
Do ICMP packets have ports?

asked 2024-03-18 00:02:36 +0000

updated 2024-03-18 01:20:23 +0000

Chuckc

I noticed that Wireshark includes source and destination ports for some ICMP packets, which is weird since ICMP does not contain ports. Digging deeper with a custom decoder/parser that I built, I understand where this is coming from, but this is not correct. Sharing my parsed message:

    {"PatternID": "ICMP100", "TIMESTAMP": "2024-01-08T23:01:21.010651", "SMAC": "xx", "DMAC": "xx", "ETHERNET_TYPE": "ethertype IPv4 (0x0800)", "FRAME_LENGTH": "70", "TTL": "64", "FLAGS": "none", "PROTOCOL": "ICMP", "IPv4_LENGTH": "56", "SIP": "192.168.8.108", "DIP": "192.168.8.1", "ICM_DETAILS": "ICMP 192.168.8.108 udp port 15939 unreachable, length 36, (tos 0x0, ttl 64, id 13346, offset 0, flags [DF], proto UDP (17), length 123), 192.168.8.1.53 > 192.168.8.108.15939: [no cksum] [|domain]"}

Note: Wireshark has 53 and 15939 under the srcport and dstport columns respectively.


1 Answer


answered 2024-03-18 01:30:48 +0000

Chuckc

updated 2024-03-18 01:31:51 +0000

rfc792 - INTERNET CONTROL MESSAGE PROTOCOL

Destination Unreachable Message

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Those come from the Internet Header of the original UDP message that caused the "udp port 15939 unreachable".


Comments

True, but the way those values are displayed is a bit misleading, as they do not correspond to this specific packet's communication. That's my POV; am I right?

ammartosson ( 2024-03-18 02:01:06 +0000 )

As the IP addresses are not overwritten by the inner included IP header, I can see a benefit in not overwriting/filling the port columns when built-in columns are used (when using custom columns, one can use layers and/or occurrences to adjust what is displayed).

So if you would like to have this changed, you could add an Issue at our Gitlab repository and mark it either as bug or as enhancement request (I would opt for the enhancement request).

SYN-bit ( 2024-03-18 06:44:50 +0000 )

Chuckc ( 2024-03-18 09:54:53 +0000 )

SYN-bit, the IP addresses are indeed not overwritten; however, if you take a closer look you will find the src and dst ports are flipped. For instance, the Internet Header part shows 192.168.8.1.53 > 192.168.8.108.15939, whereas the ICMP packet itself has src IP 192.168.8.108 and dst IP 192.168.8.1. So, in my point of view, the whole thing of adding ports to the packet itself is a little misleading and misinterpreted. "19713: ICMP ports display" is a ticket I opened, but I guess my point was not clearly delivered, since it is closed. Will try again though.

ammartosson ( 2024-03-18 10:43:47 +0000 )

This is not unique to ICMP. Some protocol layers set addresses, some set ports. The ones that set addresses do not, as a rule, clear the ports and set them to the NONE type. This can also happen if, for example, someone has 802.11 traffic encapsulated in TCP or UDP, or MPLS traffic, or M3UA and other telco protocols over SCTP (which has ports).

The port columns indicate the last set ports in the frame. The address columns indicate the last set addresses. It is inaccurate to assume that they must be related. There are more types of addresses than just IP addresses, and it would lose useful data to clear the port columns. (Yes, there are some issues with tunneling and Follow Stream, for instance.)

I think that most people disagree with your opinion, but you always can remove the columns that display the "last set address" and ...(more)

johnthacker ( 2024-03-18 15:35:15 +0000 )
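The following is an added example, not code from the thread or from Wireshark: it parses an IPv4/ICMP Destination Unreachable packet the way RFC 792 lays it out, pulling the ports out of the quoted "Internet Header + 64 bits" and checking whether the quoted flow runs opposite to the outer packet, which is the flipped-direction effect discussed in the comments. The packet bytes are constructed here to mirror the question (192.168.8.1:53 -> 192.168.8.108:15939, ident 13346, IP length 123, outer length 56); the checksums and helper names are my own, not anything the page specifies.

```python
import struct
from ipaddress import IPv4Address

def ipv4_header(src, dst, proto, total_len, ident=0, ttl=64):
    """20-byte IPv4 header with DF set; header checksum left 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used for the ICMP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_unreachable(ip_pkt):
    """Split an IPv4/ICMP type 3 packet into the outer addresses and the quoted
    inner header, and report whether the quoted flow is the reverse of the outer one."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    icmp = ip_pkt[ihl:]
    if icmp[0] != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    inner = icmp[8:]                      # skip type, code, checksum, unused
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]   # the "64 bits of Original Data Datagram"
    sport, dport = struct.unpack("!HH", l4[:4])   # UDP (and TCP) begin with the ports
    outer = (str(IPv4Address(ip_pkt[12:16])), str(IPv4Address(ip_pkt[16:20])))
    quoted = (str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20])))
    return {
        "outer": outer, "code": icmp[1], "quoted_proto": inner[9],
        "quoted": quoted, "quoted_ports": (sport, dport),
        # the quoted datagram travelled the other way, so its ports are not
        # the ports of the ICMP packet itself
        "quoted_flow_reversed": quoted == outer[::-1],
    }

# Constructed sample mirroring the question: a DNS reply 192.168.8.1:53 ->
# 192.168.8.108:15939 answered with ICMP type 3 code 3 (port unreachable).
ORIGINAL = ipv4_header("192.168.8.1", "192.168.8.108", 17, 123, ident=13346) \
    + struct.pack("!HHHH", 53, 15939, 103, 0)        # UDP header, no checksum
body = struct.pack("!BBHI", 3, 3, 0, 0) + ORIGINAL[:28]  # IP header + 8 bytes of UDP
ICMP_MSG = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
SAMPLE = ipv4_header("192.168.8.108", "192.168.8.1", 1, 20 + len(ICMP_MSG)) + ICMP_MSG

if __name__ == "__main__":
    print(parse_icmp_unreachable(SAMPLE))
```

The quoted UDP header is exactly the 8 bytes RFC 792 requires, which is why a port-unreachable message always carries both ports of the original datagram, reported from the original sender's point of view.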
