Ping
Content
Ping
``Ping'' is one of the most useful network debugging tools available. It takes its name from a submarine sonar search - you send a short sound burst and listen for an echo - a ping - coming back. In an IP network, `ping' sends a short data burst - a single packet - and listens for a single packet in reply. Since this tests the most basic function of an IP network delivery of single packet!, it's easy to see how you can learn a lot from some `pings'. Ping is implemented using the re"uired I#$P %cho function, documented in &'# ()* that all hosts should implement. +f course, administrators can disable ping messages this is rarely a good idea, unless security considerations dictate that the host should be unreachable anyway!, and some implementations have (gasp) even been known not to implement all re"uired functions. ,owever, ping is usually a better bet than almost any other network software. $any versions of ping are available. 'or the remainder of this discussion, I assume use of -S. /0I1's ping, a freely available, full-featured ping available for many /0I1 systems. $ost P#-based pings do not have the advanced features I describe. 2s always, read the manual for whatever version you use. What Ping can tell you
•
• •
•
Ping places a uni"ue se"uence number on each packet it transmits, and reports which se"uence numbers it receives back. 3hus, you can determine if packets have been dropped, duplicated, or reordered. Ping checksums each packet it e4changes. 5ou can detect some forms of damaged packets. Ping places a timestamp in each packet, which is echoed back and can easily be used to compute how long each packet e4change took - the &ound 3rip 3ime &33!. Ping reports other I#$P messages that might otherwise get buried in the system software. It reports, for e4ample, if a router is declaring the target host unreachable.
What Ping can not tell you
•
•
Some routers may silently discard undeliverable packets. +thers may believe a packet has been transmitted successfully when it has not been. 3his is especially common over %thernet, which does not provide link-layer acknowledgments! 3herefore, ping may not always provide reasons why packets go unanswered. Ping can not tell you why a packet was damaged, delayed, or duplicated. It can not tell you where this happened either, although you may be able to deduce it.
•
Ping can not give you a blow-by-blow description of every host that handled the packet and everything that happened at every step of the way. It is an unfortunate fact that no software can reliably provide this information for a 3#P6IP network.
Using ping Ping should be your first stop for network troubleshooting. ,aving problems transferring a file with '3P7 .on't fire up your packet analy8er 9ust yet. :eave your 3.& in the bo4 for now. &ela4. Put on some 5anni. .on't even ``su'' - ping is a non-privileged command on most systems. Start one running and 9ust watch it for at least two minutes. 3hat's enough time for most periodic network problems to show themselves. +nce you've seen about a hundred packets, you should be getting a good feel for how this host is responding. 2re the round-trip times consistent7 Seeing any packet loss7 2re the 33: values sane7 Start pinging other hosts. 3ry the machine ne4t to you - the problem might be closer than you think. 3ry the last router - maybe the remote system is overloaded especially if it's a popular Internet site like this one!. .on't know what the last router is7 /se traceroute or guess - changing the last number in the IP address to ; usually gets you something interesting. #heck other sites with similar network topologies other remote :20 sites, or other Internet sites, or other sites using the same backbone!. Starting to learn something about how your network is responding7 <ood. 2nd - oh, yeah, go check that '3P. It's probably done by now. ,ere's a list of common -S. ping options, and when you might want to use them= -c count Send count packets and then stop. 3he other way to stop is type CNTL-C. 3his option is convenient for scripts that periodically check network behavior. -f 'lood ping. Send packets as fast as the receiving host can handle them, at least one hundred per second. I've found this most useful to stress a production network being tested during its down-time. 'ast machines with fast %thernet interfaces like SP2&#s! can basically shutdown a network with flood ping, so use this with caution. -l preload Send preload packets as fast as possible, then fall into a normal mode of behavior. <ood for finding out how many packets your routers can "uickly handle, which is in turn good for diagnosing problems that only appear with large 3#P window si8es. -n 0umeric output only. /se this when, in addition to everything else, you've got nameserver problems and ping is hanging trying to give you a nice symbolic name for the IP addresses. -p pattern Pattern is a string of he4adecimal digits to pad the end of the packet with. 3his can be useful if you suspect data-dependent problems, as links have been known to fail only when certain bit patterns are presented to them.
-R /se IP's &ecord &oute option to determine what route the ping packets are taking. 3here are many problems with using this, not the least of which is that the option is placed on the re"uest and the target host is under no obligation to place a corresponding option on the reply. #onsider yourself lucky if this works. -r -ypass the routing tables. /se this when, in addition to everything else, you've got routing problems and ping can't find a route to the target host. 3his only works for hosts that can be directly reached without using any routers. -s packet size #hange the si8e of the test packets. 3ry it - why not7 #heck large packets, small packets the default!, very large packets that must be fragmented, packets that aren't a neat power of two. &ead the manual to find out e4actly what you're specifying here - -S. ping doesn't count either IP or I#$P headers in packet size. -V >erbose output. 5ou see other I#$P packets that are not normally considered ``interesting'' and rarely are!. Sample ping sessions 3his ping session shows a ten packet e4change over the loopback interface. +ne line is printed for every reply received. 0ote that for each se"uence number, a single reply is received, and they are all in order. 3he IP 33: values are reported, as are the round-trip times. -oth are very consistent. 2t the end of the session, statistics are reported. Pinging the loop back interface is a good way to test a machine's basic network configuration, since no packets are physically transmitted. Any problems in such a test is cause for alarm.
meikro$ ping -c10 local host PING localhost (127.0.0.1): 5 !ata $ "#tes %rom 127.0.0.1: icm&'se()0 $ "#tes %rom 127.0.0.1: icm&'se()1 $ "#tes %rom 127.0.0.1: icm&'se()2 $ "#tes %rom 127.0.0.1: icm&'se()* $ "#tes %rom 127.0.0.1: icm&'se()$ $ "#tes %rom 127.0.0.1: icm&'se()5 $ "#tes %rom 127.0.0.1: icm&'se() $ "#tes %rom 127.0.0.1: icm&'se()7 $ "#tes %rom 127.0.0.1: icm&'se()+ $ "#tes %rom 127.0.0.1: icm&'se(), "#tes ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255
time)2 time)2 time)2 time)2 time)2 time)2 time)2 time)2 time)2 time)2
ms ms ms ms ms ms ms ms ms ms
--- localhost &i-. statistics --10 &ackets tra-smitte!/ 10 &ackets recei0e!/ 01 &acket loss ro2-!-tri& mi-3a0.3ma4 ) 