ICMP Question

I have been looking at the traffic on our network with Ethereal, and noticed that computers are making ICMP requests. Our network is seperated into several vlans. Each of our client vlans contain around 100 to 200 computers.

My first question is, is it normal to have ICMP traffic all the time, is it like a "keepalive "? The destination tends to be some of our servers.

I am also seeing that there are three requests for every reply. Does anyone have any idea why that would be? When I use Ethereal on my computer and watch just the traffic in and out of it's NIC I see one request for one reply. However when I look at the whole vlan I see three requests for one reply.

If need be I can save a capture and of the ICMP traffic and let you look at it.

Thanks
Eric

 

Thanks Tony, that helped me answer my first question. I'm still curious though why I see three requests per reply when I look at the traffic as a whole, but see only one request per reply when I look at the traffic in and out of my NIC.

I have uploaded a small capture of some of the icmp traffic I'm seeing. You can get it here:

h**p://www.tech-corner.org/icmp/

Thanks for the help.
Eric

 

Tony, thanks again for the quick reply.

I'm not only seeing these additional requests in Ethereal, but they also show up as ICMP Anomalies on our IDS box (Network Associates IntruShield i2600). It has been these messages that I have been trying to track down, and the reason I have been looking at the traffic with Ethereal. I will continue to work on this and post back if I discover anything new.

Thanks again for the replys.

Eric

 

Is the destination IP for the ICMP packet on the same VLAN as the Source IP? My understanding of VLAN is that they act very like subnets at the MAC level. Therefore, a packet sent from one VLAN to another has to go via a gateway (A central switch). So the packet header information will be:

From PC to VLAN gateway
<L2>[source MAC] [gateway MAC]</L2><L3> [source IP] [destination IP]</L3>

From VLAN gateway to destination
<L2>[gateway MAC] [destination MAC]</L2><L3> [source IP] [destination IP]</L3>

L2 = layer 2 data link
L3 = layer 3 IP

So one connection, two packets. Would this account for what you see?

 

Well that made some since, but I just did some more captures while I pinged from another computer. If I pinged a computer on a different vlan I saw three requests for each reply. When I pinged a computer on the same vlan I saw four requests and four replys. I have added these two captures to so they can be looked. The new files start with "vlan52 ".

h**p://www.tech-corner.org/icmp/

Just for clarification (I hope). I am doing the pings from a Windows XP box at the command prompt. So ping does the standard four trys. So when I say I see "three requests for each reply" or "four request and four replys" that is what is captured for each responce in the command prompt.

Thanks
Eric

 

Have you got Cisco network cards?

I notice the ping to a destination outside your VLAN has a cisco MAC address. The one to a destination inside you VLAN has a canon MAC (a printer?). I think you have Cisco Switches controlling the VLAN and they are filtering out the additional replies.

That doesn't answer the question as to why your system is sending out 4 for each PING, or even if is should. Unfortunately I've only loaded the main Ethereal program on my PC and not the packet capture add-on.

 

Reggie you are correct. We have a Cisco 6509 that is our core switch. So when you ping a device in another vlan it goes back to this switch. You are correct on the other device, it is a canon printer.

I am going to look at Cisco's site and see if it has any information about this when I get a chance. This all just seems strange to me because I always thought you should see an echo request followed by an echo reply for each of the four pings and that would be all you see. I am also going to try this out in a test environment when I get a chance and compare what I see on it.

Thanks again for the replys.
Eric

 

I think the phenomenon is occurring due to having VLANs. I think your switch is replicating the packets for each VLAN. Searching the Cisco site (one of those places with lots of information, but difficult to navigate in my experience) is definitely the way to go. If you have a relationship with Cisco (reseller or service contract), it might be worth giving them a ring.

My gut feeling is that this is a "feature" and not a problem.

 

Thanks again to both of you for your reply's. I'm starting to think along the same lines as you and think that it has to do with the configuration of the network. I'm going to continue down that road, and will let you know what I find out.

Thanks again for help.
Eric