Phantom ICMP Packets

Unanswered Question
Feb 19th, 2009

I am trying to clean up some items on my network, and I noticed this under my realtime log viewer. An IP address (old Citrix Web interface server) has been turned off for 3 months, and I'm seeing this packet transferred every 3-5 seconds. It is always a built ICMP followed by a Teardown. The IP it's going to ( (which is on) is a Citrix NetScaler.

Does anyone have any ideas how I can track down these requests coming from this server that is turned off?

Feb 19 2009 09:59:19 302020 0 7168 Built outbound ICMP connection for faddr gaddr laddr

cody.mautner Thu, 02/19/2009 - 10:32

I have very little experience with Cisco or IOS. What does the clear xlate command do and how could it adversely affect our network?

robertson.michael Thu, 02/19/2009 - 10:03

Hi Cody,

Can you do a packet capture on the interface that the source is behind? The capture will give you the MAC address of the source host and this might give you some insight into where the packet is coming from. Your capture might look something like this:

ASA(config)# access-list cap-acl permit icmp host host

ASA(config)# capture cap1 access-list cap-acl interface packet-length 1518

You can watch the progress of the capture with the 'show capture' command. If you have HTTP access to the firewall enabled, simply browse to https:///capture/cap1/pcap to download the capture file that you can then open in Wireshark to see the MAC address of the packet.

Hope that helps.


cody.mautner Thu, 02/19/2009 - 11:07

I ran the capture, and also on the entire DMZ and Internal interface... no traces of these IPs in the packet capture....

cody.mautner Thu, 02/19/2009 - 11:14

I noticed these two are repeatedly showing up in ARP broadcasts; would that cause this type of traffic?
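
An added example, not part of the thread: a Python sketch that pulls the 302020 "Built ... ICMP connection" entries out of an exported firewall log and reports which laddr/faddr pairs recur on a steady interval, like the 3-5 second pattern in the original question. The addresses, the column layout of the sample lines and the jitter threshold are constructed assumptions, since the addresses in the posted log line are elided.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (documentation addresses, not taken from the thread).
_T = ("Feb 19 2009 {t} 302020 {l} 0 {f} 7168 Built outbound ICMP connection "
      "for faddr {f}/0 gaddr {l}/7168 laddr {l}/7168")
SAMPLE_LOG = "\n".join(
    # steady 3-5 second cadence from a host believed to be powered off
    [_T.format(t=t, l="192.0.2.20", f="198.51.100.5")
     for t in ("09:59:19", "09:59:23", "09:59:26", "09:59:31", "09:59:35")]
    # occasional pings typed by a person on another host
    + [_T.format(t=t, l="192.0.2.77", f="198.51.100.9")
       for t in ("09:59:20", "10:03:02", "10:03:05", "10:20:41")]
    # a 302021 teardown line, which must not be counted as a new connection
    + ["Feb 19 2009 09:59:21 302021 192.0.2.20 0 198.51.100.5 7168 Teardown ICMP "
       "connection for faddr 198.51.100.5/0 gaddr 192.0.2.20/7168 laddr 192.0.2.20/7168"])

BUILT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) .*?\b302020\b.*?"
    r"Built (?:inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/\d+")

def parse_built(log_text):
    """Return {(laddr, faddr): [datetime, ...]} for every 302020 line."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            flows[(m["laddr"], m["faddr"])].append(ts)
    return flows

def periodic_flows(flows, min_events=4, max_jitter=1.5):
    """Map each steadily repeating (laddr, faddr) pair to its mean gap in seconds.

    A low standard deviation of the gaps points at a monitor or probe
    rather than a person typing ping. The threshold is an assumption.
    """
    result = {}
    for key, stamps in flows.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and pstdev(gaps) <= max_jitter:
            result[key] = round(mean(gaps), 1)
    return result

if __name__ == "__main__":
    for (laddr, faddr), gap in periodic_flows(parse_built(SAMPLE_LOG)).items():
        print(f"{laddr} -> {faddr}: ICMP built about every {gap}s")
```

The pair it reports is the one to match against the MAC address from the capture and the ARP entries mentioned in the thread.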

