[Snort-users] Win98 on reboot

Ryan Russell ryan at ...35...
Mon Mar 12 01:25:00 EST 2001


On Sun, 11 Mar 2001, Lance Spitzner wrote:

> Rebooted Win98 desktop on my network, snort captured and
> alerted to the following.  What is my Win98 desktop trying
> to do? No packet payload in the ICMP packets :-0

It's trying to find a router.

>
> [**] ICMP Router Selection [**]
> 03/11-22:51:40.761942 192.168.1.100 -> 224.0.0.2
> ICMP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:28
> Type:10  Code:0  UNKNOWN
  ^^^^^^^  ^^^^^^

From:
ftp://ftp.isi.edu/in-notes/iana/assignments/icmp-parameters

10 Router Selection [RFC1256]

        Codes
            0 No Code


AKA IRDP.

http://www.cis.ohio-state.edu/htbin/rfc/rfc1256.html

This is how Windows boxen with bogus IP addresses find their way off the
local subnet (though they usually don't get any replies that way.)

There was even a hole in it.  L0pht guys, I believe.

					Ryan
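
Added example (not part of the original post): a Python decoder for the RFC 1256 messages discussed above. It labels the 8-byte ICMP type 10 message from the alert as a router solicitation and, going slightly beyond the alert, also decodes type 9 router advertisements. The function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ALL_ROUTERS = "224.0.0.2"              # RFC 1256 all-routers multicast group
LIMITED_BROADCAST = "255.255.255.255"

# Constructed sample: the 8 ICMP octets implied by DgmLen:28 minus IpLen:20.
SAMPLE_SOLICITATION = bytes.fromhex("0a00f5ff00000000")

def icmp_checksum_ok(icmp: bytes) -> bool:
    """Internet checksum over the whole ICMP message must fold to 0xFFFF."""
    data = icmp + b"\x00" if len(icmp) % 2 else icmp
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_irdp(dst_ip: str, icmp: bytes) -> dict:
    """Decode an ICMP message as RFC 1256 router discovery, or say why not."""
    if len(icmp) < 8:
        return {"kind": "invalid", "reason": "shorter than 8 octets"}
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in (9, 10):
        return {"kind": "not-irdp", "reason": f"ICMP type {icmp_type}"}
    if code != 0 or not icmp_checksum_ok(icmp):
        return {"kind": "invalid", "reason": "bad code or checksum"}
    if icmp_type == 10:
        # Type 10 is what RFC 1256 calls a Router Solicitation: 4 reserved
        # octets and no payload, sent to all-routers or limited broadcast.
        expected_dst = dst_ip in (ALL_ROUTERS, LIMITED_BROADCAST)
        return {"kind": "router-solicitation", "expected_dst": expected_dst}
    # Type 9, Router Advertisement: count, entry size in 32-bit words, lifetime.
    num, size, lifetime = struct.unpack("!BBH", icmp[4:8])
    if num < 1 or size < 2 or len(icmp) < 8 + num * size * 4:
        return {"kind": "invalid", "reason": "malformed advertisement"}
    routers = []
    for i in range(num):
        off = 8 + i * size * 4
        addr, pref = struct.unpack("!4si", icmp[off:off + 8])  # pref is signed
        routers.append((str(ipaddress.IPv4Address(addr)), pref))
    return {"kind": "router-advertisement", "lifetime": lifetime,
            "routers": routers}

if __name__ == "__main__":
    print(decode_irdp("224.0.0.2", SAMPLE_SOLICITATION))
```

The advertised router list is the part worth comparing against the gateways you actually run.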




