Chinaunix
Help: a Solaris host keeps sending ICMP packets to another host, how can I track down the source?

Post #1, 2006-11-17 09:23
I have found that this host (168.168.101.12) keeps sending ICMP packets to another host (168.168.111.100), which may be affecting the services on that host (168.168.111.100), but I cannot find any suspicious process. No other host shows this behaviour. Could anyone help analyse and locate the cause?

iview> date;snoop -d bge2 -V 168.168.111.100
Thu Nov 16 14:55:37 CST 2006
Using device /dev/bge (promiscuous mode)
________________________________
  iview_bge2 -> 168.168.111.100 ETHER Type=0800 (IP), size = 50 bytes
  iview_bge2 -> 168.168.111.100 IP  D=168.168.111.100 S=168.168.101.12 LEN=36, ID=5894
  iview_bge2 -> 168.168.111.100 ICMP Echo request (ID: 10244 Sequence number: 32583)
________________________________
168.168.111.100 -> iview_bge2   ETHER Type=0800 (IP), size = 60 bytes
168.168.111.100 -> iview_bge2   IP  D=168.168.101.12 S=168.168.111.100 LEN=36, ID=44383
168.168.111.100 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 32583)
________________________________
  iview_bge2 -> 168.168.111.100 ETHER Type=0800 (IP), size = 50 bytes
  iview_bge2 -> 168.168.111.100 IP  D=168.168.111.100 S=168.168.101.12 LEN=36, ID=5895
  iview_bge2 -> 168.168.111.100 ICMP Echo request (ID: 10244 Sequence number: 3258
________________________________
168.168.111.100 -> iview_bge2   ETHER Type=0800 (IP), size = 60 bytes
168.168.111.100 -> iview_bge2   IP  D=168.168.101.12 S=168.168.111.100 LEN=36, ID=44384
168.168.111.100 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 3258
________________________________
  iview_bge2 -> 168.168.111.100 ETHER Type=0800 (IP), size = 50 bytes
  iview_bge2 -> 168.168.111.100 IP  D=168.168.111.100 S=168.168.101.12 LEN=36, ID=5896
  iview_bge2 -> 168.168.111.100 ICMP Echo request (ID: 10244 Sequence number: 32593)
Observation: one request is sent every 3 to 6 seconds, without interruption.

iview linus>ps -ef|grep IView
   linus 20354 20341  0 16:59:45 pts/3    0:00 grep IView
iview linus>ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.10.10.5 netmask ffffff00 broadcast 10.10.10.255
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.10.11.5 netmask ffffff00 broadcast 10.10.11.255
bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 168.168.101.13 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
bge2:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 168.168.101.12 netmask ffff0000 broadcast 168.168.255.255
bge3: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 5
        inet 168.168.101.14 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
iview linus>

iview> ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Jun 06 ?        0:17 sched
    root     1     0  0   Jun 06 ?        1:21 /etc/init -
    root     2     0  0   Jun 06 ?        0:00 pageout
    root     3     0  0   Jun 06 ?       1583:06 fsflush
    root   405     1  0   Jun 06 ?        0:00 /usr/lib/saf/sac -t 300
    root   408   405  0   Jun 06 ?        0:00 /usr/lib/saf/ttymon
    root   392     1  0   Jun 06 ?        0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
    root 20321 18358  0 16:57:41 pts/3    0:00 ps -ef
    root    40     1  0   Jun 06 ?        0:53 /sbin/in.mpathd
    root    70     1  0   Jun 06 ?        0:00 /usr/lib/sysevent/syseventd
    root   177     1  0   Jun 06 ?        0:01 /usr/sbin/inetd -s
    root   153     1  0   Jun 06 ?        0:00 /usr/sbin/rpcbind
    root   198     1  0   Jun 06 ?        0:00 /usr/lib/autofs/automountd
  oracle   357     1  0   Jun 06 ?        2:00 ora_lgwr_IVIEWDB
    root   265   263  0   Jun 06 ?        0:00 /usr/sadm/lib/smc/bin/smcboot
  daemon   186     1  0   Jun 06 ?        0:00 /usr/lib/nfs/statd
    root   185     1  0   Jun 06 ?        0:00 /usr/lib/nfs/lockd
    root   239     1  0   Jun 06 ?        0:00 /usr/lib/lpsched
    root   263     1  0   Jun 06 ?        0:00 /usr/sadm/lib/smc/bin/smcboot
    root   259     1  0   Jun 06 ?        0:01 /usr/lib/inet/xntpd
    root   233     1  0   Jun 06 ?        0:18 /usr/sbin/nscd
    root   215     1  0   Jun 06 ?        0:00 /usr/sbin/syslogd
    root   217     1  0   Jun 06 ?        0:13 /usr/sbin/cron
    root   256     1  0   Jun 06 ?        0:00 /usr/lib/utmpd
    root   322     1  0   Jun 06 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root   275     1  0   Jun 06 ?        0:00 /usr/sbin/vold
    root   292     1  0   Jun 06 ?        0:00 /usr/lib/efcode/sparcv9/efdaemon
    root   282     1  0   Jun 06 ?        0:00 /usr/lib/sendmail -bd -q15m
  oracle   355     1  0   Jun 06 ?        1:09 ora_dbw0_IVIEWDB
  oracle   361     1  0   Jun 06 ?        0:00 ora_smon_IVIEWDB
    root   378     1  0   Jun 06 ?        0:00 /etc/STATsrv/bin/STATsrv -p 5000
  oracle   359     1  0   Jun 06 ?       30:31 ora_ckpt_IVIEWDB
  oracle   353     1  0   Jun 06 ?        0:00 ora_pmon_IVIEWDB
    root 19040     1  0 15:41:07 console  0:00 /usr/lib/saf/ttymon -g -h -p iview console login:  -T sun -d /dev/console -l co
  oracle   363     1  0   Jun 06 ?        0:00 ora_reco_IVIEWDB
    root   399     1  0   Jun 06 ?        0:00 /usr/lib/dmi/snmpXdmid -s iview
    root   398     1  0   Jun 06 ?        0:00 /usr/lib/dmi/dmispd
    root   409   392  0   Jun 06 ?        0:08 mibiisa -r -p 32804
   linus   488     1  0   Jun 06 ?        0:00 /in/oracle/bin/tnslsnr IVIEW -inherit
    root 18356   177  0 14:55:20 ?        0:00 in.telnetd
    root 18358 18356  0 14:55:20 pts/3    0:00 -ksh
etlbilli 18562   177  0 15:09:43 ?        0:10 in.ftpd
iview>

Post #2, 2006-11-17 13:43
Does the file /etc/rc2.d/S70staticroutes exist?

Post #3, 2006-11-17 13:55
"One request every 3 to 6 seconds, without interruption"... that cannot possibly affect the target machine's services.

Post #4, 2006-11-17 16:36
The file /etc/rc2.d/S70staticroutes does not exist.
Also, I have now found that it is not sending ICMP packets to just one host; it is sending to 4 hosts.

Post #5, 2006-11-17 16:38
Could it be a virus?

Post #6, 2006-11-17 16:43
Is there any business traffic between the two machines?

Post #7, 2006-11-17 16:45
It is now sending to more than one machine, and none of these machines have any business connection with it.

  iview_bge2 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18010)
168.168.111.102 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18010)
  iview_bge2 -> 168.168.111.104 ICMP Echo request (ID: 10244 Sequence number: 18011)
168.168.111.104 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18011)
  iview_bge2 -> 168.168.111.101 ICMP Echo request (ID: 10244 Sequence number: 18012)
168.168.111.101 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18012)
  iview_bge2 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18015)
168.168.111.102 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18015)
  iview_bge2 -> 168.168.111.104 ICMP Echo request (ID: 10244 Sequence number: 18016)
168.168.111.104 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18016)
  iview_bge2 -> 168.168.111.101 ICMP Echo request (ID: 10244 Sequence number: 18017)
168.168.111.101 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18017)
  iview_bge2 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18020)

Post #8, 2006-11-17 16:51
It may be IPMP.

Post #9, 2006-11-17 23:06
Post the following:
more /etc/hosts
netstat -rn

Post #10, 2006-11-18 11:48
This is normal. The system uses IP multipathing (IPMP, IP Multi-Path).
It works by pinging other IP addresses on the same subnet to test whether this NIC's link is up.
You can see that bge2 and bge3 are in the same IPMP group.
-----------------------
bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 168.168.101.13 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
bge2:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 168.168.101.12 netmask ffff0000 broadcast 168.168.255.255
bge3: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 5
        inet 168.168.101.14 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1

The IP configuration can be checked with the following command:
# more /etc/hostname.*

IPMP is covered in the Solaris 10 system administration guide:
http://docs.sun.com/app/docs/doc/816-4554/6maoq027h?a=view
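As an added example (not from the thread and not part of any poster's reply), the POSIX shell script below automates the check post #10 describes: it pulls the IPMP test addresses (the logical interfaces flagged DEPRECATED and NOFAILOVER) out of `ifconfig -a` output and then classifies the ICMP echo requests in `snoop` summary output as in.mpathd probes or as unexplained pings that still need a process tied to them. The ifconfig and snoop samples embedded in it are constructed from the thread's output, with one extra request from the data address 168.168.101.13 to 168.168.111.50 added so that an unexplained ping appears in the result; the function names are mine.

```shell
#!/bin/sh
# Added example: separate in.mpathd IPMP probes from unexplained ICMP echo
# requests. Sample data below is constructed from the thread; on a live
# Solaris host feed real output instead:
#   ifconfig -a | ipmp_test_addrs
#   snoop -r -d bge2 icmp | classify_echo_requests "<test addresses>"

# Constructed ifconfig -a excerpt: the ipmp1 group from the thread.
IFCONFIG_SAMPLE='bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 168.168.101.13 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
bge2:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 168.168.101.12 netmask ffff0000 broadcast 168.168.255.255
bge3: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 5
        inet 168.168.101.14 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1'

# Constructed snoop -r summary lines: the in.mpathd pattern from the thread
# (one ICMP identifier, round-robin over several targets) plus one request
# from the data address 168.168.101.13, which IPMP never probes from.
SNOOP_SAMPLE='168.168.101.12 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18010)
168.168.111.102 -> 168.168.101.12 ICMP Echo reply (ID: 10244 Sequence number: 18010)
168.168.101.12 -> 168.168.111.104 ICMP Echo request (ID: 10244 Sequence number: 18011)
168.168.111.104 -> 168.168.101.12 ICMP Echo reply (ID: 10244 Sequence number: 18011)
168.168.101.12 -> 168.168.111.101 ICMP Echo request (ID: 10244 Sequence number: 18012)
168.168.111.101 -> 168.168.101.12 ICMP Echo reply (ID: 10244 Sequence number: 18012)
168.168.101.13 -> 168.168.111.50 ICMP Echo request (ID: 7 Sequence number: 1)
168.168.101.12 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18015)'

# ipmp_test_addrs: from ifconfig -a output on stdin, print the IPv4 address
# of every logical interface flagged both DEPRECATED and NOFAILOVER. These
# are the IPMP test addresses that in.mpathd sources its probes from.
ipmp_test_addrs() {
    awk '
        /^[a-z]/ { is_test = (/DEPRECATED/ && /NOFAILOVER/) }
        is_test && $1 == "inet" { print $2 }
    '
}

# classify_echo_requests ADDRS: read snoop summary lines on stdin and split
# ICMP echo requests into probes (source is one of the whitespace-separated
# test addresses in ADDRS) and unexplained ones. Prints a summary line
# "probes=N targets=T ids=I other=M", then one line per unexplained
# request. ids counts distinct ICMP identifiers among the probes; one
# probing daemon means one identifier, so ids should be 1.
classify_echo_requests() {
    awk -v addrs="$1" '
        BEGIN {
            probes = targets = ids = other = 0
            n = split(addrs, a, " ")
            for (i = 1; i <= n; i++) test[a[i]] = 1
        }
        $4 == "ICMP" && $5 == "Echo" && $6 == "request" {
            if ($1 in test) {
                probes++
                if (!($3 in tgt)) { tgt[$3] = 1; targets++ }
                if (!($8 in id))  { id[$8] = 1; ids++ }
            } else {
                other++
                extra[other] = $0
            }
        }
        END {
            printf "probes=%d targets=%d ids=%d other=%d\n", probes, targets, ids, other
            for (i = 1; i <= other; i++) print "unexplained: " extra[i]
        }
    '
}

# triage_sample: run both steps over the constructed samples.
triage_sample() {
    addrs=$(printf '%s\n' "$IFCONFIG_SAMPLE" | ipmp_test_addrs | tr '\n' ' ')
    printf '%s\n' "$SNOOP_SAMPLE" | classify_echo_requests "$addrs"
}

triage_sample
```

On a live host, use `snoop -r` so that the source column stays numeric instead of turning into an /etc/hosts alias such as iview_bge2. Requests from a test address with a single ICMP identifier and a small rotating set of targets, with /sbin/in.mpathd present in `ps -ef` as it is in post #1, is the in.mpathd pattern; a request from a data address, or a second identifier, is something else and should be tied to a process before it is dismissed. The probe rate is governed by FAILURE_DETECTION_TIME in /etc/default/mpathd, and probe targets can be pinned by adding host routes to chosen systems, which is why post #2 asked about the static-routes startup script.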