Security Incidents mailing list archives
Re: Tracking down random ICMP
From: Valdis.Kletnieks () vt edu
Date: Thu, 25 Jan 2007 12:20:02 -0500
On Thu, 25 Jan 2007 13:13:20 +0100, Javier Fernández-Sanguino said:
> Valdis.Kletnieks () vt edu said:
>> On Mon, 22 Jan 2007 09:19:31 -0400, Craig Chamberlain said:
>>> Is there a tool that can determine which process ID is generating ICMP packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and netstat apparently can't do it.
>> I'm not aware of any well-known userspace API that generates ICMP, so any userspace would have to be hand-crafting the packets itself. So what you're looking for is a process that has a raw socket open.
> Maybe you don't know about libdnet? [1] There are quite a number of tools that use it.
Note that libdnet is basically just a set of wrapper functions that help the programmer craft a raw packet with the right bits, as opposed to an actual documented system/kernel API akin to the socket/bind/connect/send/rcvmsg calls in the Unix-y networking API. Of course, Jose Nazario proved me wrong and found that Microsoft did actually provide an API for this. Apparently the concept of userspace-generated ICMP as a layering violation doesn't bother the Microsoft design team much. :)
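As an added illustration of the point above (not part of the original thread or of libdnet), the following Python shows what a process that hand-crafts ICMP over a raw socket actually has to assemble: the 8-byte ICMP header and the RFC 1071 ones' complement checksum over header plus payload. The same checksum routine lets a defender verify a captured ICMP packet and summarise it for a log line. The sample packet is constructed inline; nothing is sent on the network, and the function names (`build_icmp_echo`, `parse_icmp`, `describe`) are this example's own.

```python
import struct

# ICMP type numbers a defender meets most often (RFC 792).
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement
    sum of the data as big-endian 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Assemble an ICMP echo request/reply exactly as a raw-socket
    program must: header with checksum field zeroed, checksum computed
    over header+payload, then the real checksum written in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP packet (IP header already stripped) and verify its
    checksum: summing the whole packet, checksum field included, must
    yield zero if it is intact."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": inet_checksum(packet) == 0,
    }

def describe(packet: bytes) -> str:
    """One-line summary suitable for a detection log."""
    p = parse_icmp(packet)
    name = ICMP_TYPE_NAMES.get(p["type"], "other")
    status = "ok" if p["checksum_ok"] else "BAD"
    return (f"ICMP type={p['type']} ({name}) code={p['code']} "
            f"id=0x{p['id']:04x} seq={p['seq']} len={len(p['payload'])} "
            f"checksum={status}")

if __name__ == "__main__":
    # Constructed sample: an echo request with an 8-byte payload.
    sample = build_icmp_echo(0x1234, 1, b"abcdefgh")
    print(sample.hex())
    print(describe(sample))
    # Corrupt the last payload byte: the checksum check must fail.
    damaged = sample[:-1] + bytes([sample[-1] ^ 0xFF])
    print(describe(damaged))
```

The checksum verification is the useful part for triage: a stream of echo requests whose checksums are wrong, or whose id/seq fields never vary, is a quick tell that the sender is a hand-rolled raw-socket program rather than the system's ping implementation.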
Current thread:
- Tracking down random ICMP Craig Chamberlain (Jan 22)
- Re: Tracking down random ICMP Kyle Maxwell (Jan 23)
- Re: Tracking down random ICMP Valdis . Kletnieks (Jan 23)
- Re: Tracking down random ICMP Jose Nazario (Jan 23)
- Re: Tracking down random ICMP Bojan Zdrnja (Jan 24)
- Re: Tracking down random ICMP Javier Fernández-Sanguino (Jan 25)
- Re: Tracking down random ICMP Valdis . Kletnieks (Jan 25)
- Re: Tracking down random ICMP Jose Nazario (Jan 23)