
Hi all, today in our Symantec SIEM product we observed a botnet log showing destination port as 7000, but the strange thing is, it is showing protocol as per my knowledge ICMP has nothing to do with TCP ports? The Symantec SIEM product gets these logs from our firewall, and in the firewall we only allow the ICMP echo request and reply service. I am sure it is ICMP traffic only, but why is a port showing? The source of the traffic is a Linux machine.

asked 19 Jun '13, 06:22

kishan pandey
accept rate: 28%

"I am sure it is ICMP traffic only but why port is showing"

Some possibilities:

  • a bug in your SIEM product
  • your interpretation of the "port" statement in the SIEM logs is wrong
  • there is really a TCP/UDP port involved (IP tunnel via ICMP) and the firewall detected that (rather unlikely)


answered 19 Jun '13, 06:33

Kurt Knochner ♦
accept rate: 15%

edited 22 Jun '13, 02:31

Maybe it was an ICMP Destination Unreachable packet and the port number was taken from the original IP packet, which is returned inside the ICMP Destination Unreachable packet.

answered 19 Jun '13, 08:54

Jim Aragon
accept rate: 24%
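
The case described in the answer above, as an added example that is not part of the original thread: an ICMP error message quotes the IP header plus the first 8 bytes of the datagram that triggered it, and those 8 bytes hold the original TCP/UDP ports, which a log source can then report against an ICMP event. The parser also covers the other ICMP error types that quote a datagram, not only Destination Unreachable; the addresses, source port and packets are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

# ICMP error types whose body quotes the offending datagram (IP header + first 8 bytes)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4(proto, src, dst, payload):
    # Minimal 20-byte IPv4 header; checksum left at 0 because this is constructed sample data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def sample_unreachable():
    # Constructed: 192.0.2.10 sent UDP to 198.51.100.5:7000 and gets "port unreachable" back
    udp = struct.pack("!HHHH", 40000, 7000, 8, 0)        # sport, dport, length, checksum
    original = ipv4(17, "192.0.2.10", "198.51.100.5", udp)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + original   # type 3, code 3, checksum, unused
    return ipv4(1, "198.51.100.5", "192.0.2.10", icmp)

def sample_echo():
    # Constructed: plain echo request, which carries no quoted datagram
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
    return ipv4(1, "192.0.2.10", "198.51.100.5", icmp)

def quoted_ports(packet):
    """Return (icmp_type, icmp_code, inner_proto, sport, dport), or None if no ports are quoted."""
    if len(packet) < 20 or packet[9] != 1:               # outer protocol must be ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type not in ICMP_ERROR_TYPES:                # echo request/reply etc.
        return None
    inner = packet[ihl + 8:]                             # quoted original datagram
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] not in (6, 17) or len(inner) < inner_ihl + 4:
        return None                                      # only TCP/UDP carry ports
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return icmp_type, icmp_code, inner[9], sport, dport

if __name__ == "__main__":
    print(quoted_ports(sample_unreachable()))
    print(quoted_ports(sample_echo()))
```
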

question asked: 19 Jun '13, 06:22

question was seen: 2,480 times

last updated: 22 Jun '13, 02:31
