ICMP has ports?
I thought it kind of strange that a port is show for the source
icmp I 192.168.1.2:0 184.108.40.206:48337 0:0 8616m 10 2019K 118M
icmp O 192.168.1.2:48337 220.127.116.11:0 0:0 8616m 10 2019K 118M
Hmmm where do you see that at? From my understanding port 0 is packets without a L4 header.. Could be just fragmented traffic, could be attack, etc. Is that total traffic 118M?
It's from PFTop. It's a Google IP address that I ping 24/7.
Here's a screenshot. You'll see that the longest state is apinger hitting my gateway, even that has a "port".
I think that just be quirk/method for that info to be shown.. If you do a packet capture and look at the capture (even when loaded wireshark) there are no ports in the capture
I figured it was a "quirk", I was quite sure ICMP had no notion of any kind of "ports". At least some people may be aware of it if they were not already.
Thanks for validating that I'm not going crazy :-)
maybe someone that is really familiar with the ins and outs of pf firewall can validate it.. But yeah just looks like how pf handles showing the info.. but odd is where it comes up with those high source ports? 36724 in your example.
I know there can be some odd stuff done with port 0 in an attack sort of thing. But have never looked/noticed that before myself.
ICMP doesn't have ports, but it does have an ID. That's what that is.