[unisog] Port 0

Christensen, Eric CHRISTENSENE at MAIL.ECU.EDU
Thu Oct 27 19:04:13 GMT 2005


This is interesting...

It actually is showing source port 0, destination port 0,
type:8/subtype:0...

So as you said it was a response to a PING.  Is a PING on a specific port?
 
-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Valdis.Kletnieks at vt.edu
Sent: Thursday, October 27, 2005 12:56 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Port 0

On Thu, 27 Oct 2005 09:59:04 EDT, "Christensen, Eric" said:

> I was reviewing my firewall logs this morning and found a few packets 
> going to and from port 0.  Apparently they were ICMP packets.

You have a borked/confused firewall that doesn't understand that ICMP
doesn't have ports.  What has happened is that it has looked at the place in
a UDP packet where the port would be (first 16 bits are source port, next 16
dest), and misinterpreted the first 16 bits of ICMP header (8 bits of type,
8 bits of sub-code).  So if it's showing a "source port" of zero, that means
it's really ICMP type 0, code 0.  Type 0 is "echo reply" - you're looking at
the response packet for an ICMP type 8 (Echo).  Somebody at your site pinged
the source of the packet, and it's responding.
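
The misreading described in the reply above, as an added example that is not part of the original thread: the same four bytes of an ICMP header are decoded first as a port-only logger would, then with the IP protocol number taken into account. The function names and the sample echo/echo-reply messages are constructed for illustration.

```python
import struct

ICMP, TCP, UDP = 1, 6, 17  # IANA IP protocol numbers


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample: ICMP echo (type 8) or echo reply (type 0), code 0."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def naive_ports(l4: bytes) -> tuple:
    """Port-only logger: treats the first 4 bytes after the IP header as ports."""
    return struct.unpack("!HH", l4[:4])


def describe(ip_proto: int, l4: bytes) -> dict:
    """Protocol-aware decode: only TCP and UDP carry port numbers."""
    if ip_proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": ip_proto, "sport": sport, "dport": dport}
    if ip_proto == ICMP:
        icmp_type, code, csum = struct.unpack("!BBH", l4[:4])
        return {"proto": "icmp", "type": icmp_type, "code": code, "checksum": csum}
    return {"proto": ip_proto}


if __name__ == "__main__":
    for name, icmp_type in (("echo request", 8), ("echo reply", 0)):
        msg = build_icmp_echo(icmp_type, ident=0x1234, seq=1, payload=b"constructed-ping")
        print(name, "naive ports:", naive_ports(msg), "decoded:", describe(ICMP, msg))
```

In the naive reading the "source port" is the ICMP type and code packed into 16 bits, and the "destination port" is the ICMP checksum.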

