Hello all...

I've searched on Google, and other than some short discussion in the past, I've nothing to answer my question...

I saw some of this traffic today, watching a machine which had made several failed attempts to connect to servers they shouldn't (both machines are internal), and then seeing some SNMP traffic to external hosts which I failed to capture...

What I saw was this: (snort -vde capture)

01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yes it's a ping echo/reply pair, but why the string of EE's? I could recreate this slightly using 'ping -p 45 host' from another system, but it was still slightly different at the front...

Can anyone explain this, or what might be generating this traffic? The internal host in question appears to be a Windows machine, but we'll only be able to investigate properly after the weekend.

----------------------------------------------------------------------------
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 11:16:37 PST
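
An added example, not part of the original post: a small parser for `snort -vde` text output that checks each echo request's payload length against the IP header fields, labels its fill pattern, and confirms the reply echoes the same bytes. The sample is constructed from the two records quoted in the post; the function names are hypothetical, and `WINDOWS_DEFAULT` (the stock Windows ping data) is a comparison baseline that does not come from the post.

```python
import re

# Constructed sample: the two records quoted in the post, laid out as snort -vde prints them.
ROW = "45 " * 16 + "E" * 16
SEP = "=+" * 37
SAMPLE = f"""\
01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
{ROW}
{ROW}
{SEP}
01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
{ROW}
{ROW}
"""

HEX_LINE = re.compile(r"^(?:[0-9A-Fa-f]{2} ){1,16}")  # hex column, at most 16 bytes per row
ICMP_HDR = 8  # type, code, checksum, id, seq
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"  # stock Windows ping data (not from the post)

def parse_records(text):
    """Yield one dict per ICMP echo packet found in `snort -vde` text output."""
    for chunk in re.split(r"^(?:=\+)+\s*$", text, flags=re.M):
        ip = re.search(r"IpLen:(\d+) DgmLen:(\d+)", chunk)
        icmp = re.search(r"^Type:(\d+)\s+Code:\d+\s+ID:(\d+)\s+Seq:(\d+)", chunk, re.M)
        if not (ip and icmp):
            continue
        data = b"".join(bytes.fromhex(m.group(0))
                        for m in map(HEX_LINE.match, chunk.splitlines()) if m)
        yield {"type": int(icmp[1]), "id": int(icmp[2]), "seq": int(icmp[3]),
               "declared": int(ip[2]) - int(ip[1]) - ICMP_HDR, "data": data}

def classify(data):
    """Label an echo payload by its fill pattern."""
    if data == WINDOWS_DEFAULT:
        return "windows-default"
    uniform = data and len(set(data)) == 1
    return "uniform-fill 0x%02X" % data[0] if uniform else "other"

def review(text):
    """Per echo request: (seq, fill pattern, length matches header, reply echoed it)."""
    pkts = list(parse_records(text))
    replies = {(p["id"], p["seq"]): p["data"] for p in pkts if p["type"] == 0}
    return [(p["seq"], classify(p["data"]), len(p["data"]) == p["declared"],
             replies.get((p["id"], p["seq"])) == p["data"])
            for p in pkts if p["type"] == 8]
```

For the capture in the post this reports a 32-byte payload (DgmLen 60 minus the 20-byte IP header and the 8-byte ICMP header) filled entirely with 0x45 and echoed unchanged in the reply.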