
I'm using a pure Python ping utility from ftp://ftp.visi.com/disk3/mdc/ping.py to monitor hosts across the network, and my ZyWALL USG200 router is complaining like this:

from Any to DMZ, [type=ICMP-Decoder(8911017)] bad-icmp-l4-size ATTACK bad-icmp-l4-size Action: No Action Severity: medium

What could be wrong?

UPD: I'll try to capture actual packets via USG's maintenance menu and compare with Linux ping...

kuz8
  • It involves pure ping programming of the mentioned Python implementation; the evidence is how it breaks router monitoring. The answer contains a software fix for the mentioned implementation of ping, which is also about programming. – kuz8 Dec 21 '13 at 19:06

2 Answers

2

According to your router's warning, it looks like the ICMP packet is not well formed. In particular, the size of layer 4 (ICMP) of the packet seems to be wrong (bad-icmp-l4-size).

You should use something like tcpdump to get the content of the sent packet, using something like:

sudo tcpdump -nnvXS -c1 icmp

In your situation, I'd rather look for another implementation. That code is a mess.

José Tomás Tocino
  • Thank you very much for the tip and the command example! I've compared the packets; after mocking "ping" it seemed to go away. I'll write it up in an answer. – kuz8 Dec 18 '13 at 15:41
1

I've copied the ping packet contents from a Wireshark analysis of the captured packets. The code had it as 192 letters 'Q'; ping had it a bit differently:

replace, or insert after, line 128

data = 192 * 'Q'

with the correct definition of the packet contents

# Python 2 str.decode("hex"); on Python 3 the equivalent is bytes.fromhex('...')
data = 'e283030000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637'.decode("hex")

and warnings went away.

But indeed I may want to look for cleaner implementation as José suggests.

kuz8
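Added example (not code from the question, the answers, or ping.py): a small Python 3 builder and validator for ICMP echo requests, tying together José's point that the message must be well formed and kuz8's replacement payload. It assumes the 56-byte Linux ping payload is a 16-byte little-endian struct timeval followed by the bytes 0x10..0x37 (inferred from the capture quoted in the answer: the 48-byte hex string is the last 8 bytes of that timeval plus the 0x10..0x37 run), and it assumes, since the page does not document the signature, that a "bad-icmp-l4-size" style check compares the L4 length announced by the IP header with the bytes actually present. Function and constant names are this example's own.

```python
import struct
import time

# Constructed sample: the payload bytes quoted in kuz8's answer (Python 2 '...'.decode("hex")).
ANSWER_DATA_HEX = ("e283030000000000101112131415161718191a1b1c1d1e1f"
                   "202122232425262728292a2b2c2d2e2f3031323334353637")

ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit big-endian words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def linux_style_payload(timestamp: float = 0.0) -> bytes:
    """56-byte payload shaped like iputils ping on a 64-bit Linux host.
    Assumption (inferred from the answer's capture): 16-byte little-endian struct timeval
    (seconds, microseconds) followed by the bytes 0x10..0x37."""
    secs = int(timestamp)
    usecs = int((timestamp - secs) * 1_000_000)
    return struct.pack("<qq", secs, usecs) + bytes(range(0x10, 0x38))


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """RFC 792 echo request: type 8, code 0, checksum, identifier, sequence, then data."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = internet_checksum(header + payload)  # checksum covers header (with field zeroed) + data
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident & 0xFFFF, seq & 0xFFFF)
    return header + payload


def validate_echo_request(packet: bytes, ip_payload_len=None) -> list:
    """Return a list of problems; an empty list means the message is well formed.
    ip_payload_len is the L4 length the IP header announces (total length minus IHL*4).
    A mismatch with the bytes actually present is the kind of defect a 'bad-icmp-l4-size'
    signature plausibly reports (assumption: the exact ZyWALL check is not on the page)."""
    problems = []
    if len(packet) < ICMP_HEADER_LEN:
        return ["shorter than the 8-byte ICMP header"]
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    if icmp_type == ICMP_ECHO_REQUEST and code != 0:
        problems.append("echo request with non-zero code")
    # Summing a correct message including its checksum field folds to 0xFFFF, so ~sum is 0.
    if internet_checksum(packet) != 0:
        problems.append("checksum does not verify")
    if ip_payload_len is not None and ip_payload_len != len(packet):
        problems.append("IP header announces %d L4 bytes, %d present" % (ip_payload_len, len(packet)))
    return problems


def answer_payload_matches_pattern() -> bool:
    """The answer's 48-byte data is 8 timeval bytes followed by the 0x10..0x37 run."""
    data = bytes.fromhex(ANSWER_DATA_HEX)
    return len(data) == 48 and data[8:] == bytes(range(0x10, 0x38))


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, linux_style_payload(time.time()))
    print(len(pkt), "bytes, problems:", validate_echo_request(pkt, len(pkt)))
    print("answer payload matches Linux pattern:", answer_payload_matches_pattern())
```

Run against a tcpdump -X or Wireshark capture, validate_echo_request gives a quick offline answer to "is the message itself malformed, or does the announced length disagree with what was sent" before changing any code.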