[unisog] Port 0
CHRISTENSENE at MAIL.ECU.EDU
Thu Oct 27 19:04:13 GMT 2005
This is interesting...
It actually is showing source port 0, destination port 0.
So as you said, it was a response to a PING. Is a PING on a specific port?
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Valdis.Kletnieks at vt.edu
Sent: Thursday, October 27, 2005 12:56 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Port 0
On Thu, 27 Oct 2005 09:59:04 EDT, "Christensen, Eric" said:
> I was reviewing my firewall logs this morning and found a few packets
> going to and from port 0. Apparently they were ICMP packets.
You have a borked/confused firewall that doesn't understand that ICMP
doesn't have ports. What has happened is that it has looked at the place in
a UDP packet where the port would be (first 16 bits are source port, next 16
dest), and misinterpreted the first 16 bits of ICMP header (8 bits of type,
8 bits of sub-code). So if it's showing a "source port" of zero, that means
it's really ICMP type 0, code 0. Type 0 is "echo reply" - you're looking at
the response packet for an ICMP type 8 (Echo). Somebody at your site pinged
the source of the packet, and it's responding.
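
The misreading described in the quoted reply, as an added example that is not part of the original thread: a field extractor that reads the first 32 bits after the IPv4 header as ports regardless of protocol, beside a protocol-aware one. The packets are constructed samples using documentation addresses, and all function names are hypothetical.

```python
import struct

ICMP_NAMES = {0: "echo reply", 8: "echo request"}

def l4_offset(pkt):
    # IHL (low nibble of byte 0) counts 32-bit words of IPv4 header
    return (pkt[0] & 0x0F) * 4

def naive_ports(pkt):
    """Treat the first 32 bits after the IP header as two ports, whatever the protocol."""
    return struct.unpack_from("!HH", pkt, l4_offset(pkt))

def describe(pkt):
    """Protocol-aware log fields: ports for TCP/UDP, type/code for ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, off = pkt[9], l4_offset(pkt)
    if len(pkt) < off + 4:
        raise ValueError("truncated transport header")
    if proto in (6, 17):
        sport, dport = struct.unpack_from("!HH", pkt, off)
        return {"proto": "tcp" if proto == 6 else "udp", "sport": sport, "dport": dport}
    if proto == 1:
        icmp_type, code = struct.unpack_from("!BB", pkt, off)
        return {"proto": "icmp", "type": icmp_type, "code": code,
                "name": ICMP_NAMES.get(icmp_type, "other")}
    return {"proto": proto}

def sample_packet(proto, l4):
    """Constructed IPv4 header (header checksum left 0), documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + l4

# Constructed samples. ICMP echo layout: type, code, checksum, identifier, sequence.
ECHO_REPLY = sample_packet(1, struct.pack("!BBHHH", 0, 0, 0xEDCA, 0x1234, 1))
ECHO_REQUEST = sample_packet(1, struct.pack("!BBHHH", 8, 0, 0xE5CA, 0x1234, 1))
UDP_DNS = sample_packet(17, struct.pack("!HHHH", 53124, 53, 8, 0))

if __name__ == "__main__":
    for name, pkt in [("echo reply", ECHO_REPLY), ("echo request", ECHO_REQUEST),
                      ("udp dns", UDP_DNS)]:
        print(name, "naive ports:", naive_ports(pkt), "decoded:", describe(pkt))
```

Under the same misreading, the echo request sample (type 8, code 0) would be logged with a "source port" of 2048.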