HPE Community
Operating System - HP-UX
1833780 Members
2400 Online
110063 Solutions
New Discussion

Re: Server constantly sends icmp packets to IP address

 
SOLVED
Go to solution
Jason Fedynak
Advisor

‎09-27-2006 05:22 AM

‎09-27-2006 05:22 AM

Server constantly sends icmp packets to IP address

We looked at our firewall logs and saw that one of our HP-UX servers constantly sends icmp packets to IP address 192.168.234.235.

Looked at the syslog.log and there is nothing specific to this address. Where can I start to find out what is causing this?
Expert: In asking questions.
0 Kudos
Reply
8 REPLIES 8
IT_2007
Honored Contributor

‎09-27-2006 05:49 AM

‎09-27-2006 05:49 AM

Re: Server constantly sends icmp packets to IP address

use traceroute command to find how it queries to that IP.

traceroute 192.168.234.235
0 Kudos
Reply
Jason Fedynak
Advisor

‎09-27-2006 06:51 AM

‎09-27-2006 06:51 AM

Re: Server constantly sends icmp packets to IP address

FYI, we do know the server that is sending the packets (backup server), but how do we find out what app or why it is being sent?
Expert: In asking questions.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎09-27-2006 07:02 AM

‎09-27-2006 07:02 AM

Re: Server constantly sends icmp packets to IP address

There's no way to find the program since there is no open socket. Is the 192 address a router? If so, regular pings are done (by default) to monitor router availability. If this is just another server, try grep'ing the address (and also the hostname if applicable) in /etc config files. Check the logs to see if this is a burst then idle or a very regular pattern. A burst means it probably came from a program so look at the time stamps on the ICMP packets to see what what was running at that time. For a regular interval, look at cron jobs.


Bill Hassell, sysadmin
0 Kudos
Reply
spex
Honored Contributor

‎09-27-2006 07:14 AM

‎09-27-2006 07:14 AM

Re: Server constantly sends icmp packets to IP address

Hi Jason,

# netstat -an | grep '192.168.234.235'
to get the source port(s).

Then,
# grep /etc/services
to see the port alias, if it has one.

Or you can try 'lsof'.

PCS
0 Kudos
Reply
Jason Fedynak
Advisor

‎09-27-2006 07:23 AM

‎09-27-2006 07:23 AM

Re: Server constantly sends icmp packets to IP address

1) the traceroute of the IP takes 2 hops, one through the core router and then to our default gateway to the internet.

2) 192.168.234.235 is not a server/node on our network.

3) netstat -an | grep '192.168.234.235' returns nothing.

I will check the firewall and check if it is bursts or constant.
Expert: In asking questions.
0 Kudos
Reply
Jason Fedynak
Advisor

‎09-27-2006 07:44 AM

‎09-27-2006 07:44 AM

Re: Server constantly sends icmp packets to IP address

FYI, we get the icmp packet every 60 seconds, 24 hours a day.
Expert: In asking questions.
0 Kudos
Reply
Jim Keeble
Trusted Contributor

‎09-28-2006 12:26 AM

‎09-28-2006 12:26 AM

Solution

Re: Server constantly sends icmp packets to IP address

Hi Jason,

It may help to know what kind of icmp packet it is. ICMP has several message types, from the echo and echo replies that ping uses, to messages like "network unreachable" or "port unreachable".

If the firewall log doesn't give this level of detail, get a "nettl" trace and look at the packet details.

The ICMP message could be a diagnostic reaction to a packet the server previously received. If it is, the ICMP packet carries a copy of the packet header that caused the message inside.

You can use "ethereal" (see ethereal.com) to analyze the nettl trace. Or, you could have your network support collect the trace from outside the HP with a "sniffer" (a protocol analyzer).
Reply
Jason Fedynak
Advisor

‎09-29-2006 10:17 AM

‎09-29-2006 10:17 AM

Re: Server constantly sends icmp packets to IP address

Well I have run a nettl trace on the server and there is quite a bit of info. Of course the network guys are not seeing the dropped packets anymore. I will have to wait untill they show up again. The nettl output looks like what I am looking for though. Thanks!
Expert: In asking questions.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.