Date: Sat, 25 Jan 2003 01:49:25 +0300
From: "Vadim A. Shklyaev"
To: Josh Brooks
Cc: freebsd-net@freebsd.org
Subject: Re: catching bad ICMP errors - very odd
Message-ID: <18174609192.20030125014925@front.ru>
In-Reply-To: <20030124035318.O64423-100000@mail.econolodgetulsa.com>

Hello, Josh.

You wrote 24 January 2003, 14:56:54:

JB> I have inserted this ipfw rule, based on guidance from the archives:

JB> count icmp from any to any icmptype 4,5,9,10,12,13,14,15,16,17,18

JB> Now, I am watching that count rule, and it keeps growing. This means that
JB> people are sending me packets other than types 0,3,8,11.

JB> So I wanted to see what they were:

JB> tcpdump -vvv -n | grep -v echo | grep -v unreach | grep -v exceeded

JB> and I let that run for hours and hours and hours - and during that time,
JB> the counter continued to grow and grow, but my screen where I was running
JB> tcpdump stayed blank - I never saw a single packet.

JB> So how is it that the counter for the above rule can grow and grow and
JB> grow, but I never see a single ICMP message that says anything besides
JB> "echo", "unreach" or "exceeded" ?

JB> thanks.

You should better write this, due to possible buffered output of grep.

tcpdump -vvvni iface0 'icmp and icmp[icmptype]!=icmp-echo and \
icmp[icmptype]!=icmp-echoreply and icmp[icmptype]!=icmp-unreach \
and icmp[icmptype]!=icmp-timxceed'

-- 
Best regards,
 Vadim                          mailto:lexxmail@front.ru
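
Added example, not part of the original message or of any FreeBSD tool: a short Python sketch of the check that icmp[icmptype] performs, applied to the type list from the quoted ipfw rule, plus a positive-match tcpdump expression for the same list. The function names and the sample packets are constructed for illustration, and skipping non-first fragments is an assumption of this sketch.

```python
import struct
from collections import Counter

# ICMP types counted by the ipfw rule quoted in the thread.
COUNTED_TYPES = {4, 5, 9, 10, 12, 13, 14, 15, 16, 17, 18}

def icmp_type(packet: bytes):
    """Return the ICMP type of a raw IPv4 packet, or None if it has none."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                        # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # IP options move the ICMP header
    if ihl < 20 or packet[9] != 1:         # protocol 1 = ICMP
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0 or len(packet) <= ihl:
        return None                        # assumption: later fragments are skipped
    return packet[ihl]

def tally_counted(packets):
    """Per-type count of the packets that fall in the rule's type list."""
    hits = Counter()
    for p in packets:
        t = icmp_type(p)
        if t in COUNTED_TYPES:
            hits[t] += 1
    return dict(hits)

def pcap_filter(types=COUNTED_TYPES):
    """tcpdump expression matching the listed types directly, with no grep stage."""
    tests = " or ".join(f"icmp[icmptype]={t}" for t in sorted(types))
    return f"icmp and ({tests})"

def _ip(proto, payload, options=b"", frag=0):
    """Constructed IPv4 packet for the samples below (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0,
                      frag, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + payload

SAMPLES = [                                      # constructed, not captured traffic
    _ip(1, bytes([8, 0, 0, 0, 0, 0, 0, 0])),     # echo request: not in the list
    _ip(1, bytes([5, 1, 0, 0, 0, 0, 0, 0])),     # redirect
    _ip(1, bytes([4, 0, 0, 0, 0, 0, 0, 0]), options=b"\x01" * 4),  # source quench
    _ip(1, bytes([13, 0, 0, 0, 0, 0, 0, 0])),    # timestamp request
    _ip(1, bytes([5, 0, 0, 0]), frag=0x0010),    # non-first fragment: no ICMP header
    _ip(17, bytes([5, 0, 0, 0, 0, 0, 0, 0])),    # UDP whose payload starts with 5
]

if __name__ == "__main__":
    print(tally_counted(SAMPLES))
    print(pcap_filter())
```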