[Snort-users] ICMP Packets.

larosa, vjay larosa_vjay at ...3331...
Thu Aug 29 11:39:04 EDT 2002


I believe that this may be some sort of Microsoft'ism as well. I am still
waiting for clearance from management here to send Phil Wood and some others
actual tcpdump files of this traffic to see if they can help shed some light
on this subject. More to come...

vjl

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Thursday, August 29, 2002 2:05 PM
To: Vinay A. Mahadik
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ICMP Packets.


As a follow-on to this thread, I too appear to be getting the same traffic 
profile, with what seems to be the identical content upon casual inspection.

I see these coming in from workstations at a remote site (via VPN) and they
are heading to our NetWare fileserver on a regular basis. The snort sensor
is seeing the unencrypted traffic behind the tunnel walls.

Is this some kind of weird (read: on crack) way of discovering the path
MTU to a fileserver for MS clients?




At 12:42 PM 8/27/2002 -0700, Vinay A. Mahadik wrote:
>"larosa, vjay" wrote:
> >
> > This traffic is ICMP Echo Request, and an ICMP Echo Reply. It appears the
> > ICMP payload is identical in both packets. If this was really an image
> > being transferred does anybody know if it is possible to reconstruct it?
> > Thanks!
> >
> > vjl
> >
>
>Incidentally, that is what I was doing.. I see a 'Microsoft' image after
>reconstructing it!
>
>If you need the file (binary jpeg), I could send it to you off the list
>(not sure if binary attachments are allowed here).
>
>Thanks,
>Vinay.
>
>--
>Vinay A. Mahadik
>Summer Intern
>Computer Protection Program
>Lawrence Berkeley National Laboratory
>(510) 495 2618
>
>



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
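
A sketch of the payload comparison and reconstruction discussed in this thread, added here as an example and not code from any poster or from Snort. RFC 792 requires an echo reply to return the request's data, so identical payloads are expected; the code flags requests that were not echoed verbatim and carves a JPEG from the request payloads. It assumes raw IPv4 packets with the link-layer header stripped, a single echo identifier, and an image carried in sequence order; all function names are hypothetical and the sample packets are constructed.

```python
import struct

# Added illustration; all names here are hypothetical. Input: raw IPv4 packets
# (link-layer header already stripped).
def icmp_echoes(packets):
    """Yield (type, ident, seq, payload) for each ICMP echo request (8) or reply (0)."""
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
            continue                          # not IPv4, or protocol is not ICMP
        icmp = pkt[(pkt[0] & 0x0F) * 4:]      # skip IP header, including options
        if len(icmp) < 8:
            continue
        icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if icmp_type in (0, 8) and code == 0:
            yield icmp_type, ident, seq, icmp[8:]

def unechoed(packets):
    """Return (ident, seq) of requests whose reply is missing or carries different data."""
    reqs, reps = {}, {}
    for t, ident, seq, data in icmp_echoes(packets):
        (reqs if t == 8 else reps)[(ident, seq)] = data
    return [key for key, data in reqs.items() if reps.get(key) != data]

def carve_jpeg(packets):
    """Join request payloads in sequence order; return the first SOI..EOI span or None."""
    parts = sorted((seq, data) for t, _id, seq, data in icmp_echoes(packets) if t == 8)
    blob = b"".join(data for _seq, data in parts)
    start = blob.find(b"\xff\xd8\xff")                 # JPEG start-of-image marker
    end = blob.find(b"\xff\xd9", start + 3) if start >= 0 else -1
    return blob[start:end + 2] if end >= 0 else None   # include end-of-image marker

def _pkt(icmp_type, ident, seq, data):
    """Build a constructed sample packet: 20-byte IPv4 header (checksums zero) + ICMP echo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

# Constructed stand-in for an image: JPEG markers around filler text, split in two.
IMG = b"\xff\xd8\xff\xe0" + b"constructed-not-a-real-image" + b"\xff\xd9"
SAMPLE = [_pkt(8, 1, 1, IMG[:16]), _pkt(0, 1, 1, IMG[:16]),
          _pkt(8, 1, 2, IMG[16:]), _pkt(0, 1, 2, IMG[16:]),
          _pkt(8, 1, 3, b"abcdefgh"), _pkt(0, 1, 3, b"ABCDEFGH")]

if __name__ == "__main__":
    print("requests not echoed back verbatim:", unechoed(SAMPLE))
    print("carved bytes:", carve_jpeg(SAMPLE))
```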



