Re: icmpinfo (old thread)

1996-12-18 Thread Ioannis Tambouras


 I am responding to a request which was posted about a month ago...

 I can read the first 3 lines of each output; they represent two ip
 headers (icmp errors reflect the ip header which caused the
 error back, as part of their reply). I do not know
 what the bytes after the first 3 lines represent. Theoretically, these
 bytes are supposed to be the beginning of the original data sent with
 the original ip datagram (representing the original udp headers) which caused
 the icmp error. That's theoretically, but I am only sure about the first
 three lines.

  The first icmp port unreachable error is in response to a udp (0x11)
  datagram sent by localhost to localhost (7F00 0001 7F00 0001).
  The rest of the information shows, among others:

id of undemultiplexed ip was 06FD
id of ip of this icmp  was   06FC
(again, they were generated from the SAME host)

 The rest of the icmp port unreachable requests also are from localhost
 and for the same reason.


 [EMAIL PROTECTED] Tue Dec 17 20:06:09 1996:
  
   I'm in need of a TCP/IP expert here to tell me if someone is
  trying to spoof/ping flood me... I know someone has tried to 'big ping' me
  several times due to the couldn't get a free page message on my console.
  I've been running icmpinfo -vvv  /tmp/icmplog, and I'm getting a lot of
  ICMP_Dest_Unreachable messages.  Is this normal?   They're coming mostly
  from localhost but also from other sites.  Could someone please advise me
  on what to do, or where to get some more info on how to find out where
  these are coming from?  Here are several of the 'pings' I've gotten.
  
  Nov 25 18:31:42 ICMP_Dest_Unreachable[Port]  127.0.0.1 [localhost] 
  127.0.0.1
  [localhost] sp=25861 dp=53 seq=0x0033adea sz=79(+20)
   :  4506 0063 06FD    4001 7595 7F00 0001[EMAIL PROTECTED]
  0010 :  7F00 0001 0303 FB43     4500 0047...CE..G
  0020 :  06FC  4011 75A8   7F00 0001 7F00 0001[EMAIL PROTECTED]
  0030 :  0565 0035 0033 ADEA   001A 0100 0001 .e.5.3..
  0040 :    0136 0236   3103 3130 3203 32  .6.61.102.2
  
  Nov 25 18:18:43 ICMP_Dest_Unreachable[Port]  127.0.0.1 [localhost] 
  127.0.0.1
  [localhost] sp=17669 dp=53 seq=0x00360a1f sz=82(+20)
   :  4506 0066 069F    4001 75F0 7F00 0001[EMAIL PROTECTED]
  0010 :  7F00 0001 0303 FB46     4500 004A...FE..J
  0020 :  069E  4011 7603   7F00 0001 7F00 0001[EMAIL PROTECTED]
  0030 :  0545 0035 0036 0A1F   000A 0100 0001 .E.5.6..
  0040 :    0332 3332   0331 3432 0331 3931.232.142.191
  0050 :  0332 .2
  
  Nov 25 18:38:28 ICMP_Dest_Unreachable[Port]  127.0.0.1 [localhost] 
  127.0.0.1
  [localhost] sp=33285 dp=53 seq=0x0034380d sz=80(+20)
  
   There was no data in the last entry to the file.  The data of the
  ping almost always seems to have an IP address in it.  What can I do, or
  am I being paranoid?
  
   TIA,
   mike...
  

Ioannis Tambouras
[EMAIL PROTECTED]
PGP 512/D042DD45, West Palm Beach, Florida


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to
[EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED]
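
The layout discussed in the message above, as an added example that is not part of the original thread: an ICMP destination-unreachable error carries the offending datagram's IP header plus at least the first 8 bytes of its payload, which for UDP is the whole UDP header. The function names and the sample packet are constructed for illustration (checksums left at zero, IDs arbitrary).

```python
import socket
import struct

def parse_icmp_unreachable(packet: bytes) -> dict:
    """Parse an IPv4 datagram that carries an ICMP destination-unreachable error."""
    def ip_header(buf):
        if len(buf) < 20 or buf[0] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        ihl = (buf[0] & 0x0F) * 4           # header length in bytes
        if ihl < 20 or len(buf) < ihl:
            raise ValueError("truncated IPv4 header")
        ident, = struct.unpack("!H", buf[4:6])
        return {"ihl": ihl, "id": ident, "proto": buf[9],
                "src": socket.inet_ntoa(buf[12:16]),
                "dst": socket.inet_ntoa(buf[16:20])}

    outer = ip_header(packet)               # header of the datagram carrying the error
    icmp = packet[outer["ihl"]:]
    if outer["proto"] != 1 or len(icmp) < 8:
        raise ValueError("not an ICMP message")
    if icmp[0] != 3:
        raise ValueError("not destination unreachable")
    # After the 8-byte ICMP header comes the header of the datagram that
    # triggered the error, followed by the start of its payload (RFC 792).
    quoted = icmp[8:]
    inner = ip_header(quoted)
    result = {"outer": outer, "code": icmp[1], "inner": inner}
    l4 = quoted[inner["ihl"]:]
    if inner["proto"] == 17 and len(l4) >= 8:   # 0x11 = UDP
        sport, dport, length, _cksum = struct.unpack("!HHHH", l4[:8])
        result["udp"] = {"sport": sport, "dport": dport, "length": length}
    return result

def build_sample() -> bytes:
    """Constructed sample: loopback UDP datagram to port 53 and its port-unreachable."""
    lo = socket.inet_aton("127.0.0.1")
    udp = struct.pack("!HHHH", 1381, 53, 12, 0) + b"\x00\x1a\x01\x00"
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp),
                        0x1000, 0, 64, 17, 0, lo, lo) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner   # type 3, code 3 (port)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(icmp),
                       0x1001, 0, 64, 1, 0, lo, lo) + icmp

if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample()))
```

The quoted UDP destination port is the field that identifies which service was being contacted when the error was generated.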


icmpinfo

1996-11-26 Thread mike
 
I'm in need of a TCP/IP expert here to tell me if someone is
 trying to spoof/ping flood me... I know someone has tried to 'big ping' me
 several times due to the couldn't get a free page message on my console.
 I've been running icmpinfo -vvv  /tmp/icmplog, and I'm getting a lot of
 ICMP_Dest_Unreachable messages.  Is this normal?   They're coming mostly
 from localhost but also from other sites.  Could someone please advise me
 on what to do, or where to get some more info on how to find out where
 these are coming from?  Here are several of the 'pings' I've gotten.
 
 Nov 25 18:31:42 ICMP_Dest_Unreachable[Port]  127.0.0.1 [localhost] 
 127.0.0.1
 [localhost] sp=25861 dp=53 seq=0x0033adea sz=79(+20)
  :  4506 0063 06FD    4001 7595 7F00 0001[EMAIL PROTECTED]
 0010 :  7F00 0001 0303 FB43     4500 0047...CE..G
 0020 :  06FC  4011 75A8   7F00 0001 7F00 0001[EMAIL PROTECTED]
 0030 :  0565 0035 0033 ADEA   001A 0100 0001 .e.5.3..
 0040 :    0136 0236   3103 3130 3203 32  .6.61.102.2
 
 Nov 25 18:18:43 ICMP_Dest_Unreachable[Port]  127.0.0.1 [localhost] 
 127.0.0.1
 [localhost] sp=17669 dp=53 seq=0x00360a1f sz=82(+20)
  :  4506 0066 069F    4001 75F0 7F00 0001[EMAIL PROTECTED]
 0010 :  7F00 0001 0303 FB46     4500 004A...FE..J
 0020 :  069E  4011 7603   7F00 0001 7F00 0001[EMAIL PROTECTED]
 0030 :  0545 0035 0036 0A1F   000A 0100 0001 .E.5.6..
 0040 :    0332 3332   0331 3432 0331 3931.232.142.191
 0050 :  0332 .2
 
 Nov 25 18:38:28 ICMP_Dest_Unreachable[Port]  127.0.0.1 [localhost] 
 127.0.0.1
 [localhost] sp=33285 dp=53 seq=0x0034380d sz=80(+20)
 
There was no data in the last entry to the file.  The data of the
 ping almost always seems to have an IP address in it.  What can I do, or
 am I being paranoid?
 
TIA,
mike...
 
 
 




Re: icmpinfo

1996-11-26 Thread Bernd Eckenfels
Hello,

looks like you are sending UDP:53 (nameserver queries) to 127.0.0.1 and
there is no process to answer those, therefore you get Port Unreachable
errors.

look in /etc/resolv.conf for an invalid 127.0.0.1, or start a nameserver.

Greetings
Bernd




Re: icmpinfo

1996-11-26 Thread Lawrence Chim
tcpdump always dumps this message to screen.  It seems that it is a kind
of error message.
The ppp channel seems to *hang* for a while because of this error.
Anyone know how to fix it?

10:59:08.535381 x.xx..xxx.xx  yy.yy..yyy.yy: icmp:
x.xx..xxx.xx udp port route unreachable (frag 22923:[EMAIL 
PROTECTED])
[tos 0xc0]

lawrence,




Re: icmpinfo

1996-11-26 Thread Bernd Eckenfels
Hi,

 10:59:08.535381 x.xx..xxx.xx  yy.yy..yyy.yy: icmp:
 x.xx..xxx.xx udp port route unreachable (frag 22923:[EMAIL 
 PROTECTED])
 [tos 0xc0]

same problem, you are using a non-functional nameserver.

Greetings
Bernd




Re: icmpinfo

1996-11-26 Thread Lawrence Chim
Bernd Eckenfels wrote:
 
 Hi,
 
  10:59:08.535381 x.xx..xxx.xx  yy.yy..yyy.yy: icmp:
  x.xx..xxx.xx udp port route unreachable (frag 22923:[EMAIL 
  PROTECTED])
  [tos 0xc0]
 
 same problem, you are using a non-functional nameserver.
 
 Greetings
 Bernd
 
How to fix it?  I checked the resolv.conf and there is already
a line nameserver 127.0.0.1

lawrence,




Re: icmpinfo

1996-11-26 Thread Bernd Eckenfels
Hello,

 How to fix it?  I checked the resolv.conf and there is already
 a line nameserver 127.0.0.1

for every nameserver line in resolv.conf you have to check if there is a
nameserver running on that host (dig soa . @127.0.0.1). Remove all lines
which don't have a nameserver running.

Hmm.. if dst and source port are exchanged the problem can be created by
other hosts querying your name server. Your nameserver is too slow to answer,
and the other host has already stopped waiting for your answer, then it will send
a similar icmp error.

Greetings
Bernd
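
The resolv.conf check described in the message above, as an added example that is not part of the original thread: it sends the same question as `dig soa .` to each `nameserver` entry and classifies the result. The function names are assumptions for illustration; the "refused" result relies on the operating system reporting an ICMP port unreachable on a connected UDP socket as a connection-refused error, which Linux does.

```python
import socket
import struct

def nameservers(resolv_text: str) -> list:
    """Return the addresses on 'nameserver' lines, ignoring comments."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def soa_root_query(txid: int = 0x1234) -> bytes:
    """DNS query for the SOA record of the root zone (what 'dig soa .' asks)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + b"\x00" + struct.pack("!HH", 6, 1)  # name ".", type SOA, class IN

def probe(server: str, port: int = 53, timeout: float = 2.0) -> str:
    """Classify a nameserver entry: 'answered', 'refused', 'timeout' or 'invalid'."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = soa_root_query()
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))  # connected socket: ICMP errors come back to us
            s.send(query)
            reply = s.recv(512)
        except ConnectionRefusedError:
            return "refused"           # port unreachable: no nameserver listening
        except socket.timeout:
            return "timeout"
    # A real reply echoes the transaction id of the query.
    return "answered" if len(reply) >= 12 and reply[:2] == query[:2] else "invalid"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for ns in nameservers(fh.read()):
            print(ns, probe(ns))
```

An entry reported as "refused" is the case that produces the port unreachable errors seen in the logs earlier in the thread.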




Re: icmpinfo

1996-11-26 Thread Lawrence Chim
Bernd Eckenfels wrote:
 
 Hello,
 
  How to fix it?  I checked the resolv.conf and there is already
  a line nameserver 127.0.0.1
 
 for every nameserver line in resolv.conf you have to check if there is a
 nameserver running on that host (dig soa . @127.0.0.1). Remove all lines
 which don't have a nameserver running.
 
 Hmm.. if dst and source port are exchanged the problem can be created by
 other hosts querying your name server. Your nameserver is too slow to answer,
 and the other host has already stopped waiting for your answer, then it will send
 a similar icmp error.
 

Do you know where to get more info about this kind of message, like
a FAQ?

lawrence,

