I'm using pure Python ping utility from ftp://ftp.visi.com/disk3/mdc/ping.py to monitor hosts across the network and my ZyWALL USG200 router is complaining like this:
from Any to DMZ, [type=ICMP-Decoder(8911017)] bad-icmp-l4-size ATTACK bad-icmp-l4-size Action: No Action Severity: medium
What could be wrong?
UPD: I'll try to capture actual packets via USG's maintenance menu and compare with Linux ping...
On
According to the warning of your router, looks like the ICMP packet is not well formed. Particularly, the size of the layer 4 (ICMP) of the packet seems to be wrong (bad-icmp-l4-size).
You should use something like tcpdump to get the content of the sent package, using something like:
sudo tcpdump -nnvXS -c1 icmp
In your situation, I'd rather look for another implementation. That code is a mess.
I've copied ping packet contents from WireShark analysis of captured packets - code had it as 192 letters Q, ping had it bit differently:
replace or insert after line 128
data = 192 * 'Q'the correct definition of packet contents
data = 'e283030000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637'.decode("hex")and warnings went away.
But indeed I may want to look for cleaner implementation as José suggests.