This seems to occur when I initiate a connection to an IP that I haven't connected to before.

Is this a botnet trying to say hi to his friends?

As you can see, I have an IP filter set in this image. It takes roughly 30-40 seconds for it to rack up that much ICMP traffic. Is there a Windows service that does this? And if so, for what reason exactly?

http://imgur.com/rrF3NNM

  • Those are not normal pings. _Exactly what_ did you do to communicate with this hidden IP address? – Michael Hampton Jul 29 '14 at 03:15
  • Can you post the full packet capture? – Grant Jul 29 '14 at 03:18
  • It's a simple chat relay program I am working on with a friend. I noticed them yesterday. I tested on another machine and it does not seem to happen whatsoever. If it means anything, our chat relay is just some custom application layer protocol using TCP. – user40262 Jul 29 '14 at 03:19
  • If you intend on hiding the IP address in the image, you may want to also hide it in the packet capture bytes displayed in the ICMP payload you have selected. Simply convert your source IP to hexadecimal, look for the 4 bytes representing it, then mask the next 4 bytes in the packet, stopping at and masking `0xB2 (178)`. – Michael J. Gray Jul 29 '14 at 04:36
  • I believe you can use [Network Monitor](http://www.microsoft.com/en-au/download/details.aspx?id=4865) or [Process Monitor](http://technet.microsoft.com/en-au/sysinternals/bb896645.aspx) to identify which process ID is sending the ICMP packet. – DarkMoon Jul 29 '14 at 08:57
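
The masking step from Michael J. Gray's comment, as an added Python example that is not part of the original thread: it finds the 4 bytes of the local IPv4 address in raw packet bytes and overwrites the 4 bytes that follow. The function name, the fill byte and the sample bytes (documentation addresses, with a peer address ending in 178) are constructed for illustration.

```python
import ipaddress


def redact_peer_address(raw: bytes, local_ip: str, fill: int = 0x00):
    """Mask the 4 bytes that follow every occurrence of local_ip in raw.

    Returns (redacted_bytes, offsets), where offsets are the start
    positions of the masked runs. The local address itself is left intact.
    """
    # "Convert your source IP to hexadecimal": 4 bytes in network order.
    needle = ipaddress.IPv4Address(local_ip).packed
    out = bytearray(raw)
    offsets = []
    pos = raw.find(needle)
    while pos != -1:
        start = pos + 4
        end = min(start + 4, len(out))  # the capture may be cut short
        if start < end:
            out[start:end] = bytes([fill]) * (end - start)
            offsets.append(start)
        # Search the original bytes so earlier masking cannot hide a match.
        pos = raw.find(needle, pos + 1)
    return bytes(out), offsets


# Constructed sample, not taken from the capture in the question:
# 8 bytes of ICMP header, then a quoted IPv4 header and 8 bytes of TCP.
SAMPLE = bytes.fromhex(
    "0301000000000000"          # ICMP header (constructed)
    "450000341234400080060000"  # first 12 bytes of the quoted IPv4 header
    "c000020a"                  # source 192.0.2.10 (local machine)
    "c63364b2"                  # destination 198.51.100.178, last byte 0xB2
    "c001005000000001"          # TCP ports and sequence number
)

if __name__ == "__main__":
    redacted, where = redact_peer_address(SAMPLE, "192.0.2.10")
    print("masked at offsets:", where)
    print(redacted.hex(" "))
```

The same bytes appear in the hex pane of the capture tool, so a screenshot needs that region blurred as well as the address column.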
