ICMP echo identifier
Carter Bullard
carter at qosient.com
Fri Dec 14 12:53:12 EST 2007
The identifier is in the icmp flow model, but you want to be able to
print it?
Carter
On Dec 14, 2007, at 12:47 PM, CS Lee wrote:
> Hi Carter,
>
> Yeah, I know that I can filter out all icmp echo traffic using the echo
> keyword (but not by identifier), and the reason why I need the icmp
> identifier in echo ping and reply traffic is, for example:
>
> nmap uses icmp echo ping/reply with the same identifier across all the
> hosts in the network, so all of the flows from any source that is
> doing ping sweeping of the network will have the same icmp identifier in
> the icmp header.
>
> But if you are using hping to do that, the identifier number for
> icmp echo will start at 0100, 0200, and follow the sequence.
>
> So by tracking the flow with the identifier number in icmp header,
> it is pretty easy to know what tools are used because of different
> behaviour in the icmp identifier.
>
> Sorry for the confusion if I didn't explain it clearly in the previous
> mail, thanks ;]
>
>
>
> On Dec 14, 2007 11:40 PM, Carter Bullard <carter at qosient.com > wrote:
> Sorry for the late response.
>
> You can filter on the keyword "echo" to get icmp echo/echo response
> flows.
> Is there another identifier that you are interested in?
>
> Carter
>
>
> On Nov 18, 2007, at 7:50 AM, CS Lee wrote:
>
>> Hi Carter,
>>
>> Lately I have played around with quite a few scanning tools, and it
>> seems interesting that ICMP ping sweeping can be easily
>> identified by tracking the identifier, and I have
>> one request: if we already keep track of the tcp connection
>> setup, maybe adding the icmp echo identifier as one of the flow metrics
>> could be useful, especially for identifying large-scale
>> network scanning launched by specific tools.
>>
>> Anyway, it is just my idea, sorry to bother you again since I have
>> nothing to do but argus on Sunday.
>>
>> Thanks ;]
>>
>> --
>> Best Regards,
>>
>> CS Lee<geekooL[at]gmail.com>
>>
>> http://geek00l.blogspot.com
>
>
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
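The two identifier behaviours described in the thread (one id reused across every host versus an id that steps 0100, 0200, ... per probe), turned into a small detection pass over echo-request flow records. This is an added example, not argus code; it assumes flows have already been exported as (source, destination, icmp_id) tuples, and the records below are constructed.

```python
from collections import defaultdict

# Constructed sample of ICMP echo-request flow records: (source, destination, icmp_id).
# 10.0.0.5 reuses one identifier across hosts; 10.0.0.9 steps the identifier by
# 0x0100 per probe; 10.0.0.7 is a single ordinary ping and should not be flagged.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.1", 0x1234),
    ("10.0.0.5", "10.0.1.2", 0x1234),
    ("10.0.0.5", "10.0.1.3", 0x1234),
    ("10.0.0.5", "10.0.1.4", 0x1234),
    ("10.0.0.9", "10.0.1.1", 0x0100),
    ("10.0.0.9", "10.0.1.2", 0x0200),
    ("10.0.0.9", "10.0.1.3", 0x0300),
    ("10.0.0.9", "10.0.1.4", 0x0400),
    ("10.0.0.7", "10.0.1.1", 0x4A21),
]

MIN_TARGETS = 3  # a source probing fewer distinct hosts than this is not a sweep


def classify_sources(flows, min_targets=MIN_TARGETS):
    """Group echo-request flows by source and label the identifier pattern.

    Returns {source: label}, where label is one of:
      "constant-id"  one identifier reused across many destinations
      "stepping-id"  identifiers advance by a fixed positive stride per flow
      "variable-id"  many destinations but no recognisable identifier pattern
    Sources that probed fewer than min_targets distinct hosts are omitted.
    """
    by_src = defaultdict(list)
    for src, dst, icmp_id in flows:
        by_src[src].append((dst, icmp_id))

    result = {}
    for src, recs in by_src.items():
        if len({dst for dst, _ in recs}) < min_targets:
            continue
        ids = [icmp_id for _, icmp_id in recs]
        if len(set(ids)) == 1:
            result[src] = "constant-id"
            continue
        strides = {b - a for a, b in zip(ids, ids[1:])}
        if len(strides) == 1 and strides.pop() > 0:
            result[src] = "stepping-id"
        else:
            result[src] = "variable-id"
    return result


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {label}")
```

The flows are assumed to be in capture order, since the stride check compares consecutive identifiers.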