Re: Strange Large ICMP packets IDS246



> Today I had a whole bunch of large ICMP packages on the company's LAN (about 20).
> Interesting is, that they came mostly from the Windows 2000 Servers. I
> discovered the first of these packages 2 or 3 weeks ago.
> These packets are long (2090 Bytes) and not filled with nulls, but with
> more or less weird content. They have no "Don't fragment" flags set, so I
> wonder where they come from and what they are good for.
> Has anybody seen such packets yet? (See attachment)
Looking at your packet --

>0000  00 e0 7d 8a 07 11 00 a0 c9 af bb 7f 08 00 45 00   ..}...........E.
>0010  08 1c ff d7 00 00 80 01 e8 aa c0 a8 64 1e c0 a8   ............d...
>0020  64 ef 00 00 bd d5 02 00 04 00 ff d8 ff fe 00 08   d...............
>0030  57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01   WANG2.....JFIF..
>0040  01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c   ...`.`.....C....
>0050  0e 0c 0a 10 0e 0d 0e 12 11 10 13 18 28 1a 18 16   ............(...
>0060  16 18 31 23 25 1d 28 3a 33 3d 3c 39 33 38 37 40   ..1#%.(:3=<9387@
>0070  48 5c 4e 40 44 57 45 37 38 50 6d 51 57 5f 62 67   H\N@DWE78PmQW_bg
[...cut...]
>07f0  a7 fe 8c 6a cd f1 35 9d ee 91 af 47 e2 4d 36 06   ...j..5....G.M6.
>0800  99 16 32 2f 23 0c 46 54 60 64 f3 9e 98 e8 30 36   ..2/#.FT`d....06
>0810  64 d0 04 77 7e 35 3a bd ac 96 3e 1f b1 bc 92 f6   d..w~5:...>.....
>0820  61 b0 33 28 5f 2d 4f 05 b2 ac                     a.3(_-O...

This looks like a JPG picture !
-- I cut out the data from this packet-dump into a file --
STARTING from location 0034 -- starting from the "2" after "WANG" --
so file starts with [32 02 ff e0 00 10 4a 46 49 46] ("2.....JFIF") --
up to the end of the packet....
all looks very like a JPG file -- except it starts with [32 02] --
I replaced the first 2 bytes in the file with [FF D8] (correct start of
JPG file) -- this JPG displays -- appears to be an incomplete JPG of the
3vil word "Microsoft" -- except some of the jpg cut-off/not-shown (may
not display in some jpg-viewers therefore).

Hang on.. surely this message is off-topic -- what does this have to do
with debian-linux ??

Heh.. This is the first time I've posted to a mailing list actually.. thinking
about it =).
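
A triage sketch for the packet discussed in this thread, added here as an example and not part of the original message: it parses the Ethernet/IPv4/ICMP headers of the first 128 bytes of the quoted dump, locates the ICMP data, and walks any JPEG segment headers found there. Function names are illustrative, and the fixed 8-byte ICMP header assumes an echo request/reply.

```python
import struct

# First 128 bytes of the frame, copied from the hex dump quoted in the post.
FRAME_HEAD = bytes.fromhex(
    "00e07d8a071100a0c9afbb7f08004500"
    "081cffd700008001e8aac0a8641ec0a8"
    "64ef0000bdd502000400ffd8fffe0008"
    "57414e473202ffe000104a4649460001"
    "0101006000600000ffdb004300100b0c"
    "0e0c0a100e0d0e1211101318281a1816"
    "16183123251d283a333d3c3933383740"
    "485c4e404457453738506d51575f6267"
)
JPEG_NAMES = {0xFE: "COM", 0xE0: "APP0", 0xDB: "DQT", 0xDA: "SOS"}  # subset only

def icmp_payload(frame):
    """Return (icmp_type, payload_offset, ip_total_len) for Ethernet/IPv4/ICMP."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4              # IP header length in bytes
    total_len, = struct.unpack_from("!H", frame, 16)
    if frame[14 + 9] != 1:                    # IP protocol field, 1 = ICMP
        raise ValueError("not ICMP")
    icmp_off = 14 + ihl
    return frame[icmp_off], icmp_off + 8, total_len  # assumes 8-byte echo header

def jpeg_segments(data):
    """Walk JPEG header segments; return [(name, offset, length)] while data lasts."""
    if data[:3] != b"\xff\xd8\xff":           # SOI followed by another marker
        return []
    segs, pos = [("SOI", 0, 2)], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seg_len, = struct.unpack_from("!H", data, pos + 2)  # includes length bytes
        segs.append((JPEG_NAMES.get(marker, hex(marker)), pos, seg_len))
        if marker == 0xDA:                    # entropy-coded data follows SOS
            break
        pos += 2 + seg_len
    return segs

def triage(frame):
    """Summarise one frame: ICMP type, data offset, full frame size, JPEG layout."""
    icmp_type, off, total_len = icmp_payload(frame)
    return {"icmp_type": icmp_type, "payload_offset": off,
            "frame_len": 14 + total_len, "jpeg": jpeg_segments(frame[off:])}

if __name__ == "__main__":
    print(triage(FRAME_HEAD))
```

On the quoted bytes this reports ICMP type 0, data beginning at offset 0x2a with FF D8, a frame length of 2090 bytes, and a COM segment (the one holding "WANG2") ahead of the JFIF APP0 segment.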


