[Snort-users] Can we interpret the ICMP unreachable messages?

Joe McAlerney joey at ...155...
Mon Nov 20 20:00:46 EST 2000


Jason Haar wrote:
> 
> I'm seeing ICMP messages like "port unreachable" with Snort and I was
> wondering if I could actually work out what is going on there. I'm seeing
> these harmless (I'm sure) packets between two machines and it (obviously)
> looks like some service is down. Is there any way I can work out WHAT port is
> unreachable (or what host is unreachable WRT "host unreachable" ICMP packets)?
> 
> Thanks
> 
> --
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

You need to log the packet payload with the -d option to determine what
happened (unless you use the CVS version like Marty said).  On the last
line, the first four bytes are the source IP, the next four are the
destination IP, the next two are the source port, and the next two are
the destination port.

[**] PING-ICMP Destination Unreachable [**]
07/05-13:09:36.829716 x:xx:xx:xx:x:xx -> x:xx:xx:xx:xx:xx type:0x800
len:0x46
xx.xx.xx.xx -> yy.yy.yy.yy ICMP TTL:114 TOS:0x0 ID:46383
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 48 71 A8 00 00 70 11 92 54  ....E..Hg...p..T
A1 B2 C3 D4 A2 B3 C4 D5 FA 80 69 87 00 34 02 BD  ..........i..6..
^        ^  ^        ^  ^  ^  ^  ^
+--------+  +--------+  +--+  +--+
 Source IP   Dest IP    S pt  D pt

Source IP = A1 B2 C3 D4 = 161.178.195.212
Dest IP =   A2 B3 C4 D5 = 162.179.196.213
Source Port = FA 80 = 64128
Dest Port =   69 87 = 27015

-Joe M.
-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+
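The decoding Joe walks through by hand, as an added example that is not part of the original post: it parses the two Snort -d hex-dump lines above and pulls the embedded source/destination IPs and, for TCP or UDP, the ports, honouring the inner IP header length instead of assuming 20 bytes. It assumes the dump starts at the four unused bytes that follow the ICMP type/code/checksum (as in Joe's output) and that Snort separates the hex column from the ASCII column with two spaces.

```python
import struct

# Constructed sample: the two hex-dump lines from the Snort -d output above
SNORT_DUMP = [
    "00 00 00 00 45 00 00 48 71 A8 00 00 70 11 92 54  ....E..Hg...p..T",
    "A1 B2 C3 D4 A2 B3 C4 D5 FA 80 69 87 00 34 02 BD  ..........i..6..",
]

def snort_hexdump_to_bytes(lines):
    """Snort -d prints up to 16 hex bytes per line, then two spaces and an
    ASCII column.  Split on the first double space so ASCII text is never
    mistaken for hex (assumed layout, see lead-in)."""
    out = bytearray()
    for line in lines:
        hex_part = line.split("  ", 1)[0]
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)

def parse_icmp_unreachable(payload):
    """Decode the data after an ICMP type 3 header: 4 unused bytes, then the
    original IPv4 header plus the first 8 bytes of its payload (RFC 792)."""
    inner = payload[4:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no embedded IPv4 header")
    ihl = (inner[0] & 0x0F) * 4          # real header length; options may be present
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded IPv4 header malformed or truncated")
    proto = inner[9]
    result = {
        "src": ".".join(str(b) for b in inner[12:16]),  # sender of the original datagram
        "dst": ".".join(str(b) for b in inner[16:20]),  # the host that was unreachable
        "proto": proto,
    }
    if proto in (6, 17):                 # TCP or UDP: ports are the first 4 L4 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        result["sport"], result["dport"] = sport, dport
    return result

def decode_page_example():
    """Decode the constructed sample above."""
    return parse_icmp_unreachable(snort_hexdump_to_bytes(SNORT_DUMP))

if __name__ == "__main__":
    print(decode_page_example())
```

For a "host unreachable" message the same function applies: the unreachable host is simply the `dst` of the embedded header, and proto 17 here is UDP.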