Subject: Re: ICMP and BlackICE (fwd)
From: James Robbins (robbins.7OSU.EDU)
Date: Fri Sep 08 2000 - 10:42:16 CDT
At 08:53 AM 9/8/00, Jim Wildman wrote:
>I've found that out as well. For instance, aggressive icmp blocking
>But which ones?
OK, here is the long answer. This is from a web page I'm trying
to set up which will show the packet formats in graphical format.
Sorry for the incompleteness of the information or for any errors.
If you see any corrections that need to be made please let me
know. I put this together just to try to get all the info of interest
to me in one spot.
Also, I should point out that blocking Echo doesn't do much good
when someone can use one of several other methods to see if
there is a machine active on a given address.
Anyway, here is the info with the graphics cut out:
ICMP DATAGRAM FORMAT:
(this is the data field in the IP datagram)
The contents of the Type Field are given in the following table:
Type Field    ICMP Datagram Type
    0         Echo Reply
    3         Destination Unreachable
    4         Source Quench
    5         Redirect (change a route)
    8         Echo Request
   11         Time Exceeded for a Datagram
   12         Parameter Problem on a Datagram
   13         Timestamp Request
   14         Timestamp Reply
   15         Information Request
   16         Information Reply
   17         Address Mask Request
   18         Address Mask Reply
Following are the specific ICMP Datagram formats for each type:
ECHO REQUEST / ECHO REPLY (Ping)
For Echo Request or Echo Reply the Code field is always 0. The Identifier
and Sequence Number fields are used to match up requests and replies. The
contents of the Optional Data field are returned to the sender unchanged by
This message is sent when a datagram cannot be delivered.
The Code field is given in the following table:
0 Network Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation needed and "Don't Fragment Bit" is set
5 Source Route Failed
The message also returns the header and first 64 bits of the datagram for
identification and error analysis.
SOURCE QUENCH (Datagram Flow Control)
If a machine cannot keep up with the rate that a source is sending datagrams,
it sends a Source Quench message to the sender to ask the sender to slow
down. Usually one Source Quench message is sent for every datagram that
must be discarded.
REDIRECT (Route Change Requests From Gateways)
This message is used to change routing tables in various machines.
The value of the Code field can be:
0 Redirect datagrams for the Net
1 Redirect datagrams for the Host
2 Redirect datagrams for the Type of Service and the Net
3 Redirect datagrams for the Type of Service and the Host
TIME EXCEEDED for a DATAGRAM
Sent when the Time To Live count of a datagram reaches zero and the machine
that is handling it discards it.
The Code field is set to:
0 for a time to live count exceeded error and
1 for a fragment reassembly time exceeded error.
This message is sent if a problem is encountered with an illegal value in a
The Pointer field points to the octet of the datagram header that caused
TIMESTAMP REQUEST / REPLY
The Identifier and Sequence Fields are used to associate specific replies
with the request that prompted them.
The Originator Timestamp field is filled in by the originator of the request.
The Receiver Timestamp is filled in immediately upon receipt of the request
at the destination.
The Transmitter Timestamp is filled in immediately before the destination
machine returns the reply.
INFORMATION REQUEST / REPLY (Obtaining a Network Address)
This message is somehow used to obtain the IP address of another machine on
the network. It is used as an alternative to RARP.
The Identifier and Sequence fields are used to associate specific requests
with their replies.
ADDRESS MASK REQUEST / REPLY
This message is used to obtain a subnet mask for the network. It may be
sent directly to the gateway or sent as a broadcast.
--
James A. Robbins
Senior Design Engineer, Network Engineer
The Ohio State University Chemistry Department
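
The following is an added example, not part of the original message: a small Python decoder for the ICMP layouts listed above, useful for checking what a filter or sensor is actually seeing on the wire. Field offsets and the header checksum follow RFC 792; the function names and sample packets are constructed for this illustration.

```python
import struct

# Type and code names as listed in the message above.
TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
         5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
         12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
         15: "Information Request", 16: "Information Reply",
         17: "Address Mask Request", 18: "Address Mask Reply"}
CODES = {3: ["Network Unreachable", "Host Unreachable", "Protocol Unreachable",
             "Port Unreachable", "Fragmentation needed, DF set",
             "Source Route Failed"],
         5: ["Net", "Host", "TOS and Net", "TOS and Host"],
         11: ["TTL exceeded", "Fragment reassembly time exceeded"]}
QUERIES = {0, 8, 13, 14, 15, 16, 17, 18}  # carry Identifier + Sequence Number
ERRORS = {3, 4, 5, 11, 12}                # quote the offending datagram

def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message (the data field of the IP datagram)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code = msg[0], msg[1]
    out = {"type": mtype, "name": TYPES.get(mtype, "Unknown"), "code": code,
           "checksum_ok": checksum(msg) == 0}  # valid messages sum to zero
    names = CODES.get(mtype, [])
    if names:
        out["code_name"] = names[code] if code < len(names) else "Unknown"
    if mtype in QUERIES:
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
    if mtype in (13, 14) and len(msg) >= 20:  # three 32-bit timestamps
        out["timestamps"] = struct.unpack("!III", msg[8:20])
    if mtype in ERRORS:
        out["quoted"] = msg[8:]  # IP header + first 64 bits of the datagram
    return out

def build(mtype: int, code: int, rest: bytes) -> bytes:
    """Assemble a constructed sample message with a valid checksum."""
    body = bytes([mtype, code, 0, 0]) + rest
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

ECHO = build(8, 0, struct.pack("!HH", 0x1234, 1) + b"abcdefgh")  # constructed
UNREACH = build(3, 3, bytes(4) + b"\x45" + bytes(27))  # constructed
```
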