[Snort-users] ICMP messages

Neil Sandow rxlist at ...10041...
Mon Sep 8 20:19:33 EDT 2003

On Mon, 8 Sep 2003, Matt Kettler wrote:

> At 10:46 AM 9/8/2003 -0700, Neil Sandow wrote:
> >---------------------------------------------------------------------------
> >Packet 294372
> >TIME:   11:23:21.607182 (0.003618)
> >LINK:   00:01:97:4B:A2:9E -> 00:10:5A:82:D3:69 type=IP
> >   IP: -> hlen=20 TOS=00 dgramlen=48
> >id=D91D
> >         MF/DF=0/1 frag=0 TTL=115 proto=TCP cksum=0D2F
> >  TCP:   port 1105 -> 80 seq=0013134530 ack=0000000000
> >         hlen=28 (data=0) UAPRSF=000010 wnd=8192 cksum=D178 urg=0
> >DATA:   <No data>
> >---------------------------------------------------------------------------
> >
> >indicating that (port 1105) made a request to
> > (port 80) which was then ack'd and so on leading to the
> >firewall ICMP messages.  That's why I refer to as the
> >'server' and as the 'client'.   This is wrong?
> Quite frankly, I don't recognize that dump format, so I was largely
> ignoring it..
> However, now that I've finally managed to figure out the particularly
> strange method use for denoting the flags field as UAPRSF=xxxxxx (I've
> never seen a packet dumper do that before), you are correct.
> I'd venture to guess that they goofed up their firewall rules and are
> blocking any inbound packets with the syn bit set.. As opposed to blocking
> any packet with syn and no ack.
> It hasn't even gotten to the point that a HTTP request was made, so this is
> very low-level packet-filter type behavior. Probably some form of simple
> stateless packet filter in a router somewhere.

Thanks, Matt.  I get quite a lot of these so I'm glad to have at least
some understanding of what's going on here.  These days, it seems,
everybody has a firewall and probably not everybody knows what they're
doing when they set them up.

BTW, the dump format came from tcpshow < dump.file after logging packets
with tcpdump as:

tcpdump -i ethx -s 1518 -w dump.file


More information about the Snort-users mailing list