On 2/3/07, Jon Hart <jhart314@users.sourceforge.net> wrote:
Update of /cvsroot/secureideas/base-php4
In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv15377

Modified Files:
        base_payload.php
Log Message:

fix ICMP appendage to pcap.

only ICMP (echo|timestamp|info) (req|rep) use ICMP id and seq


Index: base_payload.php
===================================================================
RCS file: /cvsroot/secureideas/base-php4/base_payload.php,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- base_payload.php    3 Feb 2007 06:51:15 -0000       1.6
+++ base_payload.php    3 Feb 2007 07:19:11 -0000       1.7
@@ -302,8 +302,11 @@
          $data_header.= sprintf("%02s", dechex((float) $l4[0])); // type
          $data_header.= sprintf("%02s", dechex((float) $l4[1])); // code
          $data_header.= sprintf("%04s", dechex((float) $l4[2])); // sum
-         $data_header.= sprintf("%04s", dechex((float) $l4[3])); // id
-         $data_header.= sprintf("%04s", dechex((float) $l4[4])); // seq
+         // only echo req/rep, timestamp, info req/rep have id/seq
+         if ($l4[0] == 0 || $l4[0] == 8 || ($l4[0] >= 13 && $l4[0] <= 16)) {
+            $data_header.= sprintf("%04s", dechex((float) $l4[3])); // id
+            $data_header.= sprintf("%04s", dechex((float) $l4[4])); // seq
+         }
       } elseif ($ip[7] == 6) {
          $data_header.= sprintf("%04s", dechex((float) $l4[0])); // source port
          $data_header.= sprintf("%04s", dechex((float) $l4[1])); // dest port
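Review bot: the new `if` in this hunk makes the emitted ICMP header 4 bytes short for every type other than 0, 8 and 13-16. An ICMP header is always 8 bytes; for the excluded types bytes 4-7 still exist on the wire (unused/zero for destination unreachable and time exceeded, the gateway address for redirect, the pointer for parameter problem), so unless the payload appended after `$data_header` already starts with those 4 bytes, the pcap record will be misaligned and readers will parse the first 4 payload bytes as the rest of the header. Suggest always writing 8 bytes, e.g. keep the two `sprintf("%04s", ...)` lines unconditionally (treating `$l4[3]`/`$l4[4]` as the raw rest-of-header, or emitting `"00000000"` when they are not set for that type) rather than branching on type. If the branch stays, the comment on the `if` should list the numeric types it admits (0, 8, 13, 14, 15, 16) so the magic numbers in `$l4[0] >= 13 && $l4[0] <= 16` are documented next to the test.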


It seems it would make more sense to not do this.  This adds complexity to the code where it is not necessary.  There are other type/code combinations than those this code considers, see http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html .  Even so, the packets logged by snort may not be of valid type/code combinations, in which case you would want to show the results.  Kind of a garbage in, garbage out approach.

Axton Grams