[unisog] Port 0

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Thu Oct 27 16:56:19 GMT 2005


On Thu, 27 Oct 2005 09:59:04 EDT, "Christensen, Eric" said:

> I was reviewing my firewall logs this morning and found a few packets going
> to and from port 0.  Apparently they were ICMP packets.

You have a borked/confused firewall that doesn't understand that ICMP doesn't
have ports.  What has happened is that it has looked at the place in a UDP
packet where the port would be (first 16 bits are source port, next 16 dest),
and misinterpreted the first 16 bits of ICMP header (8 bits of type, 8 bits
of sub-code).  So if it's showing a "source port" of zero, that means it's
really ICMP type 0, code 0.  Type 0 is "echo reply" - you're looking at the
response packet for an ICMP type 8 (Echo).  Somebody at your site pinged the
source of the packet, and it's responding.
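
Added example, not part of the original message: a Python sketch of the misreading described above, comparing a logger that always reads the first 32 bits after the IP header as ports with one that checks the IP protocol field first. The packets, addresses and function names are constructed for illustration.

```python
import struct

ICMP, UDP = 1, 17  # IANA IP protocol numbers

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data)//2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp(icmp_type: int, code: int, rest: bytes = b"\x00\x01\x00\x01ping") -> bytes:
    """ICMP message: 8 bits type, 8 bits code, 16 bits checksum, then filler."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def naive_ports(packet: bytes) -> tuple[int, int]:
    """The confused logger: always treats the first 32 bits as src/dst port."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def decode(packet: bytes) -> dict:
    """Protocol-aware logger: consult the IP protocol field before decoding."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == ICMP:
        return {"proto": "icmp", "type": packet[ihl], "code": packet[ihl + 1]}
    if proto == UDP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return {"proto": "udp", "sport": sport, "dport": dport}
    return {"proto": proto}

def samples() -> dict:
    """Constructed sample packets, not captured traffic."""
    udp = struct.pack("!HHHH", 53, 33000, 8, 0)
    return {"echo reply": ipv4(ICMP, icmp(0, 0)),
            "echo request": ipv4(ICMP, icmp(8, 0)),
            "port unreachable": ipv4(ICMP, icmp(3, 3)),
            "udp": ipv4(UDP, udp)}

if __name__ == "__main__":
    for name, pkt in samples().items():
        print(f"{name:17} naive={naive_ports(pkt)} decoded={decode(pkt)}")
```

The naive "source port" is (type << 8) | code, so an echo request shows up as 2048 and a port unreachable as 771, while the naive "destination port" for ICMP is simply the 16-bit ICMP checksum.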

