Discovering ICMP Tunneling on PacketTotal

I found this packet capture upload on PacketTotal, and noticed it was using ICMP tunneling to communicate with its command-and-control server.


The alert written on PacketTotal is “OpenSSH in ICMP Payload”. The Alert Signature field states that OpenSSH was detected over ICMP.

I downloaded the pcap from PacketTotal:


… and opened it up in Wireshark.

An ICMP message starts with a Type, a Code (essentially a subtype of the Type), and a Checksum computed over the whole message. For echo request and echo reply (Types 8 and 0) these are followed by an Identifier, a Sequence Number, and an arbitrary-length Data field that the receiving host is expected to copy back unchanged into its reply. That Data field is what tunneling tools abuse: whatever the client stuffs into an echo request comes back in the reply, which gives a bidirectional channel that most firewalls let straight through.

I scrolled down in Wireshark until I found this request:


Sure enough, we have an ICMP echo request with the following fields: Type 8 (Echo Request), Code 0, Checksum 0x0000, and Data containing the SSH key-exchange negotiation, complete with the OpenSSH version banner that PacketTotal's signature presumably keyed on. The checksum is a tell in its own right: a normal ping carries a computed checksum, and Wireshark will mark a 0x0000 value as incorrect unless the capture was taken on the sending host with checksum offload enabled, so either the tunnel tool never bothered to compute it or the packet was captured before the NIC filled it in.
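As an added example (not part of the original post, and not PacketTotal's own detection logic), the Python script below walks a classic pcap file, pulls out every ICMP echo request and reply, and flags any whose Data field carries an SSH identification string or whose checksum fails to verify. The capture it runs on is constructed inline, including a hypothetical OpenSSH_8.9 banner, rather than taken from the upload above; the Ethernet/IPv4/ICMP parsing uses only the standard library, so it runs offline.

```python
"""Added example: pull ICMP echo messages out of a pcap and flag Data fields carrying an SSH banner."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (header + data)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes, checksum=None) -> bytes:
    """ICMP echo: Type, Code 0, Checksum, Identifier, Sequence, then Data. checksum=None computes it."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    if checksum is None:
        checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def build_frame(proto: int, transport: bytes) -> bytes:
    """Minimal Ethernet + IPv4 wrapper (MACs and IP checksum left zero; the parser does not check them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + transport


def build_pcap(frames) -> bytes:
    """Classic little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes):
    """Yield each captured frame from a little-endian classic pcap (magic 0xA1B2C3D4)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_icmp_echo(frame: bytes):
    """Return the echo fields of an Ethernet/IPv4/ICMP echo frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_ICMP:
        return None
    icmp = ip[ihl:total_len]
    if len(icmp) < 8:
        return None
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    # Verify the checksum over the message with the checksum field zeroed out.
    expected = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {"type": itype, "code": code, "checksum": csum, "ident": ident, "seq": seq,
            "payload": icmp[8:], "checksum_ok": csum == expected}


def find_ssh_in_icmp(pcap: bytes):
    """Flag echo packets whose Data field holds an SSH identification string or whose checksum is wrong."""
    findings = []
    for index, frame in enumerate(iter_frames(pcap)):
        echo = parse_icmp_echo(frame)
        if echo is None:
            continue
        reasons = []
        if b"SSH-" in echo["payload"]:
            reasons.append("ssh_banner")
        if not echo["checksum_ok"]:
            reasons.append("bad_checksum")
        if reasons:
            findings.append({"frame": index, "type": echo["type"], "reasons": reasons})
    return findings


# Constructed sample capture: one ordinary Linux-style ping, two tunnelled SSH messages, one UDP datagram.
PING_PAYLOAD = struct.pack("<Q", 1700000000) + bytes(range(0x10, 0x38))  # timestamp + 0x10..0x37 filler
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"  # hypothetical banner, not taken from the PacketTotal capture
SAMPLE_PCAP = build_pcap([
    build_frame(IPPROTO_ICMP, build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, PING_PAYLOAD)),
    build_frame(IPPROTO_ICMP, build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, SSH_BANNER, checksum=0)),
    build_frame(IPPROTO_ICMP, build_echo(ICMP_ECHO_REPLY, 0x1234, 2, SSH_BANNER)),
    build_frame(IPPROTO_UDP, struct.pack("!HHHH", 53000, 53, 8, 0)),
])
FINDINGS = find_ssh_in_icmp(SAMPLE_PCAP)  # frames 1 and 2 are flagged; frame 0 (real ping) and 3 (UDP) are not
```

To repeat the check on the real upload, pass the bytes of the downloaded file to `find_ssh_in_icmp`; the reader only handles the little-endian classic pcap format, so a pcapng file (Wireshark's default when saving) has to be converted first. The `bad_checksum` reason is a supporting indicator rather than proof on its own, since a capture taken on the sending host with checksum offload enabled will show bad checksums on perfectly innocent pings too.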

Any packet capture uploaded to PacketTotal can be downloaded, so try it yourself!