[Snort-users] L3 retriever ping

Jens Hassler j.hassler at ...158...
Tue Apr 17 05:13:39 EDT 2001

Hi there,

for three (or more) months now I have a very strange problem with these "L3
retriever ping"s coming from a Windows NT 4 Server in our network. I really
don't know what's causing this. No abnormal program is running on this
server, no viruses are present. But this strange ping is here.


- it started suddenly (don't know when exactly)
- it happens exactly every 30 minutes (24 hours a day)

- the icmp goes this path:

  1. (Win NT)
  2. (Linux Firewall)
     travelling over VPN to our local office
  3. (Linux Firewall - Snort is here)
  4. (our Linux Webserver)

- this is the entry in the snort log file:


[**] ICMP L3retriever Ping [**]
04/17-09:16:10.752555 0:50:BA:CA:3B:F7 -> 0:10:E0:0:4B:96 type:0x800
len:0x4A -> ICMP TTL:29 TOS:0x0 ID:6280 IpLen:20
Type:8  Code:0  ID:256   Seq:57601  ECHO
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50  ABCDEFGHIJKLMNOP
51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49  QRSTUVWABCDEFGHI


- VERY strange thing:

  This ICMP ping SUDDENLY stopped on March 31 at 23:30:02.
  Then, after one week, on April 7 at 09:32:32 it started again.

  And now it's here again... every 30 minutes, exactly.

- Also strange:

  The TTL field was "30" on earlier occasions, and is now always "29".
  If you have a look at the path, the ICMP normally starts with TTL 32,
  is decreased by one at the linux router (31), and is then decreased
  again by the other linux router running snort, so its "30" the time
  Snort catches it. I don't know if the TTL is decreased BEFORE or
  AFTER Snort gets it on the local interface... but either way, the
  new TTL of 29 seems very strange to me.

Here is a normal ping done from the Win NT machine to our Webserver:


[**] ICMP Echo Request [**]
04/17-10:41:54.284730 0:50:BA:CA:3B:F7 -> 0:10:E0:0:4B:96 type:0x800
len:0x4A -> ICMP TTL:30 TOS:0x0 ID:1082 IpLen:20
Type:8  Code:0  ID:256   Seq:61441  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi


As you can see, the TTL is 30 (as expected).

- There are also a few other Windows machines doing this L3 ping. But these
  very seldom...

I really have no clue what's causing this. It's there now for many months
and I don't know if its a security risk or if its a normal sign of a program
that is running there. I also don't know why it is pinging our internal
Webserver IP. No program there is configured with this IP. And in the week
the L3 Ping was away, there was no change to hardware or software in the
computers involved - nothing.

Maybe someone of you has the answer, at least I hope so.

Thx a lot,

More information about the Snort-users mailing list