On Sun, 30 Dec 2001, Richard Gilman wrote:

> I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and
> destined to our name servers.

Which is Destination Unreachable, Communication Administratively Prohibited

> While doing a tcpdump I see no outbound
> packets with a destination directed toward the sites sending the ICMP
> unreachable messages.

That may be because an intermediate device is the one sending the ICMP packets, i.e. a router in front of the address you are sending packets to. You might be sending DNS lookup requests to 1.2.3.4, but the router 2.3.4.5 in front of it may be the one blocking the traffic, and the source address of the ICMP packets you will get will be 2.3.4.5. That's one of the things I really dislike about ICMP.

Fortunately, the info you want is actually contained in the body of the ICMP packets. That will give you the source and destination addresses in the packet that was blocked. If you post a hex dump of one of the ICMP packets, someone can decode it for you.

(Apologies if you already knew this, and simply failed to indicate in your note.)

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
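
The decoding described in the reply above, as an added example that is not part of the original post: it reads a hex dump starting at the outer IP header and pulls the blocked packet's addresses and ports out of the ICMP body. The sample packet is constructed (192.0.2.53 stands in for the name server, checksums are zeroed and not verified).

```python
import ipaddress
import struct

# Constructed sample: router 2.3.4.5 reports (type 3, code 13) that it
# blocked a DNS query from 192.0.2.53 to 1.2.3.4. Checksums are zeroed.
SAMPLE = """
4500 0038 0000 0000 4001 0000 0203 0405 c000 0235
030d 0000 0000 0000
4500 003c 0000 0000 3f11 0000 c000 0235 0102 0304
8000 0035 0028 0000
"""

def parse_ipv4_header(buf):
    """Return (header_len, protocol, src, dst) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4          # header length, options included
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad or truncated IPv4 header")
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return ihl, buf[9], src, dst

def decode_icmp_unreachable(hex_dump):
    """Decode an ICMP Destination Unreachable packet given as hex text."""
    pkt = bytes.fromhex("".join(hex_dump.split()))
    ihl, proto, reporter, receiver = parse_ipv4_header(pkt)
    icmp = pkt[ihl:]
    if proto != 1 or len(icmp) < 8:
        raise ValueError("not an ICMP packet")
    if icmp[0] != 3:
        raise ValueError("not Destination Unreachable (type 3)")
    # ICMP body after type, code, checksum and 4 unused bytes is the
    # IP header of the packet that was blocked plus its first 8 bytes.
    inner = icmp[8:]
    in_ihl, in_proto, orig_src, orig_dst = parse_ipv4_header(inner)
    result = {"reporter": reporter, "receiver": receiver, "code": icmp[1],
              "orig_proto": in_proto, "orig_src": orig_src, "orig_dst": orig_dst}
    ports = inner[in_ihl:in_ihl + 4]
    if in_proto in (6, 17) and len(ports) == 4:   # TCP or UDP
        result["sport"], result["dport"] = struct.unpack("!HH", ports)
    return result

if __name__ == "__main__":
    for key, value in decode_icmp_unreachable(SAMPLE).items():
        print(f"{key:10} {value}")
```

Comparing `reporter` with `orig_dst` shows whether the ICMP sender is the host that was contacted or a device in front of it.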
This archive was generated by hypermail 2b30 : Mon Dec 31 2001 - 09:10:45 PST