[Dshield] RE: Abnormal ICMP Traffic -- Please advise

James C Slora Jr Jim.Slora at phra.com
Mon Mar 1 20:26:56 GMT 2004

Eric Hines wrote Monday, March 01, 2004 14:56

> 1. Has anyone seen such large ICMP packets requiring 
> fragmentation that are legitimate?

Yes. Slow link detection - common topic. Nice description at

I did not check byte for byte, but spot checks match the baseline file at
that site.

Lots of other references googling "wang2 icmp jfif"

> 2. Is that binary/some sort of file in the payload of the packet?

Yes. A JPEG Microsoft logo.

> 3. These packets seem to be mapping our network? Anyone seen 
> this payload before? The destination IP Address is actually 
> in the payload of the packet.

Don't know those packets.
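
A defender-side check for the traffic discussed in this reply, as an added example that is not part of the original post: it parses a raw IPv4 packet and reports whether it is a fragmented ICMP echo whose data contains a JPEG/JFIF header. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8"   # JPEG start-of-image marker
JFIF_TAG = b"JFIF\x00"   # identifier inside the JPEG APP0 segment

def classify_icmp(packet: bytes) -> dict:
    """Inspect one raw IPv4 packet for an ICMP echo carrying a JFIF image."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    frag_offset = (flags_frag & 0x1FFF) * 8
    result = {"icmp_echo": False,
              "fragmented": bool(flags_frag & 0x2000) or frag_offset > 0,
              "jfif_payload": False}
    if packet[9] != 1 or frag_offset != 0:
        return result    # not ICMP, or a later fragment with no ICMP header
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or icmp[0] not in (0, 8):
        return result    # only echo reply (0) and echo request (8) carry data
    result["icmp_echo"] = True
    data = icmp[8:]
    soi = data.find(JPEG_SOI)
    result["jfif_payload"] = soi != -1 and JFIF_TAG in data[soi:soi + 32]
    return result

def build_sample(payload: bytes, more_fragments=False, frag_units=0) -> bytes:
    """Build a constructed test packet (checksums left at zero)."""
    header = b"" if frag_units else struct.pack("!BBHHH", 8, 0, 0, 0x0200, 1)
    body = header + payload
    flags_frag = (0x2000 if more_fragments else 0) | frag_units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234,
                     flags_frag, 128, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + body

if __name__ == "__main__":
    # Constructed first fragment: 1472 data bytes that start with a JFIF header.
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01".ljust(1472, b"\x00")
    print(classify_icmp(build_sample(jfif, more_fragments=True)))
    # Constructed ordinary ping with an alphabet payload.
    print(classify_icmp(build_sample(b"abcdefghijklmnopqrstuvwabcdefghi")))
```

Only the first fragment carries the ICMP header, so later fragments are reported as fragmented but not classified.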

