Packet Filtering: Catching the Cool Packets

There are two filters that are my absolute favorites - the ICMP filter and the broadcast filter. The broadcast filter can be made using the address filter techniques covered in the previous chapter. The ICMP filter, however, can be made with a simple protocol selection in most analyzer products.

Why do I care sooooo much about the ICMP filter. Well, first of all, get the "TCP/IP Analysis and Troubleshooting" book and start reading around page 60. Wow! When I go onsite, I usually capture all the packets (no filters applied) and then look specifically for the ICMP traffic crossing the wire. Here are some examples of what I can learn using an ICMP filter:

• If there are a lot of ICMP echo requests/replies on the network, I look at the source to determine whether some automated process is splitting out all these packets (pinging) or perhaps there is some really lame application using ICMP as a 'keepalive' process. I also look at where these packets are coming from - if they are coming from an outside system (outside the firewall), I will be really curious about the sender and their intentions.

• If there are a lot of ICMP redirects, I check out who is being redirected to where… maybe a set of hosts are using the least efficient default gateway setting. Maybe a redirection attack is underway.

• If there are a lot of ICMP destination unreachable packets, I look into who is sending/receiving them and what each destination unreachable packet is saying. For example, perhaps the host was unreachable or the destination port number was unreachable. Either way, I need to figure out why these packets are crossing the wire.

ICMP is one of my favorite protocols in the TCP/IP protocol suite. I highly recommend you spend some time with RFC 792 and RFC 1256.