[Snort-users] Can we interpret the ICMP unreachable messages?

Martin Roesch roesch at ...421...
Mon Nov 20 01:23:52 EST 2000

The version 1.7 betas (in CVS) properly decode the embedded IP headers of ICMP
UNREACHABLE packets, so that'd be a good place to look.

FYI, the payload of an ICMP UNREACH packet is supposed to contain the first
32 bytes (at least) of the packet that caused the message to be generated...


Jason Haar wrote:
> I'm seeing ICMP messages like "port unreachable" with Snort and I was
> wondering if I could actually work out what is going on there. I'm seeing
> these harmless (I'm sure) packets between two machines and it (obviously)
> looks like some service is down. Is there any way I can work out WHAT port is
> unreachable (or what host is unreachable WRT "host unreachable" ICMP packets)?
> Thanks
> --
> Cheers
> Jason Haar
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417

Martin Roesch
roesch at ...421...
