求救：solaris 主机不停另一台主机发送ICMP包，可以如何定位？

waterlh

目前发现这台主机（168.168.101.12)不停的往另外一台主机（168.168.111.100)发送ICMP包，并且有可能影响该主机（168.168.111.100)的业务，但是没有发现任何可疑的进程；其他主机没有发现该现象。各位能否帮助分析定位下？

iview> date;snoop -d bge2 -V 168.168.111.100
Thu Nov 16 14:55:37 CST 2006
Using device /dev/bge (promiscuous mode)
________________________________
  iview_bge2 -> 168.168.111.100 ETHER Type=0800 (IP), size = 50 bytes
  iview_bge2 -> 168.168.111.100 IP  D=168.168.111.100 S=168.168.101.12 LEN=36, ID=5894
  iview_bge2 -> 168.168.111.100 ICMP Echo request (ID: 10244 Sequence number: 32583)
________________________________
168.168.111.100 -> iview_bge2   ETHER Type=0800 (IP), size = 60 bytes
168.168.111.100 -> iview_bge2   IP  D=168.168.101.12 S=168.168.111.100 LEN=36, ID=44383
168.168.111.100 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 32583)
________________________________
  iview_bge2 -> 168.168.111.100 ETHER Type=0800 (IP), size = 50 bytes
  iview_bge2 -> 168.168.111.100 IP  D=168.168.111.100 S=168.168.101.12 LEN=36, ID=5895
  iview_bge2 -> 168.168.111.100 ICMP Echo request (ID: 10244 Sequence number: 3258
________________________________
168.168.111.100 -> iview_bge2   ETHER Type=0800 (IP), size = 60 bytes
168.168.111.100 -> iview_bge2   IP  D=168.168.101.12 S=168.168.111.100 LEN=36, ID=44384
168.168.111.100 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 3258
________________________________
  iview_bge2 -> 168.168.111.100 ETHER Type=0800 (IP), size = 50 bytes
  iview_bge2 -> 168.168.111.100 IP  D=168.168.111.100 S=168.168.101.12 LEN=36, ID=5896
  iview_bge2 -> 168.168.111.100 ICMP Echo request (ID: 10244 Sequence number: 32593)
观察发现每3～6秒发送一次，没有间断。

iview linus>ps -ef|grep IView
   linus 20354 20341  0 16:59:45 pts/3    0:00 grep IView
iview linus>ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.10.10.5 netmask ffffff00 broadcast 10.10.10.255
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.10.11.5 netmask ffffff00 broadcast 10.10.11.255
bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 168.168.101.13 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
bge2:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 168.168.101.12 netmask ffff0000 broadcast 168.168.255.255
bge3: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 5
        inet 168.168.101.14 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
iview linus>

