Let’s imagine you are an IP engineer and you suddenly notice an increasing number of “TTL exceeded” packets on your router. Your first thought is “what the hell is it? How do I find the source of these packets?”
Take it easy. Here is how to investigate such an issue on a Huawei router.
[labnario]display ip statistics
  Input:        sum                2783201    local              2321967
                bad protocol             0    bad format               0
                bad checksum             0    bad options              0
                discard srr              0    TTL exceeded        494196
  Output:       forwarding               0    local               886008
                dropped                  0    no route                 0
  Fragment:     input                    0    output                   0
                dropped                  0    fragmented               0
                couldn't fragment        0
  Reassembling: sum                      0    timeouts                 0
As you can see, there are “TTL exceeded” packets. The “display ip statistics” command shows packets that are directed to the CPU. Don’t mix these up with packets counted on the interface. For example, you may have no dropped packets on the interface while “display ip statistics” still shows such packets.
What does “TTL exceeded” mean?
It means the router receives packets with TTL=1.
What happens if it receives such packets?
It sends ICMP timeout packets.
We can check it using the following command:
[labnario]display icmp statistics
  Input:  bad formats                  0    bad checksum                 0
          echo                      3108    destination unreachable    294
          source quench                0    redirects                    0
          echo reply                   0    parameter problem            0
          timestamp                    0    information request          0
          mask requests                0    mask replies                 0
          time exceeded                0
          Mping request                0    Mping reply                  0
  Output: echo                         0    destination unreachable      0
          source quench                0    redirects                    0
          echo reply                3108    parameter problem            0
          timestamp                    0    information reply            0
          mask requests                0    mask replies                 0
          time exceeded           494196
          Mping request                0    Mping reply                  0
When you compare both outputs, you will see that “TTL exceeded” = “time exceeded”.
Now let’s find the source of these packets:
Feb 14 2012 09:08:08.250.1 labnario IP/7/debug_icmp:Slot=3;ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.113, First 8 bytes = B5E400A1 002C9D0D
As you can see, debugging ICMP packets is helpful in this case.
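With many such debug lines, counting them per original flow shows which host is responsible. The following Python script is an added example, not part of the original post: it parses the debug line format shown above, decodes the ports from the "First 8 bytes" field for TCP and UDP, and ranks the sources. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of the "ICMP Send: ttl-exceeded" debug line shown in the post.
LINE_RE = re.compile(
    r"ttl-exceeded\(Type=11, Code=0\), Src = (?P<router>[\d.]+), "
    r"Dst = (?P<icmp_dst>[\d.]+); Original IP header: Pro = (?P<proto>\d+), "
    r"Src = (?P<src>[\d.]+), Dst = (?P<dst>[\d.]+), "
    r"First 8 bytes = (?P<w1>[0-9A-Fa-f]{8}) (?P<w2>[0-9A-Fa-f]{8})")

def parse_line(line):
    """Return the expired packet's flow from one debug line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    flow = {"src": m["src"], "dst": m["dst"], "proto": proto,
            "sport": None, "dport": None}
    # For TCP (6) and UDP (17) the first 4 payload bytes are src/dst port.
    if proto in (6, 17):
        w1 = int(m["w1"], 16)
        flow["sport"], flow["dport"] = w1 >> 16, w1 & 0xFFFF
    return flow

def top_sources(lines):
    """Count expired packets per (src, dst, proto, dport), busiest first."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f:
            counts[(f["src"], f["dst"], f["proto"], f["dport"])] += 1
    return counts.most_common()

PREFIX = ("labnario IP/7/debug_icmp:Slot=3;ICMP Send: "
          "ttl-exceeded(Type=11, Code=0), Src = 10.222.143.13, ")
SAMPLE = [
    # Line taken from the post.
    "Feb 14 2012 09:08:08.250.1 " + PREFIX + "Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.113, First 8 bytes = B5E400A1 002C9D0D",
    # Constructed lines (not from the post).
    "Feb 14 2012 09:08:08.310.1 " + PREFIX + "Dst = 172.16.20.88; Original IP header: Pro = 17, Src = 172.16.20.88, Dst = 10.222.143.113, First 8 bytes = B5E500A1 002C9D0C",
    "Feb 14 2012 09:08:09.120.1 " + PREFIX + "Dst = 192.0.2.10; Original IP header: Pro = 1, Src = 192.0.2.10, Dst = 198.51.100.7, First 8 bytes = 0800F7FF 00010001",
]

if __name__ == "__main__":
    for (src, dst, proto, dport), n in top_sources(SAMPLE):
        print(f"{n:6d}  {src} -> {dst}  proto={proto} dport={dport}")
```

For the line from the post, the decoded destination port is UDP 161, the SNMP port, so the packets arriving with TTL=1 are SNMP traffic from 172.16.20.88.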