This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all, today in our Symantec SIEM product we observed a botnet log showing the destination port as 7000, but the strange thing is, it is showing the protocol as ICMP. As per my knowledge, ICMP has nothing to do with TCP ports? The Symantec SIEM product gets these logs from our firewall, and in the firewall we have only allowed the ICMP echo request and reply service. I am sure it is ICMP traffic only, but why is the port showing? The source of the traffic is a Linux machine.

asked 19 Jun '13, 06:22


kishan pandey


I am sure it is ICMP traffic only, but why is the port showing?

some possibilities:

  • a bug in your SIEM product
  • your interpretation of the "port" statement in the SIEM logs is wrong
  • there is really a TCP/UDP port involved (IP tunnel via ICMP) and the firewall detected that (rather unlikely)

Regards
Kurt


answered 19 Jun '13, 06:33


Kurt Knochner ♦

edited 22 Jun '13, 02:31

Maybe it was an ICMP Destination Unreachable packet and the port number was taken from the original IP packet, which is returned inside the ICMP Destination Unreachable packet.


answered 19 Jun '13, 08:54


Jim Aragon
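The mechanism Jim describes (and Kurt's third bullet hints at) is worth seeing on the wire: an ICMP Destination Unreachable message carries the IP header plus the first 8 bytes of the datagram that triggered it, and those 8 bytes contain the TCP or UDP source and destination ports. A firewall or SIEM that dissects the quoted datagram can therefore legitimately report "protocol ICMP, destination port 7000". The following is an added example, not code from the original thread or from any Symantec or Wireshark product; it builds a constructed packet (all addresses are documentation ranges, the port 7000 is taken from the question) and parses it the way a log dissector would.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3
ICMP_CODE_PORT_UNREACH = 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(orig_src: str, orig_dst: str, sport: int, dport: int,
                           router_src: str) -> bytes:
    """Constructed sample: router_src tells orig_src that orig_dst:dport is unreachable.
    The ICMP body quotes the original IPv4 header plus the first 8 bytes of TCP."""
    quoted_tcp = struct.pack("!HHI", sport, dport, 0)          # src port, dst port, seq
    quoted_ip = ipv4_header(orig_src, orig_dst, 6, 20)          # original datagram was TCP
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, 0, 0)
    body = quoted_ip + quoted_tcp
    csum = inet_checksum(icmp_hdr + body)
    icmp = icmp_hdr[:2] + struct.pack("!H", csum) + icmp_hdr[4:] + body
    return ipv4_header(router_src, orig_src, 1, len(icmp)) + icmp


def parse_icmp_error(packet: bytes) -> dict:
    """Dissect an ICMP error message and pull the ports out of the quoted datagram.
    This is what lets a SIEM show a 'port' on an ICMP record."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if inet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    if itype not in (3, 4, 5, 11, 12):           # only error types quote a datagram
        raise ValueError("ICMP type %d carries no quoted datagram" % itype)
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    result = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "icmp_type": itype,
        "icmp_code": code,
        "quoted_proto": quoted[9],
        "quoted_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "quoted_dst": str(ipaddress.IPv4Address(quoted[16:20])),
    }
    l4 = quoted[q_ihl:q_ihl + 8]
    if result["quoted_proto"] in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are bytes 0-3
        result["quoted_sport"], result["quoted_dport"] = struct.unpack("!HH", l4[:4])
    return result


def siem_style_summary(info: dict) -> str:
    """One-line rendering in the shape a firewall log exporter might use."""
    proto = {6: "TCP", 17: "UDP"}.get(info["quoted_proto"], "proto %d" % info["quoted_proto"])
    ports = ""
    if "quoted_dport" in info:
        ports = " ports %d->%d" % (info["quoted_sport"], info["quoted_dport"])
    return "ICMP type %d code %d %s->%s quoting %s %s->%s%s" % (
        info["icmp_type"], info["icmp_code"], info["outer_src"], info["outer_dst"],
        proto, info["quoted_src"], info["quoted_dst"], ports)


if __name__ == "__main__":
    # Constructed sample: a Linux host at 10.0.0.5 tried TCP port 7000 on 203.0.113.9
    pkt = build_port_unreachable("10.0.0.5", "203.0.113.9", 40000, 7000, "198.51.100.1")
    print(siem_style_summary(parse_icmp_error(pkt)))
```

When a log line says "ICMP" together with "port 7000", the useful check is whether the ICMP type is an error type (3, 4, 5, 11 or 12) rather than echo request/reply (8/0): only the error types quote an inner datagram, so the port belongs to the connection attempt that provoked the ICMP message, not to the ICMP packet itself.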
