Someone asked me yesterday why Juniper NSM shows ports for ICMP traffic
(mostly destination 'port' 512), while ICMP is a portless protocol. Good
question!
Did some Googling today, and it looks like this isn't really NSM related but generally a method of matching ICMP sessions. The 'source port' is actually the ICMP sequence number, while the 'destination port' is the ICMP identifier.
Googling on a bit, I found you can even identify which operating system is used to send the ICMP traffic. If the ICMP identifier is either 256, 512 or 768, the querying machine has a Microsoft operating system:
Microsoft Windows NT - 256
Microsoft Windows 98/98SE - 512
Microsoft Windows 2000 - 512
Microsoft Windows ME - 768
Microsoft Windows 2000 Family with SP1 - 768
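As an added example (not part of the original post, and not NSM's own code), here is a parser that turns an ICMP echo message into the 'ports' described above and checks the identifier against the list. The function names and the sample packet are constructed for illustration.

```python
import struct

# Identifier values and the Windows versions the post lists for them.
WINDOWS_IDS = {
    256: ["Microsoft Windows NT"],
    512: ["Microsoft Windows 98/98SE", "Microsoft Windows 2000"],
    768: ["Microsoft Windows ME", "Microsoft Windows 2000 Family with SP1"],
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """Construct a sample echo request (type 8, code 0) for the demo."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def icmp_session_key(icmp: bytes) -> dict:
    """Parse an ICMP echo message into the 'ports' a session table would show."""
    if len(icmp) < 8:
        raise ValueError("ICMP echo header needs 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an echo request/reply; no identifier/sequence fields")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    return {
        "src_port": seq,      # per the post: 'source port' = sequence number
        "dst_port": ident,    # per the post: 'destination port' = identifier
        "os_hint": WINDOWS_IDS.get(ident, []),
    }

if __name__ == "__main__":
    sample = build_echo_request(ident=512, seq=7)  # constructed sample packet
    print(icmp_session_key(sample))
```

The fields are read in network byte order, so an identifier of 512 is the bytes 02 00 on the wire.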
