Security Incidents mailing list archives

Re: ICMP_TIME_EXCEEDED to network address?


From: "Edwards, David (JTD)" <Edwards.David2 () SAUGOV SA GOV AU>
Date: Fri, 2 Feb 2001 08:23:02 +1030

Hi,

-----Original Message-----
From: Melissa [mailto:mlovett () WARRIOR MGC PEACHNET EDU]
Sent: Friday, 2 February 2001 3:38 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: [INCIDENTS] ICMP_TIME_EXCEEDED to network address?

Anyway, I am currently researching/solving a similar problem.  I have
discovered that multimedia keyboards send constant pings to the
following address, at least on our network, 207.26.131.137.  Our
sniffer reports the Time Exceeded in Transit, TTL set to 1.

Next thing you know your watch will be pinging your
car to see if it's awake..

No idea why this might occur.  Run it under a
debugger, it may produce some insights.

Also, I have discovered that pathping, in Windows 2000, causes a report
of Time exceeded in transit, TTL set to 1.  If you have a sniffer, you
can watch this.  Just pathping any address, even on your network, and
it will report Time to Live Exceeded in Transit, TTL 1.

This would be expected as it uses the time-exceeded
msgs to work out the path to the host.  I'd guess it
sends a ping packet to the host with TTL=1 first, then
another with TTL=2 and so on until the host replies;
the ICMP packets returned show the path.

ciao
dave
---
Dave Edwards
Justice Technology Division
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.david2 () saugov sa gov au
Snail : Justice Technology Division
        GPO Box 2048, Adelaide 5001
---
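
Added example, not part of the original message: a small decoder that takes an ICMP Time Exceeded in Transit packet as a sniffer would capture it and reads the quoted inner IP header to show which local host sent the low-TTL probe and where it was headed. The function names and the sample packet (documentation addresses 192.0.2.x and 198.51.100.7) are constructed for illustration.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def build_ipv4(src, dst, ttl, proto, payload):
    """Constructed test header (checksum left at 0, no options)."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(buf):
    """Return (fields, payload) for an IPv4 header, honouring IHL."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "ttl": ttl, "proto": proto}
    return fields, buf[ihl:]

def explain_time_exceeded(packet):
    """Attribute an ICMP type 11 code 0 message to the probe that caused it."""
    outer, icmp = parse_ipv4(packet)
    if outer["proto"] != 1 or len(icmp) < 8 or icmp[0] != 11 or icmp[1] != 0:
        return None  # not Time Exceeded in Transit
    # After the 8-byte ICMP header comes the offending datagram's IP header
    # plus at least its first 8 payload bytes.
    inner, quoted = parse_ipv4(icmp[8:])
    return {"reporting_hop": outer["src"], "prober": inner["src"],
            "probe_target": inner["dst"], "quoted_ttl": inner["ttl"],
            "probe_is_echo_request": inner["proto"] == 1 and quoted[:1] == b"\x08"}

# Constructed sample: 192.0.2.10 sends an echo request with TTL=1 and the
# first hop, 192.0.2.1, reports it as expired.
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
PROBE = build_ipv4("192.0.2.10", "198.51.100.7", 1, 1, ECHO)
SAMPLE = build_ipv4("192.0.2.1", "192.0.2.10", 64, 1,
                    struct.pack("!BBHI", 11, 0, 0, 0) + PROBE)

if __name__ == "__main__":
    print(explain_time_exceeded(SAMPLE))
```

Grouping the decoded results by `prober` and `probe_target` separates a one-off path trace (rising TTLs toward one target over a few seconds) from a device that emits the same low-TTL probe continuously.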

