layer-4 firewall functionalities - networking

Why can't a layer-4 firewall (a device that can look at all protocol headers up to the transport layer) block all ICMP traffic?
ICMP is an IP-layer protocol. Why can't we block all ICMP traffic using a layer-4 firewall? Can it not be done by blocking IP addresses and port numbers?

To block it, block IP protocol 01, which is the number for ICMP: http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
Port numbers are a layer-4 concept; ICMP is at layer 3.
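The point of the answer above is that a port-only rule can never describe ICMP, because the ICMP header has no port fields; a rule that matches the IP header's protocol field does. The following is an added illustration, not code from the original post: a minimal IPv4 header parser plus a first-match rule evaluator, run over two constructed packets (an ICMP echo request and a TCP SYN to port 80). The rule model, the default-accept policy and the sample packets are assumptions of the example.

```python
import struct
from typing import List, NamedTuple, Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17   # IANA protocol numbers


class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: Optional[int]   # None when the protocol has no ports (e.g. ICMP)
    dport: Optional[int]


def parse_ipv4(raw: bytes) -> Packet:
    """Read the IPv4 header; read transport ports only for TCP and UDP."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                       # header length in bytes
    proto = raw[9]                                  # the 'protocol' field
    src = ".".join(str(b) for b in raw[12:16])      # addresses live in the IP header
    dst = ".".join(str(b) for b in raw[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # Both TCP and UDP headers start with 16-bit source and destination ports.
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(src, dst, proto, sport, dport)


class Rule(NamedTuple):
    action: str                   # "drop" or "accept"
    proto: Optional[int] = None   # match on IP protocol number, or any
    dport: Optional[int] = None   # match on transport destination port, or any


def first_match(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """First-match evaluation; 'default' is the policy when nothing matches (assumed)."""
    for rule in rules:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue        # pkt.dport is None for ICMP, so a port rule never matches it
        return rule.action
    return default


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksum left zero) plus payload."""
    def to_bytes(ip: str) -> bytes:
        return bytes(int(x) for x in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


# Constructed samples: an ICMP echo request and a TCP SYN to port 80.
ICMP_ECHO = build_ipv4(IPPROTO_ICMP, "10.0.0.5", "10.0.0.1",
                       struct.pack("!BBHHH", 8, 0, 0, 1, 1))
TCP_SYN = build_ipv4(IPPROTO_TCP, "10.0.0.5", "10.0.0.1",
                     struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0))

# Port-based rules alone: ICMP slips through because it has no ports to match.
PORT_RULES = [Rule("drop", dport=80)]
# Matching on the IP protocol number is what actually stops ICMP.
PROTO_RULES = [Rule("drop", proto=IPPROTO_ICMP)]


if __name__ == "__main__":
    for name, raw in (("ICMP echo", ICMP_ECHO), ("TCP SYN", TCP_SYN)):
        pkt = parse_ipv4(raw)
        print(name, pkt, "| port rules ->", first_match(PORT_RULES, pkt),
              "| proto rules ->", first_match(PROTO_RULES, pkt))
```

On a real Linux host the protocol-number rule is simply `iptables -A INPUT -p icmp -j DROP` (or its nftables equivalent); the example only makes visible why the match has to be on the protocol field and not on ports.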

Related

How does the DHCP server know my IP Address?

The destination of packets No. 17, 22, 200, 390, 531 and 535 should be a broadcast address, but why is it my IP address?
Note that I have released my IP.
There are only specific circumstances where the DHCPOFFER and DHCPACK should be broadcast. In most cases, those should be unicast back to the requesting host.
The server knows the MAC address of the requesting host, so the frame is unicast back to the requesting host unless the requesting host has set the broadcast bit in the DHCPREQUEST.
See RFC 2131, Dynamic Host Configuration Protocol:
Normally, DHCP servers and BOOTP relay agents attempt to deliver
DHCPOFFER, DHCPACK and DHCPNAK messages directly to the client using
unicast delivery. The IP destination address (in the IP header) is
set to the DHCP 'yiaddr' address and the link-layer destination
address is set to the DHCP 'chaddr' address. Unfortunately, some
client implementations are unable to receive such unicast IP datagrams
until the implementation has been configured with a valid IP address
(leading to a deadlock in which the client's IP address cannot be
delivered until the client has been configured with an IP address).
A client that cannot receive unicast IP datagrams until its protocol
software has been configured with an IP address SHOULD set the
BROADCAST bit in the 'flags' field to 1 in any DHCPDISCOVER or
DHCPREQUEST messages that client sends. The BROADCAST bit will
provide a hint to the DHCP server and BOOTP relay agent to broadcast
any messages to the client on the client's subnet. A client that can
receive unicast IP datagrams before its protocol software has been
configured SHOULD clear the BROADCAST bit to 0. The BOOTP
clarifications document discusses the ramifications of the use of the
BROADCAST bit [21].
-and-
In the case of a client using DHCP for initial configuration (before
the client's TCP/IP software has been completely configured), DHCP
requires creative use of the client's TCP/IP software and liberal
interpretation of RFC 1122. The TCP/IP software SHOULD accept and
forward to the IP layer any IP packets delivered to the client's
hardware address before the IP address is configured; DHCP servers and
BOOTP relay agents may not be able to deliver DHCP messages to clients
that cannot accept hardware unicast datagrams before the TCP/IP
software is configured.
To work around some clients that cannot accept IP unicast datagrams
before the TCP/IP software is configured as discussed in the previous
paragraph, DHCP uses the 'flags' field [21]. The leftmost bit is
defined as the BROADCAST (B) flag. The semantics of this flag are
discussed in section 4.1 of this document. The remaining bits of the
flags field are reserved for future use. They MUST be set to zero by
clients and ignored by servers and relay agents. Figure 2 gives the
format of the 'flags' field.
                                    1 1 1 1 1 1
                0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               |B|             MBZ             |
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               B:  BROADCAST flag

               MBZ:  MUST BE ZERO (reserved for future use)

               Figure 2:  Format of the 'flags' field
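To make the RFC text above concrete, here is an added example (not part of the original answer) that parses the fixed part of a DHCP message, reads the BROADCAST bit from the 'flags' field, and applies the server-side delivery rules of RFC 2131 section 4.1: reply via the relay agent when giaddr is set, to ciaddr when the client already has one, by broadcast when the B flag is set, and otherwise by unicast to the offered yiaddr with the link-layer destination set to chaddr. The constructed DHCPDISCOVER, the client MAC and the helper names are assumptions of the example.

```python
import struct
from typing import NamedTuple, Optional

# Fixed part of a DHCP message (RFC 2131 figure 1): 236 bytes before the options.
DHCP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BROADCAST_FLAG = 0x8000           # leftmost bit of the 16-bit 'flags' field (figure 2)
ZERO_IP = b"\x00\x00\x00\x00"
MAGIC_COOKIE = b"\x63\x82\x53\x63"


class DhcpHeader(NamedTuple):
    op: int
    htype: int
    hlen: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: bytes
    yiaddr: bytes
    siaddr: bytes
    giaddr: bytes
    chaddr: bytes                 # trimmed to 'hlen' bytes


def parse_dhcp(raw: bytes) -> DhcpHeader:
    """Unpack the fixed header; options after the magic cookie are ignored here."""
    if raw[DHCP_HEADER.size:DHCP_HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    f = DHCP_HEADER.unpack_from(raw)
    return DhcpHeader(*f[:11], chaddr=f[11][:f[2]])


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


class Delivery(NamedTuple):
    ip_dst: str
    mac_dst: Optional[str]        # None: resolve normally (ARP), as for any routed packet
    udp_port: int


def reply_delivery(req: DhcpHeader, offered_ip: str) -> Delivery:
    """Where a DHCPOFFER/DHCPACK answering 'req' goes, per RFC 2131 section 4.1."""
    if req.giaddr != ZERO_IP:                 # request came through a relay agent
        return Delivery(ip_str(req.giaddr), None, 67)
    if req.ciaddr != ZERO_IP:                 # client already has an address (renewal)
        return Delivery(ip_str(req.ciaddr), mac_str(req.chaddr), 68)
    if req.flags & BROADCAST_FLAG:            # client cannot receive unicast yet
        return Delivery("255.255.255.255", "ff:ff:ff:ff:ff:ff", 68)
    # Default: IP destination = the offered yiaddr, link-layer destination = chaddr.
    return Delivery(offered_ip, mac_str(req.chaddr), 68)


def build_discover(mac: bytes, broadcast: bool, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER: fixed header plus magic cookie, no further options."""
    flags = BROADCAST_FLAG if broadcast else 0
    return DHCP_HEADER.pack(1, 1, 6, 0, xid, 0, flags, ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                            mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128) + MAGIC_COOKIE


CLIENT_MAC = bytes.fromhex("525400123456")   # constructed sample MAC


if __name__ == "__main__":
    for broadcast in (False, True):
        req = parse_dhcp(build_discover(CLIENT_MAC, broadcast))
        print("B flag set:", bool(req.flags & BROADCAST_FLAG), "->",
              reply_delivery(req, "192.168.1.50"))
```

With the B flag clear the reply is addressed to the offered address and the client's MAC, which is exactly the unicast destination the question observed in the capture; setting the flag is what turns the same reply into a broadcast.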

How does Wireshark identify a TCP packet's protocol as HTTP?

A port number equal to 80 is obviously not a sufficient condition. Is it a necessary condition that Wireshark has found a request or response message in the application-layer payload?
I'm not sure this is a full answer, but here is what I know regarding Wireshark's identification of HTTP packets (all items below are dissected as HTTP):
TCP port 80
TCP or UDP ports 8080, 8008, 591
TCP traffic (on all ports) that has a line end (CRLF) where the line begins or ends with the string "HTTP/1.1"
SSDP (Simple Service Discovery Protocol) in TCP or UDP port 1900
DAAP (Apple's Digital Audio Access Protocol) in TCP port 3689
IPP (Internet Printing Protocol) in TCP port 631
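The list above mixes port-based rules with one content heuristic. As an added example (not code from the answer or from Wireshark itself), the classifier below implements exactly those listed rules: the HTTP port sets for TCP and UDP, the three other port-registered dissectors, and the CRLF/"HTTP/1.1" line check for TCP on any port. Checking both source and destination port, and trying port rules before the content heuristic, are assumptions of the example.

```python
from typing import Optional

# Port rules as listed in the answer (both directions are checked; assumed).
HTTP_PORTS_TCP = {80, 8080, 8008, 591}
HTTP_PORTS_UDP = {8080, 8008, 591}
PORT_DISSECTORS_TCP = {1900: "SSDP", 3689: "DAAP", 631: "IPP"}
PORT_DISSECTORS_UDP = {1900: "SSDP"}


def looks_like_http_line(payload: bytes) -> bool:
    """Content heuristic: first line is CRLF-terminated and starts or ends with HTTP/1.1."""
    end = payload.find(b"\r\n")
    if end < 0:
        return False                     # no line end at all: heuristic does not fire
    first_line = payload[:end]
    return first_line.startswith(b"HTTP/1.1") or first_line.endswith(b"HTTP/1.1")


def classify(transport: str, sport: int, dport: int, payload: bytes) -> Optional[str]:
    """Return the dissector name the listed rules select, or None if none applies."""
    ports = (sport, dport)
    if transport == "tcp":
        if any(p in HTTP_PORTS_TCP for p in ports):
            return "HTTP"                # port alone is enough, payload not inspected
        for p in ports:
            if p in PORT_DISSECTORS_TCP:
                return PORT_DISSECTORS_TCP[p]
        if looks_like_http_line(payload):
            return "HTTP"                # any TCP port, decided by content
    elif transport == "udp":
        if any(p in HTTP_PORTS_UDP for p in ports):
            return "HTTP"
        for p in ports:
            if p in PORT_DISSECTORS_UDP:
                return PORT_DISSECTORS_UDP[p]
        # The answer lists no content heuristic for UDP, so none is applied.
    return None


# Constructed sample flows: (transport, sport, dport, payload).
SAMPLES = [
    ("tcp", 51234, 80, b"\x16\x03\x01"),                          # port 80, non-HTTP bytes
    ("tcp", 51234, 9999, b"GET / HTTP/1.1\r\nHost: a.test\r\n\r\n"),  # request on odd port
    ("tcp", 9999, 51234, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("tcp", 51234, 9999, b"GET / HTTP/1.1"),                      # no CRLF: not dissected
    ("udp", 51234, 1900, b"M-SEARCH * HTTP/1.1\r\n"),
    ("tcp", 51234, 3689, b""),
]


if __name__ == "__main__":
    for transport, sport, dport, payload in SAMPLES:
        print(transport, sport, "->", dport, payload[:20], "=>",
              classify(transport, sport, dport, payload))
```

The first sample is the practical caveat: traffic on port 80 is labelled HTTP regardless of content, so a non-HTTP protocol on that port still shows up as HTTP (with dissection errors), while real HTTP on an unusual port is only recognised if its first line passes the CRLF check.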

I want to clarify some things about IP Datagram and Ping

Are datagrams a protocol or not?
Is "Ping" (protocol ICMP) used in an IP DATAGRAM? Or is it using other protocols, such as TCP or UDP?
How do you know the message "Reply" on the way back?
Why does the Tel number stay the same?
https://en.wikipedia.org/wiki/IPv4#Protocol
Datagrams are basically the packets that go back and forth over the network at the IP level. Each of these packets can specify a protocol. You can have TCP, UDP, ICMP, etc. (see https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)
So to answer your question, yes, the protocol for datagrams is basically IP.
You can have higher-level protocols that run over IP, such as the ones above.
See https://en.wikipedia.org/wiki/Internet_protocol_suite
Ping uses the ICMP protocol.
Are datagrams a protocol or no?
'Datagram' is the name of the unit of transmission in the UDP protocol.
Is "Ping" (protocol ICMP) used in an IP DATAGRAM?
The question doesn't make sense. It would make more sense to say that the ICMP protocol is transmitted via IP packets.
Or is it using other protocols, such as TCP or UDP ?
ICMP is a protocol: you said so yourself; and it is layered over the IP protocol.

Why a TCP segment doesn't contain an IP address

Why does the TCP segment only contain the port numbers but no IP addresses? How does the packet know which host it is going to?
Because the TCP segment is encapsulated into an Internet Protocol (IP) datagram, and the IP datagram contains the source and destination IP.

How do you write a UDP port forwarder?

As UDP is a connectionless protocol, once the forwarder gets a packet and sends it to a target IP, and the target IP responds with data, how can the forwarder know which IP to send the packet to?
If you are talking about a standard gateway, it knows where to send it because the packet has a destination IP address and port.
If you are talking about NAT, then the router must remember what it has recently sent out and accept corresponding incoming packets. The router maintains a session internally, which will stay alive for some configured period.
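The NAT case in the answer above is a session table: the forwarder records which client/target pair it sent out of which public port, uses that mapping to deliver the reply, and drops the entry after a configured idle period. The class below is an added example of that state machine (not code from the answer), kept free of sockets so it runs offline with an injectable clock; the public IP, port range, 30-second timeout and the "only the host we sent to may reply" policy are assumptions of the example.

```python
import time
from typing import Callable, Dict, Optional, Tuple

Addr = Tuple[str, int]            # (ip, udp port)
Flow = Tuple[Addr, Addr]          # (client, target)


class UdpSessionTable:
    """State a UDP forwarder/NAT keeps so that replies can be mapped back to clients.

    by_flow: (client, target) -> (mapped public port, last-seen time)
    by_port: mapped public port -> (client, target)
    Entries expire after 'idle_timeout' seconds without traffic in either direction.
    """

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40999,
                 idle_timeout: float = 30.0, clock: Callable[[], float] = time.monotonic):
        self.public_ip = public_ip
        self.ports = range(first_port, last_port + 1)
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.by_flow: Dict[Flow, Tuple[int, float]] = {}
        self.by_port: Dict[int, Flow] = {}

    def _expire(self) -> None:
        now = self.clock()
        for flow, (port, seen) in list(self.by_flow.items()):
            if now - seen >= self.idle_timeout:
                del self.by_flow[flow]
                del self.by_port[port]

    def _free_port(self) -> int:
        for port in self.ports:
            if port not in self.by_port:
                return port
        raise RuntimeError("no free mapped ports")

    def outbound(self, client: Addr, target: Addr) -> Tuple[Addr, Addr]:
        """Packet from 'client' to 'target': return (rewritten source, destination)."""
        self._expire()
        flow = (client, target)
        if flow in self.by_flow:
            port = self.by_flow[flow][0]           # reuse the existing mapping
        else:
            port = self._free_port()
            self.by_port[port] = flow
        self.by_flow[flow] = (port, self.clock())  # refresh last-seen time
        return (self.public_ip, port), target

    def inbound(self, src: Addr, mapped_port: int) -> Optional[Addr]:
        """Reply from 'src' to our 'mapped_port': the client to forward to, or None."""
        self._expire()
        flow = self.by_port.get(mapped_port)
        if flow is None:
            return None                            # nothing recently sent from this port
        client, target = flow
        if src != target:
            return None                            # policy (assumed): only the target may reply
        self.by_flow[flow] = (mapped_port, self.clock())
        return client


if __name__ == "__main__":
    # Constructed walk-through with a fake clock: one DNS query and its reply, then expiry.
    fake_now = [0.0]
    nat = UdpSessionTable("203.0.113.1", clock=lambda: fake_now[0])
    print("out:", nat.outbound(("192.168.1.10", 5000), ("198.51.100.7", 53)))
    print("reply from target:", nat.inbound(("198.51.100.7", 53), 40000))
    print("reply from stranger:", nat.inbound(("198.51.100.9", 53), 40000))
    fake_now[0] = 31.0
    print("reply after timeout:", nat.inbound(("198.51.100.7", 53), 40000))
```

A real forwarder wraps this table around a bound UDP socket per mapped port: on a datagram from the inside it calls `outbound` and sends from the returned port, on a datagram arriving at a mapped port it calls `inbound` and relays to the returned client, and anything that yields None is dropped. The idle timeout is what the answer calls the session staying alive "for some configured period".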
