[SOLVED] How to reduce the number of ICMP echo requests from my LEDE box?

angelos · May 27, 2017, 5:14pm

Basically, I have two (2) questions:

[Question 1]
Using tcpdump, I see ICMP echo requests from my LEDE box to three (3) different destinations:

A.) To my ISP's DNS
B.) To google's DNS
C.) To opendns.com DNS

Why is this happening? Is it normal?

[Question 2]
I have set these parameters in /etc/ppp/options:

lcp-echo-failure 5
lcp-echo-interval 60

The interval just doesn't work!
Whatever value I set, my LEDE box sends ICMP requests to those three (3) destinations, every few seconds!
See image:

So... how can I set/reduce the number of ICMP requests?
Thank you in advance!

moeller0 · May 27, 2017, 5:38pm

I am not 100% sure, but I assume that PPP LCP echos are not using IP/ICMP packets for their keep-alive pinging. Also the ppp lcp packets will terminate at the ppp-tunnels other side, so not go out to any further IP target. So while I have no idea whether the three ICMP targets make sense (for google dns I could imagine that an android device in the local network might issue tjose and depending wher you took the packet capture you just see your external IP address), PPP LCP does not seem to be your problem, and hence fiddling with the lac parameters is not going to help...

Hope that helps...

angelos · May 27, 2017, 6:00pm

Thank's moeller0.
So LCP doesn't use ICMP, that makes sense.

As for the log, the capture is in an "idle" state -if there is such a thing in network communications-, I mean only one PC connected to the router and without any opened apps like browsers etc. I'm monitoring traffic all day now, and I can't figure out why is this (icmp echo requests to 3 destinations) happening.

If anyone has an idea on that and on how to reduce the number of the requests, I'm all ears.
Thank's again!

fuller · May 29, 2017, 8:29pm

tcpdump on you lan interface to see if the packets originate from your computer.
otherwise maybe collectd-mod-ping on your router?

aside from that, it looks like 3pings/5sec ... should not be a problem

nietamten · May 30, 2017, 8:36am

It's hard to determine process sending ICMP.

I found that methods:

lsof -n | grep -i st=07

netstat -a -u -n -p

But both can fail easily because it's checking only trffic at moment of command execution.

If i was desperate i would install strace and htop then after running htop there should be list of about 25 processes.
After selecting suspected one, clicking 's' (strace) and 'f8' (autoscroll) some messages are visible, understanding of them is not necessary if they occurs same time when ICMP occurs... Unfortunetly message list can be flooded by unwanted ones.

angelos · May 30, 2017, 12:58pm

Thank's a lot guys!
htop helped me understand what is going on.

The mwan3 package is responsible for the ICMP requests, as it uses a 5 seconds interval...

So in order to solve this, you can change the interval in /etc/config/mwan3 OR completely disable multiwan if you only have one (1) wan connection and there is no need for it.

Greetings!

golialive · May 30, 2017, 1:33pm

Of course mwan uses a mechanism to check if a certain interface is still up. But you didn't say anything about mwan in the first place, and mwan is not part of any regular LEDE build, is it?

Did you install mwan by accident or for testing purposes or are you using a custom LEDE build that just comes with mwan?

Regards,
Stephan.

angelos · May 30, 2017, 2:11pm

I'm using the "official" 17.01.1 release and I have installed many packages I don't (currently) need, one of these is mwan3.

I just couldn't imagine mwan3 would cause that kind of behavior.
Anyway, it's all clear to me now.