SANS ISC: ICMP Messages: Original Datagram Field - SANS Internet Storm Center
ICMP Messages: Original Datagram Field

I received a couple of private messages regarding my diary entry "TShark & Multiple IP Addresses" and video "Video: TShark & Multiple IP Addresses".

The point raised in those messages: the ICMP packets do not actually contain a complete IP packet, only a part of it.

RFC 792 states that the destination unreachable message contains only the IP header and the first 8 bytes of the original datagram's payload, which for TCP means the source and destination ports and the sequence number:

That is not the case in my example:

The full TCP packet is included, 32 bytes long.

RFC 792 is more than 40 years old, and has been updated several times since.

For example, in RFC 4884, you can find this:

In a nutshell: include as many bytes from the original datagram as possible, without risking fragmentation.

And for a TCP SYN packet, like in my example, that is no problem at all.
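To make the difference between the two behaviours concrete, here is an added Python example (not code from the diary or from TShark) that parses an ICMP Destination Unreachable message, validates its checksum, and reports how much of the original datagram was quoted: the 8-byte RFC 792 minimum versus a full TCP header. It also honours the RFC 4884 length field (octet 5 of the ICMP header, in 32-bit words; 0 means the original datagram field simply runs to the end of the message). The two sample messages, addresses and ports are constructed for the example.

```python
import socket
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (header checksum left 0; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """Constructed 32-byte TCP SYN: 20-byte base header plus 12 bytes of options."""
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 8 << 4, 0x02, 64240, 0, 0)
    options = bytes([2, 4, 0x05, 0xB4,   # MSS 1460
                     1,                  # NOP
                     3, 3, 7,            # window scale 7
                     1, 1,               # NOP, NOP
                     4, 2])              # SACK permitted
    return base + options


def build_icmp_unreachable(original: bytes, quoted_len: int, code: int = 3,
                           set_rfc4884_length: bool = False) -> bytes:
    """Type 3 ICMP message quoting the first quoted_len bytes of the original datagram."""
    quoted = original[:quoted_len]
    length_words = len(quoted) // 4 if set_rfc4884_length else 0
    header = struct.pack("!BBHBBH", 3, code, 0, 0, length_words, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHBBH", 3, code, csum, 0, length_words, 0) + quoted


def parse_icmp_unreachable(msg: bytes) -> dict:
    """Extract the embedded IP header and measure how much transport data was quoted."""
    icmp_type, code, _csum, _unused, length_words, _unused2 = struct.unpack("!BBHBBH", msg[:8])
    if icmp_type != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    if icmp_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    # RFC 4884: a non-zero length field bounds the original datagram field; 0 is legacy.
    original = msg[8:] if length_words == 0 else msg[8:8 + length_words * 4]
    ihl = (original[0] & 0x0F) * 4
    proto = original[9]
    transport = original[ihl:]
    info = {
        "icmp_code": code,
        "src": socket.inet_ntoa(original[12:16]),
        "dst": socket.inet_ntoa(original[16:20]),
        "proto": proto,
        "quoted_transport_bytes": len(transport),
        "meets_rfc792_minimum": len(transport) >= 8,
        "full_tcp_header_quoted": False,
    }
    if proto == 6 and len(transport) >= 8:
        # The RFC 792 minimum of 8 bytes covers exactly ports and sequence number.
        sport, dport, seq = struct.unpack("!HHI", transport[:8])
        info.update(sport=sport, dport=dport, seq=seq)
        if len(transport) >= 13:
            tcp_header_len = (transport[12] >> 4) * 4
            info["tcp_header_len"] = tcp_header_len
            info["full_tcp_header_quoted"] = len(transport) >= tcp_header_len
    return info


# Constructed original datagram: TCP SYN 10.0.0.1:40000 -> 10.0.0.2:80
ORIGINAL = build_ipv4_header("10.0.0.1", "10.0.0.2", 20 + 32) + build_tcp_syn(40000, 80, 0x1A2B3C4D)
# Legacy router behaviour: IP header + 8 bytes only.
LEGACY_MSG = build_icmp_unreachable(ORIGINAL, 20 + 8)
# Modern behaviour (as in the diary): the whole 32-byte TCP SYN is quoted.
FULL_MSG = build_icmp_unreachable(ORIGINAL, len(ORIGINAL), set_rfc4884_length=True)

if __name__ == "__main__":
    for label, msg in (("RFC 792 minimum", LEGACY_MSG), ("full datagram", FULL_MSG)):
        print(label, parse_icmp_unreachable(msg))
```

Running it shows that the 8-byte quote still yields ports and sequence number, but `full_tcp_header_quoted` only becomes true when the quoted bytes reach the TCP data offset (32 bytes for this SYN), which is what the TShark dissector is relying on when it decodes TCP options inside the ICMP message.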


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Mar 12th 2022
