Full Disclosure mailing list archives

Re: Re: ICMP Destination Unreachable Port Unreachable


From: Scott Renna <srenna () lcssecuritygroup com>
Date: Tue, 15 Aug 2006 19:33:10 -0400

common mistake

On Aug 15, 2006, at 7:24 PM, Darren Bounds wrote:

I'm confused about a couple of things:

1) You say you knew the nature of the packet yet in your original message you stated "Neither the source IP or the target IP have any ports associated with them in this event. Any ideas would be appreciated.".

- The packet you dumped was an ICMP port unreachable. There will never be a port associated with an ICMP packet.
- ICMP unreachable messages contain a payload with the IP header of the packet generating the error and at least 64 bits (8 bytes) of the original data datagram. There are ports associated with UDP and therefore inspection of the embedded UDP packet tells you quite a bit, i.e., it was using ports 16229 and 2597 as source and destination.

2) You * out the first 3 octets of the destination IP address in the event but leave the IP address in the ICMP payload (70.91.131.49). Why?


--

Thanks,
Darren Bounds

On 8/15/06, Adriel T. Desautels <simon () snosoft com> wrote:
Darren,
   I did notice what type of packet it was and I also know what the
packet signifies. The issue that I am having is that there has never
been any outbound UDP activity to the host that is replying to this
network. The payloads of the ICMP packets are a bit weird too,
containing either X'es or |'s or encoded strings. What I am trying to
figure out is if anyone here recognizes these types of payloads and
knows what could be generating them?

so just to be clear...

I want info about the payload not about ICMP!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
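The point made above, that the ports in an ICMP Destination Unreachable event live in the embedded IP header plus the first 8 bytes of the original datagram rather than in the ICMP packet itself, as an added worked example that is not part of the thread. The parser below is not anyone's posted code; it builds a constructed ICMP type 3 / code 3 message (RFC 792 layout: 8-byte ICMP header, then the offending IPv4 header, then at least 64 bits of the original datagram), verifies the ICMP checksum, and pulls the inner source/destination addresses and UDP (or TCP) ports out of it. The IP addresses are documentation addresses and the port numbers 16229 and 2597 are taken from the thread; the helper names are mine.

```python
import socket
import struct

# RFC 792 Destination Unreachable codes (only the common ones).
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreachable(orig_src: str, orig_dst: str, sport: int, dport: int,
                           udp_len: int = 36) -> bytes:
    """Constructed sample: ICMP type 3 code 3 quoting an IPv4+UDP datagram.

    Only the inner IPv4 header and the first 8 bytes (the UDP header) are
    quoted, which is the RFC 792 minimum; real routers usually quote more.
    """
    # Inner IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto 17 (UDP),
    # header checksum (left 0 in this constructed sample), src, dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                         socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    body = ip_hdr + udp_hdr
    unchecked = struct.pack("!BBHI", 3, 3, 0, 0) + body
    return struct.pack("!BBHI", 3, 3, icmp_checksum(unchecked), 0) + body


def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message and its embedded datagram."""
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    # A valid message sums to zero once the transmitted checksum is included.
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")

    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("embedded datagram is not an IPv4 header")
    ihl = (inner[0] & 0x0F) * 4
    # RFC 792 guarantees the inner IP header plus 64 bits of the original datagram;
    # that is exactly enough for the UDP/TCP port pair.
    if len(inner) < ihl + 8:
        raise ValueError("truncated: need inner IP header plus 8 bytes")

    proto = inner[9]
    result = {
        "code": code,
        "reason": UNREACH_CODES.get(code, "code %d" % code),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": proto,
        "sport": None,
        "dport": None,
    }
    if proto in (6, 17):  # TCP and UDP both start with src port, dst port
        result["sport"], result["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result


if __name__ == "__main__":
    # Constructed sample: a UDP datagram 192.0.2.10:16229 -> 198.51.100.7:2597
    # answered with a port unreachable. The addresses are documentation ranges.
    pkt = build_port_unreachable("192.0.2.10", "198.51.100.7", 16229, 2597)
    info = parse_unreachable(pkt)
    print("%s: %s:%s -> %s:%s (proto %d)" % (info["reason"], info["inner_src"],
          info["sport"], info["inner_dst"], info["dport"], info["inner_proto"]))
```

The parser reads the inner IHL field rather than assuming a 20-byte header, so it also handles an embedded datagram carrying IP options, and it rejects a quote that is shorter than the RFC minimum instead of reading garbage as port numbers. When feeding it a capture, pass the ICMP message starting at the ICMP type byte (after the outer IP header).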
