
[FW1] Need help understanding "snoop" output



Hello,

The last few days we've been seeing a lot of more-or-less random ping
traffic with an apparent source address of 207.88.240.101, as far as the
FW-1 firewall log shows. Using "snoop" on Solaris 2.6, I captured a few
packets, an example of which is below. I confess confusion. Note that
further down in the snoop output in the ICMP header section, an entirely
different address is listed, 194.102.91.1, with the above address showing up
in the IP header only. The address of 130.135.177.196 is on my LAN and is
the target of the probe.

So, the question I have: Can we tell from this where the packet originated?
If 207.88.240.101, it would appear to be from p10-0.edge1.pal-ca.us.xo.com
in a network formerly called CONCENTRIC.NET. If 194.102.91.1, then we're
talking about Bucharest, Romania. I'd really like to know which, if
possible, but do not know how to interpret the snoop output below.

Also, is there any way to discover this info and/or the "extra" IP address
from within FW-1 without resorting to snoop?

Thanks for any help,
Chuck Sterling

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 12:59:40.27
ETHER:  Packet size = 70 bytes
ETHER:  Destination = 8:0:20:c0:5f:c6, Sun
ETHER:  Source      = 0:10:7b:9e:d3:20,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         . .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 56 bytes
IP:   Identification = 0
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 248 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = ceba
IP:   Source address = 207.88.240.101, 207.88.240.101
IP:   Destination address = 130.135.177.196, 130.135.177.196
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 3 (Destination unreachable)
ICMP:  Code = 1 (Bad host)
ICMP:  Checksum = bcf5
ICMP:
ICMP:  [ subject header follows ]
ICMP:
ICMP:IP:   ----- IP Header -----
ICMP:IP:
ICMP:IP:   Version = 4
ICMP:IP:   Header length = 20 bytes
ICMP:IP:   Type of service = 0x00
ICMP:IP:         . .... = 0 (precedence)
ICMP:IP:         ...0 .... = normal delay
ICMP:IP:         .... 0... = normal throughput
ICMP:IP:         .... .0.. = normal reliability
ICMP:IP:   Total length = 40 bytes
ICMP:IP:   Identification = 28256
ICMP:IP:   Flags = 0x0
ICMP:IP:         .0.. .... = may fragment
ICMP:IP:         ..0. .... = last fragment
ICMP:IP:   Fragment offset = 0 bytes
ICMP:IP:   Time to live = 24 seconds/hops
ICMP:IP:   Protocol = 6 (TCP)
ICMP:IP:   Header checksum = e2bc
ICMP:IP:   Source address = 130.135.177.196, 130.135.177.196
ICMP:IP:   Destination address = 194.102.91.1, 194.102.91.1
ICMP:IP:   No options
ICMP:IP:
IP:
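The two addresses in the dump above are not contradictory once the ICMP error layout (RFC 792) is kept in mind: the outer IP source is the router that generated the error, and the bytes after the 8-byte ICMP header are the first 28 bytes of the original datagram that triggered it (its IP header plus 8 payload bytes, here the TCP ports and sequence number). The decoder below is an added example, not part of the original post; the sample packet rebuilds both IP headers from the snoop fields shown (the header checksums ceba and e2bc verify against them), while the trailing 8 TCP bytes are constructed because snoop did not print them.

```python
import struct
from ipaddress import IPv4Address

# ICMP types that carry the offending datagram after their 8-byte header (RFC 792)
ICMP_ERROR_TYPES = {3: "Destination unreachable", 4: "Source quench",
                    5: "Redirect", 11: "Time exceeded", 12: "Parameter problem"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(buf: bytes, off: int = 0):
    """Parse one IPv4 header at `off`; return (fields, offset of its payload)."""
    vihl, _tos, tlen, ident, _ff, ttl, proto, csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    if inet_checksum(buf[off:off + ihl]) != 0:
        raise ValueError("bad IP header checksum")
    return {"len": tlen, "id": ident, "ttl": ttl, "proto": proto, "csum": csum,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}, off + ihl

def decode_icmp_error(pkt: bytes) -> dict:
    """Who sent the ICMP error, and which original datagram it quotes."""
    outer, off = parse_ipv4(pkt)
    if outer["proto"] != 1:
        raise ValueError("not ICMP")
    itype, icode = struct.unpack_from("!BB", pkt, off)
    if itype not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d carries no embedded datagram" % itype)
    inner, ioff = parse_ipv4(pkt, off + 8)          # quoted original IP header
    ports = struct.unpack_from("!HH", pkt, ioff) if inner["proto"] in (6, 17) else (None, None)
    return {"reporter": outer["src"], "reported_to": outer["dst"], "icmp": (itype, icode),
            "original_src": inner["src"], "original_dst": inner["dst"],
            "original_proto": inner["proto"], "original_sport": ports[0], "original_dport": ports[1]}

# Constructed sample: IP header fields copied from the snoop output; TCP bytes are made up.
OUTER_IP = bytes.fromhex("45000038 00000000 f801ceba cf58f065 8287b1c4")  # 207.88.240.101 -> 130.135.177.196
INNER_IP = bytes.fromhex("45000028 6e600000 1806e2bc 8287b1c4 c2665b01")  # 130.135.177.196 -> 194.102.91.1
TCP8 = bytes.fromhex("04d20050 00000001")  # constructed: sport 1234, dport 80, seq 1

def build_sample() -> bytes:
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + INNER_IP + TCP8   # type 3, code 1, checksum 0
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return OUTER_IP + icmp

if __name__ == "__main__":
    for k, v in decode_icmp_error(build_sample()).items():
        print(f"{k:>15}: {v}")
```

Run against a live capture (e.g. bytes read from a pcap), the same function separates the reporting router from the quoted original sender and destination, which is the distinction the snoop labels blur.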