Thursday, September 29, 2011

Neat little find - Network forensics

Overview
This post may seem trivial, pointless, and indicative of a security noob, but the other day I was perusing some network traffic between a Windows DC and a client and found some interesting traffic. As I later discovered, what I found is standard traffic from a Windows domain controller, but since it was the first time I saw it, I was intrigued. It began with me looking at some larger-than-usual ICMP traffic.

The Pcap
When I first saw the pcap, it looked rather normal. Then I noticed the 'Length' of some of the ICMP replies, and I wondered why they were so big.

So I popped into a couple of the big ICMP reply packets and instantly saw a JPEG signature in the hex dump: the string "JFIF" (bytes 4a 46 49 46) that sits in the APP0 segment right after the ff d8 start-of-image marker.
I started to think, "what the heck is this?". The best way to figure that out was to carve the image right out of the pcap and see what it was.

Doing this was super easy. There are a lot of programs that can carve files out of pcaps for you automatically, but this file was so small that I just did it manually. First I started by copying the bytes in hex-stream format.
Once I copied the hex stream, I moseyed on over to Malzilla since it has a fantastic "Hex to File" converter, which decodes the hex stream straight to a file.

Once that completes it will save the file as "hexfile.bin", so I just changed the extension to .jpg and presto...wait...wtf?
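The same carve done with a script instead of by hand, as an added example that is not from the original post: it parses a classic libpcap file with Ethernet framing, pulls the data field out of every ICMP echo reply (or request, if asked), reassembles the payloads per flow in sequence order, and cuts out every span between the JPEG start-of-image marker (ff d8 ff) and end-of-image marker (ff d9). The capture it runs on is constructed inline, with made-up addresses, an identifier/sequence numbering and a minimal JFIF-headed byte string standing in for the real image, so it runs offline with the standard library only.

```python
"""Carve JPEGs out of ICMP echo payloads in a pcap (stdlib only, added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap
LINKTYPE_ETHERNET = 1
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image plus the prefix of the first marker
JPEG_EOI = b"\xff\xd9"       # end-of-image

# Constructed stand-in for the image: SOI, an APP0 "JFIF" segment, filler with
# no 0xff bytes (so it cannot fake a marker), then EOI.  Not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
    + bytes(range(0xFE)) * 16
    + b"\xff\xd9"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_frame(src: bytes, dst: bytes, icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/ICMP echo frame (type 8 = request, type 0 = reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # made-up MACs
    return eth + ip + icmp


def build_sample_pcap(image: bytes, chunk: int = 1024) -> bytes:
    """Constructed capture: the client pings the DC with the image split across
    echo requests, and the DC echoes each payload back in its reply."""
    client, dc = bytes([10, 0, 0, 50]), bytes([10, 0, 0, 1])   # assumed addresses
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    ts = 1317254400                                            # arbitrary epoch seconds
    for seq, off in enumerate(range(0, len(image), chunk), start=1):
        part = image[off:off + chunk]
        for frame in (icmp_echo_frame(client, dc, 8, 0x0200, seq, part),
                      icmp_echo_frame(dc, client, 0, 0x0200, seq, part)):
            out.append(struct.pack("<IIII", ts, seq, len(frame), len(frame)) + frame)
    return b"".join(out)


def icmp_echo_payloads(pcap: bytes, want_type: int = 0):
    """Yield (flow_key, seq, data) for every ICMP echo of the requested type.
    Only little-endian classic pcap with Ethernet frames is handled."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4                   # header length from IHL
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[14 + 9] != 1:
            continue                                   # not ICMP
        ip_payload = frame[14 + ihl: 14 + total_len]
        if len(ip_payload) < 8:
            continue
        icmp_type, _, _, ident, seq = struct.unpack_from("!BBHHH", ip_payload, 0)
        if icmp_type != want_type:
            continue
        yield (frame[26:30], frame[30:34], ident), seq, ip_payload[8:]


def carve_jpegs(data: bytes) -> list:
    """Return every SOI..EOI span in a byte string (marker scan only, no decoding)."""
    images, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            return images
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return images                              # truncated image: stop
        images.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)


def carve_from_pcap(pcap: bytes, want_type: int = 0) -> list:
    """Reassemble echo payloads per (src, dst, id) flow in sequence order, then carve."""
    flows = defaultdict(list)
    for key, seq, payload in icmp_echo_payloads(pcap, want_type):
        flows[key].append((seq, payload))
    images = []
    for parts in flows.values():
        parts.sort(key=lambda p: p[0])
        images.extend(carve_jpegs(b"".join(p for _, p in parts)))
    return images


if __name__ == "__main__":
    pcap = build_sample_pcap(SAMPLE_JPEG)
    for i, img in enumerate(carve_from_pcap(pcap)):
        with open("carved_%d.jpg" % i, "wb") as fh:
            fh.write(img)
        print("carved %d bytes, JFIF segment present: %s" % (len(img), b"JFIF" in img[:16]))
```

Running it against the constructed capture writes one file, carved_0.jpg, that is byte-for-byte the sample image; pointing `carve_from_pcap` at the echo requests (`want_type=8`) yields the same bytes, which is the check worth doing on a real capture, since an echo reply mirrors the data field of the request it answers. Images that span several echo packets only reassemble correctly if every packet of the flow was captured, which is why a missing EOI makes the carver stop rather than guess.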
Yeah. That's the image all right. Anyway, a quick Google search for that behavior between a client and a Microsoft domain controller showed that I had discovered standard DC operation. It is the method Windows uses for slow link detection; if, like me, you were unaware of it, you can read about it on Microsoft's site. Since an echo reply carries the same data field as the echo request it answers, the same bytes will also be found in the client's requests.

So call me a noob if you must. I thought it was a neat find.
