[Snort-users] Can we interpret the ICMP unreachable messages?

Martin Roesch roesch at ...421...
Mon Nov 20 01:23:52 EST 2000


The version 1.7 betas (in CVS) properly decode the embedded IP headers of ICMP
UNREACHABLE packets, so that'd be a good place to look.

FYI, the payload of an ICMP UNREACH packet is supposed to contain the first
32 bytes (at least) of the packet that caused the message to be generated...
:)

    -Marty

Jason Haar wrote:
> 
> I'm seeing ICMP messages like "port unreachable" with Snort and I was
> wondering if I could actually work out what is going on there. I'm seeing
> these harmless (I'm sure) packets between two machines and it (obviously)
> looks like some service is down. Is there any way I can work out WHAT port is
> unreachable (or what host is unreachable WRT "host unreachable" ICMP packets)?
> 
> Thanks
> 
> --
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
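
The decoding described in the reply above, as an added Python example (not code from the original post or from Snort): it reads the IP header embedded in an ICMP destination-unreachable message and the transport ports that follow it, which answers the "what port is unreachable" question. The function names and the sample packet (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import socket
import struct

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}
PROTOS = {6: "tcp", 17: "udp"}


def decode_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message; bytes start at the ICMP header."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a destination unreachable message")
    inner = icmp[8:]  # after type, code, checksum and 4 unused bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no embedded IPv4 header")
    ihl = (inner[0] & 0x0F) * 4  # embedded header may carry IP options
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("bad embedded IPv4 header length")
    proto = inner[9]
    result = {
        "reason": UNREACH_CODES.get(code, f"code {code}"),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "proto": PROTOS.get(proto, str(proto)),
        "orig_sport": None,
        "orig_dport": None,
    }
    # TCP and UDP both begin with source port, then destination port.
    l4 = inner[ihl:ihl + 4]
    if proto in PROTOS and len(l4) == 4:
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", l4)
    return result


def build_sample() -> bytes:
    """Constructed sample: port unreachable for a UDP datagram
    192.0.2.10:40000 -> 192.0.2.53:53 (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("192.0.2.53"))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp  # checksums left 0


if __name__ == "__main__":
    print(decode_unreachable(build_sample()))
```

The `orig_dst` and `orig_dport` fields identify the host and service the original sender was trying to reach; the ports stay `None` when the embedded packet is cut off before the transport header.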