Security Incidents mailing list archives

Re: weird packet


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Mon, 29 Jan 2001 14:13:13 -0500

JW Oh <mat () IVNTECH COM> writes:

I run fwlog...
and got following log:
01:47:18 [lo] ICMP 127.0.0.1:3 -> 127.0.0.1:3 ttl=255 ICMP_PORT_UNREACH len=85
0000 : E..U.).......... 45 C0 00 55 E7 29 00 00 FF 01 D5 BB 7F 00 00 01
0010 : .......5....E..9 7F 00 00 01 03 03 FB 35 00 00 00 00 45 00 00 39
0020 : .(..@........... E7 28 00 00 40 11 95 89 7F 00 00 01 7F 00 00 01
0030 : .....%..mat@5734 06 18 02 00 00 25 F9 A2 6D 61 74 40 35 37 33 34
0040 : 7:/var/spool/mai 37 3A 2F 76 61 72 2F 73 70 6F 6F 6C 2F 6D 61 69
0050 : l/mat........... 6C 2F 6D 61 74

What's this?

You've got mail.  (New mail at byte offset 57347 in file
/var/spool/mail/mat)

Specifically, you're probably using procmail and haven't disabled the
COMSAT setting.  Comsat/biff is (was) a system for notifying users
when they got new mail; many mail delivery programs support
comsat-style notification.  Much more information is available via the
procmail, comsat, and biff manpages.  (If nothing else, you can find
the manpages through a web search; for example,
http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=comsat )

The ICMP unreachable message above means that some program tried to
send a UDP message (the byte 0x11 at offset 0x25) to port 512 (the
bytes 02 00 starting at offset 0x32), and that no daemon was listening
on that port.  Note that this was sent over the localhost interface,
so it was from some program on your machine to some other program on
your machine.

Most firewall programs log ICMP Port unreachable messages because it
is usually a sign of something unusual going on when someone attempts
to connect to a service that isn't there.  However, in this case it's
obviously nothing to worry about.  Either start ignoring these reports
manually, or figure out how to stop generating them.

Incidentally, (to the list) has anyone built a good ascii-hex-dump to
detailed packet analysis script?  It occurs to me that many dump
output formats such as the one above, or the result of tcpdump -x, can
be converted (with 'cut' or a similarly simple tool) to a flat format
of just bytes with possible whitespace; for example:
 45 C0 00 55 E7 29 00 00 FF 01 D5 BB 7F 00 00 01
 7F 00 00 01 03 03 FB 35 00 00 00 00 45 00 00 39
 E7 28 00 00 40 11 95 89 7F 00 00 01 7F 00 00 01
 06 18 02 00 00 25 F9 A2 6D 61 74 40 35 37 33 34
 37 3A 2F 76 61 72 2F 73 70 6F 6F 6C 2F 6D 61 69
 6C 2F 6D 61 74

It would be nice to be able to feed the above hex string into
something and get back:
 ICMP Port unreachable (127.0.0.1 -> 127.0.0.1)
  Original packet: IP (127.0.0.1 -> 127.0.0.1),
    subtype UDP (1560 -> 512 (biff))
      Packet contents: "mat@57347:/var/spool/mail/mat"

I've seen such packet analysis built into tools like ethereal; it
would be nice to have such information available when you just have an
ascii file.  (A cgi script that did this would be a nice addition to
any website that offers things like nslookup or whois scripts.)
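A script of the kind asked for above, added here as an example rather than anything from the original thread: it takes the flat whitespace-separated hex format, walks the outer IP header, the ICMP header, the quoted inner IP header and the UDP header, and prints a summary in roughly the layout sketched. SAMPLE is the dump from the message; PORT_NAMES is a small hand-picked port table rather than a real /etc/services lookup, and only ICMP type 3 (destination unreachable) is decoded.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the dump from the quoted message, in the flat hex format proposed above.
SAMPLE = """
 45 C0 00 55 E7 29 00 00 FF 01 D5 BB 7F 00 00 01
 7F 00 00 01 03 03 FB 35 00 00 00 00 45 00 00 39
 E7 28 00 00 40 11 95 89 7F 00 00 01 7F 00 00 01
 06 18 02 00 00 25 F9 A2 6D 61 74 40 35 37 33 34
 37 3A 2F 76 61 72 2F 73 70 6F 6F 6C 2F 6D 61 69
 6C 2F 6D 61 74
"""
UNREACH = {0: "Net", 1: "Host", 2: "Protocol", 3: "Port"}  # ICMP type 3 codes (RFC 792)
PORT_NAMES = {512: "biff", 513: "who", 514: "syslog"}     # hand-picked /etc/services subset

def ip_header(buf, off):  # -> (fields, offset of the IP payload)
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header at offset %d" % off)
    fields = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl, "proto": proto}
    return fields, off + (vihl & 0xF) * 4

def analyse(hex_text):
    """Decode an ICMP destination-unreachable packet given as whitespace-separated hex bytes."""
    buf = bytes.fromhex("".join(hex_text.split()))
    outer, off = ip_header(buf, 0)
    if outer["proto"] != 1 or buf[off] != 3:
        raise ValueError("only ICMP destination-unreachable (type 3) packets are handled")
    r = {"outer": outer, "code": buf[off + 1]}
    # ICMP quotes the offending IP header plus at least 8 payload bytes; a truncated quote simply yields fewer bytes below.
    r["inner"], off = ip_header(buf, off + 8)
    if r["inner"]["proto"] == 17:  # UDP: source port, dest port, length, checksum, then data
        sport, dport, ulen = struct.unpack_from("!HHH", buf, off)
        r.update(sport=sport, dport=dport, payload=buf[off + 8:off + ulen])
    return r

def report(r):
    o, i = r["outer"], r["inner"]
    lines = [f"ICMP {UNREACH.get(r['code'], r['code'])} unreachable ({o['src']} -> {o['dst']})",
             f"  Original packet: IP ({i['src']} -> {i['dst']}),"]
    if "sport" in r:
        name = PORT_NAMES.get(r["dport"])
        dport = f"{r['dport']} ({name})" if name else str(r["dport"])
        lines.append(f"    subtype UDP ({r['sport']} -> {dport})")
        lines.append(f'      Packet contents: "{r["payload"].decode("ascii", "replace")}"')
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(analyse(SAMPLE)))
```

The offsets the reply quotes (0x11 at offset 0x25, the 02 00 port bytes at 0x32) fall out of the same walk: outer header 20 bytes, ICMP header 8, inner header 20, then the UDP header.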
