This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Weird icmp traffic - redirect for network

0

I just started seeing this strange icmp traffic generated from my pc (192.168.0.229). Can anyone explain why is this happening? In addition to my anti virus protection (Symantec) I've tried several other scanners and haven't detected anything. The icmp payload seems strange as well (192.168.0.209 is not a router, 192.168.0.244 is a domain controller).

Thank you.

asked 05 May '11, 12:39


naskop
16337
accept rate: 0%

edited 05 May '11, 12:43

http://img707.imageshack.us/img707/7526/icmp.png

(05 May '11, 12:40) naskop

And Laura, my name's not Fred :)

(05 May '11, 13:59) naskop

Can you make the actual capture file available, instead of a picture? What I'm seeing doesn't make sense to me, and I'd like to be able to poke around a bit.

(05 May '11, 15:06) Jim Aragon

It seems to be malware related. I've reinstalled my computer since and I don't see such traffic anymore. I will try to clean up the tracefile and post it for reference.

(06 May '11, 10:22) naskop

2 Answers:

2

What's most likely going on is a typo in the IP configuration of the DHCP server in this network.

From your picture it appears that your PC (192.168.0.229) is being hammered with traffic intended for the gateway (192.168.0.209). Since your PC gets these packets, and does seem to know what the gateway address is (fixed config maybe?), it sends out these redirects telling the senders where to actually find the gateway.

If even 192.168.0.209 isn't your gateway, then you really need to do some auditing of your network configuration.

answered 05 May '11, 23:40


Jaap ♦
11.7k16101
accept rate: 14%
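To make the mechanism Jaap describes concrete (a host receiving packets meant for the gateway and answering with ICMP redirects), here is an added example, not code from the original thread: a decoder for ICMP redirect messages (type 5) that checks the message checksum, extracts the advertised gateway and the quoted original datagram, and flags the things a defender would want to see on this network. The sample message is constructed here from the addresses in the question; the expected gateway 192.168.0.209, the /24 subnet and the UDP stub inside the quoted datagram are assumptions.

```python
"""Decode ICMP redirect messages and flag suspicious ones (added example)."""
import ipaddress
import struct
from typing import Dict, List

ICMP_REDIRECT = 5
REDIRECT_CODES = {
    0: "redirect for network",
    1: "redirect for host",
    2: "redirect for type of service and network",
    3: "redirect for type of service and host",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(gateway: str, orig_src: str, orig_dst: str,
                   code: int = 0, orig_proto: int = 17) -> bytes:
    """Constructed sample redirect (not taken from the capture in the question).
    Per RFC 792 the body carries the advertised gateway, the original IP header
    and the first 8 bytes of the original payload (here a UDP header stub)."""
    payload8 = struct.pack("!HHHH", 53, 50000, 8, 0)  # assumed DNS reply, UDP sport 53
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload8), 0x1234, 0,
                        64, orig_proto, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed)
    inner = inner[:10] + struct.pack("!H", inet_checksum(inner)) + inner[12:]
    body = ipaddress.IPv4Address(gateway).packed + inner + payload8
    csum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, code, csum) + body


def parse_redirect(msg: bytes) -> Dict[str, object]:
    """Decode an ICMP redirect; raises ValueError on anything malformed."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short to be an ICMP redirect")
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError(f"ICMP type {icmp_type} is not a redirect")
    if inet_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not an IPv4 header plus 8 bytes")
    return {
        "code": code,
        "kind": REDIRECT_CODES.get(code, f"unknown code {code}"),
        "gateway": ipaddress.IPv4Address(gw),
        "orig_src": ipaddress.IPv4Address(inner[12:16]),
        "orig_dst": ipaddress.IPv4Address(inner[16:20]),
        "orig_proto": inner[9],
    }


def audit_redirect(msg: bytes, sender: str, expected_gateway: str,
                   local_net: str) -> List[str]:
    """Findings for one redirect: who sent it, what it advertises, and whether
    the original destination was on-link anyway (a subnet-mask disagreement)."""
    r = parse_redirect(msg)
    net = ipaddress.ip_network(local_net, strict=False)
    findings = []
    if ipaddress.IPv4Address(sender) != ipaddress.IPv4Address(expected_gateway):
        findings.append(f"redirect sent by {sender}, which is not the configured "
                        f"gateway {expected_gateway}; only routers should send redirects")
    if r["gateway"] != ipaddress.IPv4Address(expected_gateway):
        findings.append(f"advertised gateway {r['gateway']} differs from "
                        f"configured gateway {expected_gateway}")
    if r["orig_dst"] in net:
        findings.append(f"original destination {r['orig_dst']} is on-link in "
                        f"{net}; sender {r['orig_src']} is using a different mask or route")
    if r["code"] == 0:
        findings.append("'redirect for network' (code 0): RFC 1812 forbids routers "
                        "from generating network redirects, so this is not a router")
    return findings


# Constructed sample mirroring the question: PC .229 redirects a DNS reply
# that the DC .244 sent via the PC, pointing it at the router .209.
SAMPLE = build_redirect("192.168.0.209", "192.168.0.244", "192.168.0.209", code=0)

if __name__ == "__main__":
    for line in audit_redirect(SAMPLE, "192.168.0.229", "192.168.0.209", "192.168.0.0/24"):
        print("-", line)
```

Feeding the sample through `audit_redirect` reports the same two oddities the answers discuss (a non-router sending redirects, and a redirect for a destination that should already have been on-link), which is the check to apply to the real capture once the ICMP payloads are exported.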

1

I agree with @Jaap that the DHCP server is probably handing out a wrong gateway address, but it looks like there's an additional misconfiguration. The ICMP redirect shown on the graphic is for a DNS response from 192.168.0.244 to 192.168.0.209. If a standard /24 subnet mask is in use, then the PC, the DC, and the router would all be on the same subnet. In that case, the packet should have gone directly from .244 to .209 in a Layer 2 Ethernet frame. The DC (.244) thinks it's on the same subnet as the PC (.229) but a different subnet from the router (.209), because it tried to communicate with the router indirectly using the PC as a gateway. And the PC thinks it's on the same subnet as the router, because it issued a redirect for the router's address. It looks like these three systems don't agree on the subnet mask. FYI, a mask of /27 or higher would cause the DC to believe that it's on the same subnet as the PC but a different subnet from the router.

answered 06 May '11, 09:43


Jim Aragon
7.2k733118
accept rate: 24%
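The subnet-mask reasoning in this answer can be checked mechanically. The following is an added example, not code from the thread: it computes, for any prefix length, which of the three hosts each one considers on-link, finds the shortest prefix at which the DC sees the PC as on-link but the router as off-link, and then traces the DNS reply's path under the assumed misconfiguration (DC on a /27 with the PC as its gateway, PC on a /24 with the router as its gateway) to show where the redirect comes from. The addresses are from the question; the prefix lengths and gateway settings are assumptions.

```python
"""Subnet-mask agreement between the PC, the DC and the router (added example)."""
import ipaddress
from typing import Dict, Optional

# Addresses from the question. Prefix lengths and gateways below are assumed.
PC, DC, ROUTER = "192.168.0.229", "192.168.0.244", "192.168.0.209"


def on_link(host: str, peer: str, prefixlen: int) -> bool:
    """True if `host`, configured with /prefixlen, treats `peer` as directly reachable."""
    net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    return ipaddress.ip_address(peer) in net


def next_hop(host: str, dst: str, prefixlen: int, gateway: str) -> str:
    """Where `host` hands a packet for `dst`: to dst itself if on-link, else to its gateway."""
    return dst if on_link(host, dst, prefixlen) else gateway


def views(prefixlen: int, hosts=(PC, DC, ROUTER)) -> Dict[str, Dict[str, bool]]:
    """Each host's opinion of which other hosts are on-link, if all use this prefix length."""
    return {h: {o: on_link(h, o, prefixlen) for o in hosts if o != h} for h in hosts}


def shortest_splitting_prefix(dc: str = DC, pc: str = PC,
                              router: str = ROUTER) -> Optional[int]:
    """Shortest prefix length at which the DC sees the PC on-link but the router off-link."""
    for p in range(0, 33):
        if on_link(dc, pc, p) and not on_link(dc, router, p):
            return p
    return None


def trace_dns_reply(dc_prefixlen: int, dc_gateway: str,
                    pc_prefixlen: int, pc_gateway: str) -> Dict[str, Optional[str]]:
    """Follow the DC's reply to the router. If the DC hands it to the PC, and the PC's
    own next hop for the router is on the PC's link, the PC answers with a redirect
    naming that next hop, which is exactly the traffic in the question."""
    first_hop = next_hop(DC, ROUTER, dc_prefixlen, dc_gateway)
    result: Dict[str, Optional[str]] = {"dc_sends_to": first_hop, "pc_redirects_to": None}
    if first_hop == PC:
        target = next_hop(PC, ROUTER, pc_prefixlen, pc_gateway)
        if on_link(PC, target, pc_prefixlen):
            result["pc_redirects_to"] = target
    return result


if __name__ == "__main__":
    for p in (24, 27):
        print(f"/{p}:", views(p))
    print("shortest prefix splitting DC from router:", shortest_splitting_prefix())
    # Assumed misconfiguration: DC on /27 with the PC as gateway, PC on /24.
    print(trace_dns_reply(27, PC, 24, ROUTER))
```

With everyone on a /24 the DC sends straight to .209 and nothing is redirected; with the DC on a /27 and the PC as its gateway, the DC hands the reply to .229 and the PC, which still sees .209 as on-link, redirects it there. Comparing the masks actually configured on the three machines against `views()` is the quickest way to confirm or rule out this explanation.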