Date: Fri, 24 Jan 2003 10:07:14 -0800
From: Luigi Rizzo
To: Josh Brooks
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: catching bad ICMP errors - very odd
Message-ID: <20030124100714.B14895@xorpc.icir.org>

is this with ipfw1 or ipfw2 or both?

	cheers
	luigi

On Fri, Jan 24, 2003 at 03:56:54AM -0800, Josh Brooks wrote:
>
> I have inserted this ipfw rule, based on guidance from the archives:
>
> count icmp from any to any icmptype 4,5,9,10,12,13,14,15,16,17,18
>
> Now, I am watching that count rule, and it keeps growing. This means that
> people are sending me packets other than types 0,3,8,11.
>
> So I wanted to see what they were:
>
> tcpdump -vvv -n | grep -v echo | grep -v unreach | grep -v exceeded
>
> and I let that run for hours and hours and hours - and during that time,
> the counter continued to grow and grow, but my screen where I was running
> tcpdump stayed blank - I never saw a single packet.
>
> So how is it that the counter for the above rule can grow and grow and
> grow, but I never see a single ICMP message that says anything besides
> "echo", "unreach" or "exceeded"?
>
> thanks.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message