[Snort-users] ICMP Echo Replies & Unknowns?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Thu Jun 28 00:59:48 EDT 2001


Every day, I see many "ICMP Echo Replies" and "ICMP unknowns" from random
machines on the Internet.
Some example traces are below...these packets came back to back three
seconds apart (icmp unknown then icmp echo reply right afterward). Does
anyone know why I would see so many of these? Could this come from a probing
tool? I see so many, I'm trying to figure out what's going on! Thanks.

06/27-20:28:39.078559 209.193.66.111 -> xx.xx.xx.xx
ICMP TTL:110 TOS:0x0 ID:35584 IpLen:20 DgmLen:708
Type:211  Code:235  UNKNOWN
.z:;b............................&T...S..........s?\.....2T.....
@...0.........P..z:;....******S*....................X....=......
.........................z:;4....z:;4.................%@.z:;....
H*T...T.....0........pP. z:;....******S*....................X...
................................!z:;.>..!z:;..................%@
.z:;.....+T..cT.h...0.......GCP.#z:;.]..******S*.z:;............
....X...................................&z:;D...&z:;D...........
....**S*..........S.(.S.....X...................................
'z:;....'z:;................**S*.y:;.OiV.X.I%&.z...:u..54[.U.c.O
._j"RxTv.+.2.J/U'p..3e50.ti..q.5.t:>...y.x..!L(N....C~.s._...(iF
.PJhE..msd.d5qM6./...r...B.].K.\.y.X v...zE"
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/27-20:28:42.507288 209.193.66.111 -> xx.xx.xx.xx
ICMP TTL:110 TOS:0x0 ID:37888 IpLen:20 DgmLen:708
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
.....0T.`.S.2z:;1...0.T...%@6z:;2...******S*..T.................
..............................%@..%@6z:;.f..******S*............
....0.........%@..T.........................4z:;Iv..4z:;Iv......
.....................fT..:T.#z:;I...(.S.(.%@............1...0.T.
..%@4z:;Iv..******S*....................X... at ...2409...
............4z:;....4z:;................1.....T......fT.x;T.****
I...(.S.(.%@............1...0.T...%@4z:;....******S*............
.... at ...2410...:;j...4z:;j.......
........1.....T......fT..<T.****.OiV.X.I%&.z...:u..54[.U.c.O._j"
RxTv.+.2.J/U'p..3e50.ti..q.5.t:>...y.x..!L(N....C~.s._...(iF.PJh
E..msd.d5qM6./...r...B.].K.\.y.X v...zE"




More information about the Snort-users mailing list