ICMP PMTUD


#1

So we are starting to implement jumbo frames, but I wanted to set up a trigger, alert, and dashboard to be able to see when and where we have issues. So I was looking for a metric with ICMP type 4, code 3, but it looks like ExtraHop does not pull the ICMP codes.
Does anyone have a trigger or quick method for pulling ICMP type 4, code 3 messages?
One of our sales engineers suggested I start with this:

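if (event == 'ICMP_MESSAGE') {
    // Only handle ICMP messages of type 3; ignore everything else.
    if (ICMP.msgType != 3) { return; }
    // Log the gateway, the quoted original source/destination, and the message type.
    debug("Gateway: " + ICMP.gwAddr + " Source: " + ICMP.original.srcAddr + " Destination: "
        + ICMP.original.dstAddr + " Message Type: " + ICMP.msgType);
}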

But I am pretty sure I will have to unpack the ICMP message based on the need for code 3.
Any suggestions greatly appreciated.


#2

You should be able to use something like the following:
(note: untested code)

// Look for destination unreachable due to DF bit set and fragmentation needed.
if( ICMP.msgType == 3 && ICMP.msgCode == 4 ) {
    Network.metricAddDetailCount("icmp_df_fragneeded", "Gateway: " + ICMP.gwAddr + " Source: " + ICMP.original.srcAddr + " Destination: "+ICMP.original.dstAddr, 1);
}

Then, just use an alert for the “icmp_df_fragneeded” detail metric, or display it on a dashboard.


#3

This worked perfectly. Much appreciated.


#4

We did make a change to this. For the gateway, we changed and used Flow.sender.ipaddr, because for some reason the ICMP.gwAddr was blank or null quite often. With the Flow.sender.ipaddr we get the router that replied with the ICMP message, which tells us where to look immediately.

Thanks.
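
Added example, not part of the thread and not ExtraHop trigger code: a stand-alone Node.js decoder for the ICMPv4 type 3, code 4 message discussed above. It shows that this message carries a next-hop MTU (RFC 1191) and the quoted original IP header, while the gateway-address field is defined only for Redirect (type 5) in RFC 792. The function names, the `routerIp` parameter, and the sample packet are constructed for illustration.

```javascript
// Added example: decode an ICMPv4 "fragmentation needed" message (type 3, code 4).
// Layout (RFC 792 / RFC 1191): byte 0 type, 1 code, 2-3 checksum, 4-5 unused,
// 6-7 next-hop MTU, 8.. quoted original IPv4 header + first 8 payload bytes.
function ipv4ToString(buf, off) {
  return Array.from(buf.subarray(off, off + 4)).join('.');
}

function parseFragNeeded(icmp) {
  if (icmp.length < 8) throw new RangeError('truncated ICMP header');
  if (icmp[0] !== 3 || icmp[1] !== 4) return null;   // not a PMTUD signal
  const nextHopMtu = icmp.readUInt16BE(6);           // 0 if the router predates RFC 1191
  const orig = icmp.subarray(8);
  if (orig.length < 20 || (orig[0] >> 4) !== 4) {
    return { nextHopMtu, original: null };           // quoted header missing or not IPv4
  }
  return {
    nextHopMtu,
    original: {
      totalLength: orig.readUInt16BE(2),             // size of the packet that was dropped
      dontFragment: (orig.readUInt16BE(6) & 0x4000) !== 0,
      protocol: orig[9],
      srcAddr: ipv4ToString(orig, 12),
      dstAddr: ipv4ToString(orig, 16),
    },
  };
}

// Detail key in the style used in the thread; routerIp (hypothetical parameter) is
// the source of the outer IP packet, i.e. the router that sent the ICMP message.
function detailKey(routerIp, parsed) {
  const o = parsed.original || { srcAddr: 'unknown', dstAddr: 'unknown' };
  return 'Gateway: ' + routerIp + ' Source: ' + o.srcAddr +
         ' Destination: ' + o.dstAddr + ' Next-hop MTU: ' + parsed.nextHopMtu;
}

// Constructed sample (checksums zeroed, not verified): a router reports MTU 1500
// for a 9000-byte TCP packet with DF set, sent from 10.0.0.5 to 10.0.1.9.
const SAMPLE = Buffer.from(
  '03040000000005dc' +                          // ICMP header: type 3, code 4, MTU 1500
  '4500232812344000400600000a0000050a000109' +  // quoted IPv4 header
  'c00001bb00000001',                           // first 8 bytes of the TCP header
  'hex');

const parsed = parseFragNeeded(SAMPLE);
console.log(detailKey('10.0.0.1', parsed));
```

A reported next-hop MTU smaller than the quoted packet's total length, with DF set, marks the hop where jumbo frames stop fitting.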