CERT

Prefix maps (pmaps) are very useful for associating arbitrary values with address ranges, but they can also associate values with IP protocols and ports. Decoding ICMP types and codes is an ideal use for a port-based prefix map.

Although most commands support some form of ICMP type and code option, these all work on the raw numeric values. A prefix map can instead decode an ICMP type and code into a descriptive name. The following prefix map can be used for that purpose.

# Identify this as a protocol-port prefix map, rather than an IP-range map
mode proto-port

# Set a default value for all records
0 255 Other

# Set the default value for all ICMP records
1 1 ICMP/Undefined

# ICMP specific entries
1/0 1/255 ICMP/Echo Reply
1/768 1/768 ICMP/Destination Unreachable/Net Unreachable
1/769 1/769 ICMP/Destination Unreachable/Host Unreachable
1/770 1/770 ICMP/Destination Unreachable/Protocol Unreachable
1/771 1/771 ICMP/Destination Unreachable/Port Unreachable
1/772 1/772 ICMP/Destination Unreachable/Fragmentation Needed and Don't Fragment was Set
1/773 1/773 ICMP/Destination Unreachable/Source Route Failed
1/774 1/774 ICMP/Destination Unreachable/Destination Network Unknown
1/775 1/775 ICMP/Destination Unreachable/Destination Host Unknown
1/776 1/776 ICMP/Destination Unreachable/Source Host Isolated
1/777 1/777 ICMP/Destination Unreachable/Communication with Destination Network is Administratively Prohibited
1/778 1/778 ICMP/Administratively Prohibited/Communication with Destination Host is Administratively Prohibited
1/779 1/779 ICMP/Administratively Prohibited/Destination Network Unreachable for Type of Service
1/780 1/780 ICMP/Administratively Prohibited/Destination Host Unreachable for Type of Service
1/781 1/781 ICMP/Administratively Prohibited/Communication Administratively Prohibited
1/782 1/782 ICMP/Administratively Prohibited/Host Precedence Violation
1/783 1/783 ICMP/Administratively Prohibited/Precedence cutoff in effect
1/1024 1/1279 ICMP/Source Quench
1/1280 1/1280 ICMP/Redirect/Redirect Datagram for the Network (or subnet)
1/1281 1/1281 ICMP/Redirect/Redirect Datagram for the Host
1/1282 1/1282 ICMP/Redirect/Redirect Datagram for the Type of Service and Network
1/1283 1/1283 ICMP/Redirect/Redirect Datagram for the Type of Service and Host
1/1536 1/1536 ICMP/Alternate Host Address/Alternate Address for Host
1/2048 1/2303 ICMP/Echo
1/2304 1/2304 ICMP/Router Advertisement/Normal router advertisement
1/2320 1/2320 ICMP/Router Advertisement/Does not route common traffic
1/2560 1/2815 ICMP/Router Selection
1/2816 1/2816 ICMP/Time Exceeded/Time to Live exceeded in Transit
1/2817 1/2817 ICMP/Time Exceeded/Fragment Reassembly Time Exceeded
1/3072 1/3072 ICMP/Parameter Problem/Pointer indicates the error
1/3073 1/3073 ICMP/Parameter Problem/Missing a Required Option
1/3074 1/3074 ICMP/Parameter Problem/Bad Length
1/3328 1/3583 ICMP/Timestamp
1/3584 1/3839 ICMP/Timestamp Reply
1/3840 1/4095 ICMP/Information Request
1/4096 1/4351 ICMP/Information Reply
1/4352 1/4607 ICMP/Address Mask Request
1/4608 1/4863 ICMP/Address Mask Reply
1/7680 1/7935 ICMP/Traceroute
1/7936 1/8191 ICMP/Datagram Conversion Error
1/8192 1/8447 ICMP/Mobile Host Redirect
1/8448 1/8703 ICMP/IPv6 Where-Are-You
1/8704 1/8959 ICMP/IPv6 I-Am-Here
1/8960 1/9215 ICMP/Mobile Registration Request
1/9216 1/9471 ICMP/Mobile Registration Reply
1/9984 1/10239 ICMP/SKIP
1/10240 1/10240 ICMP/Photuris/Bad SPI
1/10241 1/10241 ICMP/Photuris/Authentication Failed
1/10242 1/10242 ICMP/Photuris/Decompression Failed
1/10243 1/10243 ICMP/Photuris/Decryption Failed
1/10244 1/10244 ICMP/Photuris/Need Authentication
1/10245 1/10245 ICMP/Photuris/Need Authorization

# A few other well-known protocols
6 6 TCP
17 17 UDP
50 50 ESP
51 51 AH

Rather than providing a precompiled version of this pmap, I'd encourage you to start with this text version, modify it to suit your needs, and create your own. Here's an example of how the pmap can be used to break down traffic volume by type of traffic (note that the ICMP type and code are always stored in the destination port field, regardless of the traffic direction).

  $ rwpmapbuild --in=icmp.pmap.txt --out=icmp.pmap
  $ rwfilter --start=2007/07/30:00 --type=in --proto=0-255 --pass=stdout \
    | rwuniq --pmap-file=icmp.pmap --fields=dval --bytes

                                              dval|               Bytes|
                               ICMP/IPv6 I-Am-Here|                  80|
  ...me Exceeded/Fragment Reassembly Time Exceeded|                6732|
                                   ICMP/Traceroute|                2120|
                                                AH|            20628771|
                                         ICMP/Echo|            19991803|
                                    ICMP/Undefined|              107053|
                            ICMP/Information Reply|                 152|
                              ICMP/Timestamp Reply|                 240|
      ICMP/Destination Unreachable/Net Unreachable|                2528|
  ...ely Prohibited/Communication with Destination|                1926|
                  ICMP/Mobile Registration Request|                  40|
                                               UDP|          9144098728|
      ICMP/Redirect/Redirect Datagram for the Host|             4420464|
  ...ely Prohibited/Communication Administratively|              121072|
                                               ESP|          2016797148|
                                    ICMP/Timestamp|               23184|
                                             Other|            45378570|
  ...nreachable/Communication with Destination Net|                 684|
  ...Redirect Datagram for the Network (or subnet)|               46368|
                           ICMP/Address Mask Reply|                 200|
                         ICMP/Address Mask Request|                 752|
                                ICMP/Source Quench|              723452|
                             ICMP/Router Selection|                  20|
                          ICMP/Information Request|                 280|
     ICMP/Destination Unreachable/Host Unreachable|               83596|
  ...ime Exceeded/Time to Live exceeded in Transit|            72994488|
                    ICMP/Mobile Registration Reply|                 168|
                                               TCP|         41529153399|
     ICMP/Destination Unreachable/Port Unreachable|              544784|
                         ICMP/Mobile Host Redirect|                  56|
                                   ICMP/Echo Reply|            24861813|

  $ rwfilter --start=2007/07/30:00 --type=in --proto=0-255 --pass=stdout \
    --pmap-file=icmp.pmap --pmap-dport="ICMP/Echo" \
    | rwuniq --pmap-file=icmp.pmap --fields=dval --bytes --delim=" "

  dval      Bytes
  ICMP/Echo 19991803

etc.
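To make the lookup semantics concrete, here is an added Python example (not part of the original post and not SiLK code) that parses an excerpt of the proto-port pmap text above in the same syntax, applies the type*256 + code encoding that puts ICMP type and code into the destination port field, and resolves a protocol/port pair to its label. It assumes that a later, more specific entry overrides an earlier, broader one, which is how the file above is laid out (defaults first, specific ranges after).

```python
# Constructed excerpt of the proto-port pmap text shown above (same syntax,
# fewer entries). Comments and the "mode" line are handled as in the file.
PMAP_TEXT = """\
mode proto-port
# default for every protocol
0 255 Other
1 1 ICMP/Undefined
1/0 1/255 ICMP/Echo Reply
1/768 1/768 ICMP/Destination Unreachable/Net Unreachable
1/771 1/771 ICMP/Destination Unreachable/Port Unreachable
1/2048 1/2303 ICMP/Echo
1/2304 1/2304 ICMP/Router Advertisement/Normal router advertisement
1/2816 1/2816 ICMP/Time Exceeded/Time to Live exceeded in Transit
6 6 TCP
17 17 UDP
"""

def icmp_dport(icmp_type, icmp_code):
    """ICMP type/code as stored in the destination port: type*256 + code."""
    return (icmp_type << 8) | icmp_code

def _bound(token, is_high):
    # "6" alone covers every port of protocol 6; "1/768" is protocol 1, port 768.
    if '/' in token:
        proto, port = token.split('/')
        return (int(proto), int(port))
    return (int(token), 65535 if is_high else 0)

def parse_proto_port_pmap(text):
    """Return (lo_proto, lo_port, hi_proto, hi_port, label) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith('mode'):
            continue
        lo, hi, label = line.split(None, 2)    # label may contain spaces
        entries.append(_bound(lo, False) + _bound(hi, True) + (label,))
    return entries

def lookup(entries, proto, port):
    """Assumption: the last matching range in file order wins (specific over default)."""
    key = (proto, port)   # (proto, port) tuples order exactly like the pmap key space
    result = None
    for lo_p, lo_port, hi_p, hi_port, label in entries:
        if (lo_p, lo_port) <= key <= (hi_p, hi_port):
            result = label
    return result

def label_for_icmp(entries, icmp_type, icmp_code):
    """Decode an ICMP type/code the way rwuniq's dval column would show it."""
    return lookup(entries, 1, icmp_dport(icmp_type, icmp_code))
```

Codes that have no specific entry fall through to the broad `1 1 ICMP/Undefined` range, which is why that label shows up as a separate line in the rwuniq output above.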