Darren, my apologies. ;]

Darren Bounds wrote:
> Adriel,
>
> I was replying to Dude VanWinkle, who's been chasing down the src/dst
> port 0 unnecessarily.
>
> On 8/15/06, Adriel T. Desautels <[EMAIL PROTECTED]> wrote:
>>
>> Darren,
>> I did notice what type of packet it was and I also know what the
>> packet signifies. The issue that I am having is that there has never
>> been any outbound UDP activity to the host that is replying to this
>> network. The payloads of the ICMP packets are a bit weird too,
>> containing either X'es or |'s or encoded strings. What I am trying to
>> figure out is if anyone here recognizes these types of payloads and
>> knows what could be generating them?
>>
>> so just to be clear...
>>
>> I want info about the payload not about ICMP!
>>
>> Darren Bounds wrote:
>> > Dude,
>> >
>> > In case you've failed to notice, this is an ICMP port unreachable
>> > message. It's sent in response to a UDP packet destined for an
>> > unavailable UDP port. The port '0' referenced in the event
>> > source/destination is meaningless as ICMP doesn't use source and
>> > destination ports (it is always '0').
>> >
>> > The payload of the ICMP unreachable message contains original IP
>> > header (of the initial UDP packet) and at least 64 bits (8 bytes)
>> > of original data datagram. The size of data echoed will vary
>> > depending on the implementation.
>> >
>> > On 8/15/06, Dude VanWinkle <[EMAIL PROTECTED]> wrote:
>> >>
>> >> On 8/15/06, Julio Cesar Fort <[EMAIL PROTECTED]> wrote:
>> >> > Dude VanWinkle,
>> >> >
>> >> > > <snip>
>> >> > > -----------------------------
>> >> > > Looks to me like they are using port 0.
>> >> > > http://www.grc.com/port_0.htm
>> >> > > -JP
>> >> >
>> >> > *NEVER TRUST* Steve Gibson. I bet he smokes crack. See
>> >> > http://attrition.org/errata/charlatan.html#gibson for more details.
>> >>
>> >> thanks for the tip!
>> >>
>> >> Still, I can't seem to help but think there is something to this
>> >> port 0 thingy
>> >>
>> >> http://www.networkpenetration.com/port0.html
>> >>
>> >> <snip>
>> >>
>> >> 3. Port 0 OS Fingerprinting
>> >> ---------------------------
>> >> As port 0 is reserved for special use as stated in RFC 1700. Coupled
>> >> with the fact that this port number is reassigned by the OS, no
>> >> traffic should flow over the internet using this port. As the
>> >> specifics are not clear different OS's have different ways of
>> >> handling traffic using port 0 thus they can be fingerprinted.
>> >>
>> >> --------------------------------------------
>> >>
>> >> I guess that is just a reaction to traffic and not actual traffic via
>> >> port 0, but still nifty info
>> >>
>> >> -JP
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> --
>>
>> Regards,
>> Adriel T. Desautels
>> SNOsoft Research Team
>> Office: 617-924-4510 || Mobile : 857-636-8882
>>
>> ----------------------------------------------
>> Vulnerability Research and Exploit Development
>>
>> BullGuard Anti-virus has scanned this e-mail and found it clean.
>> Try BullGuard for free: www.bullguard.com

--

Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882

----------------------------------------------
Vulnerability Research and Exploit Development
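
The payload layout described in the quoted reply above (original IP header plus at least 8 bytes of the original datagram), as an added example that is not part of the original thread: a parser that recovers the addresses and UDP ports of the packet an ICMP port unreachable message claims to answer, and separates out any bytes echoed beyond the first 8. The function names and the sample packet are assumptions constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_port_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 / code 3 message, starting at the ICMP header."""
    if len(icmp) < 8 or (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not an ICMP port unreachable message")
    quoted = icmp[8:]                      # bytes 4-7 of the ICMP header are unused
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4           # quoted header may carry IP options
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram shorter than IP header + 8 bytes")
    info = {
        "checksum_ok": inet_checksum(icmp) == 0,   # valid message sums to zero
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
        "extra": quoted[ihl + 8:],         # echoed beyond 8 bytes; size varies by sender
    }
    if info["orig_proto"] == 17:           # UDP: ports are the first 4 quoted bytes
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info

def build_sample() -> bytes:
    """Constructed sample: error for a UDP packet 192.0.2.10:40000 -> 198.51.100.7:161."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    udp = struct.pack("!HHHH", 40000, 161, 12, 0) + b"XXXX"
    body = b"\x00" * 4 + ip + udp
    csum = inet_checksum(bytes([3, 3, 0, 0]) + body)
    return struct.pack("!BBH", 3, 3, csum) + body

if __name__ == "__main__":
    for key, value in parse_port_unreachable(build_sample()).items():
        print(key, value)
```

Comparing `orig_src` and `sport` against local flow records shows whether the quoted UDP packet was ever sent by the host the error was delivered to.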