07-05-2005 02:33 AM
Rogue pings
I have to find the cause of a server that started to repeatedly ping other nodes on our network. We know of the pings because our firewall is intercepting and dropping the packets, so they're not causing any problems, but we don't know what process/app is generating them. I was looking through the netstat manpage to find some way to identify the rogue process/app, but I can't find what I'm looking for.
Does anyone know how to measure outgoing traffic from a unix machine and associate this traffic to a process/app?
Thanks!
07-05-2005 07:43 PM
Re: Rogue pings
Use ps -ef | grep ping to find out which process is causing the pings.
Regards
Mahesh
07-05-2005 08:08 PM
Re: Rogue pings
# netstat -nap icmp
# ps -ef | grep ping
to get ping related operations.
hth.
07-05-2005 08:17 PM
Re: Rogue pings
I think OpenView Network Node Manager may do this to discover nodes, for example.
07-06-2005 03:33 AM
Re: Rogue pings
The ps -ef | grep ping returns nothing except my grep.
The netstat -nap icmp returns this:
icmp:
739602 calls to icmp_error
0 errors not generated because old message was icmp
Output histogram:
echo reply: 3803
destination unreachable: 739560
routing redirect: 5
time exceeded: 39
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Input histogram:
echo reply: 32462
destination unreachable: 8163
routing redirect: 35
echo: 3803
time exceeded: 39
3803 message responses generated
Does anything seem abnormal?
As for someone installing a monitoring application, well, our consultants
are somewhat confused and often do strange things... I'll see what I can find out.
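The counters in the post above are cumulative since boot, so a single listing says little about whether anything is abnormal; the growth between two snapshots does. The following is an added example, not part of the original thread: it reads one counter from saved netstat ICMP output in the layout shown above and turns two snapshots into a per-second rate. The function names, the second snapshot and the 60-second interval are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads counters from saved netstat
# ICMP statistics in the layout shown in the post above.

# icmp_counter FILE Input|Output "label" -> prints the counter, 0 if absent
icmp_counter() {
    awk -v dir="$2" -v label="$3" '
        /^[ \t]*(Input|Output) histogram:/ { cur = $1; next }
        cur == dir {
            n = index($0, ":")
            if (n == 0) next                  # summary lines carry no label
            name = substr($0, 1, n - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == label) { print substr($0, n + 1) + 0; found = 1; exit }
        }
        END { if (!found) print 0 }
    ' "$1"
}

# icmp_rate BEFORE AFTER Input|Output "label" SECONDS -> growth per second
icmp_rate() {
    a=$(icmp_counter "$1" "$3" "$4")
    b=$(icmp_counter "$2" "$3" "$4")
    echo $(( (b - a) / $5 ))
}

SNAPDIR=$(mktemp -d)
BEFORE=$SNAPDIR/before; AFTER=$SNAPDIR/after
# Trimmed copy of the counters posted above.
cat > "$BEFORE" <<'EOF'
icmp:
Output histogram:
echo reply: 3803
destination unreachable: 739560
Input histogram:
echo reply: 32462
echo: 3803
EOF
# Constructed second snapshot, assumed to be taken 60 seconds later.
cat > "$AFTER" <<'EOF'
icmp:
Output histogram:
echo reply: 3803
destination unreachable: 739680
Input histogram:
echo reply: 32522
echo: 3803
EOF

echo "echo replies received/s: $(icmp_rate "$BEFORE" "$AFTER" Input "echo reply" 60)"
echo "unreachables sent/s: $(icmp_rate "$BEFORE" "$AFTER" Output "destination unreachable" 60)"
```

On a live system the two files would come from redirecting the netstat command used in the thread to a file at the start and end of the interval.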
07-06-2005 04:45 AM
Re: Rogue pings
Unless the ICMP echo requests are coming at a _very_ high rate and/or are using spoofed source IPs, even if your firewalls were not filtering them, they would not be causing any problems.
07-06-2005 08:40 PM
Re: Rogue pings
Mark Syder (like the drink but spelt different)
07-06-2005 10:14 PM
Re: Rogue pings
dced 1359 root 11u IPv4 0x429f0e40 0t0 ICMP *:*
ping 9721 root 6u IPv4 0x4293c040 0t0 ICMP *:*
to see if you can spot any suspects.
07-07-2005 02:00 AM
Re: Rogue pings
"If I remember correctly, ICMP echo requests can be generated via a raw IP socket."
What does this mean? Because they are exactly that, echo requests, I can see it in my trace report.
Ermin, the output gives me only one process using icmp:
root 12012 13988 0 Jun 22 - 54:29 nim_ether
Does this mean we found the culprit?
Thanks again for the replies!
Nicolas.
07-07-2005 03:22 AM
Re: Rogue pings
You can turn it off with ndd.
ndd -set /dev/ip ip_ire_gw_probe 0
Though to make it stick after a reboot you need to edit /etc/rc.config.d/nddconf to add:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0
Use the next higher integer in the brackets if you already have entries there.
HPUX 10.3 and 11.0 also use an MTU detection scheme based on pings. This can also be changed in NDD.
/usr/bin/ndd -set /dev/ip ip_pmtu_strategy 1
or in nddconf:
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_pmtu_strategy
NDD_VALUE[1]=1
The original default, Option 2, was dropped in 11i.
Ron
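The "next higher integer" rule from the post above, as an added example that is not part of the original thread: it scans an nddconf file for the highest index already in use, ignores commented-out template lines, and prints the three-line stanza to append unless the tunable already has an entry. The function names and the sample file are constructed for the illustration; nothing is written to the real /etc/rc.config.d/nddconf.

```shell
#!/bin/sh
# Added example (not from the thread): pick the next free nddconf index.

# ndd_next_index FILE -> next unused [n]; 0 when the file has no entries
ndd_next_index() {
    awk '
        /^[ \t]*#/ { next }                       # skip commented templates
        /^[ \t]*(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[[0-9]+\]=/ {
            i = substr($0, index($0, "[") + 1,
                       index($0, "]") - index($0, "[") - 1) + 0
            if (!seen || i > max) max = i
            seen = 1
        }
        END { print (seen ? max + 1 : 0) }
    ' "$1"
}

# ndd_stanza FILE TUNABLE VALUE -> stanza to append for the ip transport;
# prints nothing and returns 1 if TUNABLE already has an active entry
ndd_stanza() {
    if grep -Eq "^[[:space:]]*NDD_NAME\[[0-9]+\]=$2[[:space:]]*\$" "$1"; then
        return 1
    fi
    i=$(ndd_next_index "$1")
    printf 'TRANSPORT_NAME[%s]=ip\nNDD_NAME[%s]=%s\nNDD_VALUE[%s]=%s\n' \
        "$i" "$i" "$2" "$i" "$3"
}

# Constructed sample standing in for /etc/rc.config.d/nddconf.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# Example entry shipped as a comment:
#TRANSPORT_NAME[5]=tcp
#NDD_NAME[5]=tcp_conn_request_max
#NDD_VALUE[5]=20
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0
EOF

# Prints the [1] stanza for ip_pmtu_strategy, as in the post.
ndd_stanza "$CONF" ip_pmtu_strategy 1
# The second call finds the existing entry and adds nothing.
ndd_stanza "$CONF" ip_ire_gw_probe 0 || echo "ip_ire_gw_probe already configured"
```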
07-07-2005 01:14 PM
Re: Rogue pings
You can verify with tusc. If you don't have tusc you can get it from
ftp://ftp.cup.hp.com/dist/networking/tools
Then attach to the process as
# tusc -fv -s sendto <pid>
In the output you should see this process making connections to other systems.
07-08-2005 01:50 PM
Re: Rogue pings
07-18-2005 12:00 AM
Re: Rogue pings
I'm closing this thread now that we found the process responsible for the pings...and that it seems to be a necessary process for our cluster to work!
Thanks again!