Revision history
ICMP Ping Request to Broadcast Address
Hey,
During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients (see download below). All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs is the cause, I should see a lot more clients doing this.
My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.
Has anybody seen this before? Any ideas how to identify the process which sends these requests?
Jas
Download capture (IP addresses sanitized by TraceWrangler)
ICMP Ping Request to Broadcast Address
Hey,
During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients (see download below). All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan.
I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs is the cause, I should see a lot more clients doing this.
My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.
Has anybody seen this before? Any ideas how to identify the process which sends these requests?
Jas
Download capture (IP addresses sanitized by TraceWrangler)
ICMP Ping Request to Broadcast Address
Hey,
During a client capture I saw a lot of ICMP ping requests from some Windows 10 clients. All have been sent to 255.255.255.255 with a rising TTL between 1 and 30. These scans happen every 10 minutes per client source and have a count of exactly 900 requests per scan. I can't find anything in common between the affected clients. They're for different usages and so they have different software installed. Our standard software like AV, backup, etc. is installed on every client. So if one of these programs is the cause, I should see a lot more clients doing this.
My guess is that this is a kind of communication. The changing TTL could be a password or pairing code. My hope is that this is not a virus/trojan.
Has anybody seen this before? Any ideas how to identify the process which sends these requests?
Jas
Download me (client MAC and IP addresses sanitized by TraceWrangler)