Check_ping problems ?

Andreas Ericsson ae at op5.se
Sun Apr 3 16:09:21 CEST 2005


Chris Wilson wrote:
> Hi all,
> 
> On Fri, 2005-04-01 at 08:54, Andreas Ericsson wrote:
> 
>>Drew Kollasch wrote:
>>
>>> I am currently running a nagios 1.2 box monitoring approx 120 hosts and
>>>200 services. On about 20 of the services (almost always as of recently)
>>>I get a WARNING status that says "PING WARNING - DUPLICATES FOUND!
>>>Packet loss = 1%, RTA = 0.27 ms" (or something very similar). Has
>>>anyone else seen this odd behavior?
>>
>>It basically means that the ping program receives multiple 
>>ICMP_ECHO_REPLY packets to a single ICMP_ECHO_REQUEST, which goes 
>>against the standard (rfc 792, I believe).
> 
> 
> This plugin runs the standard ping program, right? If you ping the same
> host with two ping commands at the same time, both will report duplicate
> packets, because they can't distinguish between each others' pings.
> 

Of course they can distinguish between their own and other programs' 
requests. The ICMP header contains 16 bits for id purposes. ping 
programs tag this with the lower 16 bits of their pid. Only if
the kernel sports a 32bit pid_t (FreeBSD 5.x + some others) AND it also 
randomizes pids (stupid thing to do, really) OR more than 65536 
processes are running, of which two are PING processes targeting the 
same host.

There are four scenarios that can cause this to happen for real.
1) The PING program is broken. Considering PING is a very simple program 
that isn't very likely.
2) The IP-stack on the "bouncing" end is broken. This is even less likely.
3) Someone is doing a random-replay attack in the network for black-hat 
auditing purposes. This isn't very likely either, as icmp is a very 
un-interesting protocol to do random-replay attacks on.
4) ICMP_ECHO_REQUEST's are being sent to a broadcast address (this is 
very likely to be the case). Common broadcast addresses end in 255, 191, 
127, 15. They always end in something which is exactly 2^x - 1, where x 
is always between 2 and 30 in IPv4 networks.

> So this problem may just be caused by someone or something pinging from
> the nagios server to the remote host at the same time as Nagios does its
> checks.
> 

Read /usr/include/netinet/ip_icmp.h or rfc 792 for details.

> Cheers, Chris.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
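
Added example, not part of the original message and not code from ping or the Nagios plugins: a reply counts as a duplicate only when it carries this process's own 16-bit id and a sequence number already seen, and two pids that differ by 65536 map to the same id. The packets are constructed samples, and reading id and seq as big-endian is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHOREPLY_TYPE 0   /* RFC 792: echo reply is type 0 */

/* Constructed sample headers, 8 bytes each:
 * type, code, checksum[2], id[2], seq[2]; checksums left as zero. */
static const uint8_t sample_replies[][8] = {
    {0, 0, 0, 0, 0x30, 0x39, 0x00, 0x01},  /* id 0x3039, seq 1 */
    {0, 0, 0, 0, 0x30, 0x3a, 0x00, 0x01},  /* another ping process, id 0x303a */
    {0, 0, 0, 0, 0x30, 0x39, 0x00, 0x02},  /* id 0x3039, seq 2 */
    {0, 0, 0, 0, 0x30, 0x39, 0x00, 0x02},  /* seq 2 again: a duplicate */
    {8, 0, 0, 0, 0x30, 0x39, 0x00, 0x03},  /* echo request, not a reply */
};

/* The id a ping process tags its requests with: lower 16 bits of its pid. */
uint16_t ping_id_from_pid(uint32_t pid) { return (uint16_t)(pid & 0xFFFF); }

/* Count echo replies carrying my_id whose sequence number was already seen.
 * Replies with a different id belong to another process and are skipped. */
int count_duplicates(const uint8_t (*pkts)[8], size_t n, uint16_t my_id)
{
    uint8_t seen[65536 / 8];   /* one bit per possible sequence number */
    int dups = 0;

    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        uint16_t id  = (uint16_t)((pkts[i][4] << 8) | pkts[i][5]);
        uint16_t seq = (uint16_t)((pkts[i][6] << 8) | pkts[i][7]);

        if (pkts[i][0] != ICMP_ECHOREPLY_TYPE || id != my_id)
            continue;
        if (seen[seq / 8] & (1u << (seq % 8)))
            dups++;
        else
            seen[seq / 8] |= (uint8_t)(1u << (seq % 8));
    }
    return dups;
}

int main(void)
{
    size_t n = sizeof sample_replies / sizeof sample_replies[0];
    printf("pid 12345: %d duplicate(s)\n",
           count_duplicates(sample_replies, n, ping_id_from_pid(12345)));
    return 0;
}
```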

