Snort mailing list archives
RE: ICMP Packets.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 27 Aug 2002 14:17:54 -0400
This traffic is ICMP Echo Request, and an ICMP Echo Reply. It appears the ICMP payload is identical in both packets. If this was really an image being transferred, does anybody know if it is possible to reconstruct it?

Thanks!

vjl

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Tuesday, August 27, 2002 8:05 AM
To: 'Rich Adamson'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] ICMP Packets.

That's a good thought. This particular conversation is not between two hosts on my network. I have seen it from several of my IPs talking to hosts somewhere out on the internet, but it might just be that the user is moving around and getting a new DHCP lease. I will have to try and nbtstat 'em so I can track the MAC.

vjl

-----Original Message-----
From: Rich Adamson [mailto:radamson () routers com]
Sent: Tuesday, August 27, 2002 4:43 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ICMP Packets.

Anybody recognize this payload? It is part of an ICMP packet. I have searched Google and haven't found any reason why I would see this data in an ICMP echo packet. Awfully suspicious....

FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10  ......WANG2.....
4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB  JFIF.....`.`....
00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10  .C..............

The JFIF is part of the header information in a JPEG image file. If somebody is really tunneling image files through an ICMP connection, that is definitely not good (who knows what else is moving that way).

Another possibility is an application that is communicating license data. The old Chameleon IP stack from NetManage.com used to do something like that. They embedded their coded serial number in an ICMP packet and sent it to a broadcast address. All other copies of their software listened for the coded ICMP, and if the serial number matched, disabled the software since it was an illegal copy.

Are the source and destination addresses within your network?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
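A defender-side check for the question raised in this thread, added here as an example and not code from the list or its posters: parse ICMP echo messages, reassemble the echo-request payloads per identifier in sequence order, and walk the JPEG marker segments of the result to confirm a JFIF header like the one in the dump above. The ICMP echo layout (RFC 792) and the 48 sample payload bytes come from the thread; the identifier 0x1234 and the 16-byte chunking used when exercising it are assumptions.

```python
import struct

# Constructed sample input: the 48 payload bytes quoted in the thread's hex dump.
SAMPLE_PAYLOAD = bytes.fromhex("FFD8FFFE000857414E473202FFE00010" "4A46494600010101006000600000FFDB"
                               "004300100B0C0E0C0A100E0D0E121110")
ECHO_REQUEST, ECHO_REPLY = 8, 0

def icmp_checksum(data: bytes) -> int:
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF  # RFC 1071 ones'-complement sum: 0 over a packet with a valid checksum

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(pkt: bytes):
    """(type, ident, seq, payload), or None for a short, corrupt or non-echo ICMP packet."""
    if len(pkt) < 8 or pkt[0] not in (ECHO_REQUEST, ECHO_REPLY) or icmp_checksum(pkt):
        return None
    t, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return t, ident, seq, pkt[8:]

def reassemble(packets) -> dict:
    """Per identifier, join echo-request payloads in sequence order (replies only echo the request)."""
    streams = {}
    for parsed in map(parse_echo, packets):
        if parsed and parsed[0] == ECHO_REQUEST:
            streams.setdefault(parsed[1], {})[parsed[2]] = parsed[3]  # retransmit: last copy wins
    return {i: b"".join(c[s] for s in sorted(c)) for i, c in streams.items()}

def jpeg_markers(stream: bytes):
    """Walk the marker segments at the head of a JPEG stream; None if it does not start with SOI."""
    if not stream.startswith(b"\xff\xd8"):
        return None
    names = {0xFE: "COM", 0xE0: "APP0", 0xDB: "DQT", 0xC4: "DHT", 0xC0: "SOF0", 0xDA: "SOS"}
    seen, pos = ["SOI"], 2
    # Stop at SOS: entropy-coded image data follows it and has no length-prefixed segments.
    while seen[-1] != "SOS" and pos + 4 <= len(stream) and stream[pos] == 0xFF:
        marker, length = stream[pos + 1], struct.unpack("!H", stream[pos + 2:pos + 4])[0]
        is_jfif = marker == 0xE0 and stream[pos + 4:pos + 9] == b"JFIF\x00"  # the APP0 seen in the thread
        seen.append(names.get(marker, "0x%02X" % marker) + ("/JFIF" if is_jfif else ""))
        pos += 2 + length
    return seen

def find_image_streams(packets) -> dict:
    """ICMP identifier -> marker list for every reassembled echo stream that starts a JPEG."""
    return {i: m for i, s in reassemble(packets).items() if (m := jpeg_markers(s))}
```

The functions take the ICMP message with the IP header already stripped, so on a real capture slice off the IP header (and key the streams on the address pair as well as the identifier) before feeding packets in.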
Current thread:
- ICMP Packets. larosa, vjay (Aug 26)
- Re: ICMP Packets. Skip Carter (Aug 26)
- Re: ICMP Packets. Jim Burwell (Aug 26)
- <Possible follow-ups>
- RE: ICMP Packets. larosa, vjay (Aug 26)
- Re: ICMP Packets. Jason Haar (Aug 26)
- RE: ICMP Packets. Rich Adamson (Aug 27)
- RE: ICMP Packets. larosa, vjay (Aug 27)
- RE: ICMP Packets. larosa, vjay (Aug 27)
- Re: ICMP Packets. Vinay A. Mahadik (Aug 27)
- Re: ICMP Packets. Matt Kettler (Aug 29)
- Re: ICMP Packets. Vinay A. Mahadik (Aug 27)
- RE: ICMP Packets. larosa, vjay (Aug 29)