[Snort-sigs] Sid 456 and 385 documentation change

Steven Alexander alexander.s at ...1565...
Mon Jun 9 12:11:12 EDT 2003


Earlier I wrote,

"Detailed Information:

Traceroute works by sending an ICMP Echo Request packet to a destination
host with a TTL value of 1.  If the host is more than one hop away, the
first router that receives the packet will send back an ICMP packet
indicating that the TTL was exceeded.  The address of this router is
then listed as the first hop.  The packet is then sent out again with a
TTL of 2.  This continues until the destination host is able to reply or
some maximum TTL value is reached.  Unix implementations generally use
UDP packets sent to an ephemeral port rather than an ICMP Echo Request.
The TTL on the packet is decreased by 1 as it passes each router and
should have a TTL of 1 when it reaches the destination network."

This should be corrected to:

Detailed Information:

There are at least three different implementations of traceroute.  In
one implementation traceroute works by sending an ICMP Echo Request
packet to a destination host with a TTL value of 1.  If the host is more
than one hop away, the first router that receives the packet will send
back an ICMP packet indicating that the TTL was exceeded.  The address of
this router is then listed as the first hop.  The packet is then sent
out again with a TTL of 2.  This continues until the destination host is
able to reply or some maximum TTL value is reached.

The other two implementations use the same TTL-based concept with an
ICMP type of 30 (traceroute) or with a UDP packet destined for an
ephemeral port.

My earlier description was not adequate to describe the variations that
exist in traceroute.  Sorry.

-steven alexander
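The following is an added example, not part of Steven's message or of the Snort rule documentation: a small Python model of the TTL-based mechanism described above. It walks a probe across a constructed chain of routers, has each router answer ICMP Time Exceeded when the TTL runs out, and shows all three probe shapes the message names (ICMP Echo Request, ICMP type 30, UDP to a high port). It also includes a defender-side classifier that flags such a probe when it arrives at the destination network with TTL 1. The router addresses, the "low TTL" and "ephemeral port" thresholds, and the variant names are assumptions made for this example.

```python
"""Added example (not from the original post): a model of TTL-based traceroute
and a simple classifier for the three probe variants the post describes."""
from dataclasses import dataclass, replace
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_TRACEROUTE = 30          # the "ICMP type of 30" variant named in the post
UDP_BASE_PORT = 33434         # conventional base port of the UDP variant

# Constructed sample topology: three routers, then the destination host.
SAMPLE_ROUTERS = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
SAMPLE_DEST = "203.0.113.50"
SAMPLE_SRC = "10.0.0.9"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp" or "udp"
    ttl: int
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


def build_probe(src, dst, ttl, variant):
    """Build one probe of the given variant with the requested initial TTL."""
    if variant == "icmp-echo":
        return Packet(src, dst, "icmp", ttl, icmp_type=ICMP_ECHO_REQUEST)
    if variant == "icmp-30":
        return Packet(src, dst, "icmp", ttl, icmp_type=ICMP_TRACEROUTE)
    if variant == "udp":
        # one port per hop, as the UDP variant does with a high/ephemeral range
        return Packet(src, dst, "udp", ttl, dport=UDP_BASE_PORT + ttl - 1)
    raise ValueError(f"unknown variant {variant!r}")


def route(packet, routers, dest):
    """Walk the packet across the routers. Each router decrements the TTL and,
    if it reaches 0, discards the packet and answers ICMP Time Exceeded.
    Returns (responder, outcome, packet_as_seen_by_destination_or_None)."""
    pkt = packet
    for router in routers:
        pkt = replace(pkt, ttl=pkt.ttl - 1)
        if pkt.ttl == 0:
            return router, "time-exceeded", None
    # The end host does not decrement the TTL; it answers the probe itself.
    return dest, "destination-reply", pkt


def traceroute(src, routers, dest, variant="icmp-echo", max_ttl=30):
    """Discover the path hop by hop: TTL 1, 2, 3, ... until the destination
    answers or max_ttl is reached. Returns the ordered list of responders."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, outcome, _ = route(build_probe(src, dest, ttl, variant), routers, dest)
        hops.append(responder)
        if outcome == "destination-reply":
            break
    return hops


def classify_probe(pkt, low_ttl=1, ephemeral_floor=32768):
    """Defender-side check on a packet as it arrives at the destination network:
    a low remaining TTL combined with one of the three probe shapes. Both
    thresholds are assumptions chosen for this example. Returns the variant
    name, or None for ordinary traffic (e.g. a normal ping with a high TTL)."""
    if pkt.ttl > low_ttl:
        return None
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
        return "icmp-echo"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_TRACEROUTE:
        return "icmp-30"
    if pkt.proto == "udp" and pkt.dport is not None and pkt.dport >= ephemeral_floor:
        return "udp"
    return None


if __name__ == "__main__":
    for variant in ("icmp-echo", "icmp-30", "udp"):
        print(variant, traceroute(SAMPLE_SRC, SAMPLE_ROUTERS, SAMPLE_DEST, variant))
    # The probe that finally reaches the host arrives with TTL 1 and is flagged.
    _, _, arrived = route(build_probe(SAMPLE_SRC, SAMPLE_DEST, 4, "udp"), SAMPLE_ROUTERS, SAMPLE_DEST)
    print("arriving TTL:", arrived.ttl, "classified as:", classify_probe(arrived))
```

Running the block prints the same three-router path for every variant, which is the point of the message: the variants differ only in the probe's shape, not in the TTL mechanism. The classifier is deliberately narrow (TTL 1 on arrival plus probe shape); a sensor sitting several hops inside the destination network would see the TTL-exceeded exchanges instead, so the threshold is something to tune per vantage point.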