Skip to content
Sundial ICMP timestamp Zmap module and analysis
C Python Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Sundial Zmap module

  1. Background: Sundial is a project to expose properties of Internet devices via ICMP timestamp messages. For full details, or to cite this work, please see: E.C. Rye and R. Beverly "Sundials in the Shade," PAM 2019

  2. Dependencies: Zmap itself requires several dependencies; a handy list of debian packages that are pre-requisites include:

    $ sudo apt-get install build-essential cmake libgmp3-dev gengetopt libpcap-dev flex byacc libjson-c-dev pkg-config libunistring-dev

  3. Building: Follow these steps to build Zmap with Sundial support:

    • Clone Zmap (
    • Copy packet.*, probe_modules.*, and module_sundial.c to zmap/src/probe_modules/
    • Add probe_modules/module_sundial.c to set(EXTRA_PROBE_MODULES) in zmap/src/CMakeLists.txt
    • Copy md5.h to zmap/lib
    • cd zmap && mkdir build && cd build
    • cmake ..
    • make -j4
    • sudo make install
  4. Running:

    $ zmap -M sundial --probe-args=X -I listofips

    where X = 1 (Standard Probe), 2 (Bad Clock), 3 (Bad Checksum), 4 (Duplicate TS)

  5. Analysis:

    • Build analyze from timestampAnalyzer.c using included Makefile
    • Analysis scripts require a pcap capture of the Zmap run (ICMP probes and responses)
    • Analysis scripts assume pcap contains all 4 probe types
    • Assuming the captured pcap zmap_sundial.pcap:
      • analyze zmap_sundial.pcap
      • python -i zmap_sundial.pcap_results.txt
    • Use python -h for a list of analysis options
You can’t perform that action at this time.