
I am trying to debug a connection that has been appearing in my environment from an unknown server.

I want to find a PID if it is associated with one. Tried "netstat -anp" but it doesn't find anything. But the connection is sporadic, so I tried ngrep.

The output is strange and I couldn't find documentation to describe it.

Example:

$ ngrep host 12.34.56.78
interface: eth0 (10.128.100.0/255.255.252.0)
filter: (ip or ip6) and ( host 12.34.56.78 )
#

I 12.34.56.78 -> 10.128.100.101 3:13
  ....E..L.G@.......fi.ro..{.{.8..#......2...........&..z .h...8.6.h..
#

10.128.100.101 is the host I'm running this on.

I want to know what "3:13" is. I can't find any example ngrep output anywhere that has a thing like this.

I know the "I" at the front is "ICMP" -- and this matches the Snort alerts that tipped me off to this problem.

JDS

1 Answer


I think I figured it out. Browsed the ngrep source.

Found this:

switch (proto) {
    case IPPROTO_ICMP:
    case IPPROTO_ICMPV6:
    case IPPROTO_IGMP:
        printf(" %u:%u", sport, dport);
}

"sport" and "dport"

Which in the case of ICMP, probably means "Type" not "port".

Pretty sure this is ICMP Type "3" which means "Destination unreachable". However I'm not sure if the 13 is "Timestamp" or "Communication administratively prohibited" -- although I suspect it is the latter.

Now to figure out what to actually do about this anomaly.

JDS
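An added example, not part of the question, the answer, or ngrep itself: a small Python decoder for ngrep's per-packet header line that treats the trailing number pair as ICMP type:code (in ngrep's source the ICMP/ICMPv6/IGMP branch stores the type in sport and the code in dport) and resolves the names, so "3:13" comes out as Destination Unreachable / Communication Administratively Prohibited. The sample lines and the name tables are constructed here from RFC 792 and RFC 1812; the regex and function names are my own.

```python
import re

# Constructed sample of ngrep header lines; the first is the one from the question.
SAMPLE_LINES = [
    "I 12.34.56.78 -> 10.128.100.101 3:13",
    "I 10.128.100.101 -> 12.34.56.78 8:0",
    "T 10.128.100.101:44321 -> 12.34.56.78:443 [AP]",
]

# ngrep prints "<proto letter> <src> -> <dst> <sport>:<dport>" for each match.
# In ngrep's source the ICMP/ICMPv6/IGMP branch stores the ICMP type in sport
# and the code in dport, so the trailing "3:13" is type:code, not ports.
HEADER_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)(?:\s+(?P<a>\d+):(?P<b>\d+))?"
)

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 13: "Timestamp",
              14: "Timestamp Reply"}
# Codes for type 3 (RFC 792 / RFC 1812); 13 is the one seen in the question.
DEST_UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                      2: "Protocol Unreachable", 3: "Port Unreachable",
                      4: "Fragmentation Needed and DF Set", 5: "Source Route Failed",
                      6: "Destination Network Unknown", 7: "Destination Host Unknown",
                      9: "Network Administratively Prohibited",
                      10: "Host Administratively Prohibited",
                      13: "Communication Administratively Prohibited"}


def parse_ngrep_header(line):
    """Return a dict describing one ngrep header line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"proto": m["proto"], "src": m["src"], "dst": m["dst"]}
    if m["proto"] == "I" and m["a"] is not None:
        icmp_type, icmp_code = int(m["a"]), int(m["b"])
        rec["icmp_type"], rec["icmp_code"] = icmp_type, icmp_code
        rec["type_name"] = ICMP_TYPES.get(icmp_type, "Unknown type %d" % icmp_type)
        if icmp_type == 3:
            rec["code_name"] = DEST_UNREACH_CODES.get(icmp_code, "Unknown code %d" % icmp_code)
        else:
            rec["code_name"] = "code %d" % icmp_code
    return rec


def summarize(lines):
    """Decode every header line; payload dump lines and '#' markers are skipped."""
    return [r for r in (parse_ngrep_header(l) for l in lines) if r]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        print(rec)
```

A type 3 / code 13 error arriving from a remote address means a router or firewall on the path is rejecting traffic that originated on this host, so the local artifact to look for is the outbound flow that triggered it; the ICMP payload quotes the original IP header plus the first 8 bytes of its transport header, which is enough to recover that flow's addresses and ports.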