Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pings Every 2 Minutes

Status
Not open for further replies.
compuveg

compuveg

IS-IT--Management
Dec 3, 2001
307
US
Why would a Windows box ping a DNS server every 2 minutes?

We had 2 PCs here, one running Win2k , one running WinXP. Both fully patched before this activity began. For some reason, they both starting pinging the first external DNS server in their config. (That turns out to be the second DNS server in their config.)

This pinging continued, with a ping being sent every 2 minutes, until each machine was restarted. Neither machine has since exhibited this behavior.

Both machines are running antivirus with current definitions. In addition to looking at their AV, I've also checked in their registry, and see no indication in the normal place a virus would nest itself. (Meaning there's nothing out of order in any of the 'Run', 'RunOnce', 'RunServices', etc, branches)

Another indicator that this is not a virus is that the viruses that generate ICMP pings send them MUCH more frequently than every 2 minutes. Viruses like Blaster send hundreds per minute, not just one every 2 minutes.

I expect it is something like this... but lack satisfactory proof.

Any ideas what could cause this?

I do have TCPDump captures of these if anyone needs more detail. They just look like good old pings, with the exception that the data in the ping packet shows 'NWFS Version 3e919996 novell net service route request'.

It is quite frustrating, as I've not found anyone else who's seen this kind of behavior in a Windows machine, infected or not.
 
Sort by date Sort by votes
arp cache renewal

the only right answer to "why?" is: "why not?"
 
Upvote 0 Downvote
arp cache renewal?? Last time I checked, ARP used Address Resolution Protocol, not ICMP. Think that's why they call it "ARP"
 
Upvote 0 Downvote
Cadaveca, the biggest problem with that theory is the fact that ARP operates at the MAC level, and not routed.

My best lead so far is the suggestion that this was the Novell Client using IPX over TCP/IP to find routes to services. (Lead provided by mhkwood... THANKS!)

I'll post the answer to my question if I find it. :)
 
Upvote 0 Downvote
I have seen this behavior on computers that have "Internet Keyboards". These keyboards have an indicator LED on them to show if you are connected to the Internet. The way they tell you are connected to the Internet is by sending out a PING to a known device.

One thought would be to go through Task Manager and begin shutting down tasks until the PINGing stops. It would appear some task is trying to determine if your machine has an active connection to the Internet.

Mike
 
Upvote 0 Downvote

DUDE, I can't wait to try this, it sounds SO right. I'm just heading out of the office and will let you knwo what I find out Monday.
 
Upvote 0 Downvote
Do not ignore the possibity of a worm, not a virus.

Welchia, Qhosts and others would do the ping behavior you desdribe, and Norton AV will not pick it up without help from seperate scanning programs downloaded from their site.




 
Upvote 0 Downvote
if a service is running that uses resources such as a shared drive and gets no connection it will try pinging dns to make sure it's alive and that the arp cache does not need to be renewed. Address resolution protocol is for the conversion of mac id's to local ip. Some applications out there that are used over a large network generate these arp loops and there are patches out there for this. The .net infrastucture implimentation cause for a greater frequecy of this over 60+ client groups, caused by multiple clients resourceing the same drive @ once. I'm sorry for trying to introduce new knowledge to the base, but if you'd do a little deeper digging in your network yo may find a machine with an incorrectly mapped drive or in worst case a correctly mapped drive with a virus.

the only right answer to "why?" is: "why not?"
 
Upvote 0 Downvote
I had the same problem. The solution in my case is that my novell server had two IP addresses in different subnets. When the PC used SLP to locate the server it was given two responses. It uses an IP costing algorithm based off of icmp to determine the best patch. I turned the costing off. It is located in the network settings for the novell client under advanced options, ip address costing. Just set it to 0.
 
Upvote 0 Downvote

Well, I didn't find that it was an internet keyboard problem. KKelcey sounds like they've found the reason for the pings. I'll post my results here if they're positive.
 
Upvote 0 Downvote

Yep, changing the IP address costing to a '0' instead of '2' fixed the problem. Thanks a ton!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Wajdi Zghal
  • Locked
  • Question
Sipp between 2 VM
Replies
0
Views
505
Wajdi Zghal
Wajdi Zghal
etrusks
  • Locked
  • Question
Communicating between 2 users whos ip addresses might change 1
Replies
6
Views
186
etrusks
etrusks
iDio
  • Locked
  • Question
Pinging 2 devices connected to switch
Replies
10
Views
276
iDio
iDio
SwitchWitch
  • Locked
  • Question
STAR 2 STAR
Replies
2
Views
128
hairlessupportmonkey
hairlessupportmonkey
Mathurin1968
  • Locked
  • Question
2 MIBS in same folder doesn't work
Replies
0
Views
94
Mathurin1968
Mathurin1968

Part and Inventory Search

Sponsor

Back
Top