Hey Hey,

This really won't spur much of a discussion... it's just more of an FYI for those that like interesting facts, and those who are bored.

We were sitting in class the other day, doing a DHCP lab I believe, and we were sniffing ICMP ECHOs. I was bored and scrolling through the packet contents and found the data field rather amusing.

abcdefghijklmnopqrstuvwabcdefghi
These are the contents of the data field on both Windows XP and Windows 98.

I decided to come home and compare this with the data field contents from an ICMP ECHO Request originating from my linux box (SuSE 9.1 w/ a 2.6.4 kernel). The contents were as follows.

D^¶@b<


 !"#$%&'()*+,-./01234567
Again a pattern is evident: there are 10 bytes of data, followed by an apparent pattern. The characters start counting at hex value 0a and continue on, counting up numerically.

I decided to give my buddy a call and have him ping me with his Mac (Running Mac OS 10.3).

@¶~Ê æ

 !"#$%&'()*+,-./01234567
The initial 10 bytes differ from the first 10 bytes of the Linux ICMP Echo Request data field; however, the data that follows is exactly the same.

So MS systems start at a and move to w before starting the cycle over and repeating themselves. I'm actually kind of curious as to why they didn't go all the way to z, so if anyone knows I'd love to hear about it. *nix-based systems seem to follow their own pattern... 10 seemingly random bytes and then starting at 0a. I'm curious about this system. The count ends up dead on because the bytes preceding 0a would be 00,01,02,03,04,05,06,07,08,09 (10 bytes), yet seemingly random bytes are used instead. Another question that I would love to see the answer to.

I thought I'd share this because little things like this tend to amuse me. I get bored easily and I'm amused by most things... hehe

Anyway, I'm going to play with a few more operating systems, and since I've been trying to learn Snort more in depth, I may attempt to write a series of rules that will identify ICMPs and the operating system they originated from (unless this already exists... if so, let me know so I don't waste my time).

Also, if anyone wants to capture packets from their machines' operating systems and either paste the data field or the packet, or post a capture file here, it'd be greatly appreciated... I'm going to attempt to compile a rather complete list if possible.

Anyways that's my sharing for the evening.....

Peace,
HT
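As an added example (not part of HT's post, and not code from any ping or Snort implementation), the script below does offline what the proposed Snort rules would do on the wire: it parses an ICMP echo request, verifies the RFC 1071 checksum so a corrupted packet is not fingerprinted, and classifies the payload fill. The Windows check matches the 'a'..'w' string quoted in the post; continuing that 23-letter cycle for payload sizes other than the default 32 is an assumption of this example. The *nix check relies on the fact that iputils and BSD ping write a struct timeval at the start of the payload and fill the remaining bytes with their own offset, so rather than hard-coding the timestamp length it locates where the counter starts and reports that length (8 bytes on a 32-bit ping build, 16 on a 64-bit one). All packets and timestamp values are constructed inline, not real captures; the `sample_packets`, `classify` and `counting_offset` names are mine.

```python
"""Classify ICMP echo request payloads by the fill pattern the sending ping used.

Added example: not code from the original post or from any ping implementation.
"""
import struct
from typing import Dict, Optional

# Default 32-byte fill quoted in the post for Windows 98/XP: 'a'..'w' then 'a'..'i'.
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"
MIN_COUNTED = 16  # counted bytes required before we call it a ping counter (assumption)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header+payload; a valid packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP packet into header fields and payload, rejecting bad checksums."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def is_windows_fill(payload: bytes) -> bool:
    """True if the payload is 'a'..'w' repeating, whatever its length.

    The 32-byte default is the string in the post; continuing the 23-letter
    cycle for other -l sizes is an assumption of this example."""
    return bool(payload) and all(b == ord("a") + (i % 23) for i, b in enumerate(payload))


def counting_offset(payload: bytes) -> Optional[int]:
    """Return k if payload[k:] is the byte sequence k, k+1, ... (mod 256), else None.

    iputils and BSD ping put a struct timeval at the start of the payload and
    fill the rest with each byte's own offset, so k is the timestamp size
    (8 on a 32-bit build, 16 on 64-bit). We locate the counter instead of
    hard-coding the timestamp length."""
    for k in range(0, len(payload) - MIN_COUNTED + 1):
        if all(payload[i] == (i & 0xFF) for i in range(k, len(payload))):
            return k
    return None


def classify(payload: bytes) -> str:
    """Label a payload the way a per-OS Snort rule set would."""
    if is_windows_fill(payload):
        return "windows-ping"
    k = counting_offset(payload)
    if k is not None:
        return "unix-ping(timestamp=%dB)" % k
    return "unknown"


def sample_packets() -> Dict[str, bytes]:
    """Constructed packets standing in for captures; timestamp values are made up."""
    tv32 = struct.pack("<II", 1_100_000_000, 123_456)  # 8-byte struct timeval
    tv64 = struct.pack("<QQ", 1_100_000_000, 123_456)  # 16-byte struct timeval
    return {
        "winxp": build_echo_request(0x0200, 1, WINDOWS_FILL),
        "linux32": build_echo_request(0x1234, 1, tv32 + bytes(range(8, 56))),
        "linux64": build_echo_request(0x1234, 2, tv64 + bytes(range(16, 56))),
        "zeros": build_echo_request(0xABCD, 0, b"\x00" * 32),  # flat fill, no counter
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        f = parse_echo(pkt)
        print("%-8s type=%d id=0x%04x seq=%d -> %s"
              % (name, f["type"], f["id"], f["seq"], classify(f["payload"])))
```

On the Snort side the Windows fill is a plain `content:` match, while the *nix fill has to be matched at an offset past the varying timestamp bytes; Snort's stock icmp-info.rules already shipped "ICMP PING Windows" and "ICMP PING *NIX" rules built exactly that way, so it is worth diffing any new rule set against those before writing more. The checksum step matters for the same reason it matters in a sensor: a rule that fingerprints on payload bytes alone will happily label a mangled or forged packet.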