[Snort-users] ICMP Packets.

larosa, vjay larosa_vjay at ...3331...
Tue Aug 27 05:05:03 EDT 2002

That's a good thought. This particular conversation is not between two hosts
on my network. I have seen it from several of my IPs talking to hosts out on
the internet, but it might just be that the user is moving around and getting
a new DHCP lease. I will have to try to nbtstat 'em so I can track the MAC.


-----Original Message-----
From: Rich Adamson [mailto:radamson at ...2127...]
Sent: Tuesday, August 27, 2002 4:43 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] ICMP Packets.

> > Anybody recognize this payload? It is part of an ICMP packet. I have
> > searched Google and haven't found any reason why I would see this
> > data in an ICMP echo packet.
> > Awfully suspicious....
> >
> > FF D8 FF FE 00 08 57 41 4E 47 32 02 FF E0 00 10   ......WANG2.....
> > 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB   JFIF.....`.`....
> > 00 43 00 10 0B 0C 0E 0C 0A 10 0E 0D 0E 12 11 10   .C.............
>
> The JFIF is part of the header information in a JPEG image file.
> If somebody is really tunneling image files through an ICMP connection,
> that is definitely not good (who knows what else is moving that way).

Another possibility is an application that is communicating license
data. The old Chameleon IP stack from NetManage.com used to do something
like that. They embedded their coded serial number in an ICMP packet
and sent it to a broadcast address. All other copies of their software
listened for the coded ICMP, and if the serial number matched, disabled
the software since it was an illegal copy.

Are the source and destination addresses within your network?

Snort-users mailing list
Snort-users at lists.sourceforge.net

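Added example (not from any of the posters above): a small Python checker for the kind of payload quoted in the thread. It feeds the 48 bytes from the post through an ICMP echo parser, walks the JPEG marker segments (COM, APP0/JFIF, DQT), and classifies the payload; a normal Windows ping payload is included alongside it for contrast. The echo-request builder, the IP addresses, the ping payload and the function names are all constructed for this example; only the hex bytes come from the post. Note the posted bytes put a COM segment reading "WANG2" before the APP0/JFIF segment, which a marker walk handles but a fixed-offset check for "JFIF" at byte 6 would miss.

```python
"""Spot JPEG/JFIF headers riding in ICMP echo payloads (example code, runs offline)."""
import struct

SOI = b"\xff\xd8\xff"  # JPEG Start-Of-Image; the third byte starts the next marker
MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM", 0xDB: "DQT",
                0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

# Constructed inputs: the 48 payload bytes quoted in the post, and a normal
# Windows-style ping payload for comparison.
POSTED_PAYLOAD = bytes.fromhex(
    "FFD8FFFE000857414E473202FFE00010"
    "4A46494600010101006000600000FFDB"
    "004300100B0C0E0C0A100E0D0E121110")
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(payload: bytes, src=(10, 0, 0, 5), dst=(192, 0, 2, 10)) -> bytes:
    """Wrap payload in an IPv4 + ICMP echo request (test input only; IP checksum left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(src), bytes(dst))
    return ip + icmp


def echo_payload(frame: bytes):
    """Return the echo request/reply payload from a raw IPv4 frame, or None otherwise."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 1:   # IPv4, protocol 1
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 8 or icmp[0] not in (0, 8):   # echo reply / echo request only
        return None
    return icmp[8:]                               # skip type, code, checksum, id, seq


def marker_name(marker: int) -> str:
    if marker in MARKER_NAMES:
        return MARKER_NAMES[marker]
    if 0xE0 <= marker <= 0xEF:
        return "APP%d" % (marker - 0xE0)
    return "0x%02X" % marker


def jpeg_segments(payload: bytes):
    """Walk marker segments after SOI; returns [(marker, data, truncated)], stops at SOS."""
    segments = []
    i = 2
    while i + 4 <= len(payload) and payload[i] == 0xFF:
        marker = payload[i + 1]
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:   # standalone markers
            i += 2
            continue
        length = struct.unpack("!H", payload[i + 2:i + 4])[0]  # includes its own 2 bytes
        if length < 2:
            break
        data = payload[i + 4:i + 2 + length]
        truncated = len(data) < length - 2                      # packet ended mid-segment
        segments.append((marker, data, truncated))
        if truncated or marker == 0xDA:
            break
        i += 2 + length
    return segments


def classify_payload(payload: bytes) -> dict:
    """Classify an echo payload as benign, jpeg, or jpeg-jfif, listing the segments seen."""
    if not payload.startswith(SOI):
        return {"verdict": "benign", "segments": [], "comment": None}
    segs = jpeg_segments(payload)
    names = [marker_name(m) for m, _, _ in segs]
    comment = None
    for m, d, _ in segs:
        if m == 0xFE:   # COM segment: keep printable ASCII only
            comment = bytes(b for b in d if 32 <= b < 127).decode("ascii")
            break
    jfif = any(m == 0xE0 and d.startswith(b"JFIF\x00") for m, d, _ in segs)
    return {"verdict": "jpeg-jfif" if jfif else "jpeg", "segments": names, "comment": comment}


def inspect_frame(frame: bytes) -> dict:
    payload = echo_payload(frame)
    if payload is None:
        return {"verdict": "not-icmp-echo", "segments": [], "comment": None}
    return classify_payload(payload)


if __name__ == "__main__":
    for label, payload in (("posted", POSTED_PAYLOAD), ("ping", PING_PAYLOAD)):
        print(label, inspect_frame(build_echo_request(payload)))
```

For the posted bytes the result is verdict jpeg-jfif with segments COM, APP0, DQT and the comment text WANG2; the ping payload comes back benign. The equivalent Snort content match for a first-pass rule is `content:"|FF D8 FF|"; depth:3;` on `itype:8`, which catches the SOI marker regardless of which segment follows it; the marker walk above is what you would use to confirm a hit by hand.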