RE: PROTO=TCP INCOMPLETE

["David Gillett" <gillettdavid () fhda edu>]

  ICMP type 3 is "Destination Unreachable".  You're being advised
of that by the router at 81.36.93.118.
  Many ICMP packets usually include the first N bytes of the packet 
which elicited the ICMP response.  In this case, it was a TCP packet 
addressed to 192.168.0.2 (which explains why the destination is
unreachable...); the N bytes returned don't turn out, in this
case, to include as much of the header as the logging process
would be willing to decode, such as the source and destination
port numbers -- hence the "incomplete".

  In sum:  Router 81.36.93.118 believes it received a packet from
your network addressed to 192.168.0.2.  Its notification to you 
that it doesn't have a way to deliver that packet (expected per
RFC 1918) doesn't happen to include the full TCP header of the 
bogus packet.

David Gillett


> -----Original Message-----
> From: Rodrigo B. Ramos [mailto:rodrigo.ramos () triforsec com br]
> Sent: December 22, 2003 12:29
> To: security-basics () securityfocus com
> Subject: PROTO=TCP INCOMPLETE
>
>
> Can anyone explain me the log bellow?
>
>
>
> Dec 22 08:44:31 TFSWEB kernel: INVALID: IN=ppp0 OUT= MAC=
> SRC=81.36.93.118 DST=xxx.xxx.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=136
> ID=6618 PROTO=ICMP TYPE=3 CODE=1 [SRC=xxx.xxx.xxx.xxx DST=192.168.0.2
> LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=45750 DF PROTO=TCP INCOMPLETE [8
> bytes] ]
>
>
> Best regards,
> Rodrigo Ramos
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------