Wireshark mailing list archives
Re: ICMP packets with two pairs of source and destination ip addresses?
From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Wed, 6 Jun 2012 16:08:12 +0000 (UTC)
nangergong <nangergong@...> writes:
if a packet is with a src ip A and a dst ip B while with a src ip B and a dst
ip A, what is the real direction? from A to B or from B to A?I get confused.
Direction is always from src to dst.
Is this is an ICMP destination unreachable packet, by any chance? Assuming so,
consider the following example:
----------------------------------------------------------------------
Frame 1: 48 bytes on wire (384 bits), 48 bytes captured (384 bits)
Ethernet II, Src: 00:26:b9:b3:ce:7a, Dst: 00:90:27:85:cf:01
Internet Protocol Version 4, Src: 192.168.1.103, Dst: 192.168.1.204
User Datagram Protocol, Src Port: 12345, Dst Port: 54321
Data (6 bytes)
----------------------------------------------------------------------
Frame 2: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Ethernet II, Src: 00:90:27:85:cf:01, Dst: 00:26:b9:b3:ce:7a
Internet Protocol Version 4, Src: 192.168.1.204, Dst: 192.168.1.103
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0x7480 [correct]
Internet Protocol Version 4, Src: 192.168.1.103, Dst: 192.168.1.204
User Datagram Protocol, Src Port: 12345, Dst Port: 54321
Data (6 bytes)
----------------------------------------------------------------------
In frame 1, host 192.168.1.103 sends a UDP packet to host 192.168.1.204.
In frame 2, host 192.168.1.204 informs host 192.168.1.103 that the packet is
undeliverable because the port is unreachable and returns the original IP header
from frame 1 and up to 8 bytes of payload per RFC792 (in this case, there's only
6 bytes of payload so the entire payload is returned) back to host
192.168.1.103.
So ...
Frame 1: 192.168.1.103 -> 192.168.1.204
Frame 2: 192.168.1.204 -> 192.168.1.103
Hope it helps.
- Chris
See also:
http://tools.ietf.org/html/rfc792
http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- ICMP packets with two pairs of source and destination ip addresses? nangergong (Jun 06)
- Re: ICMP packets with two pairs of source and destination ip addresses? ronnie sahlberg (Jun 06)
- Re: ICMP packets with two pairs of source and destination ip addresses? nangergong (Jun 06)
- Re: ICMP packets with two pairs of source and destination ip addresses? Christopher Maynard (Jun 06)
- Re: ICMP packets with two pairs of source and destination ip addresses? nangergong (Jun 06)
- Re: ICMP packets with two pairs of source and destination ip addresses? ronnie sahlberg (Jun 06)