netleak − Network Leak Finder client


netleak [OPTIONS] <targets>


netleak is a small perl script that tries to detect connectivety between network segments. It is mostly useful for large organizations that have private local area networks physically separated or firewalled from the Internet but who are unsure if any rogue paths or "leaks" still allow network flow.

netleak achieves this simply by sending out spoofed packets into the internal network and if any packet is received on the external network a leak has been detected. Because of this, netleak is an active system consisting of a client ( this ) that spews out packets on one network and a server ( netleakd(8) ) which waits for packet on the other network.


targets is a space-delimited list of ip-addresses or hostnames. Use CIDR-block notation to specify ranges, e.g. "" will leak-test a C-block.


Only send packets to the network & broadcast address. This will speed up the sweep significantly but could result in some leaks not being detected.

--cfile <file>

Use alternate configuration file. netleak will by default look for ~/.netleak /usr/local/etc/netleak.conf and /etc/netleak.conf. Command-line arguments always overrides anything from any configuration file.

--tfile <file>

Read targets from file. The format is one host per line in either hostname-format or CIDR-notation.

--spoof <target>

Specify the host waiting for packets on the other network, i.e. the Internet.

--protocol <ip|icmp|udp|all>

Use the designated protocol to send packets. all triggers IP ICMP and UDP. Default is currently ICMP.

IP: Will craft raw IP-packets with a malicious IP-header and provoke the target hosts to generate an ICMP Parameter Problem error message. Most routers should let such a packet through depending on their interpretation of RFC1812. The end-host should according to RFC1122 try to validate the packet and generate our desired response. This feature is sort of experimental but should yield the best results. If you encounter a router that doesn’t let this type of packet through please let me know!

It appears that NAT-devices reacts differently to these packets. I’ve tested it on Speedstream and a Cisco 667 where the former would let them through and the latter would drop them.

ICMP: Will send a normal ICMP echo request that may trigger an ICMP echo response message with the datafields intact, thus preserving the signature. This option is the only one my Cisco 667 won’t drop.

UDP: Will send an UDP packet with source & destination port set to 0. This should trigger an ICMP response which hopefully will have the datafield copied to it. Depending on what OS the targeted host is running you might get different results. Linux 2.6.7 copies the datafield nicely but I’ve observed that Windows2000 won’t copy further than the IP-headersize + 8 bytes which therefore only includes the UDP-header.

Since routers react differently (One brand might drop ICMP whereas another only accepts exactly that) I suggest you use the --all option.

--signature <string>

A string inside each packet used for identifying packets that made it into the external network. By default netleak will use "IP:" as prefix and the internal ip-address as postfix. This way packets recieved by netleakd(8) will contain the internal ip-address of the host that knew a path out.

You probably won’t need to fiddle with this option unless you want to run netleak from several locations and need to differenciate them on the internet.

NOTE!! You *must* use the same signature for both netleak and netleakd(8) or you won’t get any results at all!

--interface <iface>

Which network interface to send packets on. Defaults to eth0


How fast to send packets. Defaults to "fast" which is as fast as it can. Use a slower policy if you fear the network is being saturated.


Enable verbose mode


Show help information


Test block "" for leaks to the Internet while netleakd is running on

#$ netleak --spoof

Test targets read from file using IP, ICMP & UDP with listening on the internet for packets with signature "MYSIG" in it.

#$ netleak --targets blocks.txt --spoof --protocol all --signature ’MYSIG:’


If you find any please let me know.


Jonas Hansen <>