Normal ICMP Data fields are composed of a pretty standard 32-byte string of alphabet characters.
abcdefghijklmnopqrstuvwabcdefghi
I have captured a series of ICMP echo requests using Wireshark with a modified Data field and I have no idea what it means. (Underscores represent spaces.)
abcdefghijklmnopprstuvwxyzabcdefghi
abcdefghijklmnoparstuvwxyzabcdefghi
__abcdefghijklmnopsrstuvwxyzabcdefghi
__abcdefghijklmnopsrstuvwxyzabcdefghi
__abcdefghijklmnopwrstuvwxyzabcdefghi
__abcdefghijklmnopdrstuvwxyzabcdefghi__
Note:
- The position of the "q" character
- The addition of "xyz"
- The addition of spaces before and after the payload
- When you look at the position of "q" horizontally it spells "passwd", which is a Linux/Unix command for changing a user's password.
Any ideas?
Best Answer
There is no standard which would define what data an ICMP echo request / reply packet has to carry, so any implementation might do what it wants to. There are even implementations of ICMP echo packets as a covert channel. Find out who or what is sending the packets in question; it should help you deduce the "why".
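To make the comparison in the question and the answer's covert-channel point concrete, here is an added example (not from the original question or answer) that checks each captured Data field against the normal 32-byte alphabet payload and records every deviation: leading and trailing spaces, substituted characters, inserted runs such as "xyz", and deleted runs. It assumes the payloads have already been pulled out of the capture as text; the six sample strings are the ones quoted in the question with the underscores expanded back into spaces. Reading the substituted characters packet by packet yields the column the question noticed.

```python
"""Flag ICMP echo payloads that deviate from the usual 32-byte alphabet pattern."""
import difflib
from dataclasses import dataclass

# The normal Data field the question describes: 32 ASCII letters.
BASELINE = "abcdefghijklmnopqrstuvwabcdefghi"

# Constructed sample input: the six captured payloads quoted in the question,
# with underscores expanded back into spaces.
SAMPLE_PAYLOADS = [
    "abcdefghijklmnopprstuvwxyzabcdefghi",
    "abcdefghijklmnoparstuvwxyzabcdefghi",
    "  abcdefghijklmnopsrstuvwxyzabcdefghi",
    "  abcdefghijklmnopsrstuvwxyzabcdefghi",
    "  abcdefghijklmnopwrstuvwxyzabcdefghi",
    "  abcdefghijklmnopdrstuvwxyzabcdefghi  ",
]


@dataclass
class PayloadReport:
    payload: str
    leading_spaces: int
    trailing_spaces: int
    substituted: list  # (baseline_chars, observed_chars) pairs, in payload order
    inserted: list     # runs present in the payload but not in the baseline
    deleted: list      # runs present in the baseline but missing from the payload

    @property
    def anomalous(self) -> bool:
        return bool(self.leading_spaces or self.trailing_spaces
                    or self.substituted or self.inserted or self.deleted)


def analyse_payload(payload: str, baseline: str = BASELINE) -> PayloadReport:
    """Compare one payload against the baseline and record every deviation."""
    core = payload.strip(" ")
    leading = len(payload) - len(payload.lstrip(" "))
    trailing = len(payload) - len(payload.rstrip(" "))
    report = PayloadReport(payload, leading, trailing, [], [], [])
    # difflib aligns the two strings on their longest common runs and
    # classifies each differing stretch as replace / insert / delete.
    matcher = difflib.SequenceMatcher(None, baseline, core, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "replace":
            report.substituted.append((baseline[i1:i2], core[j1:j2]))
        elif tag == "insert":
            report.inserted.append(core[j1:j2])
        elif tag == "delete":
            report.deleted.append(baseline[i1:i2])
    return report


def recover_substituted_text(payloads, baseline: str = BASELINE) -> str:
    """Concatenate, packet by packet, the characters that replaced baseline characters.

    For the capture in the question this is the string that reads down the
    "q" column. It is a lead for the analyst to follow up, not proof of intent.
    """
    out = []
    for p in payloads:
        for _, observed in analyse_payload(p, baseline).substituted:
            out.append(observed)
    return "".join(out)


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = analyse_payload(p)
        print(f"{'ANOMALY' if r.anomalous else 'ok':7} "
              f"spaces={r.leading_spaces}/{r.trailing_spaces} "
              f"subst={r.substituted} ins={r.inserted} del={r.deleted}")
    print("substituted column:", recover_substituted_text(SAMPLE_PAYLOADS))
```

A baseline payload produces a report with no deviations, so the same check can run over a whole capture and surface only the packets worth looking at; pairing the flagged packets with their source addresses is the "who or what" step the answer recommends.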