Ethereal-users: Re: [Ethereal-users] Capture filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Fri, 29 Apr 2005 21:53:00 +0200
MH wrote:

>On Fri, Apr 29, 2005 at 12:51:36PM -0400, Rancier, Jeff wrote:
>
>>Can someone explain the following filter (from the Wiki):
>>
>>icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA
>
>Hi Jeff,
>
>The filter looks for an ICMP echo request that is 92 bytes long
>and has an ICMP payload that begins with 4 bytes of A's (hex).  It is
>the signature of the Welchia worm just before it tries to compromise
>a system.
>
I've added this explanation to the wiki page.

Regards, ULFL
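
The three terms of the filter discussed above, written out as byte-level checks on a raw IPv4 packet. This is an added example, not part of the original thread or of Ethereal/libpcap; the names `matches_filter` and `build_echo` are hypothetical, and the test packets are constructed with documentation addresses and zeroed checksums.

```python
import struct

ICMP_ECHO = 8  # numeric value behind the filter's icmp-echo constant

def matches_filter(ip_packet: bytes) -> bool:
    """Apply the filter's checks to a raw IPv4 packet (no link-layer header)."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack_from("!H", ip_packet, 2)  # ip[2:2]: IP total length
    frag, = struct.unpack_from("!H", ip_packet, 6)       # flags + fragment offset
    if ip_packet[9] != 1:                                # protocol 1 = ICMP
        return False
    if frag & 0x1FFF:                                    # later fragment: no ICMP header here
        return False
    icmp = ip_packet[ihl:]                               # icmp[] offsets start after the IP header
    if len(icmp) < 12:                                   # need 8-byte header + 4 payload bytes
        return False
    return (icmp[0] == ICMP_ECHO                         # icmp[icmptype]==icmp-echo
            and total_len == 92                          # ip[2:2]==92
            and icmp[8:12] == b"\xaa" * 4)               # icmp[8:4]==0xAAAAAAAA

def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO) -> bytes:
    """Build a constructed IPv4 + ICMP packet for testing (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp

if __name__ == "__main__":
    # 20-byte IP header + 8-byte ICMP header + 64-byte payload = 92 bytes
    samples = {
        "92 bytes, 0xAA payload": build_echo(b"\xaa" * 64),
        "60 bytes, 0xAA payload": build_echo(b"\xaa" * 32),
        "92 bytes, other payload": build_echo(b"abcd" + b"\xaa" * 60),
        "92 bytes, echo reply": build_echo(b"\xaa" * 64, icmp_type=0),
    }
    for label, pkt in samples.items():
        print(f"{label}: {matches_filter(pkt)}")
```

Because `ip[2:2]` is the IP total length, the 92 bytes include the IP and ICMP headers, so with a 20-byte IP header the matching payload is 64 bytes.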