vancetech has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a small UDP port scanner that just relys on an ICMP response to detect non-filtered/closed ports.

For some reason my code is returning an ICMP type 69 Code 1 which is not a valid type that I can see. I'd expect a type 3 ( Destination Unreachable ) not an undefined type.

Am I deciphering the ICMP packet I'm receiving wrong? Here is the code I am using: 
#!/usr/bin/perl

use IO::Socket;

#
#    Scan UDP ports
#
$|++;
my @ports = ( 53, 514, 15555 );
scan_udp_ports( 'localhost', \@ports );


sub scan_udp_ports {
    my $host = shift;
    my $ports = shift;

    my($closed, $open, $filtered);

    #    Setup ICMP listen
    my $icmp = IO::Socket::INET->new(
                        Proto        =>    'icmp',
                        Blocking    =>    0
                        ) or die("No ICMP listen");

    foreach my $port ( @$ports ) {

        print "Scanning $port\n";

        #    Setup UDP send connection
        $client = IO::Socket::INET->new(
                        PeerPort    =>    $port,
                        PeerAddr    =>    $host,
                        Proto        =>    'udp',
                        Blocking    =>    0
                        ) or die("No server $!");

        #    Send UDP packet
        $client->send( undef );
        sleep( 5 );
        my $icmpbuffer = icmp_recv( $icmp );

        #    Check for response
        my $flags;
        if( $client->recv( $dgram, 10, $flags ) ) {
            print "This udp port $port at host $host responded!\n";
        }
    }
}

sub icmp_recv {
    my $icmp = shift;

    #    Listen for ICMP response
    my $icmpbuffer;
    if( my $icmpr = $icmp->recv( $icmpbuffer, 1024, 0 ) ) {
        print "ICMP Type: " . unpack("%8C", $icmpbuffer) . "\n";
        print "ICMP Code: " . unpack("%8c", substr($icmpbuffer, 9)) . 
+"\n";
        print "ICMP Checksum: " . unpack("%8c", substr($icmpbuffer, 33
+)) . "\n";
    }
    return $icmpbuffer;
}

[download]

Replies are listed 'Best First'.
Re: Invalid ICMP type 69
by RMGir (Prior) on Nov 03, 2006 at 19:12 UTC
    I'm far from a pack/unpack expert, but isn't the ICMP type only one byte?

    Yup, it is.

    I'd suggest taking another look at your unpack templates, perhaps.


    Mike
[reply]
      After looking at Net::Ping I can see that the received ICMP packet type data starts 20 bytes into the packet. The following code sucessfully unpacks the ICMP Type and Sub-Code. 
      my($fromtype, $fromsubcode) = unpack("C2", substr($icmpbuffer, 20, 2) 
+);

      [download]
      Likewise, the NetPacket::ICMP->decode() function requires the same section of the packet and not the full packet that is returned. I wonder what the first portion of the packet is.
[reply]
[d/l]
[reply]
[d/l]
Re: Invalid ICMP type 69
by NetWallah (Canon) on Nov 03, 2006 at 18:37 UTC
    You may be unpacking the packet incorrectly - this will be difficult to diagnose. I suggest using NetPacket::ICMP and related Netpacket/pcap modules to make your code more readable/reliabe/standard.

         "A closed mouth gathers no feet." --Unknown

[reply]
      I installed NetPacket and used it to decode in icmp_recv like this: 
      sub icmp_recv {
    my $icmp = shift;

    #    Listen for ICMP response
    my $icmpbuffer;
    if( my $icmpr = $icmp->recv( $icmpbuffer, 1024, 0 ) ) {
        my $obj = NetPacket::ICMP->decode( $icmpbuffer );
        print Dumper( $obj );
    }
    return $icmpbuffer;
}

      [download]
      which returns this: 
      $VAR1 = bless( {
                 '_parent' => undef,
                 'data' => 'r@
¿ßEr@
Ìäà',
                 'cksum' => 9216,
                 'type' => 69,
                 '_frame' => 'E$r@
¿ßEr@
Ìäà',
                 'code' => 0
               }, 'NetPacket::ICMP' );

      [download]
[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom