ICMP messages can be of different types, but do not have port assignments. There are ICMP types like ping, ping response, unreach, etc. There are also different types of ICMP unreach packets. Check out http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html for a description, and for further information, look up the RFCs that the document references.

Mathew Johnston

PS RFCs are the BEST source for this type of information. Use them :)

> Thanks.
>
> I know that there are types of ICMP packets and I know that
> they are specified as like port numbers in firewall rules, but
> I still don't know...:
>
> 1) There is a source and destination "port number". Which is
> relevant? A packet sure couldn't have two ICMP types?
>
> 2) What does the one sending the packet want to effect?
> The message type must be one of the 2, so
>
> 3 = destination unreachable
> Don't know why I should get that from there
> All other d-u's come in from a "real" source.
> 13 = timestamp request
> What on earth would they want with a timestamp?
> And why over ICMP?
>
> Regards
>
> Christian
>
> > -----Original Message-----
> > From: Marcelo Couto [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 14, 2000 8:27 PM
> > To: Christian Pernegger; Debian security list; Debian user list
> > Subject: RE: Need help analyzing firewall log message
> >
> > From /usr/src/linux/include/linux/icmp.h:
> > <snip>
> >
> > -----Original Message-----
> > From: Christian Pernegger [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 14 September 2000 14:59
> > To: Debian security list; Debian user list
> > Subject: Need help analyzing firewall log message
> > Importance: Low
> >
> > Sep 14 19:41:44 jesus kernel: Packet log: \
> > input DENY eth1 PROTO=1 10.34.15.1:3 x.x.x.x:13 L=56 S=0x00
> > I=3405 F=0x0000
> > T=255 (#4)
> >
> > Happens in bursts of ~7, once a day, maybe more
> >
> > eth1 is the external interface, connected to a cable modem that is fully
> > transparent.
> > (That is I block all incoming/outgoing private LAN addresses and it still
> > works)
> > This is the only thing that I ever see coming in from a private address.
> >
> > Protocol 1 is ICMP according to /etc/protocols.
> > 10.34.15.1 seems to be other end of the cable modem bridge. (I
> > made a route
> > and checked.)
> > The target ip is my box.
> >
> > How do I read the ports in ICMP logs?
> >
> > I'm sure it's legit, I just wanna know WTF my ISP is doing...
> >
> > Thanks
> >
> > Christian
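
Added example, not part of the original thread: ipchains reuses the two port positions in its packet log for ICMP, printing the ICMP type where the source port would be and the ICMP code where the destination port would be, so the logged `:3` and `:13` read as type 3, code 13. The decoder below applies that reading; the name tables, the function name `decode` and the TCP line are constructed for illustration, and the ICMP line is the one from the thread joined onto one line.

```python
import ipaddress
import re

# Names for common ICMP types (RFC 792) and type-3 codes (RFC 792, RFC 1812).
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded", 13: "timestamp-request", 14: "timestamp-reply"}
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable",
                 2: "protocol-unreachable", 3: "port-unreachable",
                 4: "fragmentation-needed", 9: "net-admin-prohibited",
                 10: "host-admin-prohibited", 13: "communication-admin-prohibited"}

# ipchains log layout: chain, action, interface, PROTO=n, src:port, dst:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<a>\d+) (?P<dst>[^\s:]+):(?P<b>\d+)")

def decode(line):
    """Decode one ipchains log line; for ICMP, read the 'ports' as type/code."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    a, b = int(rec.pop("a")), int(rec.pop("b"))
    if rec["proto"] == "1":  # ICMP: no ports, the fields carry type and code
        rec["icmp_type"] = ICMP_TYPES.get(a, f"type-{a}")
        rec["icmp_code"] = UNREACH_CODES.get(b, f"code-{b}") if a == 3 else b
    else:
        rec["sport"], rec["dport"] = a, b
    try:  # flag private/reserved sources arriving on an external interface
        rec["src_private"] = ipaddress.ip_address(rec["src"]).is_private
    except ValueError:  # redacted or malformed address
        rec["src_private"] = None
    return rec

# The line from the thread, joined onto one line (destination redacted there).
THREAD_LINE = ("Sep 14 19:41:44 jesus kernel: Packet log: input DENY eth1 PROTO=1 "
               "10.34.15.1:3 x.x.x.x:13 L=56 S=0x00 I=3405 F=0x0000 T=255 (#4)")
# Constructed TCP line for contrast (documentation addresses).
TCP_LINE = ("Sep 14 19:42:01 jesus kernel: Packet log: input DENY eth1 PROTO=6 "
            "192.0.2.7:1025 198.51.100.9:23 L=60 S=0x00 I=1 F=0x4000 T=64 (#4)")

if __name__ == "__main__":
    for line in (THREAD_LINE, TCP_LINE):
        print(decode(line))
```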

