Security Basics mailing list archives

RE: PROTO=TCP INCOMPLETE


From: Fernando Gont <fernando () gont com ar>
Date: Wed, 31 Dec 2003 17:16:16 -0300

At 15:40 22/12/2003 -0800, David Gillett wrote:

  ICMP type 3 is "Destination Unreachable".  You're being advised
of that by the router at 81.36.93.118.
  Many ICMP packets usually include the first N bytes of the packet
which elicited the ICMP response.  In this case, it was a TCP packet
addressed to 192.168.0.2 (which explains why the destination is
unreachable...); the N bytes returned don't turn out, in this
case, to include as much of the header as the logging process
would be willing to decode, such as the source and destination
port numbers -- hence the "incomplete".

The source and destination port numbers *are* included. Note that the first 8 bytes of the TCP header are included in the ICMP message. Thus, both the source and destination port numbers are available.

I guess the logger expected to have a look at the flags field... that's why it said "PROTO=TCP INCOMPLETE".


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
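
The point made in the reply above, as an added example that is not part of the original post: a parser for the packet fragment quoted inside an ICMP error, showing that the 8 quoted TCP bytes carry both ports and the sequence number but stop short of the flags byte. The sample message is constructed; only 192.168.0.2 comes from the thread, while the ICMP code, source address, ports and sequence number are assumptions.

```python
import struct

def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP error and the fragment of the offending packet it quotes."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    quoted = icmp[8:]              # skip type, code, checksum and 4 unused bytes
    if len(quoted) < 20:
        raise ValueError("quoted IP header missing")
    ihl = (quoted[0] & 0x0F) * 4   # quoted IP header length, options included
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("bad quoted IP header length")
    l4 = quoted[ihl:]              # whatever survives of the transport header
    info = {
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "proto": quoted[9],
        "src": ".".join(map(str, quoted[12:16])),
        "dst": ".".join(map(str, quoted[16:20])),
        "sport": None, "dport": None, "seq": None, "flags": None,
    }
    if info["proto"] == 6 and len(l4) >= 8:
        # RFC 792 only requires the IP header plus 64 bits of the original
        # datagram: for TCP that is source port, destination port, sequence.
        info["sport"], info["dport"], info["seq"] = struct.unpack("!HHI", l4[:8])
        # The flags sit at offset 13 of the TCP header, past the 8 quoted
        # bytes, so a logger that wants them sees an incomplete header.
        if len(l4) > 13:
            info["flags"] = l4[13]
    return info

# Constructed sample: ICMP type 3 quoting an IPv4 header and 8 bytes of TCP.
# Checksums are left at zero; the parser does not verify them.
_INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 5]), bytes([192, 168, 0, 2]))
_TCP_FIRST_8 = struct.pack("!HHI", 40000, 80, 0x01020304)
SAMPLE = struct.pack("!BBHI", 3, 1, 0, 0) + _INNER_IP + _TCP_FIRST_8

if __name__ == "__main__":
    for key, value in parse_icmp_error(SAMPLE).items():
        print(f"{key:10} {value}")
```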


