Snort mailing list archives
Re: ICMP Packets.
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 29 Aug 2002 14:05:07 -0400
As a follow-on to this thread, I too appear to be getting the same traffic profile, with what seems to be the identical content upon casual inspection.
I see these coming in from workstations at a remote site (via VPN) and they are heading to our NetWare fileserver on a regular basis. The Snort sensor is seeing the unencrypted traffic behind the tunnel walls.
Is this some kind of weird (read: on crack) way of discovering the path MTU to a fileserver for MS clients?
At 12:42 PM 8/27/2002 -0700, Vinay A. Mahadik wrote:
> "larosa, vjay" wrote:
> >
> > This traffic is ICMP Echo Request, and an ICMP Echo Reply. It appears the
> > ICMP payload is identical in both packets. If this was really an image being
> > transferred does anybody know if it is possible to reconstruct it? Thanks!
> >
> > vjl
>
> Incidentally, that is what I was doing.. I see a 'Microsoft' image after
> reconstructing it! If you need the file (binary jpeg), I could send it
> to you off the list (not sure if binary attachments are allowed here).
>
> Thanks,
> Vinay.
>
> --
> Vinay A. Mahadik
> Summer Intern
> Computer Protection Program
> Lawrence Berkeley National Laboratory
> (510) 495 2618
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users