Ask Your Question
1

Packet sent repeatedly with decreasing TTL

asked 2019-04-29 11:30:48 +0000

Ludek gravatar image

updated 2019-04-29 11:57:06 +0000

grahamb gravatar image

I am wondering what's going on. On my Windows 8 computer I see many packets sent to the same host (identical ports) with ever decreasing TTL until ICMP TTL exceeded come back. For example below, packet 591 has TTL=84, packet 593 has TTL=83,... and so on Packet 592 has TTL=127, packet 594 TTL=126, ... and so on. All sent from my local ip address. Simillar I see with UDP conversation of OpenVPN connection - many rapidly sent packets with always decreased TTL by one, followed by ICMP ttl-exceeded replies. I couldn't google anything like this to help me understand.

591 2019-04-29 12:27:47,669222  192.168.9.16    208.123.73.199  TCP 54  43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=84
592 2019-04-29 12:27:47,669316  192.168.9.16    208.123.73.199  TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124  TTL=127
593 2019-04-29 12:27:47,669396  192.168.9.16    208.123.73.199  TCP 54  43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=83
594 2019-04-29 12:27:47,669472  192.168.9.16    208.123.73.199  TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124  TTL=126

I can't attach pcap file, so here is other part of unfiltered interface capture: Packet 1 has TTL=128, 2 TTL=127, ..., packet 5 TTL=124, ... and so on, this five packets sent in mere 354 us(!)

1   2019-04-29 12:27:45,917262  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
2   2019-04-29 12:27:45,917386  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
3   2019-04-29 12:27:45,917459  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
4   2019-04-29 12:27:45,917546  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
5   2019-04-29 12:27:45,917616  192.168.9.16    194.213.207.90  UDP 216 58165 → 34536 Len=174
edit retag flag offensive close merge delete

Comments

You can share a pcap using a public sharing site, e.g. Google Dive, DropBox etc. and then posting a link to the share as a comment.

grahamb gravatar imagegrahamb ( 2019-04-29 11:57:47 +0000 )edit

OK, here is full capture. http://www.ludek.aldor.cz/download/TT...

Ludek gravatar imageLudek ( 2019-04-29 12:11:46 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
1

answered 2019-04-29 14:24:01 +0000

naskop gravatar image

Looks like you have some sort of networking loop. If you look at the packet ID, it is the same.

edit flag offensive delete link more

Comments

Thanks for answer. Excuse my delay I didn't notice the answer before. Any suggestions how to diagnose this further? Here is capture on both ends of OpenVPN connection: http://www.ludek.aldor.cz/download/bo...

The Windows sends identical packet 4 times now, with TTL decreasing from 128 to 125. All four packets are received byremote server, only the TTL is increasing here from 114 to 117. Does that mean the 4 packets batch arrives in reverse order? The response packet is sent and received only one time, sent with TTL=64, received with TTL=51. The above pattern is consistent with next packets.

I wonder why the TCP connection to the port 443 is not seen at my client side capture?

I also tried capture on TAP VPN interface and see simmilar. For excample ping packet is sent 4 times with TTL 128,127,126,125. Server reply ...(more)

Ludek gravatar imageLudek ( 2019-05-20 11:59:09 +0000 )edit

Here is similar issue https://www.ntkernel.com/forums/topic... TTL is decreased for duplicated packets same way as in my case. But no solution. I am not on VMWare, my is physical laptop and I don't have virtualization software on it. Here is my network connection bindings http://www.ludek.aldor.cz/download/Ne... I see several LightWeightFilters there, I suspect it is to be blamed.

Ludek gravatar imageLudek ( 2019-05-20 12:40:08 +0000 )edit
add a comment
0

answered 2019-05-20 16:03:27 +0000

Ludek gravatar image

The problem is kind of described here https://www.ntkernel.com/forums/topic... My initial network configuration is here: http://www.ludek.aldor.cz/download/Ne... I uninstalled all unnecessary network related software and ended with network stack like this: http://www.ludek.aldor.cz/download/Ne... No duplicate packets are sent now. However I might have introduced another problem, by not properly uninstalling last of LWF drivers. Unable to find better approach, I did manualy "uninstall" in the network adapter properties. Restart after took unusually long time. https://support.microsoft.com/en-gb/h...

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2019-04-29 11:30:48 +0000

Seen: 1,808 times

Last updated: May 20 '19

Related questions

icmp ttl and total_length are displayed with commas

How can I display DNS time to live (TTL) in Days Hours Minutes Seconds format?

Is the TTL I see on a packet arriving from a server to my computer is the original TTL or the TTL after the routers between stripped some numbers?

"Time To Live" always 0 when creating custom pcap file programmatically