Security Basics mailing list archives
RE: PROTO=TCP INCOMPLETE
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 22 Dec 2003 15:40:25 -0800
ICMP type 3 is "Destination Unreachable". You're being advised of that by the router at 81.36.93.118.

Many ICMP packets usually include the first N bytes of the packet which elicited the ICMP response. In this case, it was a TCP packet addressed to 192.168.0.2 (which explains why the destination is unreachable...); the N bytes returned don't turn out, in this case, to include as much of the header as the logging process would be willing to decode, such as the source and destination port numbers -- hence the "incomplete".

In sum: Router 81.36.93.118 believes it received a packet from your network addressed to 192.168.0.2. Its notification to you that it doesn't have a way to deliver that packet (expected per RFC 1918) doesn't happen to include the full TCP header of the bogus packet.

David Gillett

-----Original Message-----
From: Rodrigo B. Ramos [mailto:rodrigo.ramos () triforsec com br]
Sent: December 22, 2003 12:29
To: security-basics () securityfocus com
Subject: PROTO=TCP INCOMPLETE

Can anyone explain the log below to me?

Dec 22 08:44:31 TFSWEB kernel: INVALID: IN=ppp0 OUT= MAC= SRC=81.36.93.118 DST=xxx.xxx.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=136 ID=6618 PROTO=ICMP TYPE=3 CODE=1 [SRC=xxx.xxx.xxx.xxx DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=45750 DF PROTO=TCP INCOMPLETE [8 bytes] ]

Best regards,
Rodrigo Ramos
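
The following is an added example, not part of the original thread: a small Python triage routine that splits a netfilter log line of this shape into the outer ICMP error and the bracketed packet it quotes, and reports whether the quoted destination is an RFC 1918 address. The function names and the 203.0.113.10 address standing in for the masked xxx.xxx.xxx.xxx are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the log line from the post, with the masked
# xxx.xxx.xxx.xxx address replaced by the documentation address 203.0.113.10.
SAMPLE = (
    "Dec 22 08:44:31 TFSWEB kernel: INVALID: IN=ppp0 OUT= MAC= "
    "SRC=81.36.93.118 DST=203.0.113.10 LEN=56 TOS=0x00 PREC=0x00 TTL=136 "
    "ID=6618 PROTO=ICMP TYPE=3 CODE=1 [SRC=203.0.113.10 DST=192.168.0.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=45750 DF PROTO=TCP "
    "INCOMPLETE [8 bytes] ]"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S*)")
INCOMPLETE = re.compile(r"INCOMPLETE \[(\d+) bytes\]")


def fields(text):
    """Return the KEY=value pairs of one packet description as a dict."""
    return dict(KV.findall(text))


def triage(line):
    """Split a log line into the outer ICMP error and the packet it quotes."""
    outer_text, sep, rest = line.partition("[SRC=")
    outer = fields(outer_text)
    if outer.get("PROTO") != "ICMP" or not sep:
        return None  # not an ICMP error that quotes another packet
    inner = fields("SRC=" + rest)
    m = INCOMPLETE.search(rest)
    dst = ipaddress.ip_address(inner["DST"])
    return {
        "reporting_router": outer["SRC"],
        "icmp": (int(outer["TYPE"]), int(outer["CODE"])),  # (3, 1): host unreachable
        "original_src": inner["SRC"],
        "original_dst": inner["DST"],
        "original_proto": inner.get("PROTO"),
        "quoted_l4_bytes": int(m.group(1)) if m else None,
        "dst_is_rfc1918": any(dst in net for net in RFC1918),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `dst_is_rfc1918` set means the quoted packet left the local network addressed to private space, so `original_src` is the host to look at on your own side.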