IBM Support

Using tcpdump to verify ICMP polling.

Troubleshooting


Problem

ITNM appears to be raising ping fail events when the device is up.

Resolving The Problem

Before raising a Service Request with IBM, double check that the ping fails are unexpected by capturing the ICMP traffic between the ITNM poller and the device.
tcpdump is the command line tool used to capture packets on Linux. It has to open the network interface in promiscuous mode, so run it as root (or with the CAP_NET_RAW capability).
You can limit the amount of data it captures by specifying that only ICMP packets are to be collected, like this:
tcpdump icmp

You can also limit the interface on which tcpdump listens. If you can accurately determine the interface, and if the customer has many interfaces, then use the -i flag:
tcpdump -i eth0 icmp

eth0 is used here as an example; you need to determine on which interface the ITNM poller sends and receives its ping packets.
You can list the interfaces that tcpdump can listen on using -D:
tcpdump -D

You can prevent hostname and port resolution (which makes the capture faster and keeps DNS lookups out of the output) by using -nn:
tcpdump -nni eth0 icmp

If the ping fails consistently come from a small set of IP addresses you can specify the IPs in the filter. Join them with or, not and: a filter of host IP1 and host IP2 only matches packets exchanged directly between IP1 and IP2, so it would miss the poller's traffic to either device. Quote the filter so the shell does not interpret the parentheses:
tcpdump -nni eth0 'icmp and (host IP1 or host IP2)'

.... where IP1 is your first IP and IP2 is your second.

If you cannot tell which host is going to raise the ping fail then leave out the host options. You can use the same filter when reading the output to find the icmp requests and responses from the problematic device.

If the suspected ping fails are sporadic then you can store the capture for reading later.
Write the packets to a file using -w (on distributions where tcpdump drops privileges to its own user, the directory must be writable by that user):
tcpdump -w /tmp/icmp.pcap -nni eth0 icmp

Restrict the size of each output file using -C. The unit is millions of bytes (1,000,000 bytes, not 1,048,576); 100 MB is used in the example, you need to determine how large you want the file to be. When a file reaches the limit tcpdump closes it and starts the next one, numbered /tmp/icmp.pcap1, /tmp/icmp.pcap2 and so on:
tcpdump -C 100 -w /tmp/icmp.pcap -nni eth0 icmp

Instruct tcpdump to keep only a certain number of files using -W. Once that many files exist tcpdump overwrites them from the first again, so the capture becomes a rotating buffer and cannot fill the disk; 50 files is used as an example, you need to determine how many files you can store based on your storage capacity. With -W the file names are zero-padded so that they sort correctly (/tmp/icmp.pcap00 to /tmp/icmp.pcap49), so there will be no file called /tmp/icmp.pcap:
tcpdump -W 50 -C 100 -w /tmp/icmp.pcap -nni eth0 icmp

Fifty files at 100 MB each is about 5 GB.

Once you have the IP of the suspected false ping fail, read through the capture using the -r option, again with -nn so that the addresses are printed as captured:
tcpdump -nn -r /tmp/icmp.pcap host IP

... where IP is the IP address that raised the ping fail. If the capture was rotated with -C and -W, repeat this for each numbered file (/tmp/icmp.pcap00, /tmp/icmp.pcap01, ...). A ping fail is genuine if the echo request leaves the poller and no echo reply with the same id and seq comes back; if the reply is present in the capture, the ping fail is unexpected and worth raising with IBM. Alternatively you can load the file in Wireshark and use the following display filter to show all echo requests (icmp.type==8) for which Wireshark found no matching reply (icmp.resp_in is only set on a request once its reply has been seen):
ip.addr==IP and not icmp.resp_in and icmp.type==8
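As an added example (not code from the IBM technote), here is a command-line equivalent of that Wireshark filter for poller hosts where Wireshark is not installed: a POSIX shell script that reads the text output of tcpdump -nn -r and lists every echo request that never received a reply, pairing requests and replies on the peer address, ICMP id and sequence number. The dump_captures helper, the /tmp/icmp.pcap prefix and the sample packet lines are assumptions constructed for the example; the parser assumes tcpdump's default timestamp format and IPv4 output.

```shell
#!/bin/sh
# Added example, not part of the IBM technote: a command-line equivalent of the
# Wireshark filter "not icmp.resp_in and icmp.type==8". It reads the text output
# of "tcpdump -nn -r" and lists every ICMP echo request whose (target, id, seq)
# never saw a matching echo reply. The capture prefix, the helper below and the
# sample packets are constructed for illustration.

# Hypothetical helper for captures rotated with -C/-W, which are named with the
# -w prefix plus a zero-padded number (icmp.pcap00, icmp.pcap01, ...).
# $1 = capture prefix (e.g. /tmp/icmp.pcap), $2 = IP that raised the ping fail.
dump_captures() {
    for f in "$1"*; do
        [ -f "$f" ] && tcpdump -nn -r "$f" "icmp and host $2"
    done
}

# Pair echo requests with echo replies on (peer IP, id, seq) and print the
# requests that were never answered, in the order they were sent.
unanswered_echo_requests() {
    awk '
    # Strip the trailing ":" or "," tcpdump prints after addresses and numbers.
    function trim(v) { sub(/[:,]$/, "", v); return v }

    # 12:00:01.000000 IP 10.1.1.5 > 10.2.2.9: ICMP echo request, id 4660, seq 1, length 64
    /ICMP echo request,/ {
        key = trim($5) "/" trim($10) "/" trim($12)   # target/id/seq
        if (!(key in sent)) order[++n] = key
        sent[key] = $1                                # timestamp of the request
        next
    }

    # 12:00:01.000420 IP 10.2.2.9 > 10.1.1.5: ICMP echo reply, id 4660, seq 1, length 64
    /ICMP echo reply,/ {
        answered[$3 "/" trim($10) "/" trim($12)] = 1  # replier/id/seq
    }

    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in answered)) {
                split(k, p, "/")
                printf "%s id=%s seq=%s sent=%s\n", p[1], p[2], p[3], sent[k]
            }
        }
    }'
}

# Constructed sample: the poller 10.1.1.5 pings 10.2.2.9 three times and gets
# replies to seq 1 and 3 only, and a single ping to 10.3.3.3 goes unanswered.
SAMPLE='12:00:01.000000 IP 10.1.1.5 > 10.2.2.9: ICMP echo request, id 4660, seq 1, length 64
12:00:01.000420 IP 10.2.2.9 > 10.1.1.5: ICMP echo reply, id 4660, seq 1, length 64
12:00:02.000000 IP 10.1.1.5 > 10.2.2.9: ICMP echo request, id 4660, seq 2, length 64
12:00:03.000000 IP 10.1.1.5 > 10.2.2.9: ICMP echo request, id 4660, seq 3, length 64
12:00:03.000390 IP 10.2.2.9 > 10.1.1.5: ICMP echo reply, id 4660, seq 3, length 64
12:00:04.000000 IP 10.1.1.5 > 10.3.3.3: ICMP echo request, id 4661, seq 1, length 64'

# On a real poller replace the sample with: dump_captures /tmp/icmp.pcap 10.2.2.9
printf '%s\n' "$SAMPLE" | unanswered_echo_requests
```

Matching on id and seq rather than on the address alone matters: a late reply to an earlier sequence number must not be mistaken for an answer to the request that ITNM actually timed out on. Any line this prints is a ping fail the network really did drop; if the list is empty for the time of the event, the reply reached the poller and the event is unexpected.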

Product: Tivoli Network Manager IP Edition (SSSHRK)
Business Unit: Cloud & Data Platform
Platform: AIX, Linux
Version: Version Independent
Line of Business: Automation

Document Information

Modified date:
17 June 2018

UID

swg21968658