Glen Pitt-Pladdy :: Blog

ICMP Connectivity Monitoring with Cacti
Recently I was discussing network monitoring with someone and realised ICMP would be very useful to know about. ICMP is the Internet Control Message Protocol - it is the protocol that carries messages about connectivity. As an example, if there is a routing problem then you may well get ICMP type 3 (unreachable) code 0 (network unreachable), so a large increase in this would suggest a routing problem. Likewise, if you got loads of type 3 code 4 (fragmentation needed, but can't fragment) then you would know that there was some packet size related problem.

Any distinct changes in ICMP patterns may indicate some change in connectivity. What is better, you don't have to actually ping all destinations, which would be impractical anyway - the ICMP is generated on demand as connections are created or fail. It isn't necessarily going to show up everything (e.g. if packets are just being lost or if inbound connectivity is failing), but it provides a useful "passive" way of monitoring a network.

I searched around for such a tool... and found none that were practical for continuous monitoring of networks. The ICMP monitoring tools I could find were predominantly ping tools, but that's not the aim here - I want to passively listen and measure the volumes of different types of ICMP to detect changes in connectivity, and that's most useful if they are graphed to make changing patterns easy to spot.

With that in mind I cobbled together one of my own in Perl using the pcap modules to listen for both ICMP (IPv4) and ICMPv6 (IPv6), plus some extension scripts to ship the data via snmpd. Shipping the data via SNMP allows for easy remote monitoring of devices, and makes it rather easy to hook it up to Cacti.

Monitoring Daemon

The ICMP monitoring would normally need to run as root to capture packets, and be running continuously, so it made sense to write a simple daemon. This runs in the background and periodically writes a stats file in a location of your choosing.
This can be read by simple shell scripts to get the data into a form that is useful. The daemon takes 4 arguments:
So for an SNMP setup like I run you would launch the daemon with something like:

# ./icmpmond eth0 false 60 /var/local/snmp/icmp

Download: ICMP monitoring daemon

snmpd Extensions

These are really simple shell scripts that loop through all the possibilities. The usual story - add the config to your /etc/snmpd.conf as per the SNMP basics discussed before:

extend icmp6 /etc/snmp/icmp6-stats-total

After restarting snmpd it should be able to pick up the counts in the data file. If you are using a custom file/location then you will need to tweak the scripts appropriately.

Download: ICMP snmpd extension scripts (tarball)

Cacti

And finally a set of Cacti templates to go with these. If you are doing ping monitoring then the "ICMP Types" graphs can get swamped by that, so I have also provided a "no Ping" version and a ping graph which can be much clearer under these circumstances.

Download: ICMP monitoring Cacti Template

The graphs look like this:
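
The passive counting idea described in this article, as an added Python sketch (not the author's Perl daemon, and not its stats file format): it classifies raw IPv4/IPv6 packets by ICMP type and code, tallies them per interval, and flags types whose volume jumps between two intervals. It assumes the link-layer header is already stripped; the helper names, the sample packets and the `factor`/`floor` thresholds are constructed for illustration.

```python
import struct
from collections import Counter

ICMP, ICMPV6 = 1, 58
V6_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options headers

def icmp_key(pkt: bytes):
    """Return ('icmp' | 'icmp6', type, code) for a raw IP packet, else None."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
        # Only the first fragment carries the ICMP header; skip the rest.
        if ihl < 20 or pkt[9] != ICMP or frag_off or len(pkt) < ihl + 2:
            return None
        return ("icmp", pkt[ihl], pkt[ihl + 1])
    if len(pkt) >= 40 and pkt[0] >> 4 == 6:
        nxt, off = pkt[6], 40
        while nxt in V6_EXT and len(pkt) >= off + 2:  # walk extension headers
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        if nxt != ICMPV6 or len(pkt) < off + 2:
            return None
        return ("icmp6", pkt[off], pkt[off + 1])
    return None

def tally(packets):
    """Count packets per (family, type, code), as one polling interval would."""
    return Counter(k for k in map(icmp_key, packets) if k)

def spikes(prev, cur, factor=3, floor=5):
    """Keys seen at least `floor` times now and more than `factor` x the previous interval."""
    return sorted(k for k, n in cur.items() if n >= floor and n > factor * prev.get(k, 0))

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def v4(proto, payload, frag_off=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_off, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload
def v6(nxt, payload):
    addr = bytes.fromhex("20010db8") + bytes(12)
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, addr, addr) + payload
def icmp(typ, code):
    return bytes([typ, code]) + bytes(6)

QUIET = [v4(ICMP, icmp(8, 0)), v4(ICMP, icmp(0, 0)), v4(ICMP, icmp(3, 0)), v4(6, bytes(20))]
NOISY = ([v4(ICMP, icmp(3, 0))] * 6 + [v4(ICMP, icmp(3, 4))] * 5
         + [v4(ICMP, icmp(3, 4), frag_off=185),          # non-first fragment: ignored
            v6(ICMPV6, icmp(1, 0)),                      # ICMPv6 destination unreachable
            v6(0, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + icmp(130, 0))])  # behind hop-by-hop

if __name__ == "__main__":
    print(spikes(tally(QUIET), tally(NOISY)))
```

With the constructed intervals, the two flagged keys are the type 3 code 0 and type 3 code 4 counters, the routing and packet-size signals the article singles out.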
Copyright Glen Pitt-Pladdy 2008-2023
Comments:
I followed this article, but I can't get it to function. When I run the command with snmpwalk, I see this error:
snmpwalk -v 1 -c public 192.168.19.128 NET-SNMP-EXTEND-MIB::nsExtendOutLine."icmp".4
NET-SNMP-EXTEND-MIB::nsExtendOutLine.icmp.4: Unknown Object Identifier (Index out of range: icmp (nsExtendToken))
Can somebody help me? Thanks.
There are multiple possible things which could cause this, but first of all the shell will evaluate the quoting and unless you either escape it or put further quoting around the OID I don't think it will work. Either:
snmpwalk -v 1 -c public 192.168.19.128 NET-SNMP-EXTEND-MIB::nsExtendOutLine.\"icmp\".4
OR
snmpwalk -v 1 -c public 192.168.19.128 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."icmp".4'
See if that solves the problem first