[Snort-users] ICMP Destination Unreachable

Phil Wood cpw at ...440...
Fri Sep 6 13:44:03 EDT 2002


On Fri, Sep 06, 2002 at 04:04:01PM -0400, Ian Macdonald wrote:
> Thanks, So can one make the assumption that a datagram is a normal packet
Yes, my online dict says:
     A self-contained, independent entity of data carrying
     sufficient information to be {route}d from the source to the
     destination computer without reliance on earlier exchanges
     between this source and destination computer and the
     transporting {network}.

So, any IP packet has sufficient information in the IP header to get the
packet to a host on the net, provided there is a "path" made up of "routers"
between the source and destination hosts.

Once the packet arrives at a destination, then it may proceed up through
the system's "kernel" hierarchy to an application (or kernel module) that
is interested in it.

ICMP unreachables can indicate to the sender (if he is set up to listen and
make sense of the data included in the message) that the packet/datagram could
not be delivered to the receiver because:

      0 = net unreachable;

      1 = host unreachable;

      2 = protocol unreachable;

      3 = port unreachable;

      4 = fragmentation needed and DF set;

      5 = source route failed.

You should look at the Code field in the icmp header to find out just what
caused the unreachable or other icmp type to be sent back to your system.
If the host is not running TCP, then you would get a code of 2.  If the host
had tcp enabled and was not running a server for port 80, you would get a
code of 3.  And so on.  Also, there is enough information* in the ICMP
Unreachable message (IP Header and 64 bits of original data) to figure out
what datagram caused the unreachable.  Like this:

              RFC791: INTERNET PROTOCOL, September 1981
   0                   1                   2                   3   
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 44             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 0            | |D| | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=230      | Protocol = 6  | Header Checksum = 35471       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 192.168.1.1                                 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 10.254.1.1                             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 80              | Destination Port = 2661       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 2161657030                                  |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Hope this helps.

> like an http packet and ICMP Destination Unreachable is sent to the sender
> if the http request can not be made? This was my original problem not really
> knowing what it meant by datagram and the rfc isn't that helpful on the
> subject.
> 
> Ian
> 
> ----- Original Message -----
> From: "Phil Wood" <cpw at ...440...>
> To: "Ian Macdonald" <secsnort at ...5528...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, September 06, 2002 3:39 PM
> Subject: Re: [Snort-users] ICMP Destination Unreachable
> 
> 
> >
> > http://www.ietf.org/rfc/rfc0792.txt?number=792
> >
> > On Fri, Sep 06, 2002 at 02:52:23PM -0400, Ian Macdonald wrote:
> > > When would I get one of these messages? Only when someone pings another
> > > machine using ICMP or when any packet is sent to network that is
> > > unreachable?
> > >
> > > Thanks
> > >
> > > Ian
> > >
> >
> > --
> > Phil Wood, cpw at ...440...
> >

-- 
Phil Wood, cpw at ...440...
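The reply above says the ICMP Unreachable message carries the original IP header plus 64 bits of the original datagram, which is enough to tell which packet was rejected and why. The following is an added example, not code from Phil Wood or the Snort project, that builds a Destination Unreachable message around a constructed TCP segment (using the addresses, ports and sequence number from the diagram above) and then decodes it the way a listener would: it checks the ICMP checksum, reads the Code field, walks past the inner IP header (honouring IHL, so options do not shift the offsets) and pulls the ports and sequence number out of the 64 bits that follow. The builder helpers exist only so the sample runs offline.

```python
import struct
import ipaddress

# ICMP type 3 (Destination Unreachable) codes from RFC 792; these are the six the reply lists.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, shared by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid header checksum."""
    fields = (0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
              int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)))
    hdr = struct.pack("!BBHHHBBHII", *fields)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(code: int, inner_ip_header: bytes, original_first8: bytes) -> bytes:
    """Wrap the offending datagram's IP header + first 64 bits in a type 3 message."""
    payload = inner_ip_header + original_first8
    csum = inet_checksum(struct.pack("!BBHI", 3, code, 0, 0) + payload)
    return struct.pack("!BBHI", 3, code, csum, 0) + payload


def parse_unreachable(msg: bytes) -> dict:
    """Decode a Destination Unreachable message; raise ValueError if it is malformed."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short: need ICMP header, inner IP header and 64 bits of data")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 3:
        raise ValueError("not Destination Unreachable (type %d)" % icmp_type)
    if inet_checksum(msg) != 0:          # a message with a correct checksum sums to all ones
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _hcs, src, dst = \
        struct.unpack("!BBHHHBBHII", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4           # options can make the inner header longer than 20 bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("inner IP header is not a usable IPv4 header")
    data = inner[ihl:ihl + 8]            # the 64 bits of the original datagram
    info = {
        "code": code,
        "reason": UNREACH_CODES.get(code, "code %d" % code),
        "orig_src": str(ipaddress.IPv4Address(src)),
        "orig_dst": str(ipaddress.IPv4Address(dst)),
        "orig_proto": proto,
        "orig_ttl": ttl,
        "orig_total_len": total_len,     # length of the original datagram, not of what is quoted
    }
    if proto in (6, 17):                 # TCP and UDP both begin with source and destination port
        info["src_port"], info["dst_port"] = struct.unpack("!HH", data[:4])
    if proto == 6:                       # TCP: bytes 4..7 of the segment are the sequence number
        info["seq"] = struct.unpack("!I", data[4:8])[0]
    return info


# Constructed sample (values taken from the diagram in the reply): a TCP segment from
# 192.168.1.1:80 to 10.254.1.1:2661 that was answered with code 3, port unreachable.
SAMPLE_INNER_HDR = build_ipv4_header("192.168.1.1", "10.254.1.1", proto=6, ttl=230, total_len=44)
SAMPLE_FIRST8 = struct.pack("!HHI", 80, 2661, 2161657030)
SAMPLE_MESSAGE = build_unreachable(3, SAMPLE_INNER_HDR, SAMPLE_FIRST8)

if __name__ == "__main__":
    for key, value in parse_unreachable(SAMPLE_MESSAGE).items():
        print("%-15s %s" % (key, value))
```

The decoded `orig_src`/`orig_dst`/ports are what a receiving host (or a sensor) should match against connections it actually originated before acting on the message; an Unreachable whose quoted datagram matches no known flow is the case to log rather than honour.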
