Peter Bates wrote:

> Yes it's a ping echo/reply pair, but why the string of EE's?

Good question. My guess would be some kind of automated scanning tool. I could have sworn I've seen ICMP ping/pong packets with E's as the payload, but I can't pinpoint where.

> I could recreate this slightly using 'ping -p 45 host' from another
> system, but it was still slightly different at the front...

It probably was the data for a timeval struct which ping uses to work out the RTT times. Your packets are made from a dedicated tool of some kind.

> Can anyone explain this, or what might be generating this traffic?
>
> The internal host in question appears to be a Windows machine, but
> we'll only be able to investigate properly after the weekend.

Just looking at my Snort rules, I found that WebTrends Scanner sends packets filled with 0x45's (E's), the only difference being that they have 4 leading NULL bytes whereas yours don't. WebTrends make a security scanning product, perhaps this is it?

Unfortunately Google didn't yield much more information. :(

HIH,
Chris.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
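An added example, not part of the original post: a small Python triage helper that separates the three payload shapes the thread compares (pure 0x45 fill, four NULL bytes followed by 0x45 fill, and a timestamp prefix followed by 0x45 fill as `ping -p 45` would produce). The function names and labels are hypothetical, the sample packets are constructed, and the 8- or 16-byte timeval length is an assumption about the sending host.

```python
import struct

FILL = 0x45  # 'E', the fill byte discussed in the thread

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(payload: bytes, ident=1, seq=1, reply=False) -> bytes:
    """Construct an ICMP echo request/reply (sample data, not captured traffic)."""
    itype = 0 if reply else 8
    csum = icmp_checksum(struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload

def all_fill(chunk: bytes) -> bool:
    return len(chunk) > 0 and all(b == FILL for b in chunk)

def classify_echo(icmp: bytes) -> str:
    """Label an ICMP message (IP header already stripped) by payload shape."""
    if len(icmp) < 8:
        return "truncated"
    itype, code = icmp[0], icmp[1]
    if itype not in (0, 8) or code != 0:
        return "not-echo"
    if icmp_checksum(icmp) != 0:  # a valid message sums to zero
        return "bad-checksum"
    payload = icmp[8:]
    if all_fill(payload):
        return "pure-0x45-fill"        # shape reported in the thread
    if payload[:4] == b"\x00" * 4 and all_fill(payload[4:]):
        return "4-null-then-0x45"      # shape the Snort rule describes
    for ts_len in (8, 16):             # assumed timeval sizes (32/64-bit hosts)
        if all_fill(payload[ts_len:]):
            return "timestamp-then-0x45"  # consistent with 'ping -p 45'
    return "other"

if __name__ == "__main__":
    ts = struct.pack("<II", 1011900000, 123456)  # constructed timeval
    for p in (b"E" * 32, b"\x00" * 4 + b"E" * 28, ts + b"E" * 48):
        print(classify_echo(build_echo(p)))
```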
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 13:58:25 PST