iview> ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Jun 06 ?        0:17 sched
    root     1     0  0   Jun 06 ?        1:21 /etc/init -
    root     2     0  0   Jun 06 ?        0:00 pageout
    root     3     0  0   Jun 06 ?       1583:06 fsflush
    root   405     1  0   Jun 06 ?        0:00 /usr/lib/saf/sac -t 300
    root   408   405  0   Jun 06 ?        0:00 /usr/lib/saf/ttymon
    root   392     1  0   Jun 06 ?        0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
    root 20321 18358  0 16:57:41 pts/3    0:00 ps -ef
    root    40     1  0   Jun 06 ?        0:53 /sbin/in.mpathd
    root    70     1  0   Jun 06 ?        0:00 /usr/lib/sysevent/syseventd
    root   177     1  0   Jun 06 ?        0:01 /usr/sbin/inetd -s
    root   153     1  0   Jun 06 ?        0:00 /usr/sbin/rpcbind
    root   198     1  0   Jun 06 ?        0:00 /usr/lib/autofs/automountd
  oracle   357     1  0   Jun 06 ?        2:00 ora_lgwr_IVIEWDB
    root   265   263  0   Jun 06 ?        0:00 /usr/sadm/lib/smc/bin/smcboot
  daemon   186     1  0   Jun 06 ?        0:00 /usr/lib/nfs/statd
    root   185     1  0   Jun 06 ?        0:00 /usr/lib/nfs/lockd
    root   239     1  0   Jun 06 ?        0:00 /usr/lib/lpsched
    root   263     1  0   Jun 06 ?        0:00 /usr/sadm/lib/smc/bin/smcboot
    root   259     1  0   Jun 06 ?        0:01 /usr/lib/inet/xntpd
    root   233     1  0   Jun 06 ?        0:18 /usr/sbin/nscd
    root   215     1  0   Jun 06 ?        0:00 /usr/sbin/syslogd
    root   217     1  0   Jun 06 ?        0:13 /usr/sbin/cron
    root   256     1  0   Jun 06 ?        0:00 /usr/lib/utmpd
    root   322     1  0   Jun 06 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root   275     1  0   Jun 06 ?        0:00 /usr/sbin/vold
    root   292     1  0   Jun 06 ?        0:00 /usr/lib/efcode/sparcv9/efdaemon
    root   282     1  0   Jun 06 ?        0:00 /usr/lib/sendmail -bd -q15m
  oracle   355     1  0   Jun 06 ?        1:09 ora_dbw0_IVIEWDB
  oracle   361     1  0   Jun 06 ?        0:00 ora_smon_IVIEWDB
    root   378     1  0   Jun 06 ?        0:00 /etc/STATsrv/bin/STATsrv -p 5000
  oracle   359     1  0   Jun 06 ?       30:31 ora_ckpt_IVIEWDB
  oracle   353     1  0   Jun 06 ?        0:00 ora_pmon_IVIEWDB
    root 19040     1  0 15:41:07 console  0:00 /usr/lib/saf/ttymon -g -h -p iview console login:  -T sun -d /dev/console -l co
  oracle   363     1  0   Jun 06 ?        0:00 ora_reco_IVIEWDB
    root   399     1  0   Jun 06 ?        0:00 /usr/lib/dmi/snmpXdmid -s iview
    root   398     1  0   Jun 06 ?        0:00 /usr/lib/dmi/dmispd
    root   409   392  0   Jun 06 ?        0:08 mibiisa -r -p 32804
   linus   488     1  0   Jun 06 ?        0:00 /in/oracle/bin/tnslsnr IVIEW -inherit
    root 18356   177  0 14:55:20 ?        0:00 in.telnetd
    root 18358 18356  0 14:55:20 pts/3    0:00 -ksh
etlbilli 18562   177  0 15:09:43 ?        0:10 in.ftpd
iview>

byuq

这个文件/etc/rc2.d/S70staticroutes存在吗？

yuhuohu

观察发现每3～6秒发送一次，没有间断。。。这个根本不会影响目标机的业务

waterlh

/etc/rc2.d/S70staticroutes这个文件不存在，
而且现在发现它不仅仅往一台主机发ICMP包，现在发现在往4台主机上发。

waterlh

难道是有病毒？

风之幻想

2台机器见有没有业务通信.

waterlh

现在不止往一台机器发，而且这些机器跟它都没有任何业务联系的。

  iview_bge2 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18010)
168.168.111.102 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18010)
  iview_bge2 -> 168.168.111.104 ICMP Echo request (ID: 10244 Sequence number: 18011)
168.168.111.104 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18011)
  iview_bge2 -> 168.168.111.101 ICMP Echo request (ID: 10244 Sequence number: 18012)
168.168.111.101 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18012)
  iview_bge2 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18015)
168.168.111.102 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18015)
  iview_bge2 -> 168.168.111.104 ICMP Echo request (ID: 10244 Sequence number: 18016)
168.168.111.104 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18016)
  iview_bge2 -> 168.168.111.101 ICMP Echo request (ID: 10244 Sequence number: 18017)
168.168.111.101 -> iview_bge2   ICMP Echo reply (ID: 10244 Sequence number: 18017)
  iview_bge2 -> 168.168.111.102 ICMP Echo request (ID: 10244 Sequence number: 18020)

Barrfee

有可能是ipmp。

aric

post the following :
more /etc/hosts
netstat -rn

mkwf

是正常情况－这个系统使用了IP多路径 IPMP - IP Multi-Path功能.
它的原理就是通过ping同网段的其它IP测试本网卡的联接情况。
可以看出bge2和bge3是在同一个IPMP组中。
-----------------------
bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 168.168.101.13 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1
bge2:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 168.168.101.12 netmask ffff0000 broadcast 168.168.255.255
bge3: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 5
        inet 168.168.101.14 netmask ffff0000 broadcast 168.168.255.255
        groupname ipmp1

用下面的命令可以检测IP配置
# more /etc/hostname.*

关于IPMP的内容在Solaris 10的管理手册中有
http://docs.sun.com/app/docs/doc/816-4554/6maoq027h?a=view