I have some Netflow records from a bunch of routers. The records contain IPv6 flows and there are entries with protocol as ipv6-icmp and their destination port values as 0, 1025 and 257. I know from this link that the value of 0 for ipv6-icmp in netflow indicates an echo reply. Is there any resource to find the meaning of the ipv6-icmp-1025 and ipv6-icmp-257?
[RFC 4443](https://datatracker.ietf.org/doc/html/rfc4443) explains ICMPv6 Types and Codes, but 0, 1025 and 257 are not ICMPv6 Types. Also, ICMP does not use ports, so I am not sure what you mean by port numbers. – Ron Maupin Nov 18 '21 at 21:34
I know that ICMPv6 does not use (TCP/UDP) port numbers and ICMPv6 has its own types. However, in my Netflow dataset, it seems that Netflow is overloading the destination port number field, which is normally used for TCP/UDP flows, to indicate the ICMPv6 message type. At first, I also thought that those values are the ICMPv6 message types, as indicated in the RFC, but no. Please have a look at the link that I've posted in the question. – Said Jawad Nov 19 '21 at 10:07
2 Answers
ICMP and ICMPv6 do not have port numbers. Possibly netflow is using 0 to indicate this is not a UDP or TCP flow.
Standard types and codes are in IANA registries. In v6, type 0 actually is reserved, and would be invalid on the wire. And as these are 8 bit fields, they only go up to 256.
These do not map obviously to ICMP. Possibly some other logging or packet capture would be better at analyzing it.
I think Netflow is overloading the destination port to represent the ICMP type and code, and the format is
`dPort = icmp_type << 8 + icmp_code`
Here's an article that supports this fact: Detecting Worms and Abnormal Activities with NetFlow, Part 2. However, 1025 (type 4, code 1) and 257 (type 1, code 1) don't seem to map to valid ICMP messages, so maybe there's other encoding logic behind it.
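A small decoder for this port-field encoding, as an added example that is not part of either answer. It assumes the layout given in the answer above (ICMP type in the high byte, code in the low byte) and labels each decoded pair with its RFC 4443 / IANA ICMPv6 name, so that values like 1025 and 257 can be checked against the ICMPv6 registry rather than the ICMPv4 one. The flow records are constructed samples in the shape of the question's data.

```python
"""Decode the ICMPv6 type/code that some NetFlow exporters pack into the
destination-port field (type in the high byte, code in the low byte)."""

# Subset of the IANA ICMPv6 type and code registries (RFC 4443, RFC 4861).
ICMPV6_TYPES = {
    0: "Reserved", 1: "Destination Unreachable", 2: "Packet Too Big",
    3: "Time Exceeded", 4: "Parameter Problem", 128: "Echo Request",
    129: "Echo Reply", 133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}
ICMPV6_CODES = {
    1: {0: "no route to destination", 1: "communication administratively prohibited",
        2: "beyond scope of source address", 3: "address unreachable",
        4: "port unreachable", 5: "source address failed ingress/egress policy",
        6: "reject route to destination"},
    3: {0: "hop limit exceeded in transit", 1: "fragment reassembly time exceeded"},
    4: {0: "erroneous header field encountered", 1: "unrecognized Next Header type",
        2: "unrecognized IPv6 option"},
}

def decode_dport(dport: int) -> tuple[int, int]:
    """Split the 16-bit port value into (icmp_type, icmp_code)."""
    if not 0 <= dport <= 0xFFFF:
        raise ValueError(f"not a 16-bit port value: {dport}")
    return dport >> 8, dport & 0xFF

def encode_dport(icmp_type: int, icmp_code: int) -> int:
    # Parenthesised on purpose: in C and Python, `t << 8 + c` parses as `t << (8 + c)`.
    return (icmp_type << 8) | icmp_code

def describe(dport: int) -> str:
    """Human-readable label for an ICMPv6 flow's overloaded dport value."""
    t, c = decode_dport(dport)
    tname = ICMPV6_TYPES.get(t, "unassigned/unknown type")
    cname = ICMPV6_CODES.get(t, {}).get(c)
    if cname is None:
        cname = "no code defined" if c == 0 else "unassigned code"
    return f"type {t} ({tname}), code {c} ({cname})"

# Constructed sample records: (protocol, dport), in the shape of the question's data.
SAMPLE_FLOWS = [("ipv6-icmp", 0), ("ipv6-icmp", 1025), ("ipv6-icmp", 257), ("tcp", 443)]

def label_flows(flows):
    """Return {dport: description} for ipv6-icmp flows only; TCP/UDP ports are real ports."""
    return {dport: describe(dport) for proto, dport in flows if proto == "ipv6-icmp"}

if __name__ == "__main__":
    for dport, text in label_flows(SAMPLE_FLOWS).items():
        print(f"dPort {dport:5d} -> {text}")
```

Under this layout an ICMPv6 echo reply (type 129, code 0) would appear as dport 33024, and dport 0 decodes to type 0, which RFC 4443 lists as reserved.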