LinuxQuestions.org
Old 09-03-2009, 03:45 PM   #1
komodo9
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Rep: Reputation: 0
Flooded with ICMP Unreachable Messages


Hi,

One of my servers has recently been sending out 400-500 ICMP Unreachable messages per second.

I'm aware these messages are normally sent when a connection is attempted on a closed UDP port, but I'm trying to look into this a bit deeper.

Does anyone know how to log what port these connections are attempting to connect on? I want to make sure it's not an actual port in use (such as bind), that is denying valid connection attempts for some reason. Perhaps some tcpdump or netstat arguments?

Thanks!
 
Old 09-03-2009, 04:01 PM   #2
Hewson
Member
 
Registered: Feb 2007
Location: /home
Distribution: Kubuntu and CentOS
Posts: 214

Rep: Reputation: 32
The ICMP messages will typically contain the closed port.
You could tcpdump on that server to some pcap, copy it locally then browse the pcap file with wireshark.
 
Old 09-03-2009, 04:07 PM   #3
komodo9
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Hewson
> The ICMP messages will typically contain the closed port.

That would be great... I'm just not sure how to view the ICMP messages.

Quote:
Originally Posted by Hewson
> You could tcpdump on that server to some pcap, copy it locally then browse the pcap file with wireshark.

The problem is this server is extremely high-traffic, so a pcap file would grow massive almost immediately.

Thanks.
 
Old 09-03-2009, 04:18 PM   #4
Hewson
Member
 
Registered: Feb 2007
Location: /home
Distribution: Kubuntu and CentOS
Posts: 214

Rep: Reputation: 32
Quote:
Originally Posted by komodo9
> That would be great... I'm just not sure how to view the ICMP messages.

Wireshark; just look at one of the packets, the innermost payload will have what you are looking for.

Quote:
Originally Posted by komodo9
> The problem is this server is extremely high-traffic, so a pcap file would grow massive almost immediately.
>
> Thanks.

Ya, you'd probably want a tcpdump filter.
Google knows some good examples; here's one I found: http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt
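
Added example, not part of the thread: a Python sketch of what "the innermost payload" holds. An ICMP Destination Unreachable message quotes the original IP header plus the first 8 bytes of its UDP/TCP header, so the closed port can be read and tallied without keeping a full pcap. The function names and the `sample()` messages are constructed for illustration; input is assumed to be raw bytes starting at the ICMP header.

```python
import struct
from collections import Counter

PROTOS = {6: "tcp", 17: "udp"}

def unreachable_port(icmp: bytes):
    """Parse one ICMP Destination Unreachable message (starting at the ICMP
    header) and return (proto, dst_ip, dst_port, icmp_code) for the packet
    that triggered it, or None if it is not a usable type 3 message."""
    if len(icmp) < 8 + 20 or icmp[0] != 3:        # 8-byte ICMP header + min IP header
        return None
    code = icmp[1]                                # 3 = port unreachable
    inner = icmp[8:]                              # quoted original IP header + >= 8 bytes
    ihl = (inner[0] & 0x0F) * 4                   # original header may carry options
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = PROTOS.get(inner[9])
    if proto is None:
        return None
    dst_ip = ".".join(str(b) for b in inner[16:20])
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return proto, dst_ip, dport, code

def tally(messages):
    """Count unreachables per (proto, port) instead of storing packets."""
    counts = Counter()
    for msg in messages:
        hit = unreachable_port(msg)
        if hit:
            counts[hit[0], hit[2]] += 1
    return counts

def sample(dport, proto=17, options=b""):
    """Constructed test message: type 3 code 3 quoting a packet to 192.0.2.10."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 28, 0, 0, 64, proto, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])) + options
    l4 = struct.pack("!HHHH", 40000, dport, 8, 0)  # first 8 bytes of the UDP/TCP header
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + l4

if __name__ == "__main__":
    msgs = [sample(53), sample(53), sample(161), sample(53, options=b"\x01" * 4)]
    for (proto, port), n in tally(msgs).most_common():
        print(f"{proto}/{port}: {n}")
```

A port that dominates the tally and matches a service that should be listening (53 for bind, for example) is the case the original question wanted to rule out.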
 
  

