From d694fe69a65052c2039518aa29678c70b737e050 Mon Sep 17 00:00:00 2001
From: Eric
Date: Mon, 2 Sep 2013 17:58:20 -0400
Subject: [PATCH] UDP probe module updates saddr fieldset ICMP responses (e.g. DEST_UNREACH) to UDP probes (generally) contain the IP/UDP packet that ellicited the response, though they do not have to come from the host we sent them to (e.g. NETWORK_UNREACH). We will "correct" this by switching the saddr fieldset to be the host we WOULD have received a response from
---
 src/probe_modules/module_udp.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/probe_modules/module_udp.c b/src/probe_modules/module_udp.c
index 3f78819..19ab6dd 100644
--- a/src/probe_modules/module_udp.c
+++ b/src/probe_modules/module_udp.c
@@ -207,6 +207,10 @@ void udp_process_packet(const u_char *packet, UNUSED uint32_t len, fieldset_t *f
 fs_add_binary(fs, "data", (ntohs(udp->len) - sizeof(struct udphdr)), (void*) &udp[1], 0);
 } else if (ip_hdr->protocol == IPPROTO_ICMP) {
 struct icmphdr *icmp = (struct icmphdr *)((char *)ip_hdr + ip_hdr->ihl * 4);
+ struct iphdr *ip_inner = (struct iphdr*)&icmp[1];
+ // ICMP unreach comes from another server (not the one we sent a probe to);
+ // But we will fix up saddr to be who we sent the probe to, in case you care.
+ fs_modify_string(fs, "saddr", make_ip_str(ip_inner->daddr), 1);
 fs_add_string(fs, "classification", (char*) "icmp-unreach", 0);
 fs_add_uint64(fs, "success", 0);
 fs_add_null(fs, "sport");
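Review bot: The new `ip_inner->daddr` read in the ICMP branch is not bounded by the captured length: `len` is marked `UNUSED` in the signature shown in the hunk header, and `ip_inner` points just past the ICMP header into data the responding host controls, so a short or truncated ICMP packet could make this read run past the end of the capture buffer. Unless an earlier validation step (not visible here) already guarantees the quoted IP header is present, guard the rewrite with something like `if ((const u_char *)(ip_inner + 1) <= packet + len)` before the `fs_modify_string(...)` call, and drop `UNUSED` from `len`. The quoted header is also remote-supplied, so it is worth confirming that it matches a probe we sent (inner protocol UDP, inner source address ours) before reporting its `daddr` as `saddr`. The body of udp_process_packet starts and ends outside this hunk.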