ICMP has ports?

  • I thought it kind of strange that a port is show for the source

    icmp  I  0:0  8616m    10 2019K  118M
    icmp  O      0:0  8616m    10 2019K  118M

  • LAYER 8 Global Moderator

    Hmmm where do you see that at?  From my understanding port 0 is packets without a L4 header..  Could be just fragmented traffic, could be attack, etc.  Is that total traffic 118M?

  • It's from PFTop. It's a Google IP address that I ping 24/7.

    Here's a screenshot. You'll see that the longest state is apinger hitting my gateway, even that has a "port".

  • LAYER 8 Global Moderator

    I think that just be quirk/method for that info to be shown.. If you do a packet capture and look at the capture (even when loaded wireshark) there are no ports in the capture

  • I figured it was a "quirk", I was quite sure ICMP had no notion of any kind of "ports". At least some people may be aware of it if they were not already.

    Thanks for validating that I'm not going crazy  :-)

  • LAYER 8 Global Moderator

    maybe someone that is really familiar with the ins and outs of pf firewall can validate it.. But yeah just looks like how pf handles showing the info.. but odd is where it comes up with those high source ports?  36724 in your example.

    I know there can be some odd stuff done with port 0 in an attack sort of thing.  But have never looked/noticed that before myself.

  • ICMP doesn't have ports, but it does have an ID. That's what that is.

Log in to reply