Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

2151 Subsignature details

We have been tracking many hits on signature 2151 and therefore many subsignatures. After we upgraded to 2.5 on our sensors we noticed a marked increase in the number of subsignatures. There are no details about these. We are attempting to better understand this icmp traffic. Is there somewhere online or off that I can get some details. We are seeing traffic from digital island with a subsignature of 81480 for instance. The particular packets are "network monitoring" packets. We have so far been unsucessful in getting an explanation from Digital Island about them. Ethereal is also unable to interpret the iplogs.



Cisco Employee

Re: 2151 Subsignature details


The subsignature tells you what ICMP message type and length. It is type * 10000 + message length.

So a value of 81480 means:

IcmpType 8 (echo request) with an IP Data Length of 1480.

If you see a value, X < 10000, that would be a

IcmpType 0 (echo reply) where X is the IP Data Len.

Hope this helps,

Scott Cothrell

New Member

Re: 2151 Subsignature details


There has been a similar discussion on the Focus-IDS mail list about large ICMP traffic. Here's are a couple of excerpts from some of the postings that may help you:


The digisle [Digital Island] packets are part of some "internet weather map" that they're doing.

I get them every few minutes from over 200 unique ip addresses, all directed at

my primary DNS server.

I found it mentioned on a few lists doing a google search:

Seems legit, but annoying.


The 1500-byte empty ICMP datagrams are usually an OS (HP-UX frequently) doing path MTU discovery. Annoying, but relatively harmless.


CreatePlease login to create content