ICMP echo identifier

Carter Bullard carter at qosient.com
Fri Dec 14 12:53:12 EST 2007


The identifier is in the icmp flow model, but you want to be able to  
print it?
Carter


On Dec 14, 2007, at 12:47 PM, CS Lee wrote:

> Hi Carter,
>
> Yeah I know that I can filter out all icmp echo traffic using the echo  
> keyword (but not the same identifier), and the reason why I need the icmp  
> identifier in echo ping and reply traffic is because, for example:
>
> nmap uses icmp echo ping/reply with the same identifier across all the  
> hosts in the network, so all of the flows from any source that is  
> doing ping sweeping of the network will have the same icmp identifier in  
> the icmp header.
>
> But if you are using hping to do that, the identifier number for  
> icmp echo will start at 0100, 0200, and follow the sequence.
>
> So by tracking the flow with the identifier number in the icmp header,  
> it is pretty easy to know what tools are used because of the different  
> behaviour in the icmp identifier.
>
> Sorry for the confusion if I didn't explain it clearly in the previous  
> mail, thanks ;]
>
>
>
> On Dec 14, 2007 11:40 PM, Carter Bullard <carter at qosient.com> wrote:
> Sorry for the late response.
>
> You can filter on the keyword "echo" to get icmp echo/echo response  
> flows.
> Is there another identifier that you are interested in?
>
> Carter
>
>
> On Nov 18, 2007, at 7:50 AM, CS Lee wrote:
>
>> Hi Carter,
>>
>> Lately I have played around with quite a few scanning tools and it  
>> seems to be interesting that ICMP ping sweeping can be easily  
>> identified by tracking the identifier, and I have  
>> one request: if we have already kept track of the tcp connection  
>> setup, maybe adding the icmp echo identifier as one of the flow metrics  
>> can be useful, especially for identifying large-scale  
>> network scanning launched by specific tools.
>>
>> Anyway it is just my idea, sorry to bother you again since I have  
>> nothing to do but argus on Sunday.
>>
>> Thanks ;]
>>
>> -- 
>> Best Regards,
>>
>> CS Lee<geekooL[at]gmail.com>
>>
>> http://geek00l.blogspot.com
>
>
>
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
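The tracking CS Lee describes above (one identifier reused across every target for one tool, an identifier that steps per target for another) as an added Python example. This is not argus code and was not posted in the thread; it parses the 8-byte ICMP echo header from constructed sample records, groups echo requests by source, and reports whether a source that hit several destinations used a fixed, stepped or varying identifier. The addresses, the fixed identifier 0xBEEF and the record ordering are made up; only the 0x0100, 0x0200, ... progression follows the hping behaviour described in the thread.

```python
"""Classify ICMP echo senders by how their echo identifier varies.

Added example (not argus code). Each record is (src, dst, raw_icmp_bytes)
in capture order; only the ICMP header is needed, so no IP header is kept.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def parse_icmp_echo(raw):
    """Parse the fixed 8-byte ICMP echo header (RFC 792):
    type(1) code(1) checksum(2) identifier(2) sequence(2), network byte order.
    Returns None for truncated input or for types other than echo request/reply."""
    if len(raw) < 8:
        return None
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq}


def echo_header(ident, seq, icmp_type=ICMP_ECHO_REQUEST):
    """Build a constructed echo header for the sample data (checksum left as 0)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)


def id_pattern(ids):
    """Describe how one source's identifiers change over successive requests."""
    if len(set(ids)) == 1:
        return "fixed-id"
    strides = {b - a for a, b in zip(ids, ids[1:])}
    if len(strides) == 1 and 0 not in strides:
        return "stepped-id"  # constant non-zero increment, e.g. 0x0100 per probe
    return "varying-id"


def classify_sources(records, min_targets=4):
    """A source that sends echo requests to at least min_targets distinct
    destinations is reported as a sweep, labelled with its identifier pattern."""
    per_src = defaultdict(lambda: {"dsts": set(), "ids": []})
    for src, dst, raw in records:
        hdr = parse_icmp_echo(raw)
        if hdr is None or hdr["type"] != ICMP_ECHO_REQUEST:
            continue  # replies, other ICMP types and truncated headers are ignored
        per_src[src]["dsts"].add(dst)
        per_src[src]["ids"].append(hdr["id"])
    verdict = {}
    for src, entry in per_src.items():
        if len(entry["dsts"]) < min_targets:
            verdict[src] = "no-sweep"
        else:
            verdict[src] = "sweep/" + id_pattern(entry["ids"])
    return verdict


# Constructed sample traffic (not a real capture). Addresses and the fixed
# identifier 0xBEEF are made up; the 0x0100, 0x0200, ... progression follows
# the hping behaviour described in the thread.
SAMPLE_RECORDS = (
    # one identifier reused across six targets
    [("10.0.0.5", "10.0.1.%d" % i, echo_header(0xBEEF, i)) for i in range(1, 7)]
    # identifier stepping by 0x0100 per target
    + [("10.0.0.9", "10.0.2.%d" % i, echo_header(0x0100 * i, 0)) for i in range(1, 6)]
    # an ordinary host pinging a single target three times
    + [("10.0.0.20", "10.0.3.1", echo_header(0x1234, s)) for s in range(1, 4)]
    # an echo reply and a truncated header: neither may count toward a sweep
    + [("10.0.1.1", "10.0.0.5", echo_header(0xBEEF, 1, ICMP_ECHO_REPLY)),
       ("10.0.0.99", "10.0.4.1", b"\x03\x01")]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_RECORDS).items()):
        print(src, verdict)
```

Treat the identifier as a weak, tool-default fingerprint rather than an attribution: a scanner can set it to anything, and a NAPT device between the scanner and the sensor rewrites the ICMP query identifier the same way it rewrites TCP/UDP source ports, so the pattern observed at the sensor is then the NAT's, not the tool's. The destination count is what makes the sweep verdict; the identifier pattern only hints at which tool produced it.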


