Packet sniffers capture "ICMP (ping) Echo Request" packets from source 127.0.0.1 when Symantec Client VPN is installed

Article:TECH83302  |  Created: 2005-01-07  |  Updated: 2005-01-24  |  Article URL http://www.symantec.com/docs/TECH83302
Article Type
Technical Solution


Issue



You installed Symantec Client VPN 8.0 to a computer that also has Ethereal (or another packet sniffer) installed. When you use the sniffer and capture packets, you see ICMP echo request packets similar to:

Type: ICMP (ping) Echo Request
Source IP: 127.0.0.1
Source MAC: 08:00:2b:00:dc:dc
Destination IP:
Destination MAC: 08:00:2b:00:01:02

The Source MAC and Destination MAC are always the same values that are shown in the preceding example. These packets do not appear when using tcpdump. If you disable the Symantec Client VPN driver or uninstall the software, you no longer see the packets.


Solution



These packets are called routing token packets and are used by the VPN driver and server. This type of traffic allows Symantec Client VPN to perform certain PMTU functions on its own. They are also used for specific routing implementations in the VPN driver. This is why the destination of the packet is never the IP address of the client computer, but is another computer in its ARP cache or network configuration such as a default router or DNS server.

This traffic is internal to your computer and does not leave the network interface. It is processed internally on the computer and does not pass on to the network. Tcpdump does not capture these packets because they do not actually leave the interface. The other packet sniffer is capturing the internal packet processing of the VPN daemon while it performs networking function that ensure proper routing and packet processing.

To keep your packet sniffer from capturing these packets, you can stop the Symantec Client VPN service, disable the VPN driver, filter ICMP traffic from 127.0.0.1 out of your packet capture, or use tcpdump (included with Symantec Client VPN) to sniff your network traffic instead.





Legacy ID



2005040707412054


Article URL http://www.symantec.com/docs/TECH83302


Terms of use for this information are found in Legal Notices