void handle_icmp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed) { unsigned type = parsed->port_src; unsigned code = parsed->port_dst; unsigned seqno_me; //unsigned ip_me; unsigned ip_them; /*ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16 | parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;*/ ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16 | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0; seqno_me = px[parsed->transport_offset+4]<<24 | px[parsed->transport_offset+5]<<16 | px[parsed->transport_offset+6]<<8 | px[parsed->transport_offset+7]<<0; switch (type) { case 0: /* ICMP echo reply */ if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me) return; /* not my response */ /* * Report "open" or "existence" of host */ output_report_status( out, Port_IcmpEchoResponse, ip_them, 0, 0, 0); break; case 3: /* destination unreachable */ switch (code) { case 0: /* net unreachable */ case 1: /* host unreachable */ case 2: /* protocol unreachable */ break; case 3: /* port unreachable */ if (length - parsed->transport_offset > 8) { unsigned ip_me2, ip_them2, port_me2, port_them2; int err; err = parse_port_unreachable( px + parsed->transport_offset + 8, length - parsed->transport_offset + 8, &ip_me2, &ip_them2, &port_me2, &port_them2); if (err) return; if (!matches_me(out, ip_me2, port_me2)) return; output_report_status( out, Port_UdpClosed, ip_them2, port_them2, 0, px[parsed->ip_offset + 8]); } } break; default: ; } }
/*************************************************************************** * This is where we handle all incoming ICMP packets. Some of these packets * will be due to scans we are doing, like pings (echoes). Some will * be inadvertent, such as "destination unreachable" messages. ***************************************************************************/ void handle_icmp(struct Output *out, time_t timestamp, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed) { unsigned type = parsed->port_src; unsigned code = parsed->port_dst; unsigned seqno_me; unsigned ip_me; unsigned ip_them; unsigned cookie; ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16 | parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0; ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16 | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0; seqno_me = px[parsed->transport_offset+4]<<24 | px[parsed->transport_offset+5]<<16 | px[parsed->transport_offset+6]<<8 | px[parsed->transport_offset+7]<<0; switch (type) { case 0: /* ICMP echo reply */ cookie = (unsigned)syn_cookie(ip_them, Templ_ICMP_echo, ip_me, 0); if ((cookie & 0xFFFFFFFF) != seqno_me) return; /* not my response */ //if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me) // return; /* not my response */ /* * Report "open" or "existence" of host */ output_report_status( out, timestamp, PortStatus_Open, ip_them, 1, /* ip proto */ 0, 0, 0); break; case 3: /* destination unreachable */ switch (code) { case 0: /* net unreachable */ /* We get these a lot while port scanning, often a flood coming * back from broken/misconfigured networks */ break; case 1: /* host unreachable */ /* This means the router doesn't exist */ break; case 2: /* protocol unreachable */ /* The host exists, but it doesn't support SCTP */ break; case 3: /* port unreachable */ if (length - parsed->transport_offset > 8) { unsigned ip_me2, ip_them2, port_me2, port_them2; unsigned ip_proto; int err; err = parse_port_unreachable( px + parsed->transport_offset + 8, length - parsed->transport_offset + 8, &ip_me2, &ip_them2, &port_me2, &port_them2, &ip_proto); if (err) return; if (!matches_me(out, ip_me2, port_me2)) return; switch (ip_proto) { case 6: output_report_status( out, timestamp, PortStatus_Closed, ip_them2, ip_proto, port_them2, 0, px[parsed->ip_offset + 8]); break; case 17: output_report_status( out, timestamp, PortStatus_Closed, ip_them2, ip_proto, port_them2, 0, px[parsed->ip_offset + 8]); break; case 132: output_report_status( out, timestamp, PortStatus_Closed, ip_them2, ip_proto, port_them2, 0, px[parsed->ip_offset + 8]); break; } } } break; default: ; } }