Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Fwd: ICMP L3retriever Ping?]

From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Fri, 31 Aug 2001 21:35:32 +1000
Hi all,

Apologies.. After reading Ofir's paper it became apparent it was HP/UX
doing PMTU-D not HPOV or NNM as i originally thought.




Regards,

Chris.


Chris Keladis wrote:


Monitoring a slightly less verbose trace session it became obvious NNM
sends an 84 byte ICMP echo request packet (64 bytes + IP_H) and then a
1500 byte ICMP echo request packet (1480 + IP_H) immediately after.

It confused me seeing a request and a reply from two seperate ping
sessions.

If i get around to it, i might look at some network dumps in Ethereal
and see if there is any way to improve the signatures to differentiate
requests/replys generated by HPOV/NNM to other 1500-byte packets. (If it
really matters, anyway).

..Need sleep.. :)

NB: I also noticed it sending Address Mask requests as well.. Seems like
it's a pandoras box of probes in there...

Cheers,

Chris.

Chris Keladis wrote:


John Berkers wrote:


Comment from Joshua Wright is that this is generated by Win2K boxes.  I have
noticed the same.


[**] MISC Large ICMP Packet [**]
08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
<snip>


1500 Byte ICMP packets come from HP-UX systems performing some sort of load
balancing act.  We received a whole bunch of them from one network at one
stage, so I queried it with the admin, it can be turned off at the source,
but it might be a bit of a hassle chasing down admins for all of these
systems.  The target system for these packets was our DNS whenever either
mail was being sent, or our web proxy was fulfilling someone's request and
looking up the server address.


I assume those ICMP echo-request packets are generated by HP Openview (a
popular network management application which usually runs atop of
HP/UX).

Using the regular ping command from our HP/UX 11.00 box generated a
regular 64-byte ping (and response).

My guess is HPOV (Network Node Manager specifically) somehow finds
servers around the place and attempts to ping them with this odd ping,
for inclusion in it's poll cycle. (They probably use 1500 byte packets
to do more thorough end-to-end tests, test for MTU size, PMTU,
fragmentation, etc).

Looking at some dumps quickly it seems NNM generates a regular sized
ICMP 'echo-request' however the 'echo-reply' is 1500 bytes long + IP_H.

Very odd.. It's late and i'm lacking sleep, so i wont make any
conclusions tonight :-)

Regards,

Chris.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: