> 01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
> (INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
> Type:8 Code:0 ID:1 Seq:9 ECHO
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
> (EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
> Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Yes it's a ping echo/reply pair, but why the string of EE's?
>
> I could recreate this slightly using 'ping -p 45 host' from another
> system, but it was still slightly different at the front...
>
> Can anyone explain this, or what might be generating this traffic?
>
> The internal host in question appears to be a Windows machine, but
> we'll only be able to investigate properly after the weekend.

what makes you think the internal host is windows?  the icmp echo request
ttl, the icmp id, and the icmp sequence for the internal host are _not_
consistent with unmodified windows ip stacks.

it would be helpful if you posted a few more echo request/reply pairs to
the list for further analysis.

-dave

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
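Added example, not part of the thread above and not written by either poster: a Python script that parses Snort-style packet log blocks like the ones quoted in the post and applies the three checks dave names (TTL, ICMP id, ICMP sequence) plus the payload, against the defaults of an unmodified Windows ping. The Windows fingerprint values used here are assumptions drawn from well-known stack behaviour of Windows 2000/XP-era systems, not from the post: initial TTL 128, a fixed 32-byte "abcdefghijklmnopqrstuvwabcdefghi" payload, and an ICMP id and sequence that ping.exe writes in little-endian host order, so that decoded big-endian (as Snort prints them) they are multiples of 256. SAMPLE_LOG is the quoted pair re-typed with the mailer's line wrapping removed; WINDOWS_LOG is a constructed contrast case. For the echo reply only the TTL is informative, since id, sequence and payload are echoed back from the request. (On the poster's recreation differing "at the front": a Unix ping with -p still overwrites the first 8 data bytes with a timestamp when the payload is at least 8 bytes long, per ping(8), which would account for that.)

```python
"""Parse Snort-style ICMP log blocks and test echo requests against the
defaults of an unmodified Windows ping.  Added example, not from the post;
the fingerprint constants are well-known defaults stated as assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: the request/reply pair quoted in the post, re-typed with
# the mailer's line wrapping removed so each Snort log line is whole.
SAMPLE_LOG = """\
01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
"""

# Constructed contrast case (assumption): an unmodified Windows 2000/XP
# ping.exe echo request in the same format, two hops from the sensor.
WINDOWS_LOG = """\
01/25-18:06:00.000000 0:0:0:0:0:1 -> 0:0:0:0:0:2 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:126 TOS:0x0 ID:100 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:256 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
"""

INITIAL_TTLS = (32, 64, 128, 255)  # common initial TTLs (assumption)
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # ping.exe default (assumption)

IP_RE = re.compile(r"ICMP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
RULE_RE = re.compile(r"(?m)^=\+.*$")  # the =+=+ separator between packets


@dataclass
class IcmpEcho:
    ttl: int
    ip_id: int
    icmp_type: int  # 8 = echo request, 0 = echo reply
    icmp_id: int
    seq: int
    payload: bytes


def parse_log(text: str) -> list[IcmpEcho]:
    """One IcmpEcho per packet block.  The payload length is taken from the
    IP header (DgmLen - IpLen - 8-byte ICMP header), so the ASCII column of
    the hex dump is never mistaken for data."""
    pkts = []
    for block in RULE_RE.split(text):
        ip, icmp = IP_RE.search(block), ICMP_RE.search(block)
        if not (ip and icmp):
            continue
        ttl, ip_id, iplen, dgmlen = (int(g) for g in ip.groups())
        itype, _code, icmp_id, seq = (int(g) for g in icmp.groups())
        want = dgmlen - iplen - 8
        payload = bytearray()
        for line in block[icmp.end():].splitlines():
            taken = 0  # Snort prints at most 16 bytes per dump line
            for tok in line.split():
                if taken == 16 or len(payload) == want or not HEX_BYTE.match(tok):
                    break
                payload.append(int(tok, 16))
                taken += 1
        if len(payload) != want:
            raise ValueError(f"expected {want} payload bytes, got {len(payload)}")
        pkts.append(IcmpEcho(ttl, ip_id, itype, icmp_id, seq, bytes(payload)))
    return pkts


def initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL at or above the observed value; the
    difference is the hop count from the sender to the sensor."""
    return next(t for t in INITIAL_TTLS if t >= ttl)


def windows_checks(p: IcmpEcho) -> dict[str, bool]:
    """Per-field consistency with an unmodified Windows ping (assumptions):
    initial TTL 128; ICMP id and seq written little-endian by ping.exe, so
    read big-endian they are multiples of 256 (id 0x0200 = 512, seq 256,
    512, ...); the fixed 32-byte alphabet payload.  An echo reply only
    proves the TTL: id, seq and payload are echoed back from the request."""
    checks = {"ttl_from_128": initial_ttl(p.ttl) == 128}
    if p.icmp_type == 8:
        checks["id_multiple_of_256"] = p.icmp_id != 0 and p.icmp_id % 256 == 0
        checks["seq_multiple_of_256"] = p.seq != 0 and p.seq % 256 == 0
        checks["default_payload"] = p.payload == WINDOWS_PAYLOAD
    return checks


def windows_consistent(p: IcmpEcho) -> bool:
    return all(windows_checks(p).values())


if __name__ == "__main__":
    for p in parse_log(SAMPLE_LOG) + parse_log(WINDOWS_LOG):
        hops = initial_ttl(p.ttl) - p.ttl
        print(f"type {p.icmp_type} ttl {p.ttl} (~{hops} hops) id {p.icmp_id} "
              f"seq {p.seq} windows={windows_consistent(p)} {windows_checks(p)}")
```

Run as a script it prints one line per packet. For the quoted request every check fails (TTL 62 fits an initial TTL of 64 two hops away, id 1 and seq 9 are not multiples of 256, and the payload is 32 bytes of 0x45), which is the observation dave makes; the reply's TTL of 113 does fit an initial TTL of 128, so only the external host looks Windows-like from this pair. More request/reply pairs, as dave asks for, would show whether the id stays fixed and how the sequence steps, which the single pair cannot.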
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 16:44:43 PST