Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  NETLEAK (8)


netleak - Network Leak Finder client




netleak [OPTIONS] <targets>


netleak is a small perl script that tries to detect connectivety between network segments. It is mostly useful for large organizations that have private local area networks physically separated or firewalled from the Internet but who are unsure if any rogue paths or "leaks" still allow network flow.

netleak achieves this simply by sending out spoofed packets into the internal network and if any packet is received on the external network a leak has been detected. Because of this, netleak is an active system consisting of a client ( this ) that spews out packets on one network and a server ( netleakd(8) ) which waits for packet on the other network.


targets is a space-delimited list of ip-addresses or hostnames. Use CIDR-block notation to specify ranges, e.g. "" will leak-test a C-block.
--fast Only send packets to the network & broadcast address. This will speed up the sweep significantly but could result in some leaks not being detected.
--cfile lt;filegt; Use alternate configuration file. netleak will by default look for ~/.netleak /usr/local/etc/netleak.conf and /etc/netleak.conf. Command-line arguments always overrides anything from any configuration file.
--tfile lt;filegt; Read targets from file. The format is one host per line in either hostname-format or CIDR-notation.
--spoof lt;targetgt; Specify the host waiting for packets on the other network, i.e. the Internet.
--protocol lt;ip|icmp|udp|allgt; Use the designated protocol to send packets. all triggers IP ICMP and UDP. Default is currently ICMP.

IP: Will craft raw IP-packets with a malicious IP-header and provoke the target hosts to generate an ICMP Parameter Problem error message. Most routers should let such a packet through depending on their interpretation of RFC1812. The end-host should according to RFC1122 try to validate the packet and generate our desired response. This feature is sort of experimental but should yield the best results. If you encounter a router that doesn’t let this type of packet through please let me know!

It appears that NAT-devices reacts differently to these packets. I’ve tested it on Speedstream and a Cisco 667 where the former would let them through and the latter would drop them.

ICMP: Will send a normal ICMP echo request that may trigger an ICMP echo response message with the datafields intact, thus preserving the signature. This option is the only one my Cisco 667 won’t drop.

UDP: Will send an UDP packet with source & destination port set to 0. This should trigger an ICMP response which hopefully will have the datafield copied to it. Depending on what OS the targeted host is running you might get different results. Linux 2.6.7 copies the datafield nicely but I’ve observed that Windows2000 won’t copy further than the IP-headersize + 8 bytes which therefore only includes the UDP-header.

Since routers react differently (One brand might drop ICMP whereas another only accepts exactly that) I suggest you use the --all option.

--signature lt;stringgt; A string inside each packet used for identifying packets that made it into the external network. By default netleak will use "IP:" as prefix and the internal ip-address as postfix. This way packets recieved by netleakd(8) will contain the internal ip-address of the host that knew a path out.

You probably won’t need to fiddle with this option unless you want to run netleak from several locations and need to differenciate them on the internet.

NOTE!! You *must* use the same signature for both netleak and netleakd(8) or you won’t get any results at all!

--interface lt;ifacegt; Which network interface to send packets on. Defaults to eth0
--policy How fast to send packets. Defaults to "fast" which is as fast as it can. Use a slower policy if you fear the network is being saturated.
--verbose Enable verbose mode
--help Show help information


Test block "" for leaks to the Internet while netleakd is running on

#$ netleak --spoof

Test targets read from file using IP, ICMP & UDP with listening on the internet for packets with signature "MYSIG" in it.

#$ netleak --targets blocks.txt --spoof --protocol all --signature ’MYSIG:’


If you find any please let me know.


Jonas Hansen <>






Search for    or go to Top of page |  Section 8 |  Main Index


Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.