Emanuel053197
asked on
Unidentified traffic on ADSL
I lately noted that a LED on my ADSL modem blinked every few seconds eventhough all apps that normally access the Internet (IE, Outlook Express, etc) were off. I checked the traffic with Wireshark and here what it sniffed (this is only a snippet -- the sequence "Echo Request , Echo Reply goes on for ever).
What it this? What causes it and how can I stop it (wasn't there before)?
No. Time Source Destination Protocol Info
1 0.000000 Receive_22 Receive_22 PPP LCP Echo Request
Frame 1 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22)
PPP Link Control Protocol
No. Time Source Destination Protocol Info
2 0.000000 Send_22 Send_22 PPP LCP Echo Reply
Frame 2 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Send_22 (20:53:45:4e:44:22), Dst: Send_22 (20:53:45:4e:44:22)
PPP Link Control Protocol
No. Time Source Destination Protocol Info
3 10.240234 Receive_22 Receive_22 PPP LCP Echo Request
Frame 3 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22)
PPP Link Control Protocol
No. Time Source Destination Protocol Info
4 10.240234 Send_22 Send_22 PPP LCP Echo Reply
What it this? What causes it and how can I stop it (wasn't there before)?
No. Time Source Destination Protocol Info
1 0.000000 Receive_22 Receive_22 PPP LCP Echo Request
Frame 1 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22)
PPP Link Control Protocol
No. Time Source Destination Protocol Info
2 0.000000 Send_22 Send_22 PPP LCP Echo Reply
Frame 2 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Send_22 (20:53:45:4e:44:22), Dst: Send_22 (20:53:45:4e:44:22)
PPP Link Control Protocol
No. Time Source Destination Protocol Info
3 10.240234 Receive_22 Receive_22 PPP LCP Echo Request
Frame 3 (26 bytes on wire, 26 bytes captured)
Ethernet II, Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22)
PPP Link Control Protocol
No. Time Source Destination Protocol Info
4 10.240234 Send_22 Send_22 PPP LCP Echo Reply
This is perfectly normal. By default a LCP echo request is done every 10 seconds. This insures that the link is active.
ASKER
To giltjr:
Shouldn't the source and destination addresses be different? For example see Frame 1 in which Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22).
Shouldn't the source and destination addresses be different? For example see Frame 1 in which Src: Receive_22 (20:52:45:43:56:22), Dst: Receive_22 (20:52:45:43:56:22).
ASKER
To giltjr:
OK for Echo Request / Reply every 10 seconds but is the other traffic, such as this:
No. Time Source Destination Protocol Info
84 382.032226 217.132.137.220 217.132.66.71 TCP 39138 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1360 WS=2
or this:
No. Time Source Destination Protocol Info
116 496.948242 217.132.245.39 217.132.66.71 TCP 2298 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=2
OK for Echo Request / Reply every 10 seconds but is the other traffic, such as this:
No. Time Source Destination Protocol Info
84 382.032226 217.132.137.220 217.132.66.71 TCP 39138 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1360 WS=2
or this:
No. Time Source Destination Protocol Info
116 496.948242 217.132.245.39 217.132.66.71 TCP 2298 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=2
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Traffic from other computers; looks like different computers on your ISP's network -- if you have a router & firewall software running, unless you're getting hits on the same IP - its probably nothing to worry about. On occassion packets do crop up like this.
If you see the same source IP - you can always forward logs to the ISP, but I doubt its a willful attempt to break into your computer.
If you see the same source IP - you can always forward logs to the ISP, but I doubt its a willful attempt to break into your computer.
ASKER
Thanks.
Definition:
PPP LCP Echo Request:
LCP: PPP Link Control Protocol
The Link Control Protocol (LCP) is used to automatically agree upon the encapsulation format options, handle varying limits on sizes of packets, detect a looped-back link and other common misconfiguration errors, and terminate the link. Other optional facilities provided are authentication of the identity of its peer on the link, and determination when a link is functioning properly and when it is failing. The Link Control Protocol LCP in PPP is versatile and portable to a wide variety of environment.
There are three classes of LCP packets:
1.Link Configuration packets used to establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject).
2. Link Termination packets used to terminate a link (Terminate-Request and Terminate-Ack).
3. Link Maintenance packets used to manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request).
In the interest of simplicity, there is no version field in the LCP packet. A correctly functioning LCP implementation will always respond to unknown Protocols and Codes with an easily recognizable LCP packet, thus providing a deterministic fallback mechanism for implementations of other versions.
Regardless of which Configuration Options are enabled, all LCP Link Configuration, Link Termination, and Code-Reject packets (codes 1 through 7) are always sent as if no Configuration Options were negotiated. In particular, each Configuration Option specifies a default value. This ensures that such LCP packets are always recognizable, even when one end of the link mistakenly believes the link to be open.
Exactly one LCP packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type hex c021 (Link Control Protocol).
Protocol Structure - LCP: PPP Link Control Protocol
IE:
Code :8 Identifier: 16 Length: 32bit Data: variable
Code - Decimal value which indicates the type of LCP packet:
1- Configure-Request.
2- Configure-Ack.
3- Configure-Nak.
4- Configure-Reject.
5- Terminate-Request.
6- Terminate-Ack.
7- Code-Reject.
8- Protocol-Reject.
9- Echo-Request.
10- Echo-Reply.
11- Discard-Request.
12- Link-Quality Report.
Identifier - Decimal value which aids in matching requests and replies.
Length - Length of the LCP packet, including the Code, Identifier, Length and Data fields.
Data - Variable length field which may contain one or more configuration options.
Hope this helps you understand a bit more....