Security Incidents mailing list archives

Re: Tracking down random ICMP


From: Valdis.Kletnieks () vt edu
Date: Thu, 25 Jan 2007 12:20:02 -0500

On Thu, 25 Jan 2007 13:13:20 +0100, Javier Fernández-Sanguino said:
> Valdis.Kletnieks () vt edu said:
> > On Mon, 22 Jan 2007 09:19:31 -0400, Craig Chamberlain said:
> > > Is there a tool that can determine which process ID is generating ICMP
> > > packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and
> > > netstat apparently can't do it.
> >
> > I'm not aware of any well-known userspace API that generates ICMP, so
> > any userspace would have to be hand-crafting the packets itself.  So what
> > you're looking for is a process that has a raw socket open.
>
> Maybe you don't know about libdnet? [1] There are quite a number of
> tools that use it.

Note that libdnet is basically just a set of wrapper functions that help
the programmer craft a raw packet with the right bits, as opposed to an
actual documented system/kernel API akin to the socket/bind/connect/send/recvmsg
calls in the Unix-y networking API.

Of course, Jose Nazario proved me wrong and found that Microsoft did actually
provide an API for this.  Apparently the concept of userspace-generated ICMP
as a layering violation doesn't bother the Microsoft design team much. :) 
