[Dshield] RE: Abnormal ICMP Traffic -- Please advise

Eric Hines eric.hines at appliedwatch.com
Mon Mar 1 20:51:41 GMT 2004


James,

Thanks for the follow-up. However, per my second post, the second fragment in 
the fragment train actually has an offset of 0x00B9, which is decimal 185. This 
overlaps the first fragment. Any ideas if that part of this (I guess, what I 
now understand is legitimate traffic) has been discussed or referenced? Or was 
that an oversight by people thus far?


BRDS,
Eric Hines, GCIA
CEO, President
Applied Watch Technologies, Inc.


-------------------------------------------
Eric Hines, GCIA
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines at appliedwatch.com
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------



Quoting James C Slora Jr <Jim.Slora at phra.com>:

>  
> Eric Hines wrote Monday, March 01, 2004 14:56
> 
> > 1. Has anyone seen such large ICMP packets requiring 
> > fragmentation that are legitimate?
> 
> Yes. Slow link detection - common topic. Nice description at
> http://www.wfu.edu/~steinsj5/work/icmp.html
> 
> I did not check byte for byte, but spot checks match the baseline file at
> that site.
> 
> Lots of other references googling "wang2 icmp jfif"
> 
> > 2. Is that binary/some sort of file in the payload of the packet?
> 
> Yes. A jpeg microsoft logo.
>  
>  
> > 3. These packets seem to be mapping our network? Anyone seen 
> > this payload before? The destination IP Address is actually 
> > in the payload of the packet.
> 
> Don't know those packets.
> 
> 
