ICMP Ping Request to Broadcast Address
Hey,
During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients (see download below). All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. This scan happens every 10 minutes per client source and has a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're used for different purposes and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs were the cause, I should see a lot more clients doing this.
My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.
Has anybody seen this before? Any ideas how to identify the process which sends these requests?
Jas
Download capture (IP addresses sanitized by TraceWrangler)
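An added example, not from the original post or from any of the tools named in it: a small Python script that pulls exactly the pattern described above out of a capture. It assumes the packets were exported with a tshark field export (the invocation in the docstring is an assumption), groups ICMP echo requests to 255.255.255.255 by source, splits them into bursts, and reports burst size, TTL range, whether the TTL really climbs 1..N and wraps, and the spacing between bursts. The 10.0.0.x addresses and the sample lines are constructed for the demo.

```python
"""Flag hosts that sweep ICMP echo requests to 255.255.255.255 with a
rising TTL, and measure burst size and the interval between bursts.

Input: one packet per line, tab-separated, as produced by this ASSUMED
tshark export (not taken from the original post):
  tshark -r capture.pcapng -Y "icmp.type==8" -T fields \
      -e frame.time_epoch -e ip.src -e ip.dst -e ip.ttl -e icmp.type
Columns: epoch_time  src  dst  ttl  icmp_type
"""
import sys
from collections import defaultdict

BROADCAST = "255.255.255.255"
ECHO_REQUEST = 8
BURST_GAP_S = 60.0   # packets from one source further apart than this start a new burst


def parse_tshark_lines(lines):
    """Turn tab-separated tshark field lines into (ts, src, dst, ttl, type) tuples."""
    pkts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, ttl, itype = line.split("\t")
        pkts.append((float(ts), src, dst, int(ttl), int(itype)))
    return pkts


def split_bursts(times_ttls, gap):
    """Split a time-sorted list of (ts, ttl) into bursts separated by > gap seconds."""
    bursts, cur = [], []
    for ts, ttl in times_ttls:
        if cur and ts - cur[-1][0] > gap:
            bursts.append(cur)
            cur = []
        cur.append((ts, ttl))
    if cur:
        bursts.append(cur)
    return bursts


def ttl_is_sweep(ttls):
    """True when TTL climbs by one each packet and only ever jumps downward (wrap-around),
    e.g. 1,2,...,30,1,2,...; a constant TTL (normal pings) is not a sweep."""
    for a, b in zip(ttls, ttls[1:]):
        if not (b == a + 1 or b < a):
            return False
    return len(set(ttls)) > 1


def analyse(pkts, gap=BURST_GAP_S):
    """Per source host that sends echo requests to the broadcast address:
    burst count, packets per burst, TTL range, sweep flag, seconds between bursts."""
    by_src = defaultdict(list)
    for ts, src, dst, ttl, itype in pkts:
        if itype == ECHO_REQUEST and dst == BROADCAST:
            by_src[src].append((ts, ttl))
    report = {}
    for src, tt in by_src.items():
        tt.sort()
        bursts = split_bursts(tt, gap)
        starts = [b[0][0] for b in bursts]
        report[src] = {
            "bursts": len(bursts),
            "packets_per_burst": [len(b) for b in bursts],
            "ttl_range": (min(t for _, t in tt), max(t for _, t in tt)),
            "ttl_sweep": all(ttl_is_sweep([t for _, t in b]) for b in bursts),
            "burst_interval_s": [round(b - a) for a, b in zip(starts, starts[1:])],
        }
    return report


def sample_lines():
    """Constructed input: two 900-packet bursts 10 minutes apart from 10.0.0.5 with TTL
    cycling 1..30, one ordinary unicast ping from 10.0.0.9, one stray broadcast ping."""
    t0 = 1700000000.0
    lines = []
    for burst_start in (t0, t0 + 600.0):
        for i in range(900):
            ts = burst_start + i * 0.01
            lines.append(f"{ts:.6f}\t10.0.0.5\t{BROADCAST}\t{i % 30 + 1}\t{ECHO_REQUEST}")
    lines.append(f"{t0 + 5.0:.6f}\t10.0.0.9\t10.0.0.1\t128\t{ECHO_REQUEST}")
    lines.append(f"{t0 + 7.0:.6f}\t10.0.0.7\t{BROADCAST}\t128\t{ECHO_REQUEST}")
    return lines


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sample_lines()
    for host, info in analyse(parse_tshark_lines(src)).items():
        print(host, info)
```

The capture only tells you which host is sending; it cannot name the process. On the sending Windows host itself, enabling "Filtering Platform Connection" auditing makes the Security log record event 5156 for permitted outbound connections, including ICMP (protocol 1), with the application path, which is the quickest way to get from a source IP to a binary.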
What was the original payload data? Did TraceWrangler set it to E's?
@Chuckc This is the original payload. TraceWrangler changed the IP addresses only.
These are all requests, is there ever an answer?
I vaguely remember something about printer drivers pulling stunts like this, does that sound familiar?
@Jaap Unfortunately the 10-minute pattern occurred only on one client. All others are sending these requests randomly. I was not able to run a capture on a client at the right time to capture the responses. But when I use nping to send a ping to 255.255.255.255, I can't see any incoming responses on my client. I would totally agree that printer software could do this fancy scanning. But none of the affected clients have any printer connected or any printer software installed.