Wireshark-users: Re: [Wireshark-users] Ping Replys without Request

From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Mon, 28 Aug 2006 11:25:28 -0400
Hello Michael,

>>> "STEINECKE Michael SD-G (AREVA NP GmbH)"
<Michael.Steinecke@xxxxxxxxx> 08/28/06 4:33 AM >>>
> Hello folks,
> 
> i've a bit strange issue in the communication between a Server and
his
> client (a microcontroler).
> The controler send "Echo Reply" packets without a corresponding 
ICMP
> requests. Is there another way how this can happen then an program
or
> firmware error? Something like an TCP packet that requests a ICMP
Echo
> par example?
> 
> Best Regards
> Michael Steinecke

Does you controller have multiple NIC interfaces?  If so, then 
depending on how you've set up your route statements on 
the controller (assuming that you can) it's possible that replies 
received on one NIC interface will be returned out a different 
NIC interface.   IP addresses more than one hop away could 
be taking a "default" route (out the NIC interface towards 
your server).  

Take a look at the destination IP address (where the ping reply 
is supposed to go to) and the destination MAC address for the 
ping reply.  This should give you a clue on who/what might be 
generating the original request.

Then again if it's some type of specialized controller, then I 
wouldn't be surprised to see the vendor doing something 
non-conventual like using ICMP echo replies to send signalling
information to some other station(s).   

I've also seen some devices that use an an undocumented 
private NIC setup internally.  I've had a few occasions where
these back-end packets have leaked out the one public NIC.

I hope this find this useful.

Jim Young