Snort mailing list archives

RE: ICMP Destination Unreachable (Port Unreachable)


From: "Tony Wong" <tony.wong () stanford edu>
Date: Tue, 16 Apr 2002 11:12:12 -0700

This problem has been fixed. Apparently the webserver was syslogging to
a remote host that did not have syslog running.
The clue was in the packet dump: port 514.

Thanks for your tips

04/16-07:12:44.877225 webserver -> sysloghost
ICMP TTL:128 TOS:0x0 ID:13946 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
webserver:514 -> sysloghost:514
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:86 DF
Len: 66
** END OF DUMP
00 00 00 00 45 00 00 56 00 00 40 00 40 11 70 BA  ....E..V..@.@.p.
AB 40 BA 09 AB 40 B9 52 02 02 02 02 00 42 56 79  .@...@.R.....Bvy

------------------------------------------------------------------------

On Wed, 10 Apr 2002, Tony Wong wrote:

I don't understand why I keep getting these "ICMP Destination 
Unreachable (Port Unreachable)" in my alerts. The source is from a PC 
to an Apache web server. Running

I ran ethereal on the PC when doing an ftp and this is usually when it
happens.

I get an ICMP Destination Unreachable when doing an ftp. I can ftp in 
ok no problems but why these ICMP Destination Unreachable messages?

You'll need to have a look at the decoded packet dumps.  They should
list the packet headers that caused the "other" server to respond with an
ICMP message. What ports does that refer to?  If it's a Win32 based
machine that the original packets are coming from, I'd suspect it's to
do with the broken way in which MS does lookups.  Many times it tries to
do a SMB/WINS query on the name, IIRC.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
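
The triage step discussed in this thread (reading the original datagram embedded in an ICMP type 3 message to find which port was unreachable), as an added Python example that is not part of the original posts. The function name `parse_unreachable_payload` is hypothetical; the sample bytes are the 32 payload bytes from the Snort alert above.

```python
import socket
import struct

# Payload bytes copied from the alert in this thread: 4 unused ICMP bytes,
# then the IPv4 header and first 8 bytes of the datagram that was rejected.
PAYLOAD = bytes.fromhex(
    "00 00 00 00 45 00 00 56 00 00 40 00 40 11 70 BA "
    "AB 40 BA 09 AB 40 B9 52 02 02 02 02 00 42 56 79"
)

def parse_unreachable_payload(payload: bytes) -> dict:
    """Recover the flow that triggered an ICMP Destination Unreachable."""
    if len(payload) < 4 + 20:
        raise ValueError("payload too short for an embedded IPv4 header")
    inner = payload[4:]  # skip the 4 unused bytes after the ICMP header
    (ver_ihl, _tos, total_len, ip_id, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("embedded IPv4 header is truncated")
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "id": ip_id,
        "total_len": total_len,
        "dont_fragment": bool(frag & 0x4000),
    }
    # RFC 792 only guarantees 8 bytes past the IP header, which is enough
    # for the TCP/UDP port pair (and the UDP length field).
    l4 = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 17 and len(l4) >= 6:
        info["udp_len"] = struct.unpack("!H", l4[4:6])[0]
    return info

if __name__ == "__main__":
    flow = parse_unreachable_payload(PAYLOAD)
    print("{src}:{sport} -> {dst}:{dport} proto={proto}".format(**flow))
```

The decoded destination port (514/UDP, syslog) matches the "ORIGINAL DATAGRAM DUMP" lines Snort printed, which is what pointed to the missing syslog listener.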

