ICMP Messages: Original Datagram Field, (Sat, Mar 12th)

I received a couple of private messages regarding my diary entry “TShark & Multiple IP Addresses” and video “Video: TShark & Multiple IP Addresses“.

That the ICMP packets do not actually contain an IP packet, but just a part of it.

RFC 792 states that the destination unreachable message only contains the IP header and 8 bytes of the TCP header (that would be the source and destination port, and the sequence number):

That is not the case in my example:

The full TCP packet is included, 32 bytes long.

RFC 792 is more than 40 years old, and has been updated several times since.

For example, in RFC 4884, you can find this:

In a nutshell: include as many bytes from the original datagram as possible, without risking fragmentation.

And for a TCP SYN packet, like in my example, that is no problem at all.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

CyberSafe-WP-Admin