I just started seeing this strange icmp traffic generated from my pc (192.168.0.229). Can anyone explain why is this happening? In addition to my anti virus protection (Symantec) I've tried several other scanners and haven't detected anything. The icmp payload seems strange as well (192.168.0.209 is not a router, 192.168.0.244 is a domain controller).
Thank you. link text
asked 05 May '11, 12:39
edited 05 May '11, 12:43
What's most likely going on is a typo, in the IP configuration in the DHCP server in this network.
From your picture it occurs that your PC (192.168.0.229) is being hammered with traffic intended for the gateway (192.168.0.209). Since your PC gets these packets, and does seem to know what the gateway address is (fixed config maybe?) it sends out these redirects where to actually find the gateway.
If even 192.168.0.209 isn't your gateway, then you really need to do some auditing of your network configuration.
answered 05 May '11, 23:40
I agree with @Jaap that the DHCP server is probably handing out a wrong gateway address, but it looks like there's an additional misconfiguration. The ICMP redirect shown on the graphic is for a DNS response from 192.168.0.244 to 192.168.0.209. If a standard /24 subnet mask is in use, then the PC, the DC, and the router would all be on the same subnet. In that case, the packet should have gone directly from .244 to .209 in a Layer 2 Ethernet frame. The DC (.244) thinks it's on the same subnet as the PC (.229) but but a different subnet from the router (.209), because it tried to communicate with the router indirectly using the PC as a gateway. And the PC thinks it's on the same subnet as the router, because it issued a redirect for the router's address. It looks like these three systems don't agree on the subnet mask. FYI, a mask of /27 or higher would cause the DC to believe that it's on the same subnet as the PC but a different subnet from the router.
answered 06 May '11, 09:43