[j-nsp] Identifying pfe icmp throttled traffic

Richard A Steenbergen ras at e-gerbil.net
Sun Mar 8 17:25:00 EDT 2009


Is there any way to log/view some of the ICMP packets being handled by
the pfe processor? I've got a router which is being hit by what appears
to be a large amount of TTL expiring packets (either someone's traceroute
run amuck, a DoS, or a forwarding loop I suppose), but without being
able to see the packets there isn't much way to tell.

A "clear pfe statistics ip icmp" followed by a show immediately after
shows the pfe is throttling icmp generation at a pretty good rate.

ICMP Statistics:
       11025 requests
           0 network unreachables
        1983 ttl expired
           0 ttl captured
           0 redirects
           0 mtu exceeded
           0 icmp/option handoffs

ICMP Errors:
           0 unknown unreachables
           0 unsupported ICMP type
           0 unprocessed redirects
           0 invalid ICMP type
           0 invalid protocol
           0 bad input interface
        8952 throttled icmps
           0 runts

ICMP Discards:
           0 multicasts
          42 bad source addresses
           0 bad dest addresses
           0 IP fragments
           0 ICMP errors

But since this is TTL exceed being handled entirely by the PFE none of
these packets are making it to the lo0 filter to be logged. It's not
breaking "much", just traceroute for that router hop, but it'd be really
nice if there was a way to find the source of the problem packets and
plug it. Any ideas?

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
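Since the throttled TTL-exceeded replies never reach lo0 and cannot be logged there, the one signal the post does have is the PFE counter block itself. Below is an added example (not part of the original post or any Juniper tool) that parses that "ICMP Statistics / Errors / Discards" block, computes what fraction of ICMP generation requests were throttled, and diffs two snapshots taken some seconds apart to turn the raw counters into per-second rates, which is how an operator would watch for the onset or end of a loop or flood without packet-level visibility. The first snapshot is the block quoted above; the second snapshot and the 30-second interval between them are constructed for the example.

```python
"""Parse a PFE 'show pfe statistics ip icmp'-style counter block and compute
ICMP throttle ratios and per-second rates between two snapshots.

Added example, not from the original post. SNAPSHOT_1 is the counter block
quoted in the post; SNAPSHOT_2 and INTERVAL_SECONDS are constructed."""
import re
from typing import Dict

Stats = Dict[str, Dict[str, int]]

SECTION_RE = re.compile(r"^(ICMP \w+):$")          # e.g. "ICMP Errors:"
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # "   8952 throttled icmps"

SNAPSHOT_1 = """\
ICMP Statistics:
       11025 requests
           0 network unreachables
        1983 ttl expired
           0 ttl captured
           0 redirects
           0 mtu exceeded
           0 icmp/option handoffs

ICMP Errors:
           0 unknown unreachables
           0 unsupported ICMP type
           0 unprocessed redirects
           0 invalid ICMP type
           0 invalid protocol
           0 bad input interface
        8952 throttled icmps
           0 runts

ICMP Discards:
           0 multicasts
          42 bad source addresses
           0 bad dest addresses
           0 IP fragments
           0 ICMP errors
"""

# Constructed second snapshot, taken INTERVAL_SECONDS later without a clear.
INTERVAL_SECONDS = 30.0
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("11025 requests", "23525 requests")
              .replace("1983 ttl expired", "4083 ttl expired")
              .replace("8952 throttled icmps", "19452 throttled icmps")
              .replace("42 bad source addresses", "92 bad source addresses"))


def parse_pfe_icmp(text: str) -> Stats:
    """Return {section: {counter name: value}} for the counter block."""
    stats: Stats = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            stats[section] = {}
            continue
        cnt = COUNTER_RE.match(line)
        if cnt and section is not None:
            stats[section][cnt.group(2)] = int(cnt.group(1))
    return stats


def throttle_ratio(stats: Stats) -> float:
    """Fraction of ICMP generation requests the PFE throttled."""
    requests = stats["ICMP Statistics"].get("requests", 0)
    throttled = stats["ICMP Errors"].get("throttled icmps", 0)
    return throttled / requests if requests else 0.0


def is_throttling_heavy(stats: Stats, threshold: float = 0.5) -> bool:
    """True when more than `threshold` of requests are being throttled."""
    return throttle_ratio(stats) > threshold


def delta_rates(before: Stats, after: Stats, seconds: float) -> Dict[str, Dict[str, float]]:
    """Per-second rate of every counter between two snapshots."""
    rates: Dict[str, Dict[str, float]] = {}
    for section, counters in after.items():
        rates[section] = {}
        for name, value in counters.items():
            prev = before.get(section, {}).get(name, 0)
            rates[section][name] = (value - prev) / seconds
    return rates


if __name__ == "__main__":
    s1, s2 = parse_pfe_icmp(SNAPSHOT_1), parse_pfe_icmp(SNAPSHOT_2)
    print(f"throttled fraction: {throttle_ratio(s1):.1%}")
    r = delta_rates(s1, s2, INTERVAL_SECONDS)
    print(f"requests/s: {r['ICMP Statistics']['requests']:.1f}, "
          f"throttled/s: {r['ICMP Errors']['throttled icmps']:.1f}, "
          f"ttl expired/s: {r['ICMP Statistics']['ttl expired']:.1f}")
```

Because the PFE counters are cumulative, sampling them on a schedule and alerting on the throttled-per-second rate (or on a throttle ratio above a chosen threshold, 0.5 in the example) gives a usable indicator that a loop or flood is in progress even when the individual packets cannot be captured at lo0.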
