ICMP Traffic is Reported With Port Numbers That Don't Exist

Article ID: 378302

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Windows sensors report ICMP traffic to the console with port numbers: 135 and 136 for IPv6 traffic, or 0 and 8 for IPv4 traffic.

For example:

  • IPv4 Types
    Type 0 Echo Reply
    Type 8 Echo
  • IPv6 Types
    Type 135 Neighbor Solicitation
    Type 136 Neighbor Advertisement

Environment

  • Carbon Black EDR Console: 7.8.0
  • Carbon Black Sensor: 7.4.1
  • Windows: All Supported Versions

Cause

Windows reports ICMP traffic with a "type" value, and the sensor reports that value as the port seen.

Resolution

The port value can be ignored because ICMP does not have ports. The sensor is still expected to report the ICMP traffic itself.
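
When exported network connection events feed port-based filters, the ICMP type can be moved out of the port field first so that a filter on a port such as 135 does not match ICMPv6 Neighbor Solicitation events. The following is an added example, not Carbon Black code: the field names `proto` and `port` and the sample events are constructed for illustration, and the protocol numbers 1 and 58 are the IANA values for ICMP and ICMPv6.

```python
# Added example: field names and sample events are hypothetical, not the
# Carbon Black EDR export schema.
ICMP_PROTOCOLS = {1: "ICMPv4", 58: "ICMPv6"}  # IANA IP protocol numbers

# Only the types listed in this article; other types stay numeric.
ICMP_TYPE_NAMES = {
    ("ICMPv4", 0): "Echo Reply",
    ("ICMPv4", 8): "Echo",
    ("ICMPv6", 135): "Neighbor Solicitation",
    ("ICMPv6", 136): "Neighbor Advertisement",
}


def normalize(event):
    """Return a copy of event with an ICMP 'port' moved into icmp_type."""
    out = dict(event)  # never mutate the caller's record
    family = ICMP_PROTOCOLS.get(event.get("proto"))
    if family is None:
        return out  # TCP, UDP, etc.: the port is a real port
    icmp_type = out.get("port")
    out["port"] = None  # ICMP has no ports
    out["icmp_family"] = family
    out["icmp_type"] = icmp_type
    out["icmp_type_name"] = ICMP_TYPE_NAMES.get(
        (family, icmp_type), f"type {icmp_type}"
    )
    return out


def matches_port(event, port):
    """Port-based match that cannot fire on an ICMP type value."""
    return normalize(event)["port"] == port


SAMPLE_EVENTS = [  # constructed sample data
    {"proto": 6, "remote_ip": "10.0.0.5", "port": 135},   # TCP, real port
    {"proto": 58, "remote_ip": "fe80::1", "port": 135},   # ICMPv6 type 135
    {"proto": 1, "remote_ip": "10.0.0.9", "port": 8},     # ICMPv4 type 8
    {"proto": 1, "remote_ip": "10.0.0.9", "port": 3},     # type not in table
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalize(ev))
```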

Additional Information

Future enhancement tracking:

  • CB-44750
  • CB-44749