Security Basics mailing list archives
Re: which process performing ICMP echo request
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 2 May 2006 00:05:59 +0200
On 2006-05-01 gosi.infosec () gmail com wrote:
> Our IDS detects a huge number of echo requests from one source address to different unknown addresses. Is there any way to identify the process on the machine performing such activity? I tried using NETSTAT -a -o -n, but nothing is shown regarding these IP addresses.
Neither netstat nor TCPView will show you what process is sending ICMP packets. Assuming you have Windows XP (from the netstat options) you may try PortReporter [1] or some personal firewall software on the box sending the suspicious traffic.

Also try to analyze the traffic itself. Run Ethereal [2] or some other protocol analyzer on that box. Better: put a network hub between the suspicious box and the switch and connect a second (clean) box to that hub. Run Ethereal on that second box.

[1] http://www.ethereal.com/
[2] http://support.microsoft.com/default.aspx?scid=kb;en-us;837243

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
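The traffic analysis suggested in the reply can be scripted once a capture has been saved from the second box. The following is an added example, not part of the original post: it summarises ICMP echo requests per source address, assuming a classic pcap file (not pcapng) with Ethernet framing. The function names and the sample capture are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def echo_requests(pcap: bytes) -> dict:
    """Per source IP: count, destinations and payload sizes of ICMP echo requests."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    summary = defaultdict(lambda: {"count": 0, "dests": set(), "sizes": set()})
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4, or truncated
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 1 or ihl < 20 or len(ip) < ihl + 8:
            continue                          # not ICMP, or header cut short
        if struct.unpack(">H", ip[6:8])[0] & 0x1FFF or ip[ihl] != 8:
            continue                          # later fragment, or not type 8 (echo request)
        entry = summary[socket.inet_ntoa(ip[12:16])]
        entry["count"] += 1
        entry["dests"].add(socket.inet_ntoa(ip[16:20]))
        entry["sizes"].add(struct.unpack(">H", ip[2:4])[0] - ihl - 8)
    return dict(summary)

def _frame(src: str, dst: str, icmp_type: int, payload: bytes = b"x" * 32) -> bytes:
    icmp = struct.pack(">BBHHH", icmp_type, 0, 0, 1, 1) + payload  # checksum left at 0
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def sample_pcap() -> bytes:
    """Constructed capture (documentation addresses), not traffic from the thread."""
    frames = [_frame("192.0.2.10", f"198.51.100.{n}", 8) for n in (1, 2, 3)]
    frames.append(_frame("198.51.100.1", "192.0.2.10", 0))      # echo reply, ignored
    frames.append(_frame("192.0.2.20", "198.51.100.1", 8))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for src, e in echo_requests(sample_pcap()).items():
        print(src, e["count"], "requests to", len(e["dests"]), "hosts, sizes", sorted(e["sizes"]))
```

A source with many distinct destinations and a single fixed payload size is the pattern the IDS alert describes. The summary narrows down what is being sent but, like the capture itself, does not name the sending process.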