That's ICMP traffic...PROTO=1
--- Description
The data received (a timestamp) in the message is returned in the
reply together with an additional timestamp. The timestamp is 32
bits of milliseconds since midnight UT. One use of these
timestamps is described by Mills [5].
The Originate Timestamp is the time the sender last touched the
message before sending it, the Receive Timestamp is the time the
echoer first touched it on receipt, and the Transmit Timestamp is
the time the echoer last touched the message on sending it.
If the time is not available in milliseconds or cannot be provided
with respect to midnight UT then any time can be inserted in a
timestamp provided the high order bit of the timestamp is also set
to indicate this non-standard value.
The identifier and sequence number may be used by the echo sender
to aid in matching the replies with the requests. For example,
the identifier might be used like a port in TCP or UDP to identify
a session, and the sequence number might be incremented on each
request sent. The destination returns these same values in the
reply.
Code 0 may be received from a gateway or a host.
---
Taken from
http://www.cis.ohio-state.edu/htbin/rfc/rfc792.html
Be sure to check us out at http://infosec.20m.com
_________________________________________________
On Wed, 12 July 2000, geoffrey wrote:
>
> I have some odd traffic coming off a fellow admin's firewall. It is going
> from port 8 of the firewall to port 0 on another of his machines. I know 0
> is an old unix broadcast port, but what is on 8? Here is a log snippet:
>
> Jul 12 06:26:29 polk kernel: Packet log: input DENY eth0 PROTO=1
> +111.222.111.2:8 111.222.111.5:0 L=60 S=0x00 I=8960 F=0x0000 T=31 (#21)
>
> Can anyone enlighten me? I know the packets are getting denied, but I
> would like to know what is going on here. I really need to better learn
> how to read syslog. It appears that his network has been compromised, but
> I don't know how, or for what purpose. Oh, the firewall is a Linux box
> using ipchains. Thanks.
>
> geoffrey
> +++++++++++++++++++++++++++++++++++
> Santa Claus,
> the Tooth Fairy,
> Windows 2000 ...
> Some things you just outgrow.
> ++++++++++++++++++++++++++++++++++
>
> Key fingerprint ===> E8E2 1EC4 6640 1F9A 5A09 0DB6 FC5E BDAA D9CB 6F04
> Public key available upon request.
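
An added example, not part of either message: a small Python parser for the ipchains log line quoted above. It relies on the ipchains logging convention that for PROTO=1 (ICMP) the two "port" fields carry the ICMP type and code; the type names are from RFC 792, and treating the leading `+` as a line-wrap marker is an assumption.

```python
import re

# ICMP message types defined in RFC 792.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
}

# ipchains "Packet log" layout: chain, action, interface, protocol number,
# src:port, dst:port, L=length, S=TOS, I=IP ID, F=frag flags/offset, T=TTL.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) \+?(?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>\S+) "
    r"I=(?P<ip_id>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+)"
)

# The log entry from the quoted message, kept wrapped as it was posted.
SAMPLE = """Jul 12 06:26:29 polk kernel: Packet log: input DENY eth0 PROTO=1
+111.222.111.2:8 111.222.111.5:0 L=60 S=0x00 I=8960 F=0x0000 T=31 (#21)"""


def parse_ipchains(line):
    """Return a dict of fields, or None if the line is not a packet log."""
    # Collapse the mail client's wrapping (assumed) back into one line.
    m = LOG_RE.search(" ".join(line.split()))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    if rec["proto"] == 1:
        # ICMP has no ports: ipchains prints type and code in those slots.
        rec["icmp_type"] = rec.pop("sport")
        rec["icmp_code"] = rec.pop("dport")
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], "not in RFC 792")
    return rec


if __name__ == "__main__":
    r = parse_ipchains(SAMPLE)
    print(f'{r["src"]} -> {r["dst"]}: ICMP type {r["icmp_type"]} '
          f'({r["icmp_name"]}), code {r["icmp_code"]}, TTL {r["ttl"]}')
```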