ICMP echo identifier

CS Lee geek00l at gmail.com
Fri Dec 14 12:47:27 EST 2007


Hi Carter,

Yeah, I know that I can filter out all icmp echo traffic using the echo
keyword (but not the same identifier), and the reason why I need the icmp
identifier in echo ping and reply traffic is, for example:

nmap uses icmp echo ping/reply with the same identifier across all the hosts in
the network, so all of the flows from any source that is doing ping sweeping
on the network will have the same icmp identifier in the icmp header.

But if you are using hping to do that, the identifier number for icmp echo
will start at 0100, 0200, and follow that sequence.

So by tracking the flow with the identifier number in the icmp header, it is
pretty easy to know what tools are used, because of the different behaviour in
the icmp identifier.

Sorry for the confusion if I didn't explain it clearly in my previous mail,
thanks ;]



On Dec 14, 2007 11:40 PM, Carter Bullard <carter at qosient.com> wrote:

> Sorry for the late response.
> You can filter on the keyword "echo" to get icmp echo/echo response flows.
> Is there another identifier that you are interested in?
>
> Carter
>
>
> On Nov 18, 2007, at 7:50 AM, CS Lee wrote:
>
> Hi Carter,
>
> Lately I have played around with quite a few scanning tools and it seems
> interesting that ICMP ping sweeping can be easily identified by tracking
> the identifier, and I have one request: if we already keep track of the
> tcp connection setup, maybe adding the icmp echo identifier as one of the
> flow metrics could be useful, especially for identifying large-scale
> network scanning launched by specific tools.
>
>
> Anyway it is just my idea, sorry to bother you again since I have
> nothing to do but argus on Sunday.
>
> Thanks ;]
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
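The detection idea in the message above, as an added, stand-alone example that is not part of the argus thread and not argus code: parse ICMP echo requests, group them by source, and report whether the identifier stays constant across many destinations or steps by a fixed amount. The tool attributions (constant identifier for nmap, stepping identifier for hping) are the poster's observations; the script only reports the pattern. The packets are constructed inline with a small echo-request builder, so nothing is captured from a live network, and the source/destination addresses and the `min_hosts` threshold are illustrative assumptions.

```python
"""Fingerprint ICMP echo sweeps by how the identifier field behaves.

Added example, not part of the argus mailing-list thread. All packets are
constructed inline; there is no live capture. Tool attributions follow the
thread's description and are not verified here.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP echo request (type 8, code 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    csum = icmp_checksum(hdr)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:]


def parse_echo(raw: bytes):
    """Return (type, identifier, sequence) for an echo request/reply, else None.

    Rejects short messages, non-echo types and checksum failures so that a
    junk packet cannot seed the identifier statistics.
    """
    if len(raw) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        return None
    if icmp_checksum(raw) != 0:  # a correct checksum verifies to zero
        return None
    return icmp_type, ident, seq


def identifier_pattern(idents):
    """Describe how a sequence of identifiers moves: constant, fixed step, or other."""
    if len(set(idents)) == 1:
        return "constant"
    steps = {(b - a) & 0xFFFF for a, b in zip(idents, idents[1:])}
    if len(steps) == 1:
        return "step 0x%x" % steps.pop()
    return "other"


def classify_sweeps(packets, min_hosts=3):
    """Group echo requests by source; flag sources probing >= min_hosts destinations.

    packets: iterable of (src, dst, raw_icmp_bytes) in capture order.
    Returns {src: {"hosts": n, "pattern": str}} for sweeping sources only.
    """
    by_src = defaultdict(list)
    for src, dst, raw in packets:
        parsed = parse_echo(raw)
        if parsed is None or parsed[0] != ICMP_ECHO_REQUEST:
            continue
        by_src[src].append((dst, parsed[1]))
    report = {}
    for src, rows in by_src.items():
        hosts = {dst for dst, _ in rows}
        if len(hosts) < min_hosts:
            continue
        report[src] = {"hosts": len(hosts),
                       "pattern": identifier_pattern([ident for _, ident in rows])}
    return report


# Constructed sample capture (not real traffic; addresses are illustrative):
#   10.0.0.5 sweeps four hosts reusing one identifier (the nmap behaviour the thread describes)
#   10.0.0.6 sweeps four hosts with identifiers 0x0100, 0x0200, ... (the hping behaviour the thread describes)
#   10.0.0.7 pings a single host repeatedly, which is not a sweep
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.%d" % i, build_echo_request(0x1234, i)) for i in range(1, 5)]
    + [("10.0.0.6", "10.0.0.%d" % i, build_echo_request(0x100 * i, 0)) for i in range(1, 5)]
    + [("10.0.0.7", "10.0.0.1", build_echo_request(0x4242, i)) for i in range(1, 4)]
)

if __name__ == "__main__":
    for src, info in sorted(classify_sweeps(SAMPLE_PACKETS).items()):
        print("%s probed %d hosts, identifier pattern: %s"
              % (src, info["hosts"], info["pattern"]))
```

The checksum check in `parse_echo` matters in practice: an identifier-based heuristic is only as good as the packets it counts, and a truncated or corrupted ICMP message should not create a phantom "sweep". The step detection masks to 16 bits so a wrapping identifier is still recognised as a fixed stride.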