Snort mailing list archives

Re: ICMP Destination Unreachable

From: Phil Wood <cpw () lanl gov>
Date: Fri, 6 Sep 2002 14:43:33 -0600

On Fri, Sep 06, 2002 at 04:04:01PM -0400, Ian Macdonald wrote:

Thanks, So can one make the assumption that a datagram is a normal packet

Yes, my online dict says:
     A self-contained, independent entity of data carrying
     sufficient information to be {route}d from the source to the
     destination computer without reliance on earlier exchanges
     between this source and destination computer and the
     transporting {network}.

So, any IP packet has sufficient information in the IP header to get the
packet to a host on the net, provided there is a "path" made up of "routers"
between the source and destination hosts.

Once the packet arrives as a destination, then it may proceed up through
the systems "kernel" hierachy to an application (or kernel module) that
is interested in it.

ICMP unreachables can indicate to the sender (if he is set up to listen and
make sense of the data included in the message) that the packet/datagram could
not be delivered to the receiver because:

      0 = net unreachable;

      1 = host unreachable;

      2 = protocol unreachable;

      3 = port unreachable;

      4 = fragmentation needed and DF set;

      5 = source route failed.

You should look at the Code field in the icmp header to find out just what
caused the unreachable or other icmp type to be sent back to your system.
If the host is not running TCP, then you would get a code of 2.  If the host
had tcp enabled and was not running a server for port 80, you would get a
code of 3.  And so on.  Also, there is enough information* in the ICMP
Unreachable message (IP Header and 64 bits of original data) to figure out
what datagram caused the unreachable.  Like this:

              RFC791: INTERNET PROTOCOL, September 1981
   0                   1                   2                   3   
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 44             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 0            | |D| | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=230      | Protocol = 6  | Header Checksum = 35471       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 192.168.1.1                              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 10.254.1.1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 80              | Destination Port = 2661       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 2161657030                                  |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Hope this helps.

like an http packet and ICMP Destination Unreachable is sent to the sender
if the http request can not be made? This was my original problem not really
knowing what it meant by datagram and the rfc isn't that helpful on the
subject.

Ian

----- Original Message -----
From: "Phil Wood" <cpw () lanl gov>
To: "Ian Macdonald" <secsnort () dirk demon co uk>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, September 06, 2002 3:39 PM
Subject: Re: [Snort-users] ICMP Destination Unreachable


http://www.ietf.org/rfc/rfc0792.txt?number=792

On Fri, Sep 06, 2002 at 02:52:23PM -0400, Ian Macdonald wrote:

When would I get one of these messages? Only when someone pings another
machine using ICMP or when any packet is sent to network that is
unreachable?

Thanks

Ian



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Phil Wood, cpw () lanl gov


-- 
Phil Wood, cpw () lanl gov



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

ICMP Destination Unreachable Francesca Milanini (Jul 17)
- <Possible follow-ups>
- RE: ICMP Destination Unreachable McCammon, Keith (Jul 17)
- ICMP Destination Unreachable Ian Macdonald (Sep 06)
  - Re: ICMP Destination Unreachable Phil Wood (Sep 06)
    - Re: ICMP Destination Unreachable Ian Macdonald (Sep 06)
    - Re: ICMP Destination Unreachable Phil Wood (Sep 06)