[Dshield] Is this normal?

Johannes Ullrich jullrich at sans.org
Sat Jun 22 16:44:31 GMT 2002

ICMP Time Exceeded is a fragmentation error.

If you send a very large packet to a site, it will be split up into
different 'fragments'. The receiver will have to reassemble these
fragments. In order to do this, the receiver has to store the fragments
until all of them have arrived. However, sometimes it happens that a
fragment gets lost, or that the connection is just very slow and it
takes very long for all fragments to arrive. In this case, the receiver
has to give up at one point, to free up the memory they set aside to
store the fragments. If this happens, the receiver will send a ICMP
message 'time exceeded' back to the sender to tell the sender that the
sender has to resend the packet.

The maximum time allowed depends on the operating system and is usually
configurable. These messages are sometimes used for 'maximum MTU
discovery'. The 'MTU' (Maximum transmission unit) is the maximum size of
a packet that can be transmitted without fragmentation. This size
depends on the physical transmission medium (dialup, ethernet,
sonet...). Because neither end exactly knows what media are used at
either site or at carriers in between, some test packets are send to
find the largest packet size that can be send without fragmentation.
Using this packet size will provide better performance.

On Sat, 22 Jun 2002 01:22:25 -0400
"Mercy" <Mercymail at mindspring.com> wrote:

> Sorry all, but i really am still learning about all of this stuff.
> I just got home and checked my zone alarm alerts... and this was in
> it:
> The firewall has blocked Internet access to www.microsoft.com
> ( (ICMP Time Exceeded) from your computer.
> Occurred: 4 times between 6/21/02 5:27:16 PM and 6/21/02 5:28:02 PM
> I'm assuming that a microsoft program tried to look for updates?  Why
> did it happen so many times?
> Stupidly yours,
> Mercy

jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20020622/0eced5e7/attachment.bin

More information about the list mailing list