[FW1] Need help understanding "snoop" output
Hello,

The last few days we've been seeing a lot of more-or-less random ping traffic with an apparent source address of 207.88.240.101, as far as the FW-1 firewall log shows. Using "snoop" on Solaris 2.6, I captured a few packets, an example of which is below. I confess confusion. Note that further down in the snoop output in the ICMP header section, an entirely different address is listed, 194.102.91.1, with the above address showing up in the IP header only. The address of 130.135.177.196 is on my LAN and is the target of the probe.

So, the question I have: Can we tell from this where the packet originated? If 207.88.240.101, it would appear to be from p10-0.edge1.pal-ca.us.xo.com in a network formerly called CONCENTRIC.NET. If 194.102.91.1, then we're talking about Bucharest, Romania. I'd really like to know which, if possible, but do not know how to interpret the snoop output below.

Also, is there any way to discover this info and/or the "extra" ip address from within FW-1 without resorting to snoop?

Thanks for any help,

Chuck Sterling

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 12:59:40.27
ETHER: Packet size = 70 bytes
ETHER: Destination = 8:0:20:c0:5f:c6, Sun
ETHER: Source = 0:10:7b:9e:d3:20,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: . .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 56 bytes
IP: Identification = 0
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 248 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = ceba
IP: Source address = 207.88.240.101, 207.88.240.101
IP: Destination address = 130.135.177.196, 130.135.177.196
IP: No options
IP:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 3 (Destination unreachable)
ICMP: Code = 1 (Bad host)
ICMP: Checksum = bcf5
ICMP:
ICMP: [ subject header follows ]
ICMP:
ICMP:IP: ----- IP Header -----
ICMP:IP:
ICMP:IP: Version = 4
ICMP:IP: Header length = 20 bytes
ICMP:IP: Type of service = 0x00
ICMP:IP: . .... = 0 (precedence)
ICMP:IP: ...0 .... = normal delay
ICMP:IP: .... 0... = normal throughput
ICMP:IP: .... .0.. = normal reliability
ICMP:IP: Total length = 40 bytes
ICMP:IP: Identification = 28256
ICMP:IP: Flags = 0x0
ICMP:IP: .0.. .... = may fragment
ICMP:IP: ..0. .... = last fragment
ICMP:IP: Fragment offset = 0 bytes
ICMP:IP: Time to live = 24 seconds/hops
ICMP:IP: Protocol = 6 (TCP)
ICMP:IP: Header checksum = e2bc
ICMP:IP: Source address = 130.135.177.196, 130.135.177.196
ICMP:IP: Destination address = 194.102.91.1, 194.102.91.1
ICMP:IP: No options
ICMP:IP:
IP:
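As an added worked example, not part of the original post or of FW-1, here is a small Python parser that separates the two addresses in a capture like the one above. Per RFC 792, the outer IP source of an ICMP Destination Unreachable message is the node that generated the error, and the "subject header" after the 8-byte ICMP header is the header of the datagram that provoked it, i.e. a packet that 130.135.177.196 had sent toward 194.102.91.1. The sample bytes are constructed from the addresses, TTLs, identification and lengths in the snoop output; checksums are recomputed rather than copied from the capture.

```python
import socket
import struct
from typing import NamedTuple

IP_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, id, flags+frag, TTL, proto, csum, src, dst

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that already contains its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, ttl: int, ident: int, total_len: int) -> bytes:
    hdr = struct.pack(IP_HDR, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

class IcmpError(NamedTuple):
    reporter: str     # outer IP source: the node that generated the ICMP error
    reported_to: str  # outer IP destination: the host being told about it
    icmp_type: int
    icmp_code: int
    orig_src: str     # source of the datagram that triggered the error (quoted header)
    orig_dst: str     # where that datagram was headed
    orig_proto: int

def parse_icmp_error(pkt: bytes) -> IcmpError:
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("outer IP header checksum mismatch")
    *_, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if icmp[0] not in (3, 4, 5, 11, 12):  # RFC 792 error types that quote the offending datagram
        raise ValueError(f"ICMP type {icmp[0]} carries no quoted header")
    quoted = icmp[8:]                     # type/code/checksum plus 4 unused bytes precede it
    *_, qproto, _, qsrc, qdst = struct.unpack(IP_HDR, quoted[:20])
    ntoa = socket.inet_ntoa
    return IcmpError(ntoa(src), ntoa(dst), icmp[0], icmp[1], ntoa(qsrc), ntoa(qdst), qproto)

def snoop_sample() -> bytes:
    """Constructed packet using the addresses, TTLs, id and lengths from the snoop capture (56 bytes of IP)."""
    quoted = ipv4_header("130.135.177.196", "194.102.91.1", 6, 24, 28256, 40) + bytes(8)  # + 8 bytes of TCP
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted  # type 3, code 1, checksum placeholder, unused word
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header("207.88.240.101", "130.135.177.196", 1, 248, 0, 20 + len(icmp)) + icmp
```

Running parse_icmp_error(snoop_sample()) reports 207.88.240.101 as the node that sent the error and 194.102.91.1 only as the destination of the quoted datagram, which is the distinction the question is asking about.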