1

I'm trying to understand how log format is organised. My question is why ICMP block goes with some enclosure about another TCP/UDP packet. How am I supposed to read this [include] and how this packet relate to an ICMP packet?

kernel: [172040.205327] [UFW BLOCK] IN=eth0 ... SRC=114.236.141.172 DST=10.128.0.90 ... TTL=51 ID=16875 PROTO=ICMP TYPE=3 CODE=10 [SRC=10.128.0.90 DST=114.236.141.172 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=42243 PROTO=TCP SPT=34363 DPT=9001 WINDOW=0 RES=0x00 SYN URGP=0 ]

Some real examples:

May 25 22:03:55 wserver kernel: [ 3947.677603] [UFW BLOCK] IN=eth0 OUT= MAC=d0:0d:bb:4b:49:33:00:00:5e:00:01:00:08:00 SRC=31.169.86.96 DST=10.128.0.90 LEN=91 TOS=0x00 PREC=0x60 TTL=51 ID=15517 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.128.0.90 DST=31.169.86.96 LEN=63 TOS=0x00 PREC=0x00 TTL=244 ID=57829 PROTO=UDP SPT=80 DPT=53 LEN=43 ] 
May 25 22:05:43 wserver kernel: [ 4055.788663] [UFW BLOCK] IN=eth0 OUT= MAC=d0:0d:bb:4b:49:33:00:00:5e:00:01:00:08:00 SRC=105.188.134.176 DST=10.128.0.90 LEN=91 TOS=0x00 PREC=0x60 TTL=51 ID=43291 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.128.0.90 DST=105.188.134.176 LEN=63 TOS=0x08 PREC=0x20 TTL=246 ID=5800 PROTO=UDP SPT=80 DPT=53 LEN=43 ] 
May 26 20:45:27 wserver kernel: [172040.205327] [UFW BLOCK] IN=eth0 OUT= MAC=d0:0d:bb:4b:49:33:00:00:5e:00:01:00:08:00 SRC=114.236.141.172 DST=10.128.0.90 LEN=68 TOS=0x00 PREC=0x60 TTL=51 ID=16875 PROTO=ICMP TYPE=3 CODE=10 [SRC=10.128.0.90 DST=114.236.141.172 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=42243 PROTO=TCP SPT=34363 DPT=9001 WINDOW=0 RES=0x00 SYN URGP=0 ] 
May 26 22:13:58 wserver kernel: [177351.825395] [UFW BLOCK] IN=eth0 OUT= MAC=d0:0d:bb:4b:49:33:00:00:5e:00:01:00:08:00 SRC=50.97.40.71 DST=10.128.0.90 LEN=576 TOS=0x00 PREC=0x60 TTL=50 ID=23007 PROTO=ICMP TYPE=3 CODE=10 [SRC=10.128.0.90 DST=50.97.40.71 LEN=1500 TOS=0x00 PREC=0x00 TTL=239 ID=64030 PROTO=ESP SPI=0x0 ]
Alexis Wilke
  • 2,210
  • 1
  • 20
  • 37
danilabagroff
  • 113
  • 4

1 Answers1

1

The ICMP error messages include the ip header + 64 bits of original data datagram into itself. It helps to determine, to what packet this error message relate.

In your case:

  • ICMP TYPE=3 means "destination unreachable"
  • ICMP CODE=10 means "host admin prohibited"
  • [ SRC=10.128.0.90 DST=114.236.141.172 ... PROTO=TCP SPT=34363 DPT=9001 ] is the IPv4 header + begin of the original rejected datagram.

See the RFC 792, page #3 for details.

Community
  • 1
Anton Danilov
  • 5,082
  • 2
  • 13
  • 23