[scg-sec] Netflow collection
Wendy Garvin
wgarvin at cisco.com
Fri Aug 13 15:03:51 EDT 2004
Folks,
Here's how you'd identify an ICMP type 8 message - it's not the straight hex
mapping of the type, it's a user readable hack:
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0800 1
                                                 ^^
first two digits, type 8                         ||^^
second two digits map to code                      ||
So source quench is type 4, code 0 which is what we might expect to see if
someone is trying to test malware (without knowing that J&C aren't hit):
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0400 1
I'd also recommend looking for type 3, all codes 'til we get a handle on
this. We know of problems with code 2 and 4, protocol unreachable and pMTU:
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0302 1
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0304 1
I'm not sure Juniper handles it in the same way.
-Wendy
--
Wendy Garvin - Cisco PSIRT - 408 525-1888 CCIE# 6526
----------------------------------------------------
http://www.cisco.com/go/psirt
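Added example, not part of the original message: a small parser that applies the type/code reading described above to flow-cache lines and picks out the ICMP types the message suggests watching (type 3, all codes, and type 4). The column order (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts) is assumed from the sample lines, the function names are hypothetical, and the input is constructed from the lines in the message plus one TCP flow and a header row.

```python
import re

# Constructed sample in the column layout of the message's lines:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0800 1
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0400 1
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0302 1
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 01 0000 0304 1
PO1/1/0 172.16.156.1 Gi8/0/0 192.168.0.1 06 0401 0050 12
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<srcp>[0-9A-Fa-f]{4})\s+(?P<dstp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+[KM]?)\s*$"
)

# Type 3 (all codes) and type 4 (source quench), as the message recommends.
WATCH_TYPES = {3, 4}


def decode_icmp(line):
    """Return (src, dst, icmp_type, icmp_code, pkts) for an ICMP flow, else None."""
    m = FLOW_RE.match(line.strip())
    if not m or m["pr"] != "01":  # Pr 01 is ICMP; skip headers and other protocols
        return None
    dstp = m["dstp"]
    # First two digits are the type, second two the code. Parsed as hex here;
    # for the types in the message (3, 4, 8) hex and decimal read the same.
    return m["src"], m["dst"], int(dstp[:2], 16), int(dstp[2:], 16), m["pkts"]


def watched_flows(text, types=WATCH_TYPES):
    """Collect decoded ICMP flows whose type is in the watch set."""
    hits = []
    for line in text.splitlines():
        flow = decode_icmp(line)
        if flow and flow[2] in types:
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for src, dst, icmp_type, icmp_code, pkts in watched_flows(SAMPLE):
        print(f"{src} -> {dst} ICMP type {icmp_type} code {icmp_code} pkts {pkts}")
```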