Glen Pitt-Pladdy :: Blog

ICMP Connectivity Monitoring with Cacti

Recently I was discussing network monitoring with someone and realised ICMP would be very useful to know about. ICMP is the Internet Control Message Protocol - it is the protocol that carries messages about connectivity.

As an example, if there is a routing problem then you may well get ICMP type 3 (unreachable) code 0 (network unreachable), so a large increase in this would suggest a routing problem. Likewise, if you got loads of type 3 code 4 (fragmentation needed, but can't fragment) then you would know that there was some packet size related problem. Any distinct changes in ICMP patterns may indicate some change in connectivity. What is better, you don't have to actually ping all destinations which would be impractical anyway - the ICMP is generated on demand as connections are created or fail.

It isn't necessarily going to show up everything (e.g. if packets are just being lost or inbound connectivity is failing), but it provides a useful "passive" way of monitoring a network.

I searched around for such a tool... and found none that were practical for continuous monitoring of networks. The ICMP monitoring tools I could find were predominantly ping tools, but that's not the aim here - I want to passively listen and measure the volumes of different types of ICMP to detect changes in connectivity, and that's most useful if they are graphed to make changing patterns easy to spot. With that in mind I cobbled together one of my own in Perl using the pcap modules to listen for both ICMP (IPv4) and ICMPv6 (IPv6), plus some extension scripts to ship the data via snmpd.

Shipping the data via SNMP allows for easy remote monitoring of devices, and makes it rather easy to hook it up to Cacti.

Monitoring Daemon

The ICMP monitoring would normally need to run as root to capture packets, and be running continuously so it made sense to write a simple daemon. This runs in the background and periodically writes a stats file in a location of your choosing. This can be read by simple shell scripts to get the data into a form that is useful.

The daemon takes 4 arguments:

  • The device (eg. eth0)
  • Should it use promiscuous capture (ie. listen for all packets rather than just ones destined for it) - this can be useful if one node is monitoring a whole network via a mirror / SPAN port on a switch
  • The time between writing the stats file - if this is exceeded then the stats file is written.
  • The path of the stats file to write to

So for a SNMP set up like I run you would launch the daemon with something like:

# ./icmpmond eth0 false 60 /var/local/snmp/icmp

Download: ICMP monitoring daemon
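
As an added illustration (not the author's Perl daemon, and not its stats-file format), the counting step such a daemon performs can be sketched in Python: classify each captured packet, starting at the IP header, by ICMP type and code and tally the result. The function names, the `family.type.code count` layout and the sample packets are assumptions constructed for this example.

```python
import struct
from collections import Counter

ICMP, ICMPV6 = 1, 58  # IP protocol / next-header numbers

def classify(packet: bytes):
    """Return (family, type, code) for a packet starting at the IP header, else None."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4          # header length incl. options
        if ihl < 20 or len(packet) < ihl + 2 or packet[9] != ICMP:
            return None
        if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
            return None                       # later fragment: no ICMP header here
        return ("icmp", packet[ihl], packet[ihl + 1])
    if version == 6:
        # Simplification: ICMPv6 directly after the fixed header (no extension headers)
        if len(packet) < 42 or packet[6] != ICMPV6:
            return None
        return ("icmp6", packet[40], packet[41])
    return None

def tally(packets):
    """Count packets per (family, type, code), ignoring everything that is not ICMP."""
    return Counter(k for k in map(classify, packets) if k)

def render_stats(counts):
    """Assumed layout (not the daemon's real format): 'family.type.code count' per line."""
    return "\n".join(f"{f}.{t}.{c} {n}" for (f, t, c), n in sorted(counts.items()))

def _v4(icmp_type, code, proto=ICMP):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + struct.pack("!BBHI", icmp_type, code, 0, 0)

def _v6(icmp_type, code):
    addr = bytes.fromhex("20010db8") + bytes(12)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 8, ICMPV6, 64, addr, addr)
    return hdr + struct.pack("!BBHI", icmp_type, code, 0, 0)

# Constructed sample traffic: three "network unreachable", one "fragmentation needed",
# one echo request, one UDP packet (ignored) and one ICMPv6 "no route to destination".
SAMPLE = [_v4(3, 0)] * 3 + [_v4(3, 4), _v4(8, 0), _v4(0, 0, proto=17), _v6(1, 0)]

if __name__ == "__main__":
    print(render_stats(tally(SAMPLE)))
```

A jump in the `icmp.3.0` or `icmp.3.4` counters between two writes of the stats file is the kind of change the graphs are meant to make visible.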

snmpd Extensions

These are really simple shell scripts that loop through all the possibilities. The usual story - add the config to your /etc/snmpd.conf as per the SNMP basics discussed before:

extend icmp6 /etc/snmp/icmp6-stats-total
extend icmp6err1 /etc/snmp/icmp6-stats-err1
extend icmp6err3 /etc/snmp/icmp6-stats-err3
extend icmp6err4 /etc/snmp/icmp6-stats-err4
extend icmp /etc/snmp/icmp-stats-total
extend icmperr3 /etc/snmp/icmp-stats-err3
extend icmperr5 /etc/snmp/icmp-stats-err5
extend icmperr11 /etc/snmp/icmp-stats-err11
extend icmperr12 /etc/snmp/icmp-stats-err12

After restarting snmpd it should be able to pick up the counts in the data file. If you are using a custom file/location then you will need to tweak the scripts appropriately.

Download: ICMP snmpd extension scripts (tarball)

Cacti

And finally a set of Cacti templates to go with these. If you are doing ping monitoring then the "ICMP Types" graphs can get swamped by that so I have also provided a "no Ping" version and a ping graph which can be much clearer under these circumstances.

Download: ICMP monitoring Cacti Template

The graphs look like this:

  • ICMP Cacti Types Graph
  • ICMP Cacti Types Graph - no Ping
  • ICMP Cacti Ping Graph
  • ICMP Cacti Type 3 Graph
  • ICMP Cacti Type 5 Graph
  • ICMP Cacti Type 11 Graph
  • ICMP Cacti Type 12 Graph
  • ICMPv6 Cacti Types Graph
  • ICMPv6 Cacti Types Graph - no Ping
  • ICMPv6 Cacti Ping Graph
  • ICMPv6 Cacti Type 1 Graph
  • ICMPv6 Cacti Type 3 Graph
  • ICMPv6 Cacti Type 4 Graph

Comments:

23/10/2014 22:37 :: luis

I followed this article, but I can't get it to function. When I run the command with snmpwalk, I see this error:

snmpwalk -v 1 -c public 192.168.19.128 NET-SNMP-EXTEND-MIB::nsExtendOutLine."icmp".4
NET-SNMP-EXTEND-MIB::nsExtendOutLine.icmp.4: Unknown Object Identifier (Index out of range: icmp (nsExtendToken))

Can somebody help me? Thanks

24/10/2014 18:37 :: Glen Pitt-Pladdy

There are multiple possible things which could cause this, but first of all the shell will evaluate the quoting and unless you either escape it or put further quoting around the OID I don't think it will work. Either:

snmpwalk -v 1 -c public 192.168.19.128 NET-SNMP-EXTEND-MIB::nsExtendOutLine.\"icmp\".4

OR

snmpwalk -v 1 -c public 192.168.19.128 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."icmp".4'

See if that solves the problem first



