
Weird icmp traffic - redirect for network


I just started seeing this strange icmp traffic generated from my PC ( Can anyone explain why is this happening? In addition to my antivirus protection (Symantec) I've tried several other scanners and haven't detected anything. The icmp payload seems strange as well ( is not a router, is a domain controller).

Thank you.

asked 05 May '11, 12:39


accept rate: 0%

edited 05 May '11, 12:43

(05 May '11, 12:40) naskop

And Laura, my name's not Fred :)

(05 May '11, 13:59) naskop

Can you make the actual capture file available, instead of a picture? What I'm seeing doesn't make sense to me, and I'd like to be able to poke around a bit.

(05 May '11, 15:06) Jim Aragon

It seems to be malware related. I've reinstalled my computer since and I don't see such traffic anymore. I will try to clean up the tracefile and post it for reference.

(06 May '11, 10:22) naskop

2 Answers:


What's most likely going on is a typo, in the IP configuration in the DHCP server in this network.

From your picture it appears that your PC ( is being hammered with traffic intended for the gateway ( Since your PC gets these packets, and does seem to know what the gateway address is (fixed config maybe?), it sends out these redirects saying where to actually find the gateway.

If even isn't your gateway, then you really need to do some auditing of your network configuration.

answered 05 May '11, 23:40


Jaap ♦
accept rate: 14%


I agree with @Jaap that the DHCP server is probably handing out a wrong gateway address, but it looks like there's an additional misconfiguration. The ICMP redirect shown on the graphic is for a DNS response from to If a standard /24 subnet mask is in use, then the PC, the DC, and the router would all be on the same subnet. In that case, the packet should have gone directly from .244 to .209 in a Layer 2 Ethernet frame. The DC (.244) thinks it's on the same subnet as the PC (.229) but a different subnet from the router (.209), because it tried to communicate with the router indirectly using the PC as a gateway. And the PC thinks it's on the same subnet as the router, because it issued a redirect for the router's address. It looks like these three systems don't agree on the subnet mask. FYI, a mask of /27 or higher would cause the DC to believe that it's on the same subnet as the PC but a different subnet from the router.

answered 06 May '11, 09:43


Jim Aragon
accept rate: 24%
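As an added example (not from the original thread), the Python below decodes a constructed ICMP redirect of the kind discussed in these answers, pulling the advertised gateway and the embedded original IPv4/UDP header out of the payload, and then works out which prefix lengths are consistent with each host's observed behaviour. The 192.0.2.0 prefix is a placeholder: the thread only shows the host octets .229 (PC), .244 (DC) and .209 (router).

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed placeholder prefix (TEST-NET-1); only the host octets are
# known from the thread: .229 is the PC, .244 the DC, .209 the router.
PC, DC, ROUTER = "192.0.2.229", "192.0.2.244", "192.0.2.209"

def build_redirect(gateway, inner_src, inner_dst):
    """Constructed ICMP type 5, code 0 (redirect for network). The payload
    is the offending datagram's IPv4 header plus its first 8 bytes, here a
    UDP header with source port 53 (the DNS response from the thread)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                           IPv4Address(inner_src).packed,
                           IPv4Address(inner_dst).packed)
    inner_udp = struct.pack("!HHHH", 53, 51234, 8, 0)
    icmp = struct.pack("!BBH4s", 5, 0, 0, IPv4Address(gateway).packed)
    return icmp + inner_ip + inner_udp  # checksum left 0, not verified here

def parse_redirect(pkt):
    """Decode a redirect: (code, advertised gateway, original src,
    original dst, original IP protocol, original source port)."""
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", pkt[:8])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    ip = pkt[8:]                      # embedded original IPv4 header
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = struct.unpack("!4s4s", ip[12:20])
    (sport,) = struct.unpack("!H", ip[ihl:ihl + 2])
    return (code, str(IPv4Address(gw)), str(IPv4Address(src)),
            str(IPv4Address(dst)), proto, sport)

def same_subnet(a, b, prefix):
    """True if a and b fall in the same subnet at the given prefix length."""
    return (IPv4Network(f"{a}/{prefix}", strict=False)
            == IPv4Network(f"{b}/{prefix}", strict=False))

def dc_mask_candidates(pc, dc, router):
    """Masks under which the DC sees the PC as on-link but the router as
    off-link: the only case in which it would send the DNS reply for the
    router through the PC."""
    return [p for p in range(24, 31)
            if same_subnet(dc, pc, p) and not same_subnet(dc, router, p)]

def pc_mask_candidates(pc, router):
    """Masks under which the PC sees the router as on-link, which it must
    for it to answer with a redirect pointing at the router."""
    return [p for p in range(24, 31) if same_subnet(pc, router, p)]
```

Running the two candidate functions on the three addresses shows that no single prefix length satisfies both hosts, which is the disagreement the answer describes.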