Re: browser behind firewall causing me to receive ICMP messages?

From: RainbowHat (nHiATlE_at_blSackholeP.mAit.edMu.invalid)
Date: 09/07/03


Date: Sun, 7 Sep 2003 17:43:43 +0000 (UTC)


< Neil Sandow

128.252.140.114---128.252.1.229---129.250.146.18---local IP web server
              3hops           10hops            1hop

>** ORIGINAL DATAGRAM DUMP:
>129.250.146.18:0 -> 128.252.140.114:0

Looks like 129.250.146.18 sent source port 0 to destination port 0/TCP
(or a bug in snort 2.0.0?) and 128.252.1.229 admin prohibit filtered.

>TIME: 11:23:21.607182 (0.003618)
128.252.140.114:1105 -> 129.250.146.18:80 SYN (TCP opt 8bytes)
>TIME: 11:23:21.607497 (0.000315)
128.252.140.114:1105 <- 129.250.146.18:80 SYN|ACK (TCP opt 4bytes)

Detail of above TCP options?

>TIME: 11:23:21.663391 (0.006901)
128.252.1.229 -> 129.250.146.18 ICMP admin prohibit filtered
>DATA: ....E..,#j..4.A........r.P.QnE..

An ASCII dump is useful for application-level debugging. In this case,
a hex dump, or parsing the original packet inside the ICMP message, is
helpful, especially to see whether the src/dst ports are 0 or not.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
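
The check suggested in the message above, parsing the original datagram quoted inside the ICMP error to read its real src/dst ports, can be done as follows. This is an added example, not part of the original post; the function name is hypothetical, and the sample bytes are constructed from the addresses and ports in the session lines above, with every byte the ASCII dump shows as "." filled in with a constructed value.

```python
import struct
from ipaddress import IPv4Address

# ICMP error types that quote the offending datagram (RFC 792).
QUOTING_TYPES = (3, 4, 5, 11, 12)

def parse_icmp_error(icmp: bytes) -> dict:
    """Parse an ICMP error (starting at the ICMP header) and return the
    addresses and ports of the original datagram quoted inside it."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short to hold a quoted IPv4 header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in QUOTING_TYPES:
        raise ValueError(f"ICMP type {icmp_type} does not quote a datagram")
    quoted = icmp[8:]                  # skip type, code, checksum, 4 more bytes
    version, ihl = quoted[0] >> 4, (quoted[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("quoted datagram is not a valid IPv4 header")
    info = {
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "total_len": struct.unpack("!H", quoted[2:4])[0],
        "ttl": quoted[8], "proto": quoted[9],
        "src": str(IPv4Address(quoted[12:16])),
        "dst": str(IPv4Address(quoted[16:20])),
        "sport": None, "dport": None,  # stay None if the quote is cut short
    }
    l4 = quoted[ihl:ihl + 8]           # only 8 bytes past the IP header are guaranteed
    if info["proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

# Constructed sample: type 3 / code 13 (administratively prohibited) quoting
# a TCP segment 129.250.146.18:80 -> 128.252.140.114:1105.
SAMPLE = bytes.fromhex(
    "030d0000" "00000000"             # ICMP header; checksum is not verified here
    "4500002c" "236a0000" "34064100"  # IPv4: total length 44, TTL 52, protocol TCP
    "81fa9212" "80fc8c72"             # source address, destination address
    "00500451" "6e450000"             # TCP: sport 80, dport 1105, sequence number
)

if __name__ == "__main__":
    print(parse_icmp_error(SAMPLE))
```

A port pair of 0/0 returned by such a parser would mean the quoted segment really carried port 0; non-zero values would point at the tool's one-line summary rather than the packet.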