[Dshield] RE: Abnormal ICMP Traffic -- Please advise
James C Slora Jr
Jim.Slora at phra.com
Mon Mar 1 20:26:56 GMT 2004
Eric Hines wrote Monday, March 01, 2004 14:56
> 1. Has anyone seen such large ICMP packets requiring
> fragmentation that are legitimate?
Yes. Slow link detection - common topic. Nice description at
I did not check byte for byte, but spot checks match the baseline file at
Lots of other references googling "wang2 icmp jfif"
> 2. Is that binary/some sort of file in the payload of the packet?
Yes. A JPEG Microsoft logo.
> 3. These packets seem to be mapping our network? Anyone seen
> this payload before? The destination IP Address is actually
> in the payload of the packet.
Don't know those packets.