A comment about an increased amount of ICMP traffic on our network led me to set up a sniffer on a Windows XP box to see what type of ICMP traffic was on our network and especially to see what ICMP packets were originating from my machine.
Running 'netstat -s -p icmp' on my machine showed nearly 2000 ICMP echo request packets that had been sent from my machine. I hadn't been running any pings from the command line, so I knew something was suspicious.
After studying the sniffer output captured over a 3-hour period, I found that about every 15 minutes, my machine would send an ICMP echo request packet to one of our Windows 2000 "domain controllers". The data payload of the ICMP packet was just a series of characters from A to W. OK, no big deal. But, one set of ICMP echo request/replies was different from the other ones.
There was one ICMP echo request to the "domain controller" which had 2048
bytes of data fragmented over 2 ICMP request packets. After gathering
some information from Google, I
found that the payload was part of a JPEG image. A little bit of Perl
processing to extract the image from the sniffer capture and save it into
a file, I came up with the following image:
Why would a Windows XP machine tunnel a Microsoft logo JPEG image inside of an ICMP echo request to a "domain controller"?
Were some Microsoft programmers bored? Is this just some sort of license tracking mechanism?
UPDATE - JUNE 2003: