[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <26563eca0608151624wc3a99cdy219c8d2bca92226e@mail.gmail.com>
Date: Tue, 15 Aug 2006 19:24:02 -0400
From: "Darren Bounds" <dbounds@...il.com>
To: "Adriel T. Desautels" <simon@...soft.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP Destination Unreachable Port
Unreachable
I'm confused about a couple things:
1) You say you knew the nature of the packet yet in your original message
you stated "Neither the source IP or the target IP have any ports associated
with them in this event. Any ideas would be appreciated.".
- The packet you dumped was an ICMP port unreachable. There will never be a
port associated with an ICMP packet.
- ICMP unreachable messages contain a payload with the IP header of the
packet generating the error and at least 64 bits (8 bytes) of original data
datagram. There are ports associated with UDP and therefore inspection of
the embedded UDP packet tells you quite a bit. i.e. It was using ports 16229
and 2597 as source and destination.
2) You * out the first 3 octets of the destination IP address in the event
but leave the IP address in the ICMP payload (70.91.131.49). Why?
--
Thanks,
Darren Bounds
On 8/15/06, Adriel T. Desautels <simon@...soft.com> wrote:
>
> Darren,
> I did notice what type of packet it was and I also know what the
> packet signifies. The issue that I am having is that there has never
> been any outbound UDP activity to the host that is replying to this
> network. The payloads of the ICMP packets are a bit weird too,
> containing either X'es or |'s or encoded strings. What I am trying to
> figure out is if anyone here recognizes these types of payloads and
> knows what could be generating them?
>
> so just to be clear...
>
> I want info about the payload not about ICMP!
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists