
Revision history

Do ICMP packets have ports?

I noticed that Wireshark includes source and destination ports for some ICMP packets which is weird for ICMP to contain ports. Digging deeper with a custom decoder/parser that I built, I understand where this is coming from but this is not correct. Sharing my parsed message: {"PatternID": "ICMP100", "TIMESTAMP": "2024-01-08T23:01:21.010651", "SMAC": "xx", "DMAC": "xx", "ETHERNET_TYPE": "ethertype IPv4 (0x0800)", "FRAME_LENGTH": "70", "TTL": "64", "FLAGS": "none", "PROTOCOL": "ICMP", "IPv4_LENGTH": "56", "SIP": "192.168.8.108", "DIP": "192.168.8.1", "ICM_DETAILS": "ICMP 192.168.8.108 udp port 15939 unreachable, length 36, (tos 0x0, ttl 64, id 13346, offset 0, flags [DF], proto UDP (17), length 123), 192.168.8.1.53 > 192.168.8.108.15939: [no cksum] [|domain]"}

#Note: Wireshark has 53 and 15939 under srcport and dstport columns respectively

Revision 2

Do ICMP packets have ports?

I noticed that Wireshark includes source and destination ports for some ICMP packets which is weird for ICMP to contain ports. Digging deeper with a custom decoder/parser that I built, I understand where this is coming from but this is not correct. Sharing my parsed message:

{"PatternID": "ICMP100", "TIMESTAMP": "2024-01-08T23:01:21.010651", "SMAC": "xx", "DMAC": "xx", "ETHERNET_TYPE": "ethertype IPv4 (0x0800)", "FRAME_LENGTH": "70", "TTL": "64", "FLAGS": "none", "PROTOCOL": "ICMP", "IPv4_LENGTH": "56", "SIP": "192.168.8.108", "DIP": "192.168.8.1", "ICM_DETAILS": **"ICMP 192.168.8.108 udp port 15939 unreachable, length 36, (tos 0x0, ttl 64, id 13346, offset 0, flags [DF], proto UDP (17), length 123), 192.168.8.1.53 > 192.168.8.108.15939: [no cksum] [|domain]"**}

#Note: Wireshark has 53 and 15939 under srcport and dstport columns respectively
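
The ICM_DETAILS string in the question shows a port-unreachable message quoting the UDP datagram that triggered it (192.168.8.1.53 > 192.168.8.108.15939); the ICMP header itself has only type, code and checksum. The following is an added example, not part of the original post or of Wireshark's code, that reads the ports out of that quoted datagram; `build_sample` and `quoted_ports` are hypothetical names and the packet bytes are constructed from the values in the post.

```python
import socket
import struct

# ICMP error types whose body quotes the offending datagram (RFC 792).
ERROR_TYPES = {3, 4, 5, 11, 12}

def build_sample():
    """Constructed 36-byte ICMP message modelled on the capture in the question."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0)  # type 3, code 3; checksum left at 0
    quoted_ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 123, 13346, 0x4000, 64, 17, 0,
        socket.inet_aton("192.168.8.1"), socket.inet_aton("192.168.8.108"))
    quoted_udp = struct.pack("!HHHH", 53, 15939, 103, 0)
    return icmp + quoted_ip + quoted_udp

def quoted_ports(icmp):
    """Return addresses/ports of the datagram quoted in an ICMP error, else None."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp[0] not in ERROR_TYPES:
        return None  # e.g. echo request/reply: nothing quoted, so no ports
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (inner[0] & 0x0F) * 4
    proto, l4 = inner[9], inner[ihl:]
    if ihl < 20 or proto not in (6, 17) or len(l4) < 4:
        return None  # quoted protocol has no ports, or they were cut off
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"icmp_type": icmp[0], "icmp_code": icmp[1], "proto": proto,
            "src": socket.inet_ntoa(inner[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(inner[16:20]), "dport": dport}

if __name__ == "__main__":
    print(quoted_ports(build_sample()))
```

For flow correlation or detection rules, these values describe the original UDP flow that the error refers to, not a port on the ICMP packet.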