SETH STEIN
ICMP traffic

A comment about an increased amount of ICMP traffic on our network led me to set up a sniffer on a Windows XP box to see what type of ICMP traffic was on our network and especially to see what ICMP packets were originating from my machine.

Running 'netstat -s -p icmp' on my machine showed nearly 2000 ICMP echo request packets that had been sent from my machine. I hadn't been running any pings from the command line, so I knew something was suspicious.

After studying the sniffer output captured over a 3-hour period, I found that about every 15 minutes, my machine would send an ICMP echo request packet to one of our Windows 2000 "domain controllers". The data payload of the ICMP packet was just a series of characters from A to W. OK, no big deal. But, one set of ICMP echo request/replies was different from the other ones.


There was one ICMP echo request to the "domain controller" which had 2048 bytes of data fragmented over 2 ICMP request packets. After gathering some information from Google, I found that the payload was part of a JPEG image. After a little Perl processing to extract the image from the sniffer capture and save it to a file, I came up with the following image:
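As an added example (not the page's Perl, and not anything from Microsoft), here is a small Python script that does the same job from raw IPv4 packets: it reassembles IP fragments, picks out ICMP echo requests, and flags the ones whose payload begins with the JPEG start-of-image marker, which is what distinguishes the 2048-byte probe from an ordinary A..W ping. The packets, addresses and the JPEG header are constructed placeholders, not capture data.

```python
import struct
from collections import defaultdict

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker (FF D8 FF)

def build_ipv4(src, dst, ident, frag_off, more, payload):
    """Minimal IPv4 header (checksum left zero) around an ICMP payload. Test data only."""
    flags_frag = (0x2000 if more else 0) | (frag_off // 8)  # MF flag + offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 1, 0, src, dst)  # protocol 1 = ICMP
    return hdr + payload

def reassemble(packets):
    """Group IPv4 fragments by (src, dst, id); return only complete, contiguous IP payloads."""
    groups = defaultdict(dict)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_frag = struct.unpack("!HH", pkt[4:8])
        more, off = bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8
        groups[(pkt[12:16], pkt[16:20], ident)][off] = (pkt[ihl:], more)
    complete = []
    for frags in groups.values():
        data, expect, done = b"", 0, False
        for off in sorted(frags):
            if off != expect:
                break  # gap: a fragment is missing, do not emit a partial datagram
            chunk, more = frags[off]
            data, expect, done = data + chunk, expect + len(chunk), not more
        if done:
            complete.append(data)
    return complete

def classify_echo(icmp):
    """Label an ICMP echo request by payload size and whether it carries a JPEG."""
    if icmp[0] != 8:  # type 8 = echo request; ignore replies and errors
        return None
    data = icmp[8:]  # skip type, code, checksum, id, sequence
    return ("jpeg" if data.startswith(JPEG_SOI) else "plain"), len(data)

def classify_capture(packets):
    return [c for c in map(classify_echo, reassemble(packets)) if c]

# Constructed sample: a 32-byte A..W ping and a 2048-byte JPEG-like probe split into
# two fragments (1480 + 576 bytes of ICMP), as a 1500-byte MTU forces. Not real capture data.
SRC, DC = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])  # placeholder addresses
ECHO_HDR = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
PLAIN = ECHO_HDR + (b"ABCDEFGHIJKLMNOPQRSTUVW" * 2)[:32]
JPEG_LIKE = ECHO_HDR + JPEG_SOI + b"\xe0" + b"\x00" * (2048 - 4)  # placeholder JPEG header
SAMPLE = [build_ipv4(SRC, DC, 0x0101, 0, False, PLAIN),
          build_ipv4(SRC, DC, 0x0102, 0, True, JPEG_LIKE[:1480]),
          build_ipv4(SRC, DC, 0x0102, 1480, False, JPEG_LIKE[1480:])]

if __name__ == "__main__":
    for kind, size in classify_capture(SAMPLE):
        print(f"echo request: {size}-byte {kind} payload")
```

Feeding the same logic the IP layer of a real capture (for example via a pcap reader) would write out the JPEG bytes from the "jpeg" entries, which is what the Perl step above did.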


Why would a Windows XP machine tunnel a Microsoft logo JPEG image inside of an ICMP echo request to a "domain controller"?

Were some Microsoft programmers bored? Is this just some sort of license tracking mechanism?


UPDATE - JUNE 2003:
The mystery has been solved! And no, it's not a Microsoft conspiracy.
Windows 2000 & Windows XP are just doing "Slow Link Detection" for applying group policy and roaming profiles.

Microsoft has Knowledge Base article Q227260 about it; see http://support.microsoft.com/?id=227260.
Also see http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_blsa.asp#dsec_pol_chzb for even more detail about the "Slow Link Detection" algorithm and how to tweak it with group policy.

stein insert_at_sign_here alumni.duke.edu