ICMP echo identifier

CS Lee geek00l at gmail.com
Fri Dec 14 12:58:54 EST 2007


hi Carter,

Yeah, if I can print it, that would be great because I can confirm it.
Another thing is if I can do it with racluster by aggregating the flows with
the same identifier (like what I did by clustering all the flows with the same
stcpb), I can use rasort to sort the trans and easily identify how many
flows use the same identifier from a single host; that way it would be
really great.

Thanks ;]

On Dec 15, 2007 1:53 AM, Carter Bullard <carter at qosient.com> wrote:

> The identifier is in the icmp flow model, but you want to be able to print
> it?
>
> Carter
>
>
> On Dec 14, 2007, at 12:47 PM, CS Lee wrote:
>
> Hi Carter,
>
> Yeah, I know that I can filter out all icmp echo traffic using the echo
> keyword (but not by the same identifier), and the reason why I need the icmp
> identifier in echo ping and reply traffic is, for example:
>
> nmap uses icmp echo ping/reply with the same identifier across all the hosts
> in the network, so all of the flows from any source that is doing a ping
> sweep of the network will have the same icmp identifier in the icmp header.
>
> But if you are using hping to do that, the identifier number for icmp echo
> will start at 0100, 0200, and follow that sequence.
>
> So by tracking the flow with the identifier number in icmp header, it is
> pretty easy to know what tools are used because of different behaviour in
> the icmp identifier.
>
> Sorry for the confusion if I didn't explain it clearly in the previous mail,
> thanks ;]
>
>
>
> On Dec 14, 2007 11:40 PM, Carter Bullard <carter at qosient.com> wrote:
>
> > Sorry for the late response.
> > You can filter on the keyword "echo" to get icmp echo/echo response
> > flows.
> > Is there another identifier that you are interested in?
> >
> > Carter
> >
> >
> > On Nov 18, 2007, at 7:50 AM, CS Lee wrote:
> >
> > Hi Carter,
> >
> > Lately I have played around with quite a few scanning tools, and it seems
> > interesting that ICMP ping sweeping can be easily identified by
> > tracking the identifier. I have one request: if we
> > already keep track of the tcp connection setup, maybe adding the icmp echo
> > identifier as one of the flow metrics can be useful, especially for
> > identifying large-scale network scanning launched by specific tools.
> >
> >
> > Anyway it is just my idea, sorry to hesitate you again since I have
> > nothing to do but argus on Sunday.
> >
> > Thanks ;]
> >
> > --
> > Best Regards,
> >
> > CS Lee<geekooL[at]gmail.com>
> >
> > http://geek00l.blogspot.com
> >
> >
> >
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
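The clustering the thread asks for (group echo flows by source host and ICMP identifier, then look at how many destinations share one identifier) can be prototyped outside Argus. This is an added example, not Argus or racluster code; it reads a constructed whitespace-separated record format (src dst id seq) that is an assumption here, and applies the two identifier behaviours described in the thread.

```python
"""Cluster ICMP echo flows by (source, identifier) to spot ping sweeps."""
from collections import defaultdict

# Constructed sample records (not Argus output): src dst icmp_id icmp_seq.
# 10.0.0.5 reuses one id across hosts; 10.0.0.9 steps 0100, 0200, 0300;
# 10.0.0.7 pings a single host with one id (ordinary traffic).
SAMPLE_FLOWS = """\
10.0.0.5 10.0.1.1 0x1234 0
10.0.0.5 10.0.1.2 0x1234 0
10.0.0.5 10.0.1.3 0x1234 0
10.0.0.5 10.0.1.4 0x1234 0
10.0.0.9 10.0.1.1 0x0100 0
10.0.0.9 10.0.1.2 0x0200 0
10.0.0.9 10.0.1.3 0x0300 0
10.0.0.7 10.0.1.1 0x0abc 1
10.0.0.7 10.0.1.1 0x0abc 2
"""

def parse_flows(text):
    """Yield (src, dst, identifier) from the constructed record format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], int(parts[2], 0)

def cluster_by_identifier(flows):
    """Map (src, identifier) -> set of destinations that identifier hit."""
    clusters = defaultdict(set)
    for src, dst, ident in flows:
        clusters[(src, ident)].add(dst)
    return clusters

def classify_sources(clusters, min_targets=3):
    """Per source: 'fixed-id sweep' (one id reused against >= min_targets
    hosts, the nmap-style pattern), 'incrementing-id sweep' (ids stepping by
    0x100 across >= min_targets hosts, the hping-style pattern), or 'normal'."""
    per_src = defaultdict(dict)
    for (src, ident), dsts in clusters.items():
        per_src[src][ident] = dsts
    verdicts = {}
    for src, idents in per_src.items():
        targets = set().union(*idents.values())
        if any(len(d) >= min_targets for d in idents.values()):
            verdicts[src] = "fixed-id sweep"
        elif len(targets) >= min_targets:
            ids = sorted(idents)
            steps = {b - a for a, b in zip(ids, ids[1:])}
            verdicts[src] = "incrementing-id sweep" if steps == {0x100} else "varying-id"
        else:
            verdicts[src] = "normal"
    return verdicts
```

Real deployments would feed this from whatever record export prints the identifier; the thresholds and the 0x100 step are taken from the thread's description, not measured here.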