RE: Strings of 'EEEE' in pings...

From: dlaumannat_private
Date: Fri Jan 25 2002 - 15:21:20 PST


    > 01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800
    > len:0x4A
    > (INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20
    > DgmLen:60
    > Type:8  Code:0  ID:1   Seq:9  ECHO
    > 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    > 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    > 
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > =+=+=+=+=+=+
    > 
    > 01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800
    > len:0x4A
    > (EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20
    > DgmLen:60
    > Type:0  Code:0  ID:1  Seq:9  ECHO REPLY
    > 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    > 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    > 
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > =+=+=+=+=+=+
    > 
    > Yes it's a ping echo/reply pair, but why the string of EE's?
    > 
    > I could recreate this slightly using 'ping -p 45 host' from another
    > system,
    > but it was still slightly different at the front...
    > 
    > Can anyone explain this, or what might be generating this traffic?
    > 
    > The internal host in question appears to be a Windows machine, but
    > we'll only be able to investigate properly after the weekend.
    
    what makes you think the internal host is windows? the icmp echo request
    ttl, the icmp id, and the icmp sequence for the internal host are _not_
    consistent with unmodified windows ip stacks. it would be helpful if you
    posted a few more echo request/reply pairs to the list for further analysis.
    
    -dave
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
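
Added example, not part of the original thread: one way to tabulate the fields the reply points at (TTL, ICMP ID, sequence) from Snort's text output, so that more echo request/reply pairs can be compared side by side. The list of common initial TTL values and all function and variable names are assumptions of this example; the sample input is the two quoted records with the e-mail line wraps rejoined.

```python
import re

# Commonly cited initial TTL defaults (assumption: stacks can be tuned, so a hint only).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# The two records quoted in the post, with the e-mail line wraps rejoined.
SAMPLE = """\
01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:9  ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:9  ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

IP = re.compile(r"ICMP TTL:(\d+)\s.*?ID:(\d+)\s+IpLen:(\d+)\s+DgmLen:(\d+)")
ICMP = re.compile(r"Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")
HEXROW = re.compile(r"(?m)^((?:[0-9A-Fa-f]{2} )+)")  # hex column of a dump row

def parse_records(text):
    """Return one dict per ICMP record found in Snort-style text output."""
    out = []
    for chunk in re.split(r"(?m)^(?:=\+)+\s*$", text):  # split on separator rows
        ip, icmp = IP.search(chunk), ICMP.search(chunk)
        if not (ip and icmp):
            continue
        ttl, ip_id, ip_len, dgm_len = map(int, ip.groups())
        icmp_type, _code, icmp_id, seq = map(int, icmp.groups())
        payload = bytes.fromhex("".join(HEXROW.findall(chunk)))
        # Smallest common default that is >= the observed TTL.
        initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
        out.append({
            "ttl": ttl, "initial_ttl_guess": initial, "hops_guess": initial - ttl,
            "ip_id": ip_id, "icmp_type": icmp_type, "icmp_id": icmp_id, "seq": seq,
            "payload": payload,
            "uniform_payload": len(set(payload)) == 1,
            # IP total length minus IP header minus 8-byte ICMP header.
            "length_consistent": dgm_len - ip_len - 8 == len(payload),
        })
    return out

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print({k: v for k, v in rec.items() if k != "payload"})
```
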
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 16:44:43 PST