Tuesday, October 6, 2009

Windows 7 - ICMP message type 12, code 0

Send a TCP packet with the IP "more fragments" bit set to any port on a Windows 7 host. The packet can be sent with no application payload and with arbitrary TCP flags.

Windows 7 will send back an ICMP message type 12, code 0 reply indicating a "parameter problem".

Now repeat the experiment, but increase the payload to 92 bytes. Any payload greater than 91 bytes will not result in the ICMP return packet.

Hmmm....

17:24:10.268903 IP (tos 0x0, ttl 64, id 2468, offset 0, flags [+], proto: TCP (6), length: 40) 192.168.100.1.445 > 192.168.100.129.445: S, cksum 0x3984 (correct), 950565187:950565187(0) win 512

0x0000: 4500 0028 09a4 2000 4006 0759 c0a8 6401 E..(....@..Y..d.
0x0010: c0a8 6481 01bd 01bd 38a8 7943 2ede 4647 ..d.....8.yC..FG
0x0020: 5002 0200 3984 0000 P...9...


17:24:10.269784 IP (tos 0x0, ttl 128, id 20600, offset 0, flags [none], proto: ICMP (1), length: 68) 192.168.100.129 > 192.168.100.1: ICMP parameter problem - octet 0, length 48

IP (tos 0x0, ttl 64, id 2468, offset 0, flags [+], proto: TCP (6), length: 40) 192.168.100.1.445 > 192.168.100.129.445: S, cksum 0x3984 (correct), 950565187:950565187(0) win 512

0x0000: 4500 0044 5078 0000 8001 a06d c0a8 6481 E..DPx.....m..d.
0x0010: c0a8 6401 0c00 3dec 0000 0002 4500 0028 ..d...=.....E..(
0x0020: 09a4 2000 4006 0759 c0a8 6401 c0a8 6481 ....@..Y..d...d.
0x0030: 01bd 01bd 38a8 7943 2ede 4647 5002 0200 ....8.yC..FGP...
0x0040: 3984 0000 9...
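
The reply above can be decoded by hand to see what the host quoted back. This is an added example, not code from the original post: it parses the 68 bytes of the second hex dump and reports the ICMP pointer, the quoted probe's fragment fields and its TCP payload length. The function names are hypothetical.

```python
import struct

# Added example; helper names are illustrative. Bytes are the ICMP reply
# copied from the second hex dump on this page (68 bytes).
REPLY = bytes.fromhex(
    "4500 0044 5078 0000 8001 a06d c0a8 6481 c0a8 6401 0c00 3dec 0000 0002"
    "4500 0028 09a4 2000 4006 0759 c0a8 6401 c0a8 6481 01bd 01bd 38a8 7943"
    "2ede 4647 5002 0200 3984 0000"
)


def parse_ipv4(buf):
    """Decode the IPv4 header fields used here; return (fields, payload)."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad header length")
    total_len, ident, frag = struct.unpack_from("!HHH", buf, 2)
    fields = {
        "ihl": ihl, "total_len": total_len, "id": ident,
        "mf": bool(frag & 0x2000),            # "more fragments" bit
        "frag_offset": (frag & 0x1FFF) * 8,   # offset in bytes
        "proto": buf[9],
        "src": ".".join(map(str, buf[12:16])),
        "dst": ".".join(map(str, buf[16:20])),
    }
    return fields, buf[ihl:]


def analyze_param_problem(packet):
    """Summarise an ICMP type 12 reply and the header it quotes, else None."""
    outer, icmp = parse_ipv4(packet)
    if outer["proto"] != 1 or len(icmp) < 8 or icmp[0] != 12:
        return None
    quoted, l4 = parse_ipv4(icmp[8:])         # quoted header follows 8 bytes
    payload_len = None
    if quoted["proto"] == 6 and len(l4) >= 13:  # TCP data offset was quoted
        payload_len = quoted["total_len"] - quoted["ihl"] - (l4[12] >> 4) * 4
    return {
        "responder": outer["src"], "code": icmp[1], "pointer": icmp[4],
        "probe_src": quoted["src"], "probe_id": quoted["id"],
        "lone_mf_fragment": quoted["mf"] and quoted["frag_offset"] == 0,
        "tcp_payload_len": payload_len,
    }


if __name__ == "__main__":
    print(analyze_param_problem(REPLY))
```

The same function can be run over ICMP type 12 packets pulled from a capture to spot replies that quote a first fragment with the "more fragments" bit set.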