Ethereal-users: Re: [Ethereal-users] Capture filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 29 Apr 2005 15:46:17 -0400
On Fri, Apr 29, 2005 at 12:51:36PM -0400, Rancier, Jeff wrote:
> Can someone explain the following filter (from the Wiki):
> 
> icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA
>

Hi Jeff,

The filter looks for an ICMP echo request that is 92 bytes long
and has an ICMP payload that begins with 4 bytes of A's (hex).  It is
the signature of the Welchia worm just before it tries to compromise
a system.

Hope this helps,
Mike
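
The three tests in the filter, evaluated by hand over a raw IPv4 packet, as an added example that is not part of the original post. ip[2:2] is the IPv4 total-length field, icmp[icmptype] is byte 0 of the ICMP header, and icmp[8:4] is the first 4 bytes after the 8-byte echo header; the function names and the sample packets (192.0.2.x addresses, zero checksums) are constructed for illustration.

```python
import struct

ICMP_ECHO = 8  # numeric value behind libpcap's icmp-echo (echo request)

def matches_filter(pkt: bytes) -> bool:
    """Apply the filter's tests to a raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack_from("!H", pkt, 2)  # ip[2:2]
    frag, = struct.unpack_from("!H", pkt, 6)
    # icmp[...] implicitly requires protocol 1 (ICMP) and fragment offset 0
    if pkt[9] != 1 or frag & 0x1FFF:
        return False
    icmp = pkt[ihl:]                               # icmp[] offsets start here
    if len(icmp) < 12:
        return False
    return (icmp[0] == ICMP_ECHO                   # icmp[icmptype]==icmp-echo
            and total_len == 92                    # ip[2:2]==92
            and icmp[8:12] == b"\xaa" * 4)         # icmp[8:4]==0xAAAAAAAA

def build_echo(payload: bytes, options: bytes = b"", icmp_type: int = ICMP_ECHO) -> bytes:
    """Constructed sample packet: IPv4 header + ICMP echo header + payload."""
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, cksum, id, seq
    return ip + icmp + payload

if __name__ == "__main__":
    samples = {
        "20 IP + 8 ICMP + 64 x 0xAA": build_echo(b"\xaa" * 64),
        "same bytes, 84 total": build_echo(b"\xaa" * 56),
        "92 total, payload starts 'abcd'": build_echo(b"abcd" + b"\xaa" * 60),
        "92 total with 4 option bytes": build_echo(b"\xaa" * 60, options=b"\x01" * 4),
        "echo reply, 92 total": build_echo(b"\xaa" * 64, icmp_type=0),
    }
    for name, pkt in samples.items():
        print(f"{name:34s} -> {matches_filter(pkt)}")
```

Only the first four payload bytes are compared, so the rest of the payload does not affect the match; the length test is what ties the pattern to a specific packet size.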