp <SIGNED_DURATION> lie magnitude for timestamp mode        (default: 10ms)
--shave-sequence  <SIGNED_DURATION> lie magnitude for sequence mode         (default: 10ms)
--shave-timestamp-percent <NUMBER>  % of (now - embedded) to shave (timestamp mode only, no default)
--assumed-interval <DURATION>       assumed sender ping interval            (default: 1s)
--first-packet <honest|drop>        sequence-mode first-packet policy       (default: honest)
-v, --verbose                       log every received/sent packet
-h, --help                          show help

SIGNED_DURATION is an optional leading - followed by humantime syntax: 20ms, -1s, 500us, -2m. Negative values make reported RTTs larger than reality. NUMBER for --shave-timestamp-percent is a plain f64; it may be negative (inflate RTT by that percent) or greater than 100 (push the embedded timestamp past now). --shave-timestamp and --shave-timestamp-percent are mutually exclusive. When both a specific flag and --shave are given, the specific flag wins for its mode.

Examples

Lie to a Linux pinger by 50ms:

liarsping --strategy timestamp --shave-timestamp 50ms

From another host: ping <victim> — RTTs should appear ~50ms shorter than reality.

Lie to a Windows pinger by 200ms:

liarsping --strategy sequence --shave-sequence 200ms --assumed-interval 1s

The first reply will be honest (or dropped, depending on --first-packet); subsequent replies will appear ~200ms faster than the round trip.

Make ping RTTs look larger (pretend the network is slow):

liarsping --shave -100ms

Negative shave works for both timestamp and sequence senders. Linux pingers get a rewritten embedded timestamp; Windows pingers get the same-sequence reply delayed by 100 ms.

Shave 80% of each Linux-ping RTT:

liarsping --strategy timestamp --shave-timestamp-percent 80

Reported RTTs appear as roughly one-fifth of reality. Use --shave-timestamp-percent -100 to double them instead.

Add 200 ms to every Windows-ping RTT:

liarsping --strategy sequence --shave-sequence -200ms

From a Windows host, ping <victim> will report RTTs ~200 ms larger than reality. Negative sequence shave delays the same-sequence reply by |shave| rather than predicting ahead.

Caveats

  • IPv4 only.
  • Timestamp mode assumes Linux ping's payload layout. Other senders fall back to sequence mode under --strategy auto.
  • Sequence mode assumes the sender ticks at --assumed-interval (default 1 s — Linux/Windows ping defaults).
  • Run only against hosts you own or are explicitly authorised to test.