Ethereal-users: [Ethereal-users] Welchia FIlter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jacques van Jaarsveld <jjaarsveld@xxxxxxxxxxx>
Date: Wed, 8 Sep 2004 18:24:52 +0200

NB: This email and its contents are subject to our email legal notice which can be viewed at http://www.sars.gov.za/Email_Disclaimer.pdf

Should you be unable to access the link provided, please contact our offices for a copy of the legal notice at 0860 12 12 14 or 27 012 422 6301



Guys,

 

I came a cross an article published by Jon Waller regarding Welchia signatures.

 

He published the following filter that will filter the “Welchia Payload”

 

icmp && icmp[0] = 8 && ip[40:4] = 0xaaaaaaaa

 

I tried this, but it seems incorrect…The icmp type must be 8 and the payload must 0xaaaaaaaa

 

I’m running Ethereal 0.10.6….Please help !!!!!!!!!!!!!!

 

Thanx

 

Jacques