Open
Description
Describe the bug
IGMP packets produce 0 in the 'port' field of Zeek, and this is confused with a real port.
These packets
2025-07-12 16:55:21.413241 IP 192.168.1.125 > 224.0.0.2: : igmp leave 224.0.0.251
F.. l..........}..............................
2025-07-12 16:55:21.413242 IP 192.168.1.125 > 224.0.0.251: : igmp v2 report 224.0.0.251
F.. g#.........}.......... ...................
Produce these flows (or similar):
2025-07-12 15:46:50.030551 UTC+2 conn CeJezI2EdJT4UL9Cm9 OTH 336.898432970047 192.168.1.125 0 224.0.0.2 0 2 True False 0 0 384 72:60:9d:ad:16:cd 12 unknown_transport 0 0 01:00:5e:00:00:02 0
2025-07-12 15:46:50.030553 UTC+2 conn CIY1dh1Kn8xbwBMfif OTH 336.8984320163727 192.168.1.125 0 224.0.0.251 0 2 True False 0 0 384 72:60:9d:ad:16:cd 12 unknown_transport 0 0 01:00:5e:00:00:fb 0
And Slips confuses this port with a real port. It is not. It is the IGMP type and code.
This is similar to ICMP, which Slips already does not treat as a port.
2025-07-12T13:46:50.030551+00:00 (TW 1): Src IP 192.168.1.125 . Detected Connection on port 0 from 192.168.1.125:0 to 224.0.0.2:0. threat level: high.
2025-07-12T13:46:50.030553+00:00 (TW 1): Src IP 192.168.1.125 . Detected Connection on port 0 from 192.168.1.125:0 to 224.0.0.251:0. threat level: high.
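To show the mitigation the report asks for, here is an added example (not Slips' own code and not the project's detection module) of a port-0 check that treats the Zeek port fields as real ports only for TCP and UDP. It assumes Zeek conn.log in JSON form and the `unknown_transport` proto value that the flows above show for IGMP; the sample records are constructed for the example, and the `skip_portless` flag is a hypothetical name used only to contrast the buggy behaviour with the fixed one.

```python
import json

# Zeek conn.log transport protocols whose id.orig_p / id.resp_p fields carry no
# real port: ICMP stores type and code there, and IGMP (reported by Zeek as
# unknown_transport, as in the flows above) has no port concept at all.
PORTLESS_PROTOS = {"icmp", "unknown_transport"}

# Constructed Zeek JSON conn.log records modelled on the report (sample data,
# not a real capture): two IGMP flows, one ICMP echo request, one TCP flow.
SAMPLE_CONN_LOG = """\
{"ts":1752331610.030551,"uid":"CeJezI2EdJT4UL9Cm9","id.orig_h":"192.168.1.125","id.orig_p":0,"id.resp_h":"224.0.0.2","id.resp_p":0,"proto":"unknown_transport","conn_state":"OTH"}
{"ts":1752331610.030553,"uid":"CIY1dh1Kn8xbwBMfif","id.orig_h":"192.168.1.125","id.orig_p":0,"id.resp_h":"224.0.0.251","id.resp_p":0,"proto":"unknown_transport","conn_state":"OTH"}
{"ts":1752331611.0,"uid":"CsampleIcmp0000001","id.orig_h":"192.168.1.125","id.orig_p":8,"id.resp_h":"192.168.1.1","id.resp_p":0,"proto":"icmp","conn_state":"OTH"}
{"ts":1752331612.0,"uid":"CsampleTcp00000001","id.orig_h":"192.168.1.125","id.orig_p":40000,"id.resp_h":"192.168.1.1","id.resp_p":0,"proto":"tcp","conn_state":"S0"}
"""


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_real_ports(flow):
    """True only when the transport protocol actually has port numbers."""
    return flow["proto"] not in PORTLESS_PROTOS


def icmp_type_code(flow):
    """For ICMP flows Zeek reuses the port fields: orig_p is the ICMP type,
    resp_p the ICMP code. Returns (type, code), or None for other protocols."""
    if flow["proto"] != "icmp":
        return None
    return (flow["id.orig_p"], flow["id.resp_p"])


def port_zero_alerts(flows, skip_portless=True):
    """Return one alert string per flow whose destination port is 0.

    skip_portless=False reproduces the behaviour in the report: IGMP and ICMP
    flows are alerted on because their placeholder 0 looks like a port.
    skip_portless=True is the fix: port-based logic only runs on protocols
    that have ports.
    """
    alerts = []
    for flow in flows:
        if skip_portless and not has_real_ports(flow):
            continue
        if flow["id.resp_p"] == 0:
            alerts.append(
                f"Connection on port 0 from {flow['id.orig_h']}:{flow['id.orig_p']} "
                f"to {flow['id.resp_h']}:{flow['id.resp_p']} (proto {flow['proto']})"
            )
    return alerts


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    print("buggy:", port_zero_alerts(flows, skip_portless=False))
    print("fixed:", port_zero_alerts(flows, skip_portless=True))
```

Running it shows the buggy variant raising four port-0 alerts (two for IGMP, one for ICMP, one for TCP) while the fixed variant raises only the TCP one, which is the only flow where port 0 is a genuine destination port.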
Branch
Develop
Environment (please complete the following information):
OS: macos
Version 14.6.1
Python version 3.10.12
Are you running slips in docker or locally? docker
Docker version (if running slips in docker): 4.43.1 (198352)
Commit hash: 2a54322