Troubleshooting
Problem
ITNM appears to be raising a ping fail event when the device is up.
Resolving The Problem
Before raising a Service Request with IBM, double check that the ping fails are unexpected.
tcpdump is the Linux command-line tool required to collect packets.
You can limit the amount of data it captures by specifying that only ICMP data is to be collected, like this:
tcpdump icmp
You can also limit the interface on which tcpdump listens. If you can accurately determine the interface, and if the customer has many interfaces, then use the -i flag.
tcpdump -i eth0 icmp
I am using eth0 as an example; you need to determine on which interface the ITNM Poller is sending and receiving ping packets.
You can list the interfaces that tcpdump can listen on using -D
tcpdump -D
You can prevent hostname and port resolution (to make this faster) by using -nn
tcpdump -nni eth0 icmp
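If the ping fails consistently come from a small set of IP addresses you can specify the IPs in the command:
tcpdump -nni eth0 'icmp and (host IP1 or host IP2)'
... where IP1 is your first IP and IP2 is your second. The "or" inside the parentheses matches ICMP packets to or from either address, and the quotes stop the shell from interpreting the parentheses.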
If you cannot tell which host is going to raise the ping fail then leave out the host options. You can use the same filter when reading the output to find the ICMP requests and responses from the problematic device.
If the suspected ping fails are sporadic then you can store the output for reading later.
Write the output to a file using -w
tcpdump -w /tmp/icmp.pcap -nni eth0 icmp
Restrict the output file to a certain size using -C. I use 100 megabytes in the example; you need to determine how large you want the file to be.
tcpdump -C 100 -w /tmp/icmp.pcap -nni eth0 icmp
Instruct tcpdump to store a certain number of files using -W. I use 50 files as an example; you need to determine how many files you can store based on your storage capacity.
tcpdump -W 50 -C 100 -w /tmp/icmp.pcap -nni eth0 icmp
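Fifty files at 100 MB each is about 5 GB.
Once you have the IP of the suspected false ping fail, read through the output using the -r option. If the capture was rotated with -C or -W, the rotated files carry a number appended to the name given with -w, so substitute the numbered file that covers the time of the event.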
tcpdump -r /tmp/icmp.pcap host IP
... where IP is the IP address that raised the ping fail. Alternatively you can load the icmp.pcap file in Wireshark and use the following filter to show all requests that received no response:
ip.addr==IP and not icmp.resp_in and icmp.type==8
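A command-line counterpart to the Wireshark filter above, added here as an example and not part of the original technote: it pairs each echo request with its reply by address, id and seq, and prints the requests that were never answered. It assumes tcpdump's text output for ICMP echo lines as printed with -nn; the function names are hypothetical and the sample lines are constructed using documentation addresses.

```shell
#!/bin/sh
# Reads `tcpdump -nn` text output on stdin and prints every ICMP echo request
# that never got an echo reply with the same id and seq from the pinged host.
unanswered_pings() {
    awk '
    # Build "src dst id seq" from the current line. Fields are located by
    # their markers (">", "id", "seq") so extra timestamp columns do not matter.
    function key(swap,   i, src, dst, id, seq) {
        for (i = 2; i < NF; i++) {
            if ($i == ">" && src == "") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
            if ($i == "id")  id  = $(i + 1)
            if ($i == "seq") seq = $(i + 1)
        }
        return (swap ? dst " " src : src " " dst) " " id " " seq
    }
    / ICMP echo request,/ {
        req[++n] = $0          # remember every request in capture order
        latest[key(0)] = n     # id/seq repeat in long captures: track the newest
    }
    / ICMP echo reply,/ {
        k = key(1)             # a reply travels back, so swap the addresses
        if (k in latest) { answered[latest[k]] = 1; delete latest[k] }
    }
    END {
        for (i = 1; i <= n; i++) if (!(i in answered)) print req[i]
    }'
}

# Constructed sample in tcpdump -nn output format (not a real capture).
# 192.0.2.10 stands in for the poller; the 198.51.100.x hosts are polled devices.
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000700 IP 198.51.100.20 > 192.0.2.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 4242, seq 2, length 64
12:00:02.100000 IP 192.0.2.10 > 198.51.100.30: ICMP echo request, id 4243, seq 1, length 64
12:00:02.100900 IP 198.51.100.30 > 192.0.2.10: ICMP echo reply, id 4243, seq 1, length 64
12:05:02.000000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 4242, seq 2, length 64
12:05:02.000600 IP 198.51.100.20 > 192.0.2.10: ICMP echo reply, id 4242, seq 2, length 64
EOF
}

# Real use: tcpdump -nn -r /tmp/icmp.pcap icmp and host IP | unanswered_pings
sample_capture | unanswered_pings
```

A reply that arrives after the poller has already timed out still counts as answered here, so compare the request and reply timestamps in the capture against the poll timeout when a device looks healthy in the output.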
Document Information
Modified date: 17 June 2018
UID: swg21968658