Packet sent repeatedly with decreasing TTL

asked 2019-04-29 11:30:48 +0000

updated 2019-04-29 11:57:06 +0000

I am wondering what's going on. On my Windows 8 computer I see many packets sent to the same host (identical ports) with ever decreasing TTL until ICMP TTL exceeded come back. For example below, packet 591 has TTL=84, packet 593 has TTL=83,... and so on Packet 592 has TTL=127, packet 594 TTL=126, ... and so on. All sent from my local ip address. Simillar I see with UDP conversation of OpenVPN connection - many rapidly sent packets with always decreased TTL by one, followed by ICMP ttl-exceeded replies. I couldn't google anything like this to help me understand.

591 2019-04-29 12:27:47,669222  TCP 54  43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=84
592 2019-04-29 12:27:47,669316  TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124  TTL=127
593 2019-04-29 12:27:47,669396  TCP 54  43955 → 443 [ACK] Seq=168 Ack=255 Win=903 Len=0 TTL=83
594 2019-04-29 12:27:47,669472  TCP 178 [TCP Retransmission] 43955 → 443 [PSH, ACK] Seq=168 Ack=454 Win=902 Len=124  TTL=126

I can't attach pcap file, so here is other part of unfiltered interface capture: Packet 1 has TTL=128, 2 TTL=127, ..., packet 5 TTL=124, ... and so on, this five packets sent in mere 354 us(!)

1   2019-04-29 12:27:45,917262  UDP 216 58165 → 34536 Len=174
2   2019-04-29 12:27:45,917386  UDP 216 58165 → 34536 Len=174
3   2019-04-29 12:27:45,917459  UDP 216 58165 → 34536 Len=174
4   2019-04-29 12:27:45,917546  UDP 216 58165 → 34536 Len=174
5   2019-04-29 12:27:45,917616  UDP 216 58165 → 34536 Len=174
You can share a pcap using a public sharing site, e.g. Google Dive, DropBox etc. and then posting a link to the share as a comment.

2 Answers

answered 2019-04-29 14:24:01 +0000

Looks like you have some sort of networking loop. If you look at the packet ID, it is the same.

Thanks for answer. Excuse my delay I didn't notice the answer before. Any suggestions how to diagnose this further? Here is capture on both ends of OpenVPN connection:

The Windows sends identical packet 4 times now, with TTL decreasing from 128 to 125. All four packets are received byremote server, only the TTL is increasing here from 114 to 117. Does that mean the 4 packets batch arrives in reverse order? The response packet is sent and received only one time, sent with TTL=64, received with TTL=51. The above pattern is consistent with next packets.

I wonder why the TCP connection to the port 443 is not seen at my client side capture?

I also tried capture on TAP VPN interface and see simmilar. For excample ping packet is sent 4 times with TTL 128,127,126,125. Server reply ...(more)

Here is similar issue TTL is decreased for duplicated packets same way as in my case. But no solution. I am not on VMWare, my is physical laptop and I don't have virtualization software on it. Here is my network connection bindings I see several LightWeightFilters there, I suspect it is to be blamed.

answered 2019-05-20 16:03:27 +0000

The problem is kind of described here My initial network configuration is here: I uninstalled all unnecessary network related software and ended with network stack like this: No duplicate packets are sent now. However I might have introduced another problem, by not properly uninstalling last of LWF drivers. Unable to find better approach, I did manualy "uninstall" in the network adapter properties. Restart after took unusually long time.

