Is UDP listening on SEQ side , implemented in newest CVS, working for anyone?

I'm sending UDP packet and constantly getting: ICMP port Unreachable. That is ICMP response from linux box, meaning no UDP listening port with that number exist. When I intentionally send packet to nonexistant IP address, I simply does not receive any response.

I tried setting ports in /root/showeq/conf/seqdef.xml with KeyPort= several different values (10000, 13254,5555 ...). I also tried entering ports thru Decoder/Key port menu. In all cases it appears that SEQ does not establish listening UDP port. I verified that with netstat -u -l. I tried zoning out/in in EQ , in case SEQ establish port only upon zone change, but no luck either.

Maybe I should be posting this question in Developer forum and not here, since it is related to SEQ side and not Windows Keysniffer side, but anyway:

Does anyone have some suggestion regarding this 'SEQ not listening' issue?

The simple fact that it IS a UDP port means you dont need a confirmed receipient on the other end....You can fire off UDP packets into outer space for all it cares. Sounds like you have a connect/opening port issue. seq sniffs the assigned port just fine. keyword in that last sentence. "sniff" not "listen"

Hehe..that is good poing Logic_dingo, SEQ does not need to have active listening port if it sniff packet. But as it is now, I'm sending packets to linuxbox IP address, to specified port that I entered in xml and Decoder/Key Port. And packet is generated and sent on network, I checked with network analyzer.

Is there some condition on IP address? Like it should be some other than linux box IP addr? I didnt see any IP addr option in seqdef.xml, only port.

What exactly does ICMP have to do with UDP? Does the sender ping the SEQ system before sending the UDP packet? If so, why? The only reason I could imagine would be that you where using a blocking call and wanted to make sure the destination system was available first..... But this is a UDP packet that we are talking about.

Edit:

Reread above post... my bad. The ICMP is a response from the SEQ system not an ICMP echo response.

Ok, I found what was problem, or actually, changed two things and it started working, so maybe only one was problem, but here it is:

- make IP address to which packet is sent as outside address. Meaning, if it is existing local network IP address, you will get ICMP port unreachable. If it is nonexisting local network IP address, sometimes when ARP does not return MAC address, Windows wont send packet at all.

- make packet exactly 8 bytes long. I believe this was real reason for problem. While files longer that 8 bytes works perfectly, and making variable packet length was nice security measure, it seems like SEQ detect only 8-byte packets.

You get an ICMP Unreachable because showeq hasn't opened a port... I think I explained showeq wouldn't open a port in the announcment. Just ignore the returned ICMP it won't affect anything. If you don't like seeing the ICMP then create an iptables rule to not send an ICMP unreachable.

fee

Thanks Lostinspace!!!

That little trick did it for my udp updates as well. I am using UncleBen's sux program and just had to set the key to be sent outside my local network to a bad address. Being udp it doesn't matter where it is sent to. Even 1.1.1.1 works.

-TGF