joeware - never stop exploring... :)


wang2.jfif and slow link detection

by @ 2:13 am on 6/5/2007. Filed under tech

There was discussion over on one of the forums I hang out at, ActiveDir.Org, about someone at TechEd mentioning that the slow link detection “ping” was sending a JPG image file to determine network speeds. There was much debate about whether this was crazy, whether the speaker was smoking the funny stuff, whether it was true, whether it was even possible, whether it made any sense, you name it.

Of course this makes sense. Data that is already JPG-compressed is unlikely to be compressed much further by another compression algorithm, which makes it a good candidate for testing connection speed, since speed in network terms is amount of data per unit of time. If the data were being compressed in transit, the measurements could not be compared across different connections: you would have to try to take the compression ratio into account, which you cannot really do, since compression should be transparent to you as the consumer. Being a JPG really isn’t important; the idea is to have a block of data of a fixed size that isn’t likely to be compressible in any significant way. It could just as easily be a zip file or any other truly chaotic data set.

There was conjecture about what if you could get at that file??? I assume the idea being that what if you changed the image, you could change the base of the calculations and wreak chaos and havoc with a core data point calculation…. Or possibly, someone just wanted to know what MSFT was secretly sending all over the network… Nude photo of Bill Gates? Photo of Steve Ballmer throwing a chair? Christina Aguilera in some classic pose? Picture of a squeaky lobster???? Who knows…

Well, sorry to say, you wouldn’t, or at least I wouldn’t, use an actual JPG file. I would embed some fixed portion of a JPG file’s binary data into the executable or DLL in a DATA section. That way no one could directly muck with it, and I wouldn’t have to worry about it changing size, becoming more compressible, or simply not existing.

However, to prove out that it was indeed a JPG image, I turned on Wireshark (a network monitor), told it to capture all ICMP traffic bouncing around my home lab network, and assumed that eventually it would catch this slow link detection ping traffic. Sure enough, the next morning I had a nice snapshot of the traffic, which looks like this:

No.     Time            Source                Destination           Protocol Info
     19 22:05:51.420436 192.168.0.114         192.168.0.11          IP       Fragmented IP protocol (proto=ICMP 0x01, off=0) [Reassembled in #20]

Frame 19 (1514 bytes on wire, 1514 bytes captured)
    Arrival Time: Jun  3, 2007 22:05:51.420436000
    [Time delta from previous packet: 0.000203000 seconds]
    [Time since reference or first frame: 5460.797430000 seconds]
    Frame Number: 19
    Packet Length: 1514 bytes
    Capture Length: 1514 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:data]
Ethernet II, Src: DellEsgP_98:aa:e7 (00:0b:db:98:aa:e7), Dst: Microsof_47:86:60 (00:03:ff:47:86:60)
    Destination: Microsof_47:86:60 (00:03:ff:47:86:60)
        Address: Microsof_47:86:60 (00:03:ff:47:86:60)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Source: DellEsgP_98:aa:e7 (00:0b:db:98:aa:e7)
        Address: DellEsgP_98:aa:e7 (00:0b:db:98:aa:e7)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.114 (192.168.0.114), Dst: 192.168.0.11 (192.168.0.11)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1500
    Identification: 0x97ba (38842)
    Flags: 0x02 (More Fragments)
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..1. = More fragments: Set
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0xfb98 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.0.114 (192.168.0.114)
    Destination: 192.168.0.11 (192.168.0.11)
    Reassembled IP in frame: 20
Data (1480 bytes)

0000  00 03 ff 47 86 60 00 0b db 98 aa e7 08 00 45 00   ...G.`........E.
0010  05 dc 97 ba 20 00 80 01 fb 98 c0 a8 00 72 c0 a8   .... ........r..
0020  00 0b 08 00 7a d3 02 00 3f 02 ff d8 ff fe 00 08   ....z...?.......
0030  57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01   WANG2.....JFIF..
0040  01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c   ...`.`.....C....
0050  0e 0c 0a 10 0e 0d 0e 12 11 10 13 18 28 1a 18 16   ............(...
0060  16 18 31 23 25 1d 28 3a 33 3d 3c 39 33 38 37 40   ..1#%.(:3=<9387@
0070  48 5c 4e 40 44 57 45 37 38 50 6d 51 57 5f 62 67   H\N@DWE78PmQW_bg
0080  68 67 3e 4d 71 79 70 64 78 5c 65 67 63 ff db 00   hg>Mqypdx\egc...
0090  43 01 11 12 12 18 15 18 2f 1a 1a 2f 63 42 38 42   C......./../cB8B
00a0  63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63   cccccccccccccccc
00b0  63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63   cccccccccccccccc
00c0  63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63   cccccccccccccccc
00d0  63 63 ff c0 00 11 08 00 26 00 9e 03 01 21 00 02   cc......&....!..
00e0  11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01   ................
00f0  01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05   ................
0100  06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03   ................
0110  02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04   ..........}.....
0120  11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81   ...!1A..Qa."q.2.
0130  91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82   ...#B...R..$3br.
0140  09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36   .......%&'()*456
0150  37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56   789:CDEFGHIJSTUV
0160  57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76   WXYZcdefghijstuv
0170  77 78 79 7a 83 84 85 86 87 88 89 8a 92 93 94 95   wxyz............
0180  96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3   ................
0190  b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca   ................
01a0  d2 d3 d4 d5 d6 d7 d8 d9 da e1 e2 e3 e4 e5 e6 e7   ................
01b0  e8 e9 ea f1 f2 f3 f4 f5 f6 f7 f8 f9 fa ff c4 00   ................
01c0  1f 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00   ................
01d0  00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4   ................
01e0  00 b5 11 00 02 01 02 04 04 03 04 07 05 04 04 00   ................
01f0  01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51   ..w.......!1..AQ
0200  07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23   .aq."2...B.....#
0210  33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18   3R..br...$4.%...
0220  19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45   ..&'()*56789:CDE
0230  46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65   FGHIJSTUVWXYZcde
0240  66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84   fghijstuvwxyz...
0250  85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2   ................
0260  a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9   ................
0270  ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7   ................
0280  d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5   ................
0290  f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11   ................
02a0  00 3f 00 ed 35 6d 4a 1d 23 4d 96 fa e1 64 68 a2   .?..5mJ.#M...dh.
02b0  c6 e1 18 05 b9 20 71 92 3d 6a ae 81 e2 2b 2f 10   ..... q.=j...+/.
02c0  47 33 59 89 50 c2 40 74 95 40 23 3d 0f 04 8e c7   G3Y.P.@t.@#=....
02d0  bf 6a 00 d6 ae 75 fc 67 a6 2e b6 34 a5 8e e5 e6   .j...u.g...4....
02e0  f3 c4 1b d5 06 cd e4 e3 b9 cf 07 8e 9d bb d0 06   ................
02f0  86 a7 ad db 69 77 b6 16 b3 a4 ac f7 d2 79 71 94   ....iw.......yq.
0300  00 80 72 a3 9c 91 fd e1 eb 5a 54 00 51 40 05 14   ..r......ZT.Q@..
0310  00 51 40 05 14 00 51 40 0d 92 44 8a 36 92 47 54   .Q@...Q@..D.6.GT
0320  44 05 99 98 e0 28 1d 49 35 cc db f8 f3 49 b9 d4   D....(.I5....I..
0330  62 b3 86 2b b6 69 65 11 24 9b 14 29 24 e0 1e 5b   b..+.ie.$..)$..[
0340  38 fc 33 ed 40 1b d6 ba 8d a5 e5 d5 cd b5 b4 eb   8.3.@...........
0350  24 b6 a4 2c ca a0 fc 84 e7 8c f4 3d 0f 4e 98 ab   $..,.......=.N..
0360  54 01 cf f8 ef fe 45 0b ef fb 67 ff 00 a3 16 b9   T.....E...g.....
0370  9f 0c 11 a1 f8 a2 c6 1d ca 96 fa a5 84 4e 07 98   .............N..
0380  40 0e 50 1c 90 7a 92 ca c0 0f f6 f8 f4 a0 0e f3   @.P..z..........
0390  53 bd 4d 37 4d b9 bd 93 69 10 46 5f 6b 36 dd c4   S.M7M...i.F_k6..
03a0  0e 17 3e e7 03 f1 af 2d d3 ac da 39 fc 3b a8 4c   ..>....-...9.;.L
03b0  db e7 be d4 19 da 42 c4 b3 05 78 c7 39 ef bb 79   ......B...x.9..y
03c0  fc 68 03 d1 35 ad 77 fb 27 51 d2 ed 3e cd e6 fd   .h..5.w.'Q..>...
03d0  be 5f 2f 76 fd bb 39 51 9c 60 e7 ef 7b 74 ab 5a   ._/v..9Q.`..{t.Z
03e0  be af 69 a2 d9 7d aa f5 d9 50 9d aa 15 49 2c d8   ..i..}...P...I,.
03f0  24 01 f5 c1 eb 81 40 1c ef fc 27 13 47 fe 91 71   $.....@...'.G..q
0400  a0 5f 47 a7 9e 45 ce 0f 2a 7e e9 c1 00 73 91 fc   ._G..E..*~...s..
0410  5d fb d7 45 2e a9 07 f6 24 ba a5 ab 2d c4 29 03   ]..E....$...-.).
0420  4c bb 4e 37 6d 04 e3 db a6 3d a8 03 9d b6 f1 c4   L.N7m....=......
0430  d7 e9 00 d3 74 49 ee e7 6f f5 c8 8e 76 c2 4b 10   ....tI..o...v.K.
0440  a0 b6 dc 72 06 72 70 07 af 5c 6d 78 83 c4 16 9a   ...r.rp..\mx....
0450  05 a8 92 e7 73 cb 20 6f 26 25 07 f7 84 63 bf 41   ....s. o&%...c.A
0460  d4 75 fd 7a 50 06 2a f8 de e2 de 68 8e ab a0 dd   .u.zP.*....h....
0470  d8 5a bb ec 69 df 71 0a 4f b1 51 9f e7 8c f5 ae   .Z..i.q.O.Q.....
0480  99 f5 1b 48 f4 d1 a8 c9 3a a5 a1 8c 4b e6 30 23   ...H....:...K.0#
0490  e5 23 23 8e bc e4 71 d6 80 39 9f f8 4d 6f 2e 3f   .##...q..9..Mo.?
04a0  7b a7 f8 6e fa e6 d5 be e4 bc 8d de bd 14 8e b9   {..n............
04b0  1d 7b 56 c7 87 3c 45 6b e2 1b 79 1e dd 24 8a 58   .{V..?......b3yx.
05e0  27 e6 27 39 1c 83 b1 41 1e 94                     '.'9...A..

No.     Time            Source                Destination           Protocol Info
     20 22:05:51.420449 192.168.0.114         192.168.0.11          ICMP     Echo (ping) request

Frame 20 (610 bytes on wire, 610 bytes captured)
    Arrival Time: Jun  3, 2007 22:05:51.420449000
    [Time delta from previous packet: 0.000013000 seconds]
    [Time since reference or first frame: 5460.797443000 seconds]
    Frame Number: 20
    Packet Length: 610 bytes
    Capture Length: 610 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:icmp:data]
    [Coloring Rule Name: ICMP]
    [Coloring Rule String: icmp]
Ethernet II, Src: DellEsgP_98:aa:e7 (00:0b:db:98:aa:e7), Dst: Microsof_47:86:60 (00:03:ff:47:86:60)
    Destination: Microsof_47:86:60 (00:03:ff:47:86:60)
        Address: Microsof_47:86:60 (00:03:ff:47:86:60)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Source: DellEsgP_98:aa:e7 (00:0b:db:98:aa:e7)
        Address: DellEsgP_98:aa:e7 (00:0b:db:98:aa:e7)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.114 (192.168.0.114), Dst: 192.168.0.11 (192.168.0.11)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 596
    Identification: 0x97ba (38842)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 1480
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0x1e68 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.0.114 (192.168.0.114)
    Destination: 192.168.0.11 (192.168.0.11)
    [IP Fragments (2056 bytes): #19(1480), #20(576)]
        [Frame: 19, payload: 0-1479 (1480 bytes)]
        [Frame: 20, payload: 1480-2055 (576 bytes)]
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x7ad3 [correct]
    Identifier: 0x0200
    Sequence number: 0x3f02
    Data (2048 bytes)

Frame (610 bytes):

0000  00 03 ff 47 86 60 00 0b db 98 aa e7 08 00 45 00   ...G.`........E.
0010  02 54 97 ba 00 b9 80 01 1e 68 c0 a8 00 72 c0 a8   .T.......h...r..
0020  00 0b 01 d8 5c 41 1d cd bc b6 f3 2e e8 a5 42 8e   ....\A........B.
0030  b9 c6 41 18 23 8a c3 97 48 87 44 f0 7e a7 67 6f   ..A.#...H.D.~.go
0040  34 f2 c5 f6 79 99 7c e6 0c 57 28 78 18 03 03 bf   4...y.|..W(x....
0050  d4 9a 00 6f 80 63 44 f0 95 9b 22 2a 97 32 33 10   ...o.cD..."*.23.
0060  31 b8 ef 61 93 eb c0 03 f0 ac d4 85 75 1f 8a 17   1..a........u...
0070  02 e8 ef 5b 1b 75 78 54 81 80 70 b8 cf 1c e0 bb   ...[.uxT..p.....
0080  1f 5c e3 d2 80 3a cb fb 28 75 1b 19 ec ee 17 31   .\...:..(u.....1
0090  4c 85 5b 81 91 ee 33 dc 75 1e e2 b8 9f 0c 59 cf   L.[...3.u.....Y.
00a0  ae fc 3e bc d3 44 ca 84 4e 52 22 cb c2 e0 ab e0   ..>..D..NR".....
00b0  e3 d4 93 cf 3d 7d b1 40 10 db f8 9b 5f f0 cd bc   ....=}.@...._...
00c0  56 9a b6 93 be de 04 11 24 9c a6 4e 32 a3 78 ca   V.......$..N2.x.
00d0  9c 0e 30 06 78 f6 35 b9 e1 ad 43 c3 da a6 af 73   ..0.x.5...C....s
00e0  77 a6 db c9 06 a1 22 13 28 75 20 b2 e5 72 d8 04   w.....".(u ..r..
00f0  af 27 1e f9 cd 00 53 f0 bc 2b 7b e3 3d 7a fe e4   .'....S..+{.=z..
0100  ef 9e da 5f 26 32 40 c2 8c b2 fa 75 0a 80 67 d0   ..._&2@....u..g.
0110  9e b9 ad cf 16 d9 43 7b e1 ab e5 99 73 e5 44 d3   ......C{....s.D.
0120  21 00 65 59 41 23 19 e9 d3 1f 42 68 03 2f 4b 9e   !.eYA#....Bh./K.
0130  4b 8f 86 4e f2 b6 e6 16 53 a0 38 c7 0a 19 40 fc   K..N....S.8...@.
0140  80 ab 9e 04 ff 00 91 42 c7 fe da 7f e8 c6 a0 0c   .......B........
0150  ff 00 05 ff 00 c8 c3 e2 7f fa fb ff 00 d9 e4 ae   ................
0160  c2 80 39 ff 00 1d ff 00 c8 a1 7d ff 00 6c ff 00   ..9.......}..l..
0170  f4 62 d4 d6 56 49 a9 78 2e d6 ca 4d a0 4f 61 1a   .b..VI.x...M.Oa.
0180  6e 65 dd b4 94 18 6c 7b 1c 1f c2 80 38 df 05 c1   ne....l{....8...
0190  36 a1 ad d9 43 71 14 89 16 8f 13 ee 49 14 95 f3   6...Cq......I...
01a0  0b b1 e4 1f ba df 37 d7 f7 7f 96 e7 8d 3f e4 61   ......7......?.a
01b0  f0 c7 fd 7d ff 00 ec f1 d0 01 e3 4f f9 18 7c 31   ...}.......O..|1
01c0  ff 00 5f 7f fb 3c 75 37 8c 2c 2f 62 ba b2 d7 74   .._..<u7.,/b...t
01d0  88 5a 5b db 43 b1 91 50 be f4 39 ed 9e d9 23 81   .Z[.C..P..9...#.
01e0  9f 9b 39 18 a0 0a bf f0 b0 61 ba b7 f2 b4 fd 36   ..9......a.....6
01f0  ee 5d 41 d3 e4 8b 68 65 dd 8e 7a 1c 90 39 3d 06   .]A...he..z..9=.
0200  71 db b5 e8 6c 6f 6c 3c 0b 7f 1e a5 71 2c f7 6f   q...lol<....q,.o
0210  6d 33 c8 64 94 c9 b3 28 70 a0 fb 00 3d 79 cd 00   m3.d...(p...=y..
0220  4d e0 4f f9 14 2c 7f ed a7 fe 8c 6a cd f1 35 9d   M.O..,.....j..5.
0230  ee 91 af 47 e2 4d 36 06 99 16 32 2f 23 0c 46 54   ...G.M6...2/#.FT
0240  60 64 f3 9e 98 e8 30 36 64 d0 04 77 7e 35 3a bd   `d....06d..w~5:.
0250  ac 96 3e 1f b1 bc 92 f6 61 b0 33 28 5f 2d 4f 05   ..>.....a.3(_-O.
0260  b2 ac                                             ..

I then took that data, slapped it into the hex editor XVI32, and saved it as the file wang2.jfif, which is the file name specified in the binary itself.
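As an added example (not code from the original post), here is a small Python parser that re-reads the first five hex-dump lines of frame 19 above, decodes the Ethernet, IP and ICMP headers, and walks the JPEG marker segments at the start of the echo payload to pull out the "WANG2" comment and the JFIF APP0 header. The function and constant names are my own; because only the head of the dump is embedded, the marker walker stops cleanly at the first segment that runs past the available bytes.

```python
import re
import struct

# First five lines of frame 19's hex dump, copied from the capture above
# (Ethernet + IPv4 + ICMP headers, then the start of the 2048-byte payload).
FRAME19_HEAD = """\
0000  00 03 ff 47 86 60 00 0b db 98 aa e7 08 00 45 00   ...G.`........E.
0010  05 dc 97 ba 20 00 80 01 fb 98 c0 a8 00 72 c0 a8   .... ........r..
0020  00 0b 08 00 7a d3 02 00 3f 02 ff d8 ff fe 00 08   ....z...?.......
0030  57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01   WANG2.....JFIF..
0040  01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c   ...`.`.....C....
"""

def parse_hexdump(text):
    """Turn Wireshark 'offset  hex   ascii' lines back into bytes. Only the
    hex columns (6..52) are read, so the ASCII column is never misparsed."""
    out = bytearray()
    for line in text.splitlines():
        if re.match(r"^[0-9a-f]{4}  ", line):
            out += bytes.fromhex(line[6:53].replace(" ", ""))
    return bytes(out)

def jpeg_segments(payload):
    """Walk JPEG marker segments after SOI (ff d8); return (marker, data)
    pairs and stop at the first segment the truncated dump does not contain."""
    segs = []
    if payload[:2] != b"\xff\xd8":
        return segs
    pos = 2
    while pos + 4 <= len(payload) and payload[pos] == 0xFF:
        marker = payload[pos + 1]
        length = struct.unpack(">H", payload[pos + 2:pos + 4])[0]
        data = payload[pos + 4:pos + 2 + length]
        if len(data) < length - 2:
            break  # segment runs past the bytes we have
        segs.append((marker, data))
        pos += 2 + length
    return segs

def parse_slow_link_ping(frame):
    """Decode the first fragment: IPv4 id/flags, ICMP echo header, JPEG markers."""
    assert struct.unpack(">H", frame[12:14])[0] == 0x0800, "not IPv4"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, flags_frag = struct.unpack(">HHH", ip[2:8])
    icmp = ip[ihl:]
    itype, code, _csum, ident, seq = struct.unpack(">BBHHH", icmp[:8])
    return {"ip_total_len": total_len, "ip_id": ip_id,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,
            "icmp_type": itype, "icmp_code": code, "icmp_id": ident,
            "icmp_seq": seq, "jpeg": jpeg_segments(icmp[8:])}
```

Running it on the embedded lines reports the fragment flag and identification Wireshark shows for frame 19, the ICMP echo fields, and the COM segment holding "WANG2" followed by the JFIF APP0 segment.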

The JPG is simply 2048 bytes of data making up a partial black and white Microsoft logo. In fact, here it is:

Pretty boring huh?

Oh yeah, sure enough, if you search the MSFT EXEs/DLLs in c:\windows\system32 for the string wang2, you will find it in the file userenv.dll. I expect this shouldn’t be any huge surprise.

  joe


One Response to “wang2.jfif and slow link detection”

  1. Mike.Kline says:

    You took this to the next level. I know a lot of people starred your response today. If anyone ever asks this in an interview everyone will know where they got their info from. Nice job as usual Joe.
