So you found the page of doc, right?  Linked directly from the flag...

What's there is what I found researching 'em, one at a time.

<h3>(Sent:icmp frag)</h3>
<p><b>ntop</b> has seen one or more fragmented ICMP packets SENT by the
flagged host.
ICMP packets are small and under normal operations should never be
fragmented.
This is either a misconfigured router/device or hostile. Check it out.</p>
<p class="flagcounter">Flag/Counter:&nbsp;icmpFragmentSent</p>
                                          ^^^^^^^^^^^^^^^^
<br />

Find the counter and grep for it in the code to see where it's incremented.

pbuf.c:

      proto = "ICMP";
      memcpy(&icmpPkt, bp+hlen, sizeof(struct icmp));

      incrementTrafficCounter(&srcHost->icmpSent, length);
      incrementTrafficCounter(&dstHost->icmpRcvd, length);

      if(off & 0x3fff) {
        char *fmt = "Detected ICMP fragment [%s -> %s] (network attack attempt?)";

        incrementTrafficCounter(&srcHost->icmpFragmentsSent, length),
          incrementTrafficCounter(&dstHost->icmpFragmentsRcvd, length);
        allocateSecurityHostPkts(srcHost);
        allocateSecurityHostPkts(dstHost);
        incrementUsageCounter(&srcHost->secHostPkts->icmpFragmentSent,
                              dstHost, actualDeviceId);
        incrementUsageCounter(&dstHost->secHostPkts->icmpFragmentRcvd,
                              srcHost, actualDeviceId);

        incrementTrafficCounter(&myGlobals.device[actualDeviceId].securityPkts.icmpFragment, 1);
        if(myGlobals.enableSuspiciousPacketDump) {
          traceEvent(CONST_TRACE_WARNING, fmt,
                     srcHost->hostResolvedName, dstHost->hostResolvedName);
          dumpSuspiciousPacket(actualDeviceId);
        }
      }

-----Burton
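To see exactly what `off & 0x3fff` in the pbuf.c excerpt above is testing, here is a stand-alone illustration (added here, not ntop's own code): it parses a raw IPv4 header, masks the MF flag plus the 13-bit fragment offset, and reports whether an ICMP packet would trip the icmpFragmentSent counter. `build_ipv4` and the packets it constructs are hypothetical helpers for this example only; the addresses are placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_PROTO_ICMP 1
#define IP_FRAG_MASK  0x3fff  /* MF flag (0x2000) plus the 13-bit fragment offset */

/* Build a minimal 20-byte IPv4 header (no options, zero checksum) into buf.
   flags_off is the combined flags/fragment-offset field in host order.
   Hypothetical helper used only to construct sample packets for this example. */
void build_ipv4(uint8_t *buf, uint8_t proto, uint16_t flags_off) {
    memset(buf, 0, 20);
    buf[0] = 0x45;                        /* version 4, IHL 5 (20 bytes) */
    buf[3] = 20;                          /* total length: header only */
    buf[6] = (uint8_t)(flags_off >> 8);   /* flags + offset, network byte order */
    buf[7] = (uint8_t)(flags_off & 0xff);
    buf[8] = 64;                          /* TTL */
    buf[9] = proto;
    buf[15] = 1; buf[19] = 2;             /* 0.0.0.1 -> 0.0.0.2, placeholder addresses */
}

/* Classify a raw IPv4 packet the way the ntop check does:
   returns 1 for an ICMP fragment (MF set or non-zero offset),
   0 for any other packet, -1 if the buffer is not a parseable IPv4 header. */
int is_icmp_fragment(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len) return -1;
    if (pkt[9] != IP_PROTO_ICMP) return 0;
    uint16_t off = (uint16_t)((pkt[6] << 8) | pkt[7]);
    return (off & IP_FRAG_MASK) ? 1 : 0;  /* same test as pbuf.c: off & 0x3fff */
}

int main(void) {
    uint8_t p[20];
    build_ipv4(p, IP_PROTO_ICMP, 0x4000);  /* DF set, offset 0: an ordinary ping, not flagged */
    printf("DF ping:        %d\n", is_icmp_fragment(p, sizeof p));
    build_ipv4(p, IP_PROTO_ICMP, 0x2000);  /* MF set: first fragment, flagged */
    printf("first fragment: %d\n", is_icmp_fragment(p, sizeof p));
    build_ipv4(p, IP_PROTO_ICMP, 0x00b9);  /* offset 185*8 bytes: last fragment, flagged */
    printf("last fragment:  %d\n", is_icmp_fragment(p, sizeof p));
    build_ipv4(p, 6, 0x2000);              /* TCP fragment: this counter ignores it */
    printf("TCP fragment:   %d\n", is_icmp_fragment(p, sizeof p));
    return 0;
}
```

Note that the DF (don't fragment) bit is 0x4000 and lies outside the mask, so a normal ping with DF set is not counted; only MF or a non-zero offset is.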


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Michael Handiboe
> Sent: Friday, March 26, 2004 2:44 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] New Topic: Yellow Flags
>
>
> Burton -- I think by now I owe you a lunch !
>
> Now we're trying to figger out the yellow flag, "Sent: ICMP FRAG" ...
> got it on three machines, one is the file server.  Malicious activity
> is possible and we're quite sure our NICs are configured properly.
> All of our NICs are configured the same, I do know that.
>
> Hmmm... I guess I'll do this:  we have a MS Jet (M$ Access) "backend"
> DB and it crashes periodically.  The Boss wrote it in VB and
> Access, swears it works the same way at another location (but with
> no crashes) and hence, blames the network for his woes.  The "user"
> interface
> is a VB program distributed across the LAN and it stores all the
> data in the "backend" on the file server.  Most of the time, anyway.
>
> Now the simple question:  any chance a hapless ICMP frag could cause
> the poor Jet DB to die?    Yes[ ] or No[ ]
> Thanks, that's all for now.
> (I'm a unix system guy trying to be a M$/linux network guy.)
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
