When a protocol is in use, faults sometimes occur. How do we handle them on a given device? This article walks through an ICMP fault as an example, analyzes it and offers a solution. First, the problem. Although the router showed no obvious abnormality during operation, a log entry like the following was often seen: in it, "209.24.79.200" is the address of the router's uplink interface, and it was unclear why the router was sending so many ICMP messages to these irregular IP addresses.
ICMP fault
Checking these IP addresses: some belong to provinces in China, some to Japan, and some to the United States, Argentina and Singapore, with no pattern at all. Is someone attacking the router? Or is there an internal bot under attack? Strangely, there are only records of outgoing packets and none of incoming packets.
When ICMP faults come up, the protocol itself needs no introduction: the everyday ping command uses ICMP. ICMP, the Internet Control Message Protocol, is an integral part of IP and provides error reporting: when one of a variety of error conditions is detected, a message is returned to the originating host. There are also a variety of ICMP-based attack methods. So why was this log generated? Let me walk through the investigation.
Our school's topology is a simple star. The central node is an Enterasys SSR8000, a Layer 3 switching router. One port is the uplink to CERNET; the other ports connect the internal network, which is divided into multiple port-based VLANs.
To check whether the messages originate inside the network, logging was enabled on each internal VLAN interface, yet no related ICMP entries were recorded there; only the uplink interface recorded them. So if an internal computer were sending these ICMP packets, the problem would still show up on the uplink interface. However, the log records only information at the protocol layer and cannot capture the packets themselves in more depth.
To view the packets on the uplink interface, the simplest way is the port mirroring function: a computer attached to the mirror port captures the packets for analysis. First download the packet analysis software WINDUMP (http://windump.polito.it). Install it on computer A, which is connected to the RJ45 port that will serve as the mirror destination. Then install WINDUMP on computer B as well and connect it to the current VLAN1 (gateway 222.222.222.1, mask 255.255.255.0).
Once everything is ready, start port mirroring. Log on to the router from computer B, enter configuration mode and run: SSR(config)# port mirroring dst-ports et.1.3 src-ports gi.4.1. This mirrors the uplink port (gi.4.1) to the destination port (et.1.3), which is the port computer A is connected to. On computer A, open a DOS prompt, change to the directory where WINDUMP is located and enter the command:
The records above have already been filtered. The "-N" parameter in the first line indicates that IP addresses and port numbers are converted to host names and port names; the second line shows WINDUMP starting to listen on the selected NIC; and from the third line on is the information WINDUMP recorded. While WINDUMP is running, view the logs on the router from computer B. Picking any one of the ICMP records:
Compare the entry containing the IP address "218.79.246.212" with the data captured by WINDUMP. Of the two lines in the capture, the first shows a packet sent from TCP port 64627 of 218.79.246.212 to port 16881 of 222.222.222.191.
The S flag means the SYN flag is set; the sequence number is 2898301189; there is no data; the advertised receive window is 4096 bytes; and the maximum segment size (max-segment-size) option requests an MSS of 1452 bytes. This is clearly a connection request. The second line shows the router returning an ICMP "host unreachable" message to 218.79.246.212, which means no computer with the IP address "222.222.222.191" was found on that network segment.
It turns out that when the router receives a packet for a destination IP address it does not know, that is, one it has no entry for, it sends an ARP broadcast to resolve it. If a target host answers the ARP broadcast, the router forwards the packet to that host.
If no response arrives, the router sends another ARP request for each of the next four packets. If a 6th packet arrives and the MAC address of the target host still has not been resolved, the router by default discards the 6th and subsequent packets for the next 20 seconds and returns the ICMP message "host unreachable" to the source host.
The first line of the record on computer B confirms this: the router sent an ARP query to the network segment for the computer with IP address "222.222.222.191" and, finding none, concluded that the target host does not exist on that segment. It therefore returned an ICMP host-unreachable message to the source computer to notify it of the problem, and discarded the original packet.
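The ARP-then-ICMP behaviour described above can be written out as a small state machine. The following is an added example, not code from the original article and not Enterasys SSR firmware: it models the sequence the text describes (five ARP requests, then 20 seconds of drop-and-ICMP) using the page's own numbers, so the reader can see why each external peer produces a burst of host-unreachable messages rather than a single one. The class, method and constant names are assumptions made here for illustration.

```python
class UnresolvedDestinationModel:
    """Model of the router behaviour described in the article for packets
    whose destination has no ARP entry. Constructed illustration of the
    page's description, not SSR firmware; the constants are the page's values.
    """
    ARP_ATTEMPTS = 5          # the first packet plus the next four each trigger an ARP request
    SUPPRESS_SECONDS = 20     # from the 6th packet on: drop and send ICMP for this long

    def __init__(self):
        self.arp_table = {}       # ip -> mac, resolved neighbours
        self.arp_sent = {}        # ip -> number of ARP requests sent so far
        self.suppress_until = {}  # ip -> time until which packets are dropped with ICMP
        self.icmp_sent = []       # (source ip, unreachable host) for each ICMP emitted

    def arp_reply(self, ip, mac):
        """A host answered the ARP broadcast: resolve it and clear the counters."""
        self.arp_table[ip] = mac
        self.arp_sent.pop(ip, None)
        self.suppress_until.pop(ip, None)

    def handle(self, src_ip, dst_ip, now):
        """Return the action taken for one packet from src_ip to dst_ip at time now."""
        if dst_ip in self.arp_table:
            return "forward"
        until = self.suppress_until.get(dst_ip)
        if until is not None:
            if now < until:
                self.icmp_sent.append((src_ip, dst_ip))
                return "icmp-host-unreachable"
            # The 20 s window has elapsed: the router starts resolving again.
            del self.suppress_until[dst_ip]
            self.arp_sent[dst_ip] = 0
        n = self.arp_sent.get(dst_ip, 0)
        if n < self.ARP_ATTEMPTS:
            self.arp_sent[dst_ip] = n + 1
            # Packet is not forwarded yet; the page does not say whether it is queued.
            return "arp-request"
        self.suppress_until[dst_ip] = now + self.SUPPRESS_SECONDS
        self.icmp_sent.append((src_ip, dst_ip))
        return "icmp-host-unreachable"


def replay(model, src, dst, times):
    """Feed one packet per timestamp and return the list of actions taken."""
    return [model.handle(src, dst, t) for t in times]


if __name__ == "__main__":
    # Constructed scenario: an external peer retries a SYN once per second to an offline host.
    m = UnresolvedDestinationModel()
    print(replay(m, "218.79.246.212", "222.222.222.191", list(range(8))))
```

Running the scenario shows five "arp-request" actions followed by "icmp-host-unreachable" for every later packet until the 20-second window expires, which is exactly the one-direction pattern the router log shows: the ICMP goes out, the inbound SYNs that caused it are never logged.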
Now the problem is clear. The ICMP entries in the router log are the "Destination Unreachable" messages the router sent to the source addresses. But why were these external IP addresses looking for computers on campus? Analysis of the collected data shows that the external hosts were mainly looking for three fixed internal computers. Searching the historical logs turned up the same records for those three computers:
The ports on which these external hosts connect to the three target hosts are fixed in the range 6881 to 6889, the ports commonly used by BT (BitTorrent) downloads. No wonder such logs never appeared until BT became popular recently. When these hosts download with BT, a record is left on the BT server so that other hosts can download resources from them; when the hosts are later shut down, the router tells those peers that it cannot find them.
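The two steps above, decoding the windump lines and then working out which internal hosts and ports the external peers were after, can be automated. The following is an added example written for this article, not the author's script and not part of WINDUMP: it parses classic tcpdump/windump output lines of the shape shown in the text (a TCP SYN and the router's ICMP host-unreachable reply), pairs each ICMP with the SYN that provoked it, and reports per internal host how many distinct peers hit it and whether the ports fall in the 6881-6889 range the article identifies as BT. The sample capture is constructed for the example and uses the addresses from the text; the function names are assumptions made here.

```python
import re
from collections import defaultdict

# Port range the article identifies as the common BT (BitTorrent) ports.
BT_PORTS = range(6881, 6890)

# Classic tcpdump/windump TCP SYN line, e.g.
#   10:21:03.114 218.79.246.212.64627 > 222.222.222.191.16881: S 2898301189:2898301189(0) win 4096 <mss 1452>
SYN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S (?P<seq>\d+):\d+\((?P<len>\d+)\) "
    r"win (?P<win>\d+)(?: <mss (?P<mss>\d+)>)?"
)

# The router's ICMP reply, e.g.
#   10:21:03.118 209.24.79.200 > 218.79.246.212: icmp: host 222.222.222.191 unreachable
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: host (?P<host>\d+(?:\.\d+){3}) unreachable"
)


def parse_syn(line):
    """Return the fields of a SYN line as a dict (ints where numeric), or None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "len", "win"):
        d[k] = int(d[k])
    d["mss"] = int(d["mss"]) if d["mss"] else None
    return d


def parse_unreachable(line):
    """Return the fields of an ICMP host-unreachable line, or None."""
    m = UNREACH_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines):
    """Pair each ICMP host-unreachable with the SYN that provoked it.

    Returns {internal_host: {"peers": set, "ports": set, "count": int}}.
    """
    pending = {}   # (external src, internal dst) -> most recent SYN seen
    hosts = defaultdict(lambda: {"peers": set(), "ports": set(), "count": 0})
    for line in lines:
        syn = parse_syn(line)
        if syn:
            pending[(syn["src"], syn["dst"])] = syn
            continue
        icmp = parse_unreachable(line)
        if not icmp:
            continue
        # The ICMP goes back to the external source; its text names the internal host.
        syn = pending.pop((icmp["dst"], icmp["host"]), None)
        if syn is None:
            continue   # unreachable with no matching request seen: ignore it
        entry = hosts[icmp["host"]]
        entry["peers"].add(syn["src"])
        entry["ports"].add(syn["dport"])
        entry["count"] += 1
    return dict(hosts)


def summarize(hosts):
    """Rank internal hosts by unreachables caused and flag BT-range ports."""
    report = []
    for host, e in hosts.items():
        report.append({
            "host": host,
            "count": e["count"],
            "peers": len(e["peers"]),
            "ports": sorted(e["ports"]),
            "bt": any(p in BT_PORTS for p in e["ports"]),
        })
    report.sort(key=lambda r: (-r["count"], r["host"]))
    return report


# Constructed sample capture in windump's text format; not real traffic.
SAMPLE = """\
10:21:03.114 218.79.246.212.64627 > 222.222.222.191.16881: S 2898301189:2898301189(0) win 4096 <mss 1452>
10:21:03.118 209.24.79.200 > 218.79.246.212: icmp: host 222.222.222.191 unreachable
10:21:07.502 61.144.10.7.3321 > 222.222.222.191.6881: S 1181011771:1181011771(0) win 16384 <mss 1460>
10:21:07.509 209.24.79.200 > 61.144.10.7: icmp: host 222.222.222.191 unreachable
10:21:09.231 200.43.12.99.1047 > 222.222.222.57.6889: S 33210987:33210987(0) win 8192 <mss 1452>
10:21:09.240 209.24.79.200 > 200.43.12.99: icmp: host 222.222.222.57 unreachable
10:21:11.004 203.0.113.5.40210 > 222.222.222.20.80: S 77123001:77123001(0) win 65535 <mss 1460>
"""

if __name__ == "__main__":
    for row in summarize(correlate(SAMPLE.splitlines())):
        print(row)
```

The last sample line is a SYN to a host that is up (no ICMP follows), so it never appears in the report; the point of pairing SYN and ICMP rather than counting ICMP alone is that the ICMP text only names the internal host, while the port that identifies the application is in the SYN.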
Because the log service records information from Layer 3 up, while the packets the router receives are discarded at Layer 2, these incoming abnormal packets never appear in the log. To reduce the router's log volume, use "ip disable icmp-messages destination-unreachables" in configuration mode to disable these messages.
This ICMP fault was caused by ICMP itself, not by the system configuration but by external factors. Faults of this kind can be identified only after some analysis, after which the corresponding configuration change eliminates them.