Security Incidents mailing list archives
RE: Strings of 'EEEE' in pings...
From: dlaumann () suntzu net
Date: Fri, 25 Jan 2002 17:21:20 -0600
01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yes, it's a ping echo/reply pair, but why the string of EEs? I could recreate this slightly using 'ping -p 45 host' from another system, but it was still slightly different at the front... Can anyone explain this, or what might be generating this traffic? The internal host in question appears to be a Windows machine, but we'll only be able to investigate properly after the weekend.
What makes you think the internal host is Windows? The ICMP echo request TTL, the ICMP ID, and the ICMP sequence for the internal host are _not_ consistent with unmodified Windows IP stacks. It would be helpful if you posted a few more echo request/reply pairs to the list for further analysis.

-dave

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
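The checks Dave is applying by eye (observed TTL versus a plausible initial TTL, ICMP identifier and sequence, and the fill pattern in the payload) can be run over the Snort records mechanically. The script below is an added example written for this archive page, not code from either poster. It parses the two records quoted above (embedded as a constructed copy, one header field group per line), derives the payload length from DgmLen/IpLen, flags a single-byte fill such as the 0x45 ('E') pattern that `ping -p 45` produces, and compares the request against assumed "stock Windows ping" traits: an initial TTL of 128, an ICMP ID of 0x0100 or 0x0200, and the 32-byte `abcdefghijklmnopqrstuvwabcdefghi` payload. Those traits and the candidate initial TTLs (32/64/128/255) are heuristics assumed here, not something the thread states, so treat the verdict as a prompt for more captures rather than proof.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two Snort records quoted in the thread, reflowed one field group per line.
SAMPLE_LOG = """\
01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

IP_RE = re.compile(r"TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Assumed heuristics (not from the thread): traits of an unmodified Windows ping.
WINDOWS_DEFAULT_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
WINDOWS_ICMP_IDS = (0x0100, 0x0200)
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class IcmpRecord:
    ttl: int
    ip_id: int
    ip_len: int
    dgm_len: int
    icmp_type: int
    code: int
    icmp_id: int
    seq: int
    payload: bytes


def parse_snort_icmp(text):
    """Split a Snort ASCII log on its '=+=+' separators and extract each ICMP record."""
    records = []
    for chunk in re.split(r"^=\+.*$", text, flags=re.M):
        ip, icmp = IP_RE.search(chunk), ICMP_RE.search(chunk)
        if not (ip and icmp):
            continue
        payload = bytearray()
        for line in chunk.splitlines():
            # A hex-dump row is up to 16 two-digit hex tokens followed by an ASCII column;
            # header lines start with a timestamp or "(INTERNAL)", so they yield no bytes.
            row = []
            for tok in line.split()[:16]:
                if not HEX_BYTE.match(tok):
                    break
                row.append(int(tok, 16))
            payload.extend(row)
        records.append(IcmpRecord(
            ttl=int(ip.group(1)), ip_id=int(ip.group(2)),
            ip_len=int(ip.group(3)), dgm_len=int(ip.group(4)),
            icmp_type=int(icmp.group(1)), code=int(icmp.group(2)),
            icmp_id=int(icmp.group(3)), seq=int(icmp.group(4)),
            payload=bytes(payload)))
    return records


def guess_initial_ttl(ttl):
    """Smallest common initial TTL at or above the observed value (assumed table)."""
    for cand in COMMON_INITIAL_TTLS:
        if ttl <= cand:
            return cand
    return None


def analyze(rec):
    """Return the derived fields and findings a responder would want for one record."""
    findings = []
    hdr_payload_len = rec.dgm_len - rec.ip_len - 8   # IP header + 8-byte ICMP header
    if hdr_payload_len != len(rec.payload):
        findings.append(f"length mismatch: headers imply {hdr_payload_len} payload bytes, dump has {len(rec.payload)}")
    if rec.payload and len(set(rec.payload)) == 1:
        b = rec.payload[0]
        findings.append(f"payload is {len(rec.payload)} x 0x{b:02x} ({chr(b)!r}): single-byte pattern fill, as 'ping -p {b:02x}' would produce")
    init_ttl = guess_initial_ttl(rec.ttl)
    windows_consistent = {
        "ttl": init_ttl == 128,
        "icmp_id": rec.icmp_id in WINDOWS_ICMP_IDS,
        "payload": rec.payload == WINDOWS_DEFAULT_PAYLOAD,
    }
    return {
        "direction": "request" if rec.icmp_type == 8 else "reply",
        "initial_ttl": init_ttl,
        "hops": None if init_ttl is None else init_ttl - rec.ttl,
        "payload_len": len(rec.payload),
        "windows_consistent": windows_consistent,
        "findings": findings,
    }


if __name__ == "__main__":
    for rec in parse_snort_icmp(SAMPLE_LOG):
        print(analyze(rec))
```

On the quoted capture this reports the request as 32 bytes of 0x45 behind an apparent initial TTL of 64 (two hops away), with none of the assumed Windows traits matching, which is the same conclusion Dave draws from the TTL, ID and sequence fields; the reply's TTL of 113 points at a remote initial TTL of 128 about 15 hops out.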
Current thread:
- Strings of 'EEEE' in pings... Peter Bates (Jan 25)
- Re: Strings of 'EEEE' in pings... Chris Keladis (Jan 25)
- <Possible follow-ups>
- RE: Strings of 'EEEE' in pings... dlaumann (Jan 25)