Snort mailing list archives
Re: [Fwd: ICMP L3retriever Ping?]
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Fri, 31 Aug 2001 21:35:32 +1000
Hi all,

Apologies. After reading Ofir's paper it became apparent it was HP/UX doing PMTU-D, not HPOV or NNM as I originally thought.

Regards,

Chris.

Chris Keladis wrote:

Monitoring a slightly less verbose trace session it became obvious NNM sends an 84-byte ICMP echo request packet (64 bytes + IP_H) and then a 1500-byte ICMP echo request packet (1480 + IP_H) immediately after. It confused me seeing a request and a reply from two separate ping sessions.

If I get around to it, I might look at some network dumps in Ethereal and see if there is any way to improve the signatures to differentiate requests/replies generated by HPOV/NNM from other 1500-byte packets. (If it really matters, anyway.)

..Need sleep.. :)

NB: I also noticed it sending Address Mask requests as well.. Seems like it's a Pandora's box of probes in there...

Cheers,

Chris.

Chris Keladis wrote:

John Berkers wrote:

Comment from Joshua Wright is that this is generated by Win2K boxes. I have noticed the same.

[**] MISC Large ICMP Packet [**]
08/15/01-16:54:40.265443 219.171.139.23 -> <other external ip>
ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<snip>

1500 Byte ICMP packets come from HP-UX systems performing some sort of load balancing act. We received a whole bunch of them from one network at one stage, so I queried it with the admin; it can be turned off at the source, but it might be a bit of a hassle chasing down admins for all of these systems. The target system for these packets was our DNS whenever either mail was being sent, or our web proxy was fulfilling someone's request and looking up the server address.

I assume those ICMP echo-request packets are generated by HP Openview (a popular network management application which usually runs atop HP/UX). Using the regular ping command from our HP/UX 11.00 box generated a regular 64-byte ping (and response). My guess is HPOV (Network Node Manager specifically) somehow finds servers around the place and attempts to ping them with this odd ping, for inclusion in its poll cycle.

(They probably use 1500-byte packets to do more thorough end-to-end tests, test for MTU size, PMTU, fragmentation, etc.) Looking at some dumps quickly it seems NNM generates a regular-sized ICMP 'echo-request', however the 'echo-reply' is 1500 bytes long + IP_H. Very odd.. It's late and I'm lacking sleep, so I won't make any conclusions tonight :-)

Regards,

Chris.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
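As an added triage example (not code from the thread or from Snort itself), the script below parses alert headers in the format quoted above and flags the HP-UX PMTU-D pattern Chris describes, an 84-byte echo request followed immediately by a 1500-byte one on the same source/destination pair, so those "MISC Large ICMP Packet" alerts can be separated from large ICMP traffic with no such explanation. The sample alert lines, the one-second pairing window and the label names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Regex for the Snort 1.x alert header layout quoted in the thread (written for this example).
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\] (?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) ICMP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ "
    r"IpLen:\d+ DgmLen:(?P<dgmlen>\d+) Type:(?P<type>\d+) Code:(?P<code>\d+)")

def parse_alert(line):
    """Parse one Snort ICMP alert header into a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    a["ts"] = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f")
    return a

def classify(lines, window=timedelta(seconds=1)):
    """Map each parseable line index to a triage label. A 1500-byte echo request that
    follows an 84-byte one on the same src->dst within `window` is the HP-UX pattern."""
    by_pair, labels = {}, {}
    for idx, line in enumerate(lines):
        a = parse_alert(line)
        if a:
            by_pair.setdefault((a["src"], a["dst"]), []).append((idx, a))
    for pkts in by_pair.values():
        prev = None
        for idx, a in sorted(pkts, key=lambda p: p[1]["ts"]):
            if (a["type"] == 8 and a["dgmlen"] == 1500 and prev is not None
                    and prev["type"] == 8 and prev["dgmlen"] == 84
                    and a["ts"] - prev["ts"] <= window):
                labels[idx] = "hpux-pmtud-probe"
            elif a["type"] == 0 and a["dgmlen"] == 1500:
                labels[idx] = "large-echo-reply"   # look for the matching 1500-byte request
            elif a["dgmlen"] >= 1000:
                labels[idx] = "large-icmp-review"  # large ICMP with no benign explanation seen
            else:
                labels[idx] = "normal-ping"
            prev = a
    return labels

# Constructed sample alerts (not from the thread): the 84-byte then 1500-byte HP-UX
# probe pair, its 1500-byte reply, and an unexplained 1500-byte request from elsewhere.
SAMPLE = [
    "[**] ICMP PING [**] 08/15/01-16:54:40.100000 10.1.1.5 -> 10.1.1.53 ICMP TTL:255 TOS:0x0 ID:35084 IpLen:20 DgmLen:84 Type:8 Code:0 ID:0 Seq:0 ECHO",
    "[**] MISC Large ICMP Packet [**] 08/15/01-16:54:40.104000 10.1.1.5 -> 10.1.1.53 ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500 Type:8 Code:0 ID:0 Seq:1 ECHO",
    "[**] MISC Large ICMP Packet [**] 08/15/01-16:54:40.265443 10.1.1.53 -> 10.1.1.5 ICMP TTL:255 TOS:0x0 ID:35085 IpLen:20 DgmLen:1500 Type:0 Code:0 ID:0 Seq:1 ECHO REPLY",
    "[**] MISC Large ICMP Packet [**] 08/15/01-16:55:01.000000 192.0.2.9 -> 10.1.1.53 ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:1500 Type:8 Code:0 ID:7 Seq:0 ECHO",
]
```

Running `classify(SAMPLE)` labels the second line as the HP-UX probe and the last line for review, which is the distinction Chris wanted the signatures to make.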
Current thread:
- [Fwd: ICMP L3retriever Ping?] Chris Keladis (Aug 30)
- Re: [Fwd: ICMP L3retriever Ping?] Beckster (Aug 30)
- Re: [Fwd: ICMP L3retriever Ping?] Chris Keladis (Aug 31)