Snort mailing list archives
RE: ICMP Packets.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 29 Aug 2002 14:37:00 -0400
I believe that this may be some sort of Microsoft'ism as well. I am still waiting for clearance from management here to send Phil Wood and some others actual tcpdump files of this traffic to see if they can help shed some light on this subject. More to come...

vjl

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Thursday, August 29, 2002 2:05 PM
To: Vinay A. Mahadik
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Packets.

As a follow-on to this thread, I too appear to be getting the same traffic profile, with what seems to be the identical content upon casual inspection. I see these coming in from workstations at a remote site (via VPN) and they are heading to our NetWare fileserver on a regular basis. The snort sensor is seeing the unencrypted traffic behind the tunnel walls.

Is this some kind of weird (read: on crack) way of discovering the path MTU to a fileserver for MS clients?

At 12:42 PM 8/27/2002 -0700, Vinay A. Mahadik wrote:

"larosa, vjay" wrote:

This traffic is ICMP Echo Request, and an ICMP Echo Reply. It appears the ICMP payload is identical in both packets. If this was really an image being transferred does anybody know if it is possible to reconstruct it? Thanks! vjl

Incidentally, that is what I was doing.. I see a 'Microsoft' image after reconstructing it! If you need the file (binary jpeg), I could send it to you off the list (not sure if binary attachments are allowed here).

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
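The two checks discussed in this thread (does the Echo Reply carry the same payload as the Echo Request, and can a JPEG be rebuilt from the payloads) can be run offline over captured ICMP messages. The sketch below is an added example, not code posted by anyone in the thread; the function names, the sample bytes, the identifier 0x0200 and the assumption that the data is spread over sequence-ordered requests from one sender are all constructed for illustration.

```python
import struct

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end markers

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_echo(msg: bytes):
    """Return (type, ident, seq, payload) for a valid echo message, else None."""
    if len(msg) < 8:
        return None
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (0, 8) or code != 0 or inet_checksum(msg) != 0:
        return None
    return icmp_type, ident, seq, msg[8:]

def analyze(messages):
    """Pair requests with replies and rebuild the request payload stream."""
    requests, replies = {}, {}
    for msg in messages:
        parsed = parse_echo(msg)
        if parsed:
            icmp_type, ident, seq, payload = parsed
            (requests if icmp_type == 8 else replies)[(ident, seq)] = payload
    # True only if every request has a reply carrying the same bytes.
    echoed = all(replies.get(k) == p for k, p in requests.items())
    # Assumption: one sender, no sequence wrap, so (ident, seq) order is data order.
    stream = b"".join(requests[k] for k in sorted(requests))
    start, end = stream.find(JPEG_SOI), stream.rfind(JPEG_EOI)
    image = stream[start:end + 2] if 0 <= start < end else b""
    return {"requests": len(requests), "echoed": echoed, "image": image}

def build_echo(icmp_type, ident, seq, payload):
    """Construct a sample ICMP echo message with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    cksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, cksum, ident, seq) + payload

# Constructed sample: a JPEG-like byte string split over two echo pairs.
SAMPLE_DATA = JPEG_SOI + b"\xe0constructed-sample-bytes" + JPEG_EOI
CHUNKS = [SAMPLE_DATA[:16], SAMPLE_DATA[16:]]
SAMPLE = [build_echo(t, 0x0200, seq, chunk)
          for seq, chunk in enumerate(CHUNKS) for t in (8, 0)]
print(analyze(SAMPLE))
```

To use it on real traffic, feed `analyze` the ICMP portion of each packet (IP header stripped) from a capture.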
Current thread:
- ICMP Packets. larosa, vjay (Aug 26)
- Re: ICMP Packets. Skip Carter (Aug 26)
- Re: ICMP Packets. Jim Burwell (Aug 26)
- <Possible follow-ups>
- RE: ICMP Packets. larosa, vjay (Aug 26)
- Re: ICMP Packets. Jason Haar (Aug 26)
- RE: ICMP Packets. Rich Adamson (Aug 27)
- RE: ICMP Packets. larosa, vjay (Aug 27)
- RE: ICMP Packets. larosa, vjay (Aug 27)
- Re: ICMP Packets. Vinay A. Mahadik (Aug 27)
- Re: ICMP Packets. Matt Kettler (Aug 29)
- Re: ICMP Packets. Vinay A. Mahadik (Aug 27)
- RE: ICMP Packets. larosa, vjay (Aug 29)