ICMP traffic from SM?

My NTOP is showing a particular SM sending out 1-1.5mb of ICMP traffic an hour. It's configured the same as the others, and it's only contacting our internal and public IPs, at random I'm guessing. None of the other similarly configured, same firmware/hardware SMs are doing this. There have been no complaints, but I'm just curious what this traffic would be.

Are you sure it's not one of your monitoring devices?

ICMP is usually ping

If you know which SM it's coming from, block ICMP or contact the customer and ask them why they are pinging your internal network.

I’d set up a sniffer like Wireshark on one of the IPs receiving the traffic to find out what it is before contacting your customer… around here you’d be hard pressed to find someone who knows what ICMP is. Likely a virus or some sort of internet security suite gone haywire.

The customer should not be able to ping anything internal; the radio is bridged, and we provide a router on the other side. NTOP is where it showed up. There's no way the customer can ping out from the IP of the radio; it's like the radio itself is doing it. Is LLDAP an ICMP type protocol? And why would it just be this one radio? The other devices it's contacting aren't monitoring devices, and it's random what they are; it's not just SM-SM or even Motorola gear. Is there some type of programmer mode the radio could be in?

This is really odd; it's running just under a meg of consistent outbound ICMP every hour. It's like it's ping scanning the network. I do have a gateway on it in the network config, so I believe that's how it's trying to contact off-subnet peers, but it's really odd. Is it possible its telnet interface is hosed and letting a ping run out of it somehow? In the GUI I don't see anything, but is there anything on the command line I can use to source this issue?

Telnet+> icmpstat
ICMP layer stats:
icmpInMsgs 3225 icmpInErrors 0
In counters: DestUnreach 0 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 3225 EchoReps 0
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0
icmpOutMsgs 3918463 icmpOutErrors 69
Out counts: DestUnreach 3915238 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 0 EchoReps 3225
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0

What I see here is this thing is in fact pinging out on its own and getting mostly destination unreachable. But why is it pinging?

Turn off the Ethernet port and reboot. If the ping stops, he’s got a virus. If it doesn’t, replace the SM.

Thanks Jerry, I will try this tonight.

These radios are all in bridge mode, not NAT. Is there something he could be running (through a D-Link router) that would cause the ICMP traffic to look like it's originating from the SM?

In bridge mode everything looks like it originates from the SM.

Are you blocking the typical protocols in the SM?

So I turned off the Ethernet port, shut down all the protocols except ARP, BOOTP, disabled VLAN learning; it's still there.

I'm curious as to what is actually happening here. Is it pinging on its own? Is this a common issue? Is it possible the unit has been compromised? (I believe every user is secretly a high level hacker with nothing but giving me headaches on their mind.) If a person got the SNMP write community string, would they be able to initiate something like this?

It’s possible that one could write a script that runs a continuous ping from the radio.

Telnet to the radio and do icmpstat and tcpstat. Compare the results to a known good radio.

Mine looks like:

Telnet+> icmpstat
ICMP layer stats:
icmpInMsgs 42717 icmpInErrors 0
In counters: DestUnreach 0 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 42717 EchoReps 0
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0
icmpOutMsgs 42717 icmpOutErrors 0
Out counts: DestUnreach 0 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 0 EchoReps 42717
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0

Telnet+> ipstat
IP MIB statistics:
Gateway: YES default TTL: 30
rcv: total: 64310 header err: 0 address err: 0
rcv: unknown Protocls: 0 delivered: 64310
send: total: 64266 discarded: 0 No routes: 0
Routing; forwarded: 0 discarded: 0
Recvd fragments: 0, Frames reassembled: 0
Pkts fragmented: 0, Fragments sent: 0, dropped: 0
Reasm.Timeouts: 0, Reasm.Errors: 0

How long has that radio been on, Jerry?

15d, 05:23:32
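
The comparison suggested above (icmpstat on the suspect radio against a known good one), as an added example that is not part of the thread: a Python script that parses the two `icmpstat` outputs pasted in the thread and flags where the counters are out of balance. The function names, finding labels and the three checks are assumptions chosen for illustration.

```python
import re

# icmpstat output copied from the thread: the suspect SM, then the known-good radio.
SUSPECT = """\
icmpInMsgs 3225 icmpInErrors 0
In counters: DestUnreach 0 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 3225 EchoReps 0
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0
icmpOutMsgs 3918463 icmpOutErrors 69
Out counts: DestUnreach 3915238 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 0 EchoReps 3225
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0
"""
GOOD = """\
icmpInMsgs 42717 icmpInErrors 0
In counters: DestUnreach 0 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 42717 EchoReps 0
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0
icmpOutMsgs 42717 icmpOutErrors 0
Out counts: DestUnreach 0 TimeExceed 0 ParmProb 0
SrcQuench 0 Redirect 0 Echo(ping) 0 EchoReps 42717
Timestmp 0 TStmpRep 0 AddrMasks 0 AddrMaskRep 0
"""

PAIR = re.compile(r"([A-Za-z][\w().]*)\s+(\d+)")  # "name value" pairs

def parse_icmpstat(text):
    """Split at icmpOutMsgs and return (inbound, outbound) counter dicts."""
    cut = text.index("icmpOutMsgs")
    return tuple({k: int(v) for k, v in PAIR.findall(part)}
                 for part in (text[:cut], text[cut:]))

def triage(text):
    """Return labels (assumed names) for counter patterns worth a look."""
    rx, tx = parse_icmpstat(text)
    findings = []
    if tx["Echo(ping)"] > 0:                  # radio originates echo requests
        findings.append("originates-ping")
    if tx["EchoReps"] != rx["Echo(ping)"]:    # pings received but not all answered
        findings.append("reply-mismatch")
    if tx["DestUnreach"] > rx["icmpInMsgs"]:  # more errors sent than ICMP received
        findings.append("dest-unreach-flood")
    return findings

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT), ("known good", GOOD)):
        print(name, triage(text) or "counters balanced")
```

On the thread's numbers the suspect's outbound total is exactly DestUnreach plus echo replies (3915238 + 3225 = 3918463), with zero outbound echo requests, while the known-good radio only answers the pings it receives. Destination Unreachable is an error sent in response to a received packet, so the next thing to capture is the inbound traffic that triggers it.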