[Snort-users] ICMP Packets.
mkettler at ...4108...
Thu Aug 29 11:05:04 EDT 2002
As a follow-on to this thread, I too appear to be getting the same traffic
profile, with what seems to be the identical content upon casual inspection.
I see these coming in from workstations at a remote site (via VPN) and they
are heading to our netware fileserver on a regular basis. The snort sensor
is seeing the unencrypted traffic behind the tunnel walls.
Is this some kind of weird (read: on crack) way of discovering the path
MTU to a fileserver for MS clients?
At 12:42 PM 8/27/2002 -0700, Vinay A. Mahadik wrote:
>"larosa, vjay" wrote:
> > This traffic is ICMP Echo Request, and an ICMP Echo Reply. It appears the
> > ICMP payload is identical in both packets. If this was really an image
> > transferred does anybody know
> > if it is possible to reconstruct it? Thanks!
> > vjl
>Incidentally, that is what I was doing.. I see a 'Microsoft' image after
>If you need the file (binary jpeg), I could send it to you off the list
>(not sure if binary attachments are allowed here).
>Vinay A. Mahadik
>Computer Protection Program
>Lawrence Berkeley National Laboratory
>(510) 495 2618
>This sf.net email is sponsored by: OSDN - Tired of that same old
>cell phone? Get a new here for FREE!
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users