[Snort-users] Can we interpret the ICMP unreachable messages?

Guy Bruneau bruneau at ...126...
Mon Nov 20 19:44:11 EST 2000


Jason,

It is possible to read the original packet in the ICMP port unreachable message.
What you have to do is play it back with either asctcpdump or have a packet dump
(HEX) from Snort and read it back. Here is an example with a udp port unreachable:

04:35:12.112862 10.160.169.131 > 192.168.30.1: icmp: 167.160.169.131 udp port 53 unreachable (ttl 114, id 229)

4500 0038 00e5 0000 7201 5959 yyyy yyyy    E..8....r.YY....
xxxx xxxx 0303 f09c 0000 0000 4500 0044    .p..........E..D
d911 0000 3211 c110 xxxx xxxx yyyy yyyy    ....2....p......
0035 0035 0030 0bc6                        .5.5.0..

This part of the packet is the original message. If you look at 3211 (11 is UDP),
we know the original message was a UDP packet sent by 192.168.30.1 to 10.160.169.131 with
a source and destination port of 53 (0035 0035).

                              4500 0044                E..D
d911 0000 3211 c110 xxxx xxxx yyyy yyyy    ....2....p......
0035 0035 0030 0bc6                        .5.5.0..

Hope this helps,

Guy

--
Guy Bruneau
Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
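The decoding Guy walks through by hand above (outer IP header, 8-byte ICMP header, then the quoted IP header and the first 8 bytes of the original transport header) can be done programmatically. The script below is an added example written for this page; it is not code from the post or from Snort. It feeds in the hex dump from the post with the masked octets (xxxx / yyyy) filled in from the tcpdump summary and Guy's reading of the inner header (xxxx = 192.168.30.1, yyyy = 10.160.169.131), which is an assumption made for the example. The function names are chosen here and are not part of any tool.

```python
import struct
import ipaddress

# Hex dump from the post, with the masked octets filled in as an assumption:
# xxxx = 192.168.30.1 (c0a8 1e01), yyyy = 10.160.169.131 (0aa0 a983).
SAMPLE_DUMP = """
4500 0038 00e5 0000 7201 5959 0aa0 a983
c0a8 1e01 0303 f09c 0000 0000 4500 0044
d911 0000 3211 c110 c0a8 1e01 0aa0 a983
0035 0035 0030 0bc6
"""

# ICMP types whose payload quotes the offending datagram's IP header plus at
# least the first 8 bytes of its data (RFC 792).
ICMP_ERROR_TYPES = {
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    11: "time exceeded",
    12: "parameter problem",
}

# Codes for type 3 as listed in RFC 792.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
}

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def dump_to_bytes(dump):
    """Turn a hex dump (hex groups only, no ASCII column) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_ipv4(buf, off=0):
    """Decode the fixed 20-byte part of an IPv4 header starting at buf[off]."""
    if len(buf) - off < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    version, hdr_len = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or hdr_len < 20:
        raise ValueError(f"not an IPv4 header (version={version}, ihl={hdr_len})")
    return {
        "hdr_len": hdr_len,
        "total_len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def decode_icmp_error(packet):
    """Return what an ICMP error message says about the datagram that caused it."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("outer datagram is not ICMP")
    icmp_off = outer["hdr_len"]
    if len(packet) - icmp_off < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = struct.unpack_from("!BB", packet, icmp_off)
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError(f"ICMP type {icmp_type} carries no embedded datagram")

    # The quoted datagram starts right after the 8-byte ICMP header.
    inner_off = icmp_off + 8
    inner = parse_ipv4(packet, inner_off)
    l4_off = inner_off + inner["hdr_len"]
    if len(packet) - l4_off < 8:
        raise ValueError("ICMP error lacks the 8 bytes of original transport header")

    reason = ICMP_ERROR_TYPES[icmp_type]
    if icmp_type == 3:
        reason = UNREACH_CODES.get(icmp_code, f"unreachable code {icmp_code}")

    result = {
        "sender": outer["src"],        # host that generated the ICMP error
        "receiver": outer["dst"],
        "sender_ttl": outer["ttl"],
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "reason": reason,
        "orig_src": inner["src"],      # host that sent the datagram that failed
        "orig_dst": inner["dst"],
        "orig_proto": PROTO_NAMES.get(inner["proto"], str(inner["proto"])),
        "orig_total_len": inner["total_len"],
        "orig_sport": None,
        "orig_dport": None,
    }
    # For TCP and UDP the quoted 8 bytes begin with source and destination port.
    if inner["proto"] in (6, 17):
        result["orig_sport"], result["orig_dport"] = struct.unpack_from("!HH", packet, l4_off)
    return result


if __name__ == "__main__":
    info = decode_icmp_error(dump_to_bytes(SAMPLE_DUMP))
    print(f"{info['sender']} -> {info['receiver']}: {info['reason']}")
    print(f"  original: {info['orig_proto']} {info['orig_src']}:{info['orig_sport']} -> "
          f"{info['orig_dst']}:{info['orig_dport']} ({info['orig_total_len']} bytes)")
```

On the dump above this reports a port unreachable from 10.160.169.131 for a 68-byte UDP datagram that 192.168.30.1 sent from port 53 to port 53. The same decoding works for the other error types in the table (host unreachable is type 3 code 1; time exceeded is type 11). When reviewing alerts, comparing the quoted inner addresses and ports against traffic the sensor actually saw is a quick way to tell a genuine response from an unsolicited ICMP error.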





Martin Roesch wrote:

> The version 1.7 betas (in CVS) properly decode the embedded IP headers of ICMP
> UNREACHABLE packets, so that'd be a good place to look.
>
> FYI, the payload of a ICMP UNREACH packet is supposed to contain the first
> 32-bytes (at least) of the packet that caused the message to be generated...
> :)
>
>     -Marty
>
> Jason Haar wrote:
> >
> > I'm seeing ICMP messages like "port unreachable" with Snort and I was
> > wondering if I could actually work out what is going on there. I'm seeing
> > these harmless (I'm sure) packets between two machines and it (obviously)
> > looks like some service is down. Is there anyway I can work out WHAT port is
> > unreachable (or what host is unreachable WRT "host unreachable" ICMP packets)?
> >
> > Thanks
> >
> > --
> > Cheers
> >
> > Jason Haar
> >
> > Unix/Special Projects, Trimble NZ
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org

