Solved

Unidentified traffic on ADSL

Posted on 2007-12-03
7
408 Views
Last Modified: 2013-12-27
I lately noted that a LED on my ADSL modem blinked every few seconds eventhough all apps that normally access the Internet (IE, Outlook Express, etc) were off. I checked the traffic with Wireshark and here what it sniffed (this is only a snippet -- the sequence "Echo Request , Echo Reply goes on for ever).
What it this? What causes it and how can I stop it (wasn't there before)?

No.     Time        Source                Destination           Protocol Info
      1 0.000000    Receive_22            Receive_22            PPP LCP  Echo Request

Frame 1 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22)
PPP Link Control Protocol

No.     Time        Source                Destination           Protocol Info
      2 0.000000    Send_22               Send_22               PPP LCP  Echo Reply

Frame 2 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Send_22 (20:53:45:4e:44:22), Dst: Send_22 (20:53:45:4e:44:22)
PPP Link Control Protocol

No.     Time        Source                Destination           Protocol Info
      3 10.240234   Receive_22            Receive_22            PPP LCP  Echo Request

Frame 3 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22)
PPP Link Control Protocol

No.     Time        Source                Destination           Protocol Info
      4 10.240234   Send_22               Send_22               PPP LCP  Echo Reply

Open in new window

0
Comment
Question by:Emanuel053197
7 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20397176
PPP LCP  Echo Request is a standard echo request coming from your service provider going to your adsl modem.  Did you recently change service providers or has your service provider recently changed its standard for method of delivery?



Definition:
 PPP LCP  Echo Request:
LCP: PPP Link Control Protocol

The Link Control Protocol (LCP) is used to automatically agree upon the encapsulation format options, handle varying limits on sizes of packets, detect a looped-back link and other common misconfiguration errors, and terminate the link. Other optional facilities provided are authentication of the identity of its peer on the link, and determination when a link is functioning properly and when it is failing. The Link Control Protocol LCP in PPP is versatile and portable to a wide variety of environment.

There are three classes of LCP packets:

1.Link Configuration packets used to establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject).

2. Link Termination packets used to terminate a link (Terminate-Request and Terminate-Ack).

3. Link Maintenance packets used to manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request).

In the interest of simplicity, there is no version field in the LCP packet. A correctly functioning LCP implementation will always respond to unknown Protocols and Codes with an easily recognizable LCP packet, thus providing a deterministic fallback mechanism for implementations of other versions.

Regardless of which Configuration Options are enabled, all LCP Link Configuration, Link Termination, and Code-Reject packets (codes 1 through 7) are always sent as if no Configuration Options were negotiated. In particular, each Configuration Option specifies a default value. This ensures that such LCP packets are always recognizable, even when one end of the link mistakenly believes the link to be open.

Exactly one LCP packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type hex c021 (Link Control Protocol).

Protocol Structure - LCP: PPP Link Control Protocol
IE:
Code :8  Identifier: 16   Length: 32bit   Data: variable
 
Code - Decimal value which indicates the type of LCP packet:
1- Configure-Request.
2- Configure-Ack.
3- Configure-Nak.
4- Configure-Reject.
5- Terminate-Request.
6- Terminate-Ack.
7- Code-Reject.
8- Protocol-Reject.
9- Echo-Request.
10- Echo-Reply.
11- Discard-Request.
12- Link-Quality Report.
 
Identifier - Decimal value which aids in matching requests and replies.
Length - Length of the LCP packet, including the Code, Identifier, Length and Data fields.
Data - Variable length field which may contain one or more configuration options.

Hope this helps you understand a bit more....
   
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20400615
This is perfectly normal.  By default a LCP echo request is done every 10 seconds.  This insures that the link is active.
0
 

Author Comment

by:Emanuel053197
ID: 20401146
To giltjr:
Shouldn't the source and destination addresses be different? For example see Frame 1 in which Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22).
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:Emanuel053197
ID: 20402101
To giltjr:

OK for Echo Request / Reply every 10 seconds but is the other traffic, such as this:

No.     Time        Source                Destination           Protocol Info
     84 382.032226  217.132.137.220       217.132.66.71         TCP      39138 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1360 WS=2

or this:
No.     Time        Source                Destination           Protocol Info
    116 496.948242  217.132.245.39        217.132.66.71         TCP      2298 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=2
0
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 20402735
The two packets in your last post are two other computers on the Internet that are attempting to connect to your computer via the Internet.

As for your other question on the addresses being different, no.  PPP is a point to point protocol, so each end does not have a unique "MAC" layer address like Ethernet does.
0
 
LVL 10

Expert Comment

by:dragonjim
ID: 20412505
Traffic from other computers; looks like different computers on your ISP's network -- if you have a router & firewall software running, unless you're getting hits on the same IP - its probably nothing to worry about. On occassion packets do crop up like this.

If you see the same source IP - you can always forward logs to the ISP, but I doubt its a willful attempt to break into your computer.
0
 

Author Closing Comment

by:Emanuel053197
ID: 31412383
Thanks.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The following recovery method will work on All Cisco Switchs that run ISO software. You will need a good copy of the IOS version you want you use saved on your PC and a Com's Cable. The software for these switches comes as a .tar file. Tar is …
Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question