Check_ping problems ?

Drew Kollasch drewk at bvrmc.org
Mon Apr 4 15:15:21 CEST 2005


These are not being sent to broadcast addresses.
The IP stacks on both ends are fine.
No, my printer(s) are not 0wn3d.

Fixed!! Solution(ish):
I went back to a previous version of the check_ping program, and I have
not seen a single one of these now. I plan on re-compiling from scratch
the most recent plugins and seeing if there is something that was
conflicting w/ my system. (good thing for backups!) :D
Thanks for all your suggestions though!

 -------------------------------------------------------
Drew Kollasch
Network/Desktop Technician
kollasch.drew at bvrmc.org
712-213-8668

Buena Vista Regional Medical Center
1525 W 5th St
Storm Lake, IA 50588
-----Original Message-----
From: nagios-users-admin at lists.sourceforge.net
[mailto:nagios-users-admin at lists.sourceforge.net] On Behalf Of Andreas
Ericsson
Sent: Sunday, April 03, 2005 9:09 AM
To: Nagios Users
Subject: Re: [Nagios-users] Check_ping problems ?

Chris Wilson wrote:
> Hi all,
> 
> On Fri, 2005-04-01 at 08:54, Andreas Ericsson wrote:
> 
>>Drew Kollasch wrote:
>>
>>> I am currently running a nagios 1.2 box monitoring approx 120 hosts 
>>>and 200 services. On about 20 of the services (almost always as of 
>>>recently) I get a WARNING status that says "PING WARNING - DUPLICATES FOUND!
>>>Packet loss = 1%, RTA = 0.27 ms" (or something very similar). Has 
>>>anyone else seen this odd behavior?
>>
>>It basically means that the ping program receives multiple 
>>ICMP_ECHO_REPLY packets to a single ICMP_ECHO_REQUEST, which goes 
>>against the standard (rfc 792, I believe).
> 
> 
> This plugin runs the standard ping program, right? If you ping the 
> same host with two ping commands at the same time, both will report 
> duplicate packets, because they can't distinguish between each others'
> pings.
> 

Of course they can distinguish between their own and other programs'
requests. The ICMP header contains 16 bits for id purposes. ping
programs tag this with the lower 16 bits of their pid. Only if the
kernel sports a 32bit pid_t (FreeBSD 5.x + some others) AND it also
randomizes pids (stupid thing to do, really) OR more than 65536
processes are running, of which two are PING processes targeting the
same host.

There are four scenarios that can cause this to happen for real.
1) The PING program is broken. Considering PING is a very simple program
that isn't very likely.
2) The IP-stack on the "bouncing" end is broken. This is even less
likely.
3) Someone is doing a random-replay attack in the network for black-hat
auditing purposes. This isn't very likely either, as icmp is a very
un-interesting protocol to do random-replay attacks on.
4) ICMP_ECHO_REQUEST's are being sent to a broadcast address (this is
very likely to be the case). Common broadcast addresses end in 255, 191,
127, 15. They always end in something which is exactly 2^x - 1, where x
is always between 2 and 30 in IPv4 networks.

> So this problem may just be caused by someone or something pinging 
> from the nagios server to the remote host at the same time as Nagios 
> does its checks.
> 

Read /usr/include/netinet/ip_icmp.h or rfc 792 for details.

> Cheers, Chris.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
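
An added example, not part of the original thread and not code from ping or check_ping: a Python classifier that applies the 16-bit id matching described above to captured echo replies and separates the duplicate cases the scenario list names. The function names are hypothetical, the sample replies are constructed, and it assumes the IP header is already stripped and the checksum is not verified.

```python
import struct

ICMP_ECHOREPLY = 0  # ICMP type for echo reply (RFC 792)

def echo_id_for_pid(pid):
    """Identifier as described in the thread: lower 16 bits of the pid."""
    return pid & 0xFFFF

def make_reply(ident, seq):
    """Build a constructed 8-byte echo-reply header (checksum left at 0)."""
    return struct.pack("!BBHHH", ICMP_ECHOREPLY, 0, 0, ident, seq)

def parse_echo_reply(raw):
    """Return (ident, seq) for an echo reply, or None for anything else."""
    if len(raw) < 8:
        return None
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return (ident, seq) if (icmp_type, code) == (ICMP_ECHOREPLY, 0) else None

def classify(replies, pid):
    """Sort (source_ip, icmp_bytes) replies into the cases from the thread."""
    mine = echo_id_for_pid(pid)
    sources_by_seq, foreign = {}, 0
    for src, raw in replies:
        parsed = parse_echo_reply(raw)
        if parsed is None:
            continue
        ident, seq = parsed
        if ident != mine:
            foreign += 1  # reply belongs to some other ping process
            continue
        sources_by_seq.setdefault(seq, []).append(src)
    return {
        "foreign": foreign,
        # one host answered a single request more than once
        "dup_same_source": sorted(s for s, v in sources_by_seq.items() if len(v) > len(set(v))),
        # several hosts answered a single request (typical of a broadcast target)
        "dup_multi_source": sorted(s for s, v in sources_by_seq.items() if len(set(v)) > 1),
    }

# Constructed sample: our ping runs as pid 70001, so its id is 70001 & 0xFFFF = 4465.
SAMPLE = [
    ("192.0.2.10", make_reply(4465, 1)),
    ("192.0.2.10", make_reply(4465, 1)),  # same host, same sequence number
    ("192.0.2.10", make_reply(4465, 2)),
    ("192.0.2.11", make_reply(4465, 2)),  # second responder, same sequence number
    ("192.0.2.10", make_reply(4242, 3)),  # id of a different ping process
]
```

Calling `classify(SAMPLE, 70001)` and `classify(SAMPLE, 4465)` gives the same result, which is the id collision that is only possible when pids exceed 16 bits.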


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when
reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

