[Dshield] CVTWIN DShield Logs Not Matching

Johannes Ullrich jullrich at euclidian.com
Wed Sep 10 11:46:36 GMT 2003

> ip>
> Actually, this may be a rather common convention: since ICMP does not
> use source or destination ports in the sense that TCP or UDP does (at
> all, for that matter), it's not uncommon to see the ICMP type (8 for a
> ping) and ICMP code (0 for a ping) represented as "source port" and
> "destination port"
> The meaning here becomes:
> > 2003-09-08 11:17:29 -04:00 96526936 1 8 0 ICMP 
> ICMP type 8, code 0 = ping

Correct. Sorry for not responding earlier. The 'type=source port' and
'code=target port' convention is just for database design convenience.
In addition, the types/codes are not typically used ports, so it is a
good assumption to say "target port 0 = ping".

We could break things out by protocol in our reports. But this would add
another layer of complexity to the reporting and in most cases wouldn't
make a big difference. Port 135 is probably the only "prominent" port
where UDP and TCP are used frequently. On the other hand: before
Blaster, we saw almost exclusively UDP (popup spam), while now we see
almost exclusively TCP from Blaster.

Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net

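The convention discussed above (for ICMP records the "source port" and "target port" columns carry the ICMP type and code) is easy to get wrong when reading DShield-format logs. The following is an added example, not DShield or CVTWIN code, that parses a few constructed log lines and renders the port columns according to the protocol. It assumes the common DShield submission column order (date, time, timezone, user id, count, source IP, source port, target IP, target port, protocol, optional TCP flags); the quoted line in the post omits the IP columns, so the sample lines here are constructed with them filled in.

```python
"""Interpret DShield-style log lines where, for ICMP, the 'source port' and
'target port' columns hold the ICMP type and code.

Added example (not DShield code). Assumed column order:
date time tz userid count src sport dst dport proto [flags]
"""
from collections import Counter
from dataclasses import dataclass

# Small ICMP type/code table (RFC 792 values) used to turn the port
# columns back into human-readable messages. Only common types are listed.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (8, 0): "echo request (ping)",
    (11, 0): "TTL exceeded in transit",
}


@dataclass
class Record:
    timestamp: str
    userid: str
    count: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str


def parse_line(line: str) -> Record:
    """Split one whitespace-separated DShield line into a Record."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"expected at least 10 fields, got {len(fields)}: {line!r}")
    date, time, tz, userid, count, src, sport, dst, dport, proto = fields[:10]
    flags = fields[10] if len(fields) > 10 else ""
    return Record(f"{date} {time} {tz}", userid, int(count), src, int(sport),
                  dst, int(dport), proto.upper(), flags)


def describe(rec: Record) -> str:
    """Render the port columns according to the protocol's convention."""
    if rec.proto == "ICMP":
        # For ICMP the 'ports' are type and code, not transport ports.
        name = ICMP_NAMES.get((rec.sport, rec.dport), "unknown type/code")
        return f"ICMP type {rec.sport} code {rec.dport} ({name})"
    return f"{rec.proto} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}"


def summarize(lines):
    """Count hits per (protocol, target port), i.e. the per-protocol
    breakdown the post says a report could show (e.g. 135/TCP vs 135/UDP)."""
    summary = Counter()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        summary[(rec.proto, rec.dport)] += rec.count
    return summary


# Constructed sample log (documentation addresses, not real sensors).
SAMPLE_LOG = """\
2003-09-08 11:17:29 -04:00 96526936 1 192.0.2.10 8 198.51.100.5 0 ICMP
2003-09-08 11:18:02 -04:00 96526936 3 192.0.2.11 1034 198.51.100.5 135 TCP S
2003-09-08 11:18:40 -04:00 96526936 1 192.0.2.12 1026 198.51.100.5 135 UDP
2003-09-08 11:19:11 -04:00 96526936 1 192.0.2.13 11 198.51.100.5 0 ICMP
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_line(line)))
    for (proto, port), hits in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{proto:4s} target port {port:>3}: {hits} hit(s)")
```

Note that without the protocol check both ICMP lines would be counted as "target port 0", which is exactly the ambiguity the post describes; the summary keyed on (protocol, port) keeps 0/ICMP separate from any real port 0 traffic and 135/TCP separate from 135/UDP.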