[Nagiosplug-help] check_icmp problems

[Andreas Ericsson]

Chris Adams wrote:
> Once upon a time, Andreas Ericsson <ae at op5.se> said:
>> check_icmp does indeed maintain the host id number in the icmp->seq
>> field. It's impossible to do otherwise when scanning multiple nodes
>> if one wants to determine which of the hosts generated a particular
>> error code, since error codes do not echo the data payload of the
>> original packet.
>>
>> According to the ICMP RFC though (737, iirc), the sequence number
>> of the header really shouldn't matter. It's for the sending host to
>> determine and for the responding node to echo back.
>>
>> May I ask what kind of equipment you're working on? It could be that
>> it's more worth to have accurate error responses on most hardware
>> than it is to get accurate multi-node pings for some rather special
>> hardware. Otoh, if you're running one check_icmp process per host,
>> then the issue can be worked around while maintaining accuracy in
>> error messages.
>>
> 
> I saw the same problem with IIRC some Linksys firewalls and some other
> firewall-type gear.  Basically, they were rate-limiting ICMP echo
> requests with the same sequence within a certain time frame.
> 

I can imagine that being one of the stellar ideas coming to someone in
the middle of the night who wants to earn their pat on the head while
reluctant to add any real value. After all, it sounds sensible if you
don't know horrible it can be to break standards.

> My solution was to use a few bits of the sequence number as, well, as
> sequence number. :-)  This cuts down on the number of hosts you can
> simultaneously monitor; I used 4 bits for a counter (a max of 16 unique
> sequence numbers per host, which should probably be enough) which leaves
> 12 bits for hosts (so you could still ping 2048 hosts).

4096 actually, which is probably overkill ;-)

>  The number of
> bits used for the sequence portion of the field is a #define, so it is
> easily changed (although there is no range checking, so raising it too
> high will give undefined results).
> 
> This patch has been running for me for a while now with no further
> problems.  I posted it here before; I've included it again below.

Clever solution. I'll apply it to my version of check_icmp, with SEQ_BITS
increased to 6. That'll allow 64 packets to a single host (I know some of
our customers use 30 for some of their gear), while still making it
possible to scan 1024 hosts in one go, which is almost certainly (still)
overkill.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231