[Snort-users] ICMP Packets.

Matt Kettler mkettler at ...4108...
Thu Aug 29 11:05:04 EDT 2002

As a follow-on to this thread, I too appear to be getting the same traffic 
profile, with what seems to be the identical content upon casual inspection.

I see these coming in from workstations at a remote site (via VPN) and they 
are heading to our netware fileserver on a regular basis. The snort sensor 
is seeing the unencrypted traffic behind the tunnel walls.

Is this some kind of weird  (read: on crack) way of discovering the path 
MTU to a fileserver for MS clients?

At 12:42 PM 8/27/2002 -0700, Vinay A. Mahadik wrote:
>"larosa, vjay" wrote:
> >
> > This traffic is ICMP Echo Request, and an ICMP Echo Reply. It appears the
> > ICMP payload is identical in both packets. If this was really an image 
> being
> > transferred does anybody know
> > if it is possible to reconstruct it? Thanks!
> >
> > vjl
> >
>Incidentally, that is what I was doing.. I see a 'Microsoft' image after
>reconstructing it!
>If you need the file (binary jpeg), I could send it to you off the list
>(not sure if binary attachments are allowed here).
>Vinay A. Mahadik
>Summer Intern
>Computer Protection Program
>Lawrence Berkeley National Laboratory
>(510) 495 2618
>This sf.net email is sponsored by: OSDN - Tired of that same old
>cell phone?  Get a new here for FREE!
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list