
Revision history

initial version

ICMP Ping Request to Broadcast Address

Hey,

During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients. All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs is the cause, I should see a lot more clients doing this.

My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.

Has anybody seen this before? Any ideas?

Jas

Download me (client mac and IP addresses sanitized by TraceWrangler)

ICMP Ping Request to Broadcast Address

Hey,

During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients. All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs is the cause, I should see a lot more clients doing this.

My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.

Has anybody seen this before? Any ideas how to identify the process which sends these requests?

Jas

Download me (client mac and IP addresses sanitized by TraceWrangler)

ICMP Ping Request to Broadcast Address

Hey,

During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients (see download below). All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs is the cause, I should see a lot more clients doing this.

My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.

Has anybody seen this before? Any ideas how to identify the process which sends these requests?

Jas

Download capture (IP addresses sanitized by TraceWrangler)
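
An added example, not part of the original post: one way to check a capture for the pattern the question describes, by grouping broadcast echo requests per source into bursts and reporting the count, per-TTL distribution and spacing of each burst. The 60-second idle gap, the function names and the sample data (which assumes the TTL cycles 1..30) are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Input: one line per packet, as exported with (real tshark options and fields):
#   tshark -r capture.pcapng -Y "icmp.type==8 && ip.dst==255.255.255.255" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.ttl
BURST_GAP = 60.0  # assumed: this many silent seconds ends a burst


def parse(lines):
    """Yield (epoch, src, ttl) tuples, skipping lines that do not parse."""
    for line in lines:
        parts = line.strip().split("\t")
        try:
            ts, src, ttl = float(parts[0]), parts[1], int(parts[2])
        except (IndexError, ValueError):
            continue
        yield ts, src, ttl


def summarize_bursts(lines, gap=BURST_GAP):
    """Return {src: [burst summary, ...]} with bursts split on idle gaps."""
    per_src = defaultdict(list)
    for ts, src, ttl in parse(lines):
        per_src[src].append((ts, ttl))
    report = {}
    for src, pkts in per_src.items():
        pkts.sort()
        bursts = [[pkts[0]]]
        for pkt in pkts[1:]:
            if pkt[0] - bursts[-1][-1][0] > gap:
                bursts.append([])
            bursts[-1].append(pkt)
        report[src] = [{"start": b[0][0], "count": len(b),
                        "per_ttl": Counter(ttl for _, ttl in b)} for b in bursts]
    return report


def matches_reported_pattern(burst):
    """True for 900 probes whose TTL values cover 1..30, as in the post."""
    return burst["count"] == 900 and set(burst["per_ttl"]) == set(range(1, 31))


def burst_intervals(bursts):
    """Seconds between the starts of consecutive bursts from one source."""
    return [round(b["start"] - a["start"], 3) for a, b in zip(bursts, bursts[1:])]


def constructed_sample():
    """Constructed data: two 900-probe bursts 600 s apart, TTL cycling 1..30."""
    lines = ["not a packet line"]
    for start in (1000.0, 1600.0):
        lines += [f"{start + i * 0.01:.2f}\t10.0.0.5\t{i % 30 + 1}" for i in range(900)]
    return lines
```

The `per_ttl` counter shows whether the 900 probes are spread evenly across the TTL values or concentrated on a few, which helps when comparing the traffic against the behaviour of candidate tools.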