CERT

This Tool Tip deals with how to filter on and display specific ICMP Type and
Code combinations, using the following commands:

  rwfilter --icmp-type=8 --icmp-code=0
  rwcut --fields=icmpTypeCode
  rwuniq --fields=icmpTypeCode
  rwsort --fields=icmpTypeCode
  rwstats --icmp

SiLK stores ICMP type and code information in the 16-bit "dport" field in a bit-packed form which is readable as an integer, but is not intuitive to map to the correct ICMP type and code values. The options shown above were added to allow filtering or display of the ICMP type and code values as their original 8-bit integer values.
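To make the packing concrete, here is an added example (not SiLK code) that packs and unpacks the dport field the way SiLK's listings on this page imply: type in the high byte, code in the low byte, so 781 decodes to type 3 / code 13 and 2048 to type 8 / code 0. It also models rwcut's rule of decoding only ICMP records; the sample records and the helper names are constructed for the example.

```python
from typing import List, Optional, Tuple

ICMP_PROTO = 1  # IP protocol number for ICMP

def pack_icmp_type_code(icmp_type: int, icmp_code: int) -> int:
    """Return the 16-bit dport value SiLK stores for an ICMP type/code pair:
    type in the high byte, code in the low byte (type*256 + code)."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("ICMP type and code are 8-bit values")
    return (icmp_type << 8) | icmp_code

def unpack_icmp_type_code(dport: int) -> Tuple[int, int]:
    """Split a packed dport back into (type, code)."""
    if not 0 <= dport <= 0xFFFF:
        raise ValueError("dport is a 16-bit value")
    return dport >> 8, dport & 0xFF

def icmp_type_code_for_record(proto: int, dport: int) -> Optional[Tuple[int, int]]:
    """Model rwcut --fields=icmpTypeCode: decode only when the record is ICMP;
    for any other protocol the same bits are a real port, so report nothing."""
    if proto != ICMP_PROTO:
        return None
    return unpack_icmp_type_code(dport)

# Constructed sample records (proto, sport, dport); the first three are taken
# from the rwcut listing further down this page.
SAMPLE_RECORDS = [
    (6, 52336, 9200),
    (1, 0, 781),
    (50, 56698, 41556),
    (1, 0, 2048),
    (17, 53, 500),
]

def render_like_rwcut(records) -> List[str]:
    """Produce rows in the pro|dPort|iTy|iCo| layout rwcut prints."""
    rows = ["pro|dPort|iTy|iCo|"]
    for proto, _sport, dport in records:
        tc = icmp_type_code_for_record(proto, dport)
        ity, ico = ("", "") if tc is None else (str(tc[0]), str(tc[1]))
        rows.append(f"{proto:>3}|{dport:>5}|{ity:>3}|{ico:>3}|")
    return rows

if __name__ == "__main__":
    print("\n".join(render_like_rwcut(SAMPLE_RECORDS)))
```

Running the script prints the same kind of table as rwcut: the TCP and ESP records show empty iTy/iCo columns, while the ICMP records show 3/13 and 8/0.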

rwfilter

rwfilter can select records based on their ICMP Type and Code values. With

  rwfilter --icmp-type=8 --icmp-code=0

the analyst can select ICMP ECHO REQUEST traffic.

Warning

rwfilter automatically adds the condition --proto=1 to the filter when either of the --icmp-* options is used.

A chain of these could be used, for example, to filter out the common ICMP types and codes, leaving only anomalous types and codes that may be especially interesting to analyze:

  # Each stage discards one common type/code and sends everything else on
  # via --fail; --proto=1 is implied by the --icmp-* options. Ending each
  # line with "|" lets a comment and a line break follow it.
  [INITIAL DATA PULL HERE ] --proto=1 --pass=stdout |
  rwfilter --icmp-type=8 --icmp-code=0 --input-pipe=stdin --fail=stdout |            # echo request
  rwfilter --icmp-type=0 --icmp-code=0 --input-pipe=stdin --fail=stdout |            # echo reply
  rwfilter --icmp-type=11 --icmp-code=0 --input-pipe=stdin --fail=stdout |           # time exceeded
  rwfilter --icmp-type=3 --icmp-code=0-4 --input-pipe=stdin --fail=unusual-icmp.rwf  # unreachable
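The pass/fail chaining above is easy to get backwards, so here is an added example (not SiLK code) that models it: each stage takes an ICMP type and a code spec in the N or N-M form used above, splits its input into a pass set and a fail set, and the chain forwards the fail set to the next stage, so only uncommon type/code pairs survive. The comma-separated code list the parser also accepts, the sample flows and the function names are this example's own assumptions.

```python
from typing import List, Set, Tuple

ICMP_PROTO = 1
Flow = Tuple[int, int]  # (proto, dport) with dport holding the packed type/code

def parse_code_range(spec: str) -> Set[int]:
    """Parse '0', '0-4' or '0-4,13' into a set of ICMP codes."""
    codes: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        start, end = int(lo), int(hi) if hi else int(lo)
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad code range: {part}")
        codes.update(range(start, end + 1))
    return codes

def icmp_filter(flows: List[Flow], icmp_type: int, code_spec: str):
    """Emulate rwfilter --icmp-type=T --icmp-code=SPEC and return (pass, fail).
    Non-ICMP records always land in fail, because --proto=1 is implied."""
    codes = parse_code_range(code_spec)
    passed: List[Flow] = []
    failed: List[Flow] = []
    for proto, dport in flows:
        is_match = (proto == ICMP_PROTO
                    and (dport >> 8) == icmp_type
                    and (dport & 0xFF) in codes)
        (passed if is_match else failed).append((proto, dport))
    return passed, failed

# The four stages of the chain above: (type, code spec).
COMMON_ICMP = [(8, "0"), (0, "0"), (11, "0"), (3, "0-4")]

def unusual_icmp(flows: List[Flow], common=COMMON_ICMP) -> List[Flow]:
    """Run the chain: the initial pull keeps proto=1 only, then the fail
    side of each stage feeds the next stage."""
    remaining = [f for f in flows if f[0] == ICMP_PROTO]
    for icmp_type, spec in common:
        _passed, remaining = icmp_filter(remaining, icmp_type, spec)
    return remaining

# Constructed sample flows (proto, dport); dport = type*256 + code.
SAMPLE_FLOWS: List[Flow] = [
    (1, 8 * 256 + 0),    # echo request
    (1, 0 * 256 + 0),    # echo reply
    (1, 3 * 256 + 3),    # port unreachable
    (1, 3 * 256 + 13),   # administratively prohibited: survives the chain
    (1, 11 * 256 + 0),   # time exceeded
    (1, 12 * 256 + 0),   # parameter problem: survives the chain
    (6, 9200),           # TCP, dropped by the proto=1 pull
]

if __name__ == "__main__":
    for proto, dport in unusual_icmp(SAMPLE_FLOWS):
        print(f"proto={proto} type={dport >> 8} code={dport & 0xFF}")
```

Only the type 3 / code 13 and type 12 / code 0 flows come out the end, which is exactly what would be written to unusual-icmp.rwf by the last stage of the real chain.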

rwcut

  $ rwcut --fields=proto,sport,dport,icmpTypeCode file.rwf
  pro|sPort|dPort|iTy|iCo|
    6|52336| 9200|   |   |
    1|    0|  781|  3| 13|
   50|56698|41556|   |   |
   50|16582| 5231|   |   |
    1|    0|  781|  3| 13|

Note

When using rwcut the type and code values are only displayed when the protocol is ICMP.

rwuniq

The situation is similar, but more subtle, for rwuniq: it will decode every dport field into ICMP Type and Code unless the "protocol" field is also included in its list of key fields. The reason for this is that unless "protocol" is one of the key fields, any particular row of the output could be a mixture of different protocols (both ICMP and non-ICMP).

  $ rwuniq --fields=dport,icmpTypeCode file.rwf | head -5
  dPort|iTy|iCo|   Records|
  33442|130|162|         1|
  53795|210| 35|         1|
    781|  3| 13|         7|
    500|  1|244|         2|
  $ rwuniq --fields=proto,dport,icmpTypeCode file.rwf | head -5
  pro|dPort|iTy|iCo|   Records|
    6| 9200|   |   |        32|
    6| 9201|   |   |         3|
   50| 6860|   |   |         1|
    1|  771|  3|  3|         1|

rwsort

What rwsort actually does when passed --fields=icmpTypeCode is to sort on dport, which amounts to roughly the same thing as sorting on ICMP type and then code. When more than one protocol is present, the ICMP records may not be listed contiguously:

  $ rwsort --fields=icmpTypeCode file.rwf |rwcut --fields=proto,dport,icmpTypeCode
  pro|dPort|iTy|iCo|
    1|    0|  0|  0|
   17|  500|   |   |
    1|  781|  3| 13|
    1|  781|  3| 13|
    1| 2048|  8|  0|
   50| 4630|   |   |

So the best way to use rwsort is either to filter on ICMP traffic only or to sort on protocol first:

  $ rwsort --fields=proto,icmpTypeCode file.rwf | rwcut --fields=proto,dport,icmpTypeCode
  pro|dPort|iTy|iCo|
    1|    0|  0|  0|
    1|  781|  3| 13|
    1|  781|  3| 13|
    1| 2048|  8|  0|
    6|16800|   |   |
    6|16800|   |   |
   17|  500|   |   |
   17|16800|   |   |
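The rwuniq and rwsort behaviour above comes down to the same thing: a key or sort field built on the packed dport alone mixes ICMP with every other protocol, and adding proto to the key fixes it. This added example (not SiLK code) shows both effects on constructed sample flows drawn from the listings above: counting by dport alone yields a bogus type/code for a UDP flow on port 500, counting by proto and dport decodes only ICMP rows, and sorting by dport alone interleaves ICMP with other protocols while sorting by proto first keeps it contiguous. Function names are the example's own.

```python
from collections import Counter
from typing import List, Optional, Tuple

ICMP_PROTO = 1
Flow = Tuple[int, int]  # (proto, dport)

def unpack_icmp_type_code(dport: int) -> Tuple[int, int]:
    """High byte is the ICMP type, low byte the code."""
    return dport >> 8, dport & 0xFF

# Constructed sample flows taken from the rwsort/rwuniq listings above.
SAMPLE_FLOWS: List[Flow] = [
    (1, 0), (17, 500), (1, 781), (1, 781), (1, 2048), (50, 4630),
    (6, 9200), (6, 9200), (17, 33442),
]

def uniq_by_dport(flows: List[Flow]) -> List[Tuple[int, int, int, int]]:
    """Model rwuniq --fields=dport,icmpTypeCode: with no proto in the key,
    every dport is decoded, so rows (dport, type, code, count) may be
    non-ICMP traffic wearing a meaningless type/code."""
    counts = Counter(dport for _proto, dport in flows)
    return [(d, *unpack_icmp_type_code(d), n) for d, n in sorted(counts.items())]

def uniq_by_proto_dport(flows: List[Flow]) -> List[Tuple[int, int, Optional[Tuple[int, int]], int]]:
    """Model rwuniq --fields=proto,dport,icmpTypeCode: each row is one
    protocol, so type/code is decoded only when that protocol is ICMP."""
    counts = Counter(flows)
    rows = []
    for (proto, dport), n in sorted(counts.items()):
        tc = unpack_icmp_type_code(dport) if proto == ICMP_PROTO else None
        rows.append((proto, dport, tc, n))
    return rows

def sort_by_dport(flows: List[Flow]) -> List[Flow]:
    """Model rwsort --fields=icmpTypeCode, which really sorts on dport."""
    return sorted(flows, key=lambda f: f[1])

def sort_by_proto_dport(flows: List[Flow]) -> List[Flow]:
    """Model rwsort --fields=proto,icmpTypeCode."""
    return sorted(flows)

def icmp_rows_contiguous(sorted_flows: List[Flow]) -> bool:
    """True when all ICMP flows form a single unbroken run in the output."""
    flags = [proto == ICMP_PROTO for proto, _dport in sorted_flows]
    runs = sum(1 for i, f in enumerate(flags) if f and (i == 0 or not flags[i - 1]))
    return runs <= 1

if __name__ == "__main__":
    for row in uniq_by_dport(SAMPLE_FLOWS):
        print("dport-only key:", row)
    for row in uniq_by_proto_dport(SAMPLE_FLOWS):
        print("proto+dport key:", row)
    print("ICMP contiguous sorted by dport:", icmp_rows_contiguous(sort_by_dport(SAMPLE_FLOWS)))
    print("ICMP contiguous sorted by proto,dport:", icmp_rows_contiguous(sort_by_proto_dport(SAMPLE_FLOWS)))
```

The dport-only key reports the UDP port 500 flow as type 1 / code 244, matching the first rwuniq listing above; with proto in the key that row carries no type/code at all.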

rwstats

For rwstats, the option --icmp may not be paired with any other key field option, and it assumes that all input is ICMP. Therefore, you need to filter down to ICMP traffic only first.

Warning

You must filter for --proto=1 before passing data to rwstats --icmp!

  $ rwfilter --proto=1 --pass=stdout file.rwf | rwstats --icmp --top --count=20
  INPUT SIZE: 456 records for 10 unique keys
  ICMP TYPE/CODE Key: Top 20 flow counts
       icmpType|       icmpCode|             Records|%_of_total|   cumul_%|
              8|              0|                 266| 58.333333| 58.333333|
              3|              3|                 106| 23.245614| 81.578947|
              3|             13|                  52| 11.403509| 92.982456|
              0|              0|                  20|  4.385965| 97.368421|
              3|              0|                   3|  0.657895| 98.026316|
             11|              0|                   3|  0.657895| 98.684211|
             12|              0|                   2|  0.438596| 99.122807|
              3|             10|                   2|  0.438596| 99.561404|
              3|              4|                   1|  0.219298| 99.780702|
              3|              1|                   1|  0.219298|100.000000|