how to find proces which is pinging localhost

The command sudo lsof -n |grep "st=07" seem to work.

To test it, I ran ping as shown below on one terminal to generate ICMP packets

arul@cheetah:~$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.049 ms

On another terminal, I ran lsof as shown below. You can see the output shows the process and the pid that is the source of ICMP packets.

arul@cheetah:~$ sudo lsof -n |grep "st=07"
ping       3344                   arul    3u      raw                         0t0     602086 00000000:0001->00000000:0000 st=07

source: https://stackoverflow.com/questions/23327689/identify-the-pid-of-process-which-is-transmitting-icmp-packets

You can do it with systemtap, which can monitor all the subsystems, so you don't need to check system state for specific moment - you can log events:

https://sourceware.org/systemtap/SystemTap_Beginners_Guide/useful-systemtap-scripts.html

Sending ICMP Echo Request packets needs root privileges. So you have 2 options:

• check the process table for processes run on root account, or with SUID bit
• check for "ping" process

Example commands:

ps aux |grep ping
ps aux |grep root |grep -v \\[

Then check all results of the second command, if the particular binary has SUID bit:

ls -l `which dhclient`
ls -l `which getty`
ls -l `which passwd`
ls -l `which ping`

As you can see from permissions list, 3rd and 4th programs have SUID bit, while 1st and 2nd don't.