ICMP Type 8 Echo Request packet security concerns

Keep in mind that a number of firewall products only report the last process in the chain that causes the communication attempt. That this is part of the OS is because that is the "owner" of the hardware, in this case the networking interfaces. This superficial reporting by these products does not help one understand that it is something running that has asked the OS to do this, very often third-party software.

Reply to
Roger Abell [MVP]

Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?

For some reason, I periodically get weird Internet Control Message Protocol (ICMP) Type 8 requests on WinXP such as:

NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185]. Do you want to allow this program to access the network?

NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.221.175]. Do you want to allow this program to access the network?

I have no idea what these requests are for.

When I do a reverse DNS lookup, I find these IP addresses are not registered. Weird. Then why are they sending me ICMP Type 8 (whatever that is) requests?

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I looked up RFC 792, which describes ICMP, but I did not understand it as I am not a techie. All I know is this thing called ICMP has a code field and a type field. A type 8 is an "Echo". I have a D-Link wireless router, so I wonder why it didn't stop this ping of death from reaching my 192.168.0.1 machine.

One of the articles I looked up suggested "netstat -an", but that didn't show anything listening on that IP address.

What is an ICMP Type 8 echo request? Whom do these IP addresses belong to? Should I allow these ICMP Type 8 echo requests or should I deny them?

Reply to
Scott Holmes

202.232.221.175 is registered to Toshiba. 202.232.13.185 is registered to IIJ Internet, which happens to be the ISP providing DNS service for the Toshiba block immediately above.

Do you have some Toshiba related equipment? Possibly including some software that might be periodically checking for updated drivers or updated software utilities?

Reply to
Walter Roberson

Why do you run software which asks you questions you don't understand? This does not make you more secure in any way.

See RFC 792. It's for network testing.

Both belong to Internet Initiative Japan Inc.

You could allow them. You could deny them. But why are you sending them?

F'up2csf, where it is on-topic.

Yours, VB.

Reply to
Volker Birk

ICMP echo type 8 is "ping", or, more technically speaking, it is the first part of a "ping", i.e. the ICMP echo request; the PC being pinged sends an ICMP echo reply.

The IP address goes back to Japan. It sounds like you have some kind of "dial home" software or worse.....

Good luck, Imhotep

Reply to
Imhotep

Yes, it's fine, there's no risk. There might be a risk to them if you were trying to attack them! But there isn't much you can do with ping alone.

Open a command prompt and type C:\WINDOWS> ping [link]

Now you'll be sending ICMP messages to that host, and those messages will have been generated by the ping program.

You'll get lots and lots of different outgoing things: ICMP messages (like you described), and outgoing TCP connections (e.g. connecting to a computer at port 80).

For ICMP you needn't worry. They carry no data, only codes. Mostly you needn't worry. If a process is sending packets or messages out, then you see if it's a Windows process, in which case it's probably fine, unless it has been compromised. And if it's not a Windows process and it bothers you, then google and I'm sure you'll find out soon enough if it's spyware sending harmless advertising data out.

Either way, it's no big deal. If your computer is slowing down then you have spyware. Outgoing connections that your firewall warns you about are, at worst, spyware. But most of the outgoing traffic is legitimate. Hence you should allow Windows processes and your browser and other trusted programs to send whatever they want outwards.

a) a Windows process, so you should really trust it unless you have reason not to, i.e. unless you think it has been compromised; b) it's sending something outwards, not even any personal data in an ICMP.

It's just a message to test if a remote computer on the internet is up and running.

So you should google around, and as soon as you don't see "SPYWARE SPYWARE" all over the place in the results, you assume it's fine.

That only applies to UDP and TCP. They show servers listening.

ICMP works at a lower level. It isn't displayed by netstat, doesn't use ports, doesn't use listening servers.

A message intended to reach a host and requesting that the host reply to say it is online.

It's a free country. You can send ICMP messages yourself: the ping command.

Somebody posted Toshiba and an ISP or something, so maybe you did the lookup wrong.

Allow. Otherwise the legitimate trusted processes trying to send them will not know what's going on, and may not continue to do what they were intended to do, and what they were intended to do is most probably for your benefit.

Reply to
jameshanley39
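Imhotep's and jameshanley39's posts above describe the echo request/echo reply exchange and the type and code fields from RFC 792. The following is an added example, not code from any poster: it builds and decodes an ICMP echo packet in Python with the RFC 1071 checksum, so a defender can see exactly what a Type 8 packet contains, namely the 8-byte header (type, code, checksum, identifier, sequence) followed by the data field; the identifier, sequence number and 32-byte payload are constructed sample values.

```python
import struct

ICMP_ECHO_REPLY = 0      # RFC 792 type 0
ICMP_ECHO_REQUEST = 8    # RFC 792 type 8, the "ping" the firewall reported

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header plus data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request/reply: type, code 0, checksum, id, seq, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte header and verify the checksum over the whole packet."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    kind = {ICMP_ECHO_REQUEST: "echo request (ping)",
            ICMP_ECHO_REPLY: "echo reply"}.get(icmp_type, "other")
    # With the stored checksum in place, a valid packet sums to 0.
    return {"type": icmp_type, "code": code, "kind": kind, "id": ident,
            "seq": seq, "data_len": len(packet) - 8,
            "checksum_ok": icmp_checksum(packet) == 0}

def make_reply(request: bytes) -> bytes:
    """What the pinged host sends back: type 0 with the same id, seq and data."""
    if parse_icmp(request)["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    return build_echo(ICMP_ECHO_REPLY, ident, seq, request[8:])

if __name__ == "__main__":
    # Constructed sample: id 0x0100, seq 7, 32 bytes of data as Windows ping sends.
    req = build_echo(ICMP_ECHO_REQUEST, 0x0100, 7, b"abcdefghijklmnopqrstuvwabcdefghi")
    print(parse_icmp(req))
    print(parse_icmp(make_reply(req)))
```

Nothing here opens a socket; the point is to show that a Type 8 packet is a fixed header plus whatever data the sending process chose, which is why the question "which process asked the kernel to send this?" matters more than the packet type itself.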

And really, as people have said before, you shouldn't block outgoing. You would only monitor outgoing if you are technically interested, but even then, it's a nuisance to have popups hassling you while you're trying to use your computer. There'll be loads of outgoing messages coming up; you don't want popups interrupting you all the time. Just allow the process NTKernel.exe or whatever it is called, so it won't ask you next time.

The Windows firewall is OK too. I particularly like Sygate's port logger, but Sygate has a few security issues mentioned in previous threads. And of course the Windows firewall is going to be a bit of a target. But I think either of them is fine as a PFW, i.e. for those that use PFWs. If you want more security you probably have to go more technical (Linux firewall) or more expensive (Checkpoint or WatchGuard firewall). If it's any consolation, I am stuck with a PFW.

Reply to
jameshanley39

What would show the full chain? Something like Sysinternals' Process Explorer? Or any particular software firewall?

Reply to
jameshanley39
