
Re: ipf icmp types?



> Erm... I'm not quite familiar with how ipf logs this stuff, since I
> mainly monitor it with my IDS, but type 8 really is an echo
> request to me... what does /0 mean in this context...? As far as
> I know, an ICMP packet can have only one type...!?


ICMP packets always have 2 fields. The first numeral indicates the type
and the second indicates the code. A type 8/0 ICMP packet is an echo
request packet; type 0/0 is an echo reply. These logs show some people
pinging your box. If you had a whole bunch of ICMP 0/0 leaving your machine
without receiving the matching requests first, then we could probably assume
that someone somewhere was sending out spoofed packets with your IP on them.
However, this isn't the case. Paranoia when paranoia is due. =)

To answer Jay's question, the second field is the CODE field. It is used by
various types of ICMP packets to differentiate between return codes. For example,
an ICMP packet with a type of 3 is classified as a destination unreachable
message. 3/0 is returned for network unreachable. 3/1 is returned for
destination unreachable. Type 3 ICMP packets have 16 different codes.

The only types of ICMP packets that can hold a non-zero code are

type 3 destination unreachable (16 different codes, 0-15)
type 5 redirect (4 different codes, 0-3)
type 11 time exceeded (2 codes, 0 or 1)
type 12 parameter problem (2 codes, 0 or 1)

Hope this helped

Matt Sauve-Frankel
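The type/code pairs discussed above, and the "echo replies leaving without a
matching request" check, as an added example that is not part of the original
thread. It decodes the 8-byte ICMP header (type, code, checksum, and the
4-byte "rest of header" that carries identifier/sequence for echo messages),
names the pair the way ipf-style logs print it (e.g. 8/0), verifies the
Internet checksum, and flags outgoing echo replies that no incoming echo
request asked for. Type and code names follow RFC 792 plus later IANA
assignments (so type 12 is shown with three codes rather than the two listed
above); all packets are constructed in the block, not captured from ipf or an
IDS, and the function and variable names are this example's own.

```python
"""Decode raw ICMP (IPv4) headers into type/code names and flag echo
replies that no request asked for. Added example, not from the original
thread. All sample packets are constructed here, not captured."""
import struct
from typing import Dict, List, Optional, Tuple

# Type names per RFC 792 (subset in common use).
ICMP_TYPES: Dict[int, str] = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded",
    12: "parameter problem", 13: "timestamp", 14: "timestamp reply",
}

# Code names for the types whose code field carries meaning.
ICMP_CODES: Dict[int, Dict[int, str]] = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set",
        5: "source route failed", 6: "destination network unknown",
        7: "destination host unknown", 8: "source host isolated",
        9: "network administratively prohibited",
        10: "host administratively prohibited",
        11: "network unreachable for TOS", 12: "host unreachable for TOS",
        13: "communication administratively prohibited",
        14: "host precedence violation", 15: "precedence cutoff in effect"},
    5: {0: "redirect for network", 1: "redirect for host",
        2: "redirect for TOS and network", 3: "redirect for TOS and host"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
    12: {0: "pointer indicates the error", 1: "missing a required option",
         2: "bad length"},
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (constructed test data)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest & 0xFFFFFFFF)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest & 0xFFFFFFFF) + payload


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request (8) or reply (0): identifier and sequence fill the rest-of-header."""
    return build_icmp(icmp_type, 0, ((ident & 0xFFFF) << 16) | (seq & 0xFFFF), payload)


def parse_icmp(pkt: bytes) -> dict:
    """Split the fixed 8-byte header: type, code, checksum, rest of header."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    info = {
        "type": icmp_type, "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "other/unassigned"),
        "code_name": ICMP_CODES.get(icmp_type, {}).get(code),  # None when code carries no meaning
        "checksum_ok": inet_checksum(pkt) == 0,
    }
    if icmp_type in (0, 8):  # echo messages: identifier and sequence number
        info["ident"] = rest >> 16
        info["seq"] = rest & 0xFFFF
    return info


def describe(pkt: bytes) -> str:
    """Render as type/code plus names, e.g. '3/1 destination unreachable (host unreachable)'."""
    p = parse_icmp(pkt)
    s = f"{p['type']}/{p['code']} {p['type_name']}"
    return f"{s} ({p['code_name']})" if p["code_name"] else s


def find_unsolicited_replies(events: List[Tuple[str, bytes]]) -> List[Tuple[Optional[int], Optional[int]]]:
    """events: (direction, packet) in time order, direction 'in' or 'out'.
    Returns (ident, seq) of outgoing echo replies with no prior matching
    incoming echo request: the pattern the post links to spoofed requests."""
    pending = set()
    unsolicited = []
    for direction, pkt in events:
        p = parse_icmp(pkt)
        if not p["checksum_ok"]:
            continue  # corrupted header; do not trust its fields
        key = (p.get("ident"), p.get("seq"))
        if direction == "in" and p["type"] == 8:
            pending.add(key)
        elif direction == "out" and p["type"] == 0:
            if key in pending:
                pending.discard(key)  # one reply consumes one request
            else:
                unsolicited.append(key)
    return unsolicited


if __name__ == "__main__":
    for pkt in (build_echo(8, 0x1234, 1, b"ping"), build_echo(0, 0x1234, 1, b"ping"),
                build_icmp(3, 1), build_icmp(11, 0)):
        print(describe(pkt))
    log = [("in", build_echo(8, 0x1234, 1)), ("out", build_echo(0, 0x1234, 1)),
           ("out", build_echo(0, 0x1234, 2))]
    print("unsolicited replies:", find_unsolicited_replies(log))
```

In practice the (ident, seq) match is only a heuristic: a host under a reflection attack sees requests arrive with a forged source, so from its own vantage point the replies always look solicited; the check above is what the victim of the forged address would run, where replies arrive with no request having left.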




