void handle_icmp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
{
unsigned type = parsed->port_src;
unsigned code = parsed->port_dst;
unsigned seqno_me;
//unsigned ip_me;
unsigned ip_them;
/*ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16
| parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;*/
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
seqno_me = px[parsed->transport_offset+4]<<24
| px[parsed->transport_offset+5]<<16
| px[parsed->transport_offset+6]<<8
| px[parsed->transport_offset+7]<<0;
switch (type) {
case 0: /* ICMP echo reply */
if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me)
return; /* not my response */
/*
* Report "open" or "existence" of host
*/
output_report_status(
out,
Port_IcmpEchoResponse,
ip_them,
0,
0,
0);
break;
case 3: /* destination unreachable */
switch (code) {
case 0: /* net unreachable */
case 1: /* host unreachable */
case 2: /* protocol unreachable */
break;
case 3: /* port unreachable */
if (length - parsed->transport_offset > 8) {
unsigned ip_me2, ip_them2, port_me2, port_them2;
int err;
err = parse_port_unreachable(
px + parsed->transport_offset + 8,
length - parsed->transport_offset + 8,
&ip_me2, &ip_them2, &port_me2, &port_them2);
if (err)
return;
if (!matches_me(out, ip_me2, port_me2))
return;
output_report_status(
out,
Port_UdpClosed,
ip_them2,
port_them2,
0,
px[parsed->ip_offset + 8]);
}
}
break;
default:
;
}
}
/***************************************************************************
* This is where we handle all incoming ICMP packets. Some of these packets
* will be due to scans we are doing, like pings (echoes). Some will
* be inadvertent, such as "destination unreachable" messages.
***************************************************************************/
void
handle_icmp(struct Output *out, time_t timestamp,
const unsigned char *px, unsigned length,
struct PreprocessedInfo *parsed)
{
unsigned type = parsed->port_src;
unsigned code = parsed->port_dst;
unsigned seqno_me;
unsigned ip_me;
unsigned ip_them;
unsigned cookie;
ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16
| parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
seqno_me = px[parsed->transport_offset+4]<<24
| px[parsed->transport_offset+5]<<16
| px[parsed->transport_offset+6]<<8
| px[parsed->transport_offset+7]<<0;
switch (type) {
case 0: /* ICMP echo reply */
cookie = (unsigned)syn_cookie(ip_them, Templ_ICMP_echo, ip_me, 0);
if ((cookie & 0xFFFFFFFF) != seqno_me)
return; /* not my response */
//if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me)
// return; /* not my response */
/*
* Report "open" or "existence" of host
*/
output_report_status(
out,
timestamp,
PortStatus_Open,
ip_them,
1, /* ip proto */
0,
0,
0);
break;
case 3: /* destination unreachable */
switch (code) {
case 0: /* net unreachable */
/* We get these a lot while port scanning, often a flood coming
* back from broken/misconfigured networks */
break;
case 1: /* host unreachable */
/* This means the router doesn't exist */
break;
case 2: /* protocol unreachable */
/* The host exists, but it doesn't support SCTP */
break;
case 3: /* port unreachable */
if (length - parsed->transport_offset > 8) {
unsigned ip_me2, ip_them2, port_me2, port_them2;
unsigned ip_proto;
int err;
err = parse_port_unreachable(
px + parsed->transport_offset + 8,
length - parsed->transport_offset + 8,
&ip_me2, &ip_them2, &port_me2, &port_them2,
&ip_proto);
if (err)
return;
if (!matches_me(out, ip_me2, port_me2))
return;
switch (ip_proto) {
case 6:
output_report_status(
out,
timestamp,
PortStatus_Closed,
ip_them2,
ip_proto,
port_them2,
0,
px[parsed->ip_offset + 8]);
break;
case 17:
output_report_status(
out,
timestamp,
PortStatus_Closed,
ip_them2,
ip_proto,
port_them2,
0,
px[parsed->ip_offset + 8]);
break;
case 132:
output_report_status(
out,
timestamp,
PortStatus_Closed,
ip_them2,
ip_proto,
port_them2,
0,
px[parsed->ip_offset + 8]);
break;
}
}
}
break;
default:
;
}
}
