Re: Is There A Free Program That Logs Internet Transactions?



On 11 Jan 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1137026184.572090.78480@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, SyNko wrote:

[use of windoze 'netstat' command]

>But the ICMP protocol isn't tracked in this way. Isn't that true?

http://www.iana.org/assignments/icmp-parameters

0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

http://www.ietf.org/rfc/rfc0792.txt
http://www.faqs.org/rfcs/rfc0792.html
http://www.rfc-editor.org/rfc/rfc0792.txt
http://www.ccd.bnl.gov/network/general/rfc0792.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc0792.html

There's nothing to "track". ICMP has a number of possibilities, but it
boils down to "ping" (ICMP type 8 requests, type 0 reply), and "error"
messages (ICMP type 3 - "Destination Unreachable" and ICMP type 11 -
"Time Exceeded" used by TRACERT.EXE or the original "traceroute"). The
ICMP type 5 (Redirect) is so easily abused as a "Denial Of Service" ploy
that nearly all operating systems ignore it.

ICMP does not use port numbers (the numbers your toy firewall shows as
source and destination port numbers are actually the "ICMP type" and
"ICMP code" values).

If you see an ICMP error packet, it has enough information inside the
packet for your computer to understand. You try to connect to some idiot's
web page and mis-type the hostname - and this other host isn't running a
web server. It will send back an ICMP packet that says "you said 'connect
to the web server here' but there is no web server". Or maybe there is
no host - a router will send back a similar "you said 'connect to the web
server at MUMBLE.FUMBLE.FOO' but I can't find that host".

ICMP has no conversations. It has only answers.

Old guy
.
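A worked illustration of the two points made above (the first two bytes of an ICMP message are type and code, which a port-oriented firewall log mislabels as "ports", and an ICMP error carries the original IP header plus 8 bytes of payload so the receiving host can match it to its own connection). This is example code added here, not code from the thread; the addresses and packet bytes are constructed samples from the RFC 5737 documentation ranges.

```python
import struct

# Types the post mentions (RFC 792). Types 3 and 11 are error messages that
# carry the offending IP header plus the first 8 bytes of its payload.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded"}
ERROR_TYPES = {3, 11}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message. Bytes 0-1 are type and code, the fields a
    port-oriented firewall log mislabels as source/destination port."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code = msg[0], msg[1]
    out = {"type": icmp_type, "code": code,
           "name": ICMP_TYPES.get(icmp_type, "other"),
           "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type in ERROR_TYPES:
        inner = msg[8:]                  # embedded original IPv4 header
        ihl = (inner[0] & 0x0F) * 4
        src = ".".join(map(str, inner[12:16]))
        dst = ".".join(map(str, inner[16:20]))
        # The 8 payload bytes hold both ports for TCP and UDP, which is
        # how the receiving host matches the error to its own socket.
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        out["original"] = {"proto": inner[9], "src": src, "dst": dst,
                           "sport": sport, "dport": dport}
    return out

def build_unreachable(code: int, original_ip: bytes) -> bytes:
    """Build a type-3 message the way a host or router would, checksum set."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + original_ip[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed sample: 192.0.2.10 sent a TCP SYN to port 80 on 198.51.100.7,
# whose packet filter rejects it with "port unreachable" (type 3, code 3).
ORIGINAL_IP = (bytes.fromhex("45000028000040004006") + b"\x00\x00"
               + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7])
               + struct.pack("!HH", 52345, 80) + b"\x00" * 4)
SAMPLE = build_unreachable(3, ORIGINAL_IP)
```

Running `parse_icmp(SAMPLE)` shows type 3 / code 3 where a port-based log would print "ports", and the embedded header identifies the connection attempt to 198.51.100.7:80 that the error refers to.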
