Strange states for custom ICMP packets

Carter Bullard carter at qosient.com
Mon Dec 1 08:00:36 EST 2014


Hey /Elof,
So many tools .... so little time ;O)  
I usually generate custom packets by hand ... so ... I don't do it that often.   Just was intersted in whether hping was making mistakes or if it thought it was doing the right thing, or wasn't trying that hard.

Good to see that its useful.
Carter

> On Dec 1, 2014, at 10:59 AM, elof2 at sentor.se wrote:
> 
> 
> Hi Carter!
> 
> Wow, now I'm *truly* baffled!
> 
> You, a person who's been into network analysis for many++ years don't know hping?!? :)
> 
> Hping is a tool where you can easily craft your own custom packets.
> 
> -1 = generate packets if type ICMP
> -c 10 = send 10 packets
> -i 3 = ...three seconds apart
> -n = no name lookup
> -C 0 = ICMP type 0
> -K 0 = ICMP code 0
> -d 11 = data size 11 bytes
> -E = packet payload
> 
> So in this case I craft 10 echo reply packets, with the string "Hello,World" in them.
> Their sequence numbers are probably wonky, so I guess that's why 'ra' don't display them as 10 similar flows but 10 more or less random flows.
> 
> As I said, not important. No need to do any changes in argus/ra.
> 
> 
> 
> 
> I use it in penetration testing.
> I use it to trigger snort-alerts on purpose, to verify functionality.
> I use it to debug network problems, like if you have an openvpn (based on UDP packets), and some ISP between the two vpn-nodes is throttling the UDP bandwidth. Then you can easily generate UDP packets with hping and see how many are received on the other end.
> 
> You can also use it as a ping tool to see if you get a response, but my main use of it is custom packet creation (payload, ports, addresses...).
> 
> 
> 
> I always install tcpdump, tshark, hping, netcat, wget, ngrep and mtr on my machines.
> 
> /Elof
> 
> 
>> On Fri, 28 Nov 2014, Carter Bullard wrote:
>> 
>> Hey /Elof,
>> Argus uses a 6-tuple flow key for ICMP traffic.  We do that so we can get RTT's (round trip times) for the pings, and other req/resp ICMP flows.  For ICMP traffic, the 4th and 5th tuples are the ICMP type and code fields, and the 6th tuple is a sequence number for some ICMP types. Its pretty clear that hping is not forming conformant packets, as the type and code fields are different and I suspect that particular type and code payload formats aren't to speck.
>> 
>> What is hping anyway ???
>> 
>> Carter
>> 
>> 
>>> On Nov 28, 2014, at 12:03 PM, elof2 at sentor.se wrote:
>>> 
>>> Hi Carter!
>>> 
>>> This is just a report of a minor strangeness.
>>> 
>>> If I run this hping command:
>>> echo -n "Hello,World" > /tmp/hello_world.txt
>>> hping3 -1 -c 10 -i 3 -n -C 0 -K 0 -d 11 -E /tmp/hello_world.txt 111.111.111.111
>>> 
>>> ...I get this output from ra:
>>> 
>>>     StartTime      Flgs  Proto            SrcAddr  Sport Dir DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes         State
>>> 14:47:22.269359  e          icmp    111.111.111.111.0x2600 <- 10.244.159.37.0x0dbb        0        1            0           60 ECR
>>> 14:47:25.265160  e          icmp      10.244.159.37.0x031f  -> 111.111.111.111.0x0dbb        1        0           60            0 DCE
>>> 14:47:28.265469  e          icmp      10.244.159.37.0x0307  -> 111.111.111.111.0x0dbb        1        0           60            0
>>> 14:47:31.265819  e          icmp      10.244.159.37.0x0304  -> 111.111.111.111.0x0dbb        1        0           60            0 SRC
>>> 14:47:34.266148  e          icmp      10.244.159.37.0x0304  -> 111.111.111.111.0x0dbb        1        0           60            0 SRC
>>> 14:47:37.266547  e          icmp      10.244.159.37.0x0008  -> 111.111.111.111.0x0dbb        1        0           60            0 ECO
>>> 14:47:40.266854  e          icmp      10.244.159.37.0x820f  -> 111.111.111.111.0x0dbb        1        0           60            0 IRQ
>>> 14:47:43.267169  e          icmp      10.244.159.37.0x201f  -> 111.111.111.111.0x0dbb        1        0           60            0 DCE
