Results 1 to 4 of 4

Thread: Router Logs

  1. February 2nd, 2004, 09:27 PM #1
    gypsygeek
    gypsygeek is offline
    Banned
    Join Date
    Jul 2002
    Posts
    44

    Router Logs

    Hi there,

    I have a newbie question I was hoping to maybe find an answer here.

    I have alot of ICMP traffic in my routers logs and was hoping someone could tell me more about it : )

    Drop ICMP packet from WAN src:207.188.7.175:3 dst:216.xxx.xxx.xxx:3

    This is the one of the orginating IP...I assume coming in from PORT 3 and trying to come into PORTs 3, 10 13 on my router.


    *Edit*
    I am receiving alot of this traffic...that is why I have posted??
    I have never have seen this before.

    Can someone enlighten me ???

    GG
    Reply With Quote Reply With Quote
  2. February 2nd, 2004, 09:49 PM #2
    Tiger Shark
    Tiger Shark is offline
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Gypsy:

    ICMP does not have ports but rather types. The type indicates the message and the messages pertaining to each type can be found here.

    So type 3 is "Destination unreachable" and would therefore be a reply to an ICMP message your system sent out, (or someone is spoofing your IP address).

    Type 10 is a router solicitation = a system looking for a router to use IIRC.

    Type 13 id a Timestamp. I don;t recall ever seeing on of these so something may be a little awry.... anyone help me out here?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
    Reply With Quote Reply With Quote
  3. February 2nd, 2004, 10:07 PM #3
    tabich
    tabich is offline
    Member
    Join Date
    Dec 2003
    Posts
    43
    EDIT

    DOH, you beat me to it while I was looking up links for him..

    AFAIK, the "port" number listed in those firewall logs is not really the port number with ICMP as it would be with TCP or UDP. that "port" number is really the type of ICMP message recieved.

    ICMP type 3 == destination unreachable
    http://www.networksorcery.com/enp/pr.../icmp/msg3.htm

    ICMP type 10 == router solicitation
    http://www.networksorcery.com/enp/pr...icmp/msg10.htm

    ICMP type 13 == timestamp request
    http://www.networksorcery.com/enp/pr...icmp/msg13.htm

    The destination unreachables are not unusual at all, unless you happen to know for a fact that your machine/network is not sending any traffic to the ip which is unreachable, in which case it is probably a secondary affect of someone spoofing your IP for something or other. Or I suppose they could have been trying to find out how your machine would respond to unsolicited destination unreachables, I dont know really.

    The timestamp one seems a bit odd, but it might be normal traffic, I dont know.

    The router solicitation seems very odd, as from my brief look at info about it that is usually traffic meant for the local network, no idea why it would arrive at your machine over the internet.
    Reply With Quote Reply With Quote
  4. February 2nd, 2004, 10:44 PM #4
    gypsygeek
    gypsygeek is offline
    Banned
    Join Date
    Jul 2002
    Posts
    44
    Thank you so much for your responses.

    I am concerned as I am receiving ALOT of this in my logs from various IPs.

    Am continuing to investigate and appreciate your links....

    GG
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules