Hey,
During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients. All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these software packages is the cause, I should see a lot more clients doing this.
My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.
Has anybody seen this before? Any ideas?
Jas
Download me (client MAC and IP addresses sanitized by TraceWrangler)