[Dshield] CVTWIN DShield Logs Not Matching

John Sage jsage at finchhaven.com
Wed Sep 10 09:22:58 GMT 2003


Greg:

On Mon, Sep 08, 2003 at 10:53:54PM -0400, Greg Parrott wrote:
> Wayne,
> 
> I think I have discovered why my logs aren't getting converted.  I told
> CVTWIN to e-mail me a copy.  Looks like the destination "port" address for
> ICMP inbound is getting converted to 0 not 8.  I know it is not a "port",
> but the ICMP type.  See the CVTWIN excerpt:
> 
> 2003-09-08 11:17:29 -04:00 96526936 1 66.57.223.157 8 10.57.81.134 0 ICMP
> 2003-09-08 11:17:30 -04:00 96526936 1 64.232.123.10 500 10.57.81.134 500 UDP
> 2003-09-08 11:17:33 -04:00 96526936 1 66.57.2.227 8 10.57.81.134 0 ICMP
<snip>

Actually, this may be a rather common convention: since ICMP does not
use source or destination ports in the sense that TCP or UDP does (at
all, for that matter), it's not uncommon to see the ICMP type (8 for a
ping) and ICMP code (0 for a ping) represented as "source port" and
"destination port".

The meaning here becomes:

> 2003-09-08 11:17:29 -04:00 96526936 1 66.57.223.157 8 10.57.81.134 0 ICMP 

ICMP type 8, code 0 = ping

Other ICMP type:code pairs can be found at:

http://www.faqs.org/rfcs/rfc792.html



- John
-- 
"Warning: time of day goes back, taking countermeasures."
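The convention John describes above (ICMP type and code carried in the "source port" and "destination port" columns) is easy to get wrong when post-processing DShield submissions, because the same two columns mean different things depending on the protocol column. The parser below is an added example, not code from the thread or from CVTWIN: it reads lines in the layout of the quoted records (date, time, timezone offset, user id, count, source, "sport", destination, "dport", protocol, optional flags), which is an assumption based on those lines, and for ICMP rows it reinterprets the two numeric columns as type/code and names the well-known pairs from RFC 792 instead of treating them as ports.

```python
"""Parse DShield-style log lines, treating the ICMP "port" columns as type/code.

Added example for the CVTWIN thread; not part of DShield or CVTWIN.
Column layout is assumed from the records quoted in the thread:
    date time tz userid count src sport dst dport proto [flags]
"""
from dataclasses import dataclass
from typing import List, Optional

# Sample records copied from the thread (the first three) plus one constructed
# TCP line with flags, to show the non-ICMP path.
SAMPLE_LINES = [
    "2003-09-08 11:17:29 -04:00 96526936 1 66.57.223.157 8 10.57.81.134 0 ICMP",
    "2003-09-08 11:17:30 -04:00 96526936 1 64.232.123.10 500 10.57.81.134 500 UDP",
    "2003-09-08 11:17:33 -04:00 96526936 1 66.57.2.227 8 10.57.81.134 0 ICMP",
    "2003-09-08 11:17:40 -04:00 96526936 1 192.0.2.10 4321 10.57.81.134 135 TCP S",  # constructed
]

# Subset of RFC 792 (type, code) names; only the well-known pairs are listed.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request (ping)",
    (11, 0): "time exceeded: TTL exceeded in transit",
}


@dataclass
class DShieldRecord:
    timestamp: str
    userid: str
    count: int
    src: str
    dst: str
    proto: str
    flags: str = ""
    sport: Optional[int] = None      # only set for TCP/UDP
    dport: Optional[int] = None      # only set for TCP/UDP
    icmp_type: Optional[int] = None  # only set for ICMP
    icmp_code: Optional[int] = None  # only set for ICMP

    def describe(self) -> str:
        """Human-readable one-liner that never calls an ICMP type a 'port'."""
        if self.proto == "ICMP":
            name = ICMP_NAMES.get((self.icmp_type, self.icmp_code), "unlisted type/code")
            return (f"{self.timestamp} {self.src} -> {self.dst} ICMP "
                    f"type {self.icmp_type} code {self.icmp_code} ({name})")
        flags = f" flags={self.flags}" if self.flags else ""
        return (f"{self.timestamp} {self.src}:{self.sport} -> "
                f"{self.dst}:{self.dport} {self.proto}{flags}")


def parse_line(line: str) -> DShieldRecord:
    """Split one whitespace-separated DShield line and validate its numeric columns."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"expected at least 10 columns, got {len(fields)}: {line!r}")
    date, time_, tz, userid, count, src, col_a, dst, col_b, proto = fields[:10]
    a, b = int(col_a), int(col_b)
    rec = DShieldRecord(timestamp=f"{date} {time_} {tz}", userid=userid, count=int(count),
                        src=src, dst=dst, proto=proto.upper(), flags=" ".join(fields[10:]))
    if rec.proto == "ICMP":
        # ICMP type and code are single bytes; anything larger means the
        # columns were not produced the way the thread describes.
        if not (0 <= a <= 255 and 0 <= b <= 255):
            raise ValueError(f"ICMP type/code out of byte range: {a}/{b}")
        rec.icmp_type, rec.icmp_code = a, b
    else:
        if not (0 <= a <= 65535 and 0 <= b <= 65535):
            raise ValueError(f"port out of range: {a}/{b}")
        rec.sport, rec.dport = a, b
    return rec


def summarize(lines: List[str]) -> List[str]:
    """Parse every line and return its description; bad lines are reported, not dropped silently."""
    out = []
    for line in lines:
        try:
            out.append(parse_line(line).describe())
        except ValueError as exc:
            out.append(f"REJECTED: {exc}")
    return out


if __name__ == "__main__":
    for text in summarize(SAMPLE_LINES):
        print(text)
```

Run stand-alone it prints the three quoted records with the ICMP rows rendered as "type 8 code 0 (echo request (ping))", which is the reading John gives, and the UDP row with real ports. The byte-range check on ICMP rows is the cheap sanity test worth keeping in any converter: a value above 255 in those columns means the tool emitted something other than type/code.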