>>> 14:47:46.267479  e          icmp      10.244.159.37.0x001f  -> 111.111.111.111.0x0dbb        1        0           60            0 DCE
>>> 14:47:49.267786  e          icmp      10.244.159.37.0x0008  -> 111.111.111.111.0x0dbb        1        0           60            0 ECO
>>> 
>>> ...or this:
>>> 
>>>     StartTime      Flgs  Proto            SrcAddr  Sport Dir DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes         State
>>> 11:34:38.786492  e          icmp        10.200.0.52.0x001f  -> 111.111.111.111.0x5cac        1        0           60            0 DCE
>>> 11:34:41.782536  e          icmp        10.200.0.52.0x0007  -> 111.111.111.111.0x5cac        1        0           60            0
>>> 11:34:44.782427  e          icmp        10.200.0.52.0x001f  -> 111.111.111.111.0x5cac        1        0           60            0 DCE
>>> 11:34:47.782421  e          icmp        10.200.0.52.0x0007  -> 111.111.111.111.0x5cac        1        0           60            0
>>> 11:34:50.791829  e          icmp        10.200.0.52.0x0101  -> 111.111.111.111.0x5cac        1        0           60            0
>>> 11:34:53.806536  e          icmp        10.200.0.52.0x0107  -> 111.111.111.111.0x5cac        1        0           60            0
>>> 11:34:56.781956  e          icmp        10.200.0.52.0x0005  -> 111.111.111.111.0x5cac        1        0           60            0 RED
>>> 11:34:59.781889  e          icmp    111.111.111.111.0x1c00 <- 10.200.0.52.0x5cac        0        1            0           60 ECR
>>> 11:35:02.781718  e          icmp        10.200.0.52.0x0107  -> 111.111.111.111.0x5cac        1        0           60            0
>>> 11:35:05.791089  e          icmp        10.200.0.52.0x0207  -> 111.111.111.111.0x5cac        1        0           60            0
>>> 
>>> ...or this:
>>> 
>>>     StartTime      Flgs  Proto            SrcAddr  Sport Dir DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes         State
>>> 11:37:06.535637  e          icmp        10.200.0.52.0x0101  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:09.539314  e          icmp        10.200.0.52.0x0107  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:12.555582  e          icmp        10.200.0.52.0x0107  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:15.558824  e          icmp        10.200.0.52.0x0207  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:18.535193  e          icmp        10.200.0.52.0x0207  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:21.536809  e          icmp        10.200.0.52.0x0207  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:24.534740  e          icmp        10.200.0.52.0x0007  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:27.534754  e          icmp        10.200.0.52.0x0007  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:30.535038  e          icmp        10.200.0.52.0x0207  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 11:37:33.535025  e          icmp        10.200.0.52.0x0101  -> 111.111.111.111.0x5cad        1        0           60            0
>>> 
>>> 
>>> So, we get all kinds of different states... ECR, DCE, blank, SRC, ECO, IRQ, and so on.
>>> This is strange, since all we do is to send the same icmp packet 10 times.
>>> 
>>> Even more strange is that the 10 flows look different from time to time.
>>> 
>>> Sometimes, the IPs and direction are even reversed. This is probably because the flow is treated as a response (ECR) even though it is not.
>>> 
>>> I don't know what to make out of this. :)
>>> Perhaps is is a bug, or perhaps this is just what happens when crafting your own ICMP-packets like this...
>>> 
>>> Oh well, just thought I'd let you know in case it's a bug. :)
>>> 
>>> /Elof
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2443 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141201/e0b5c52b/attachment.bin>


More information about the argus mailing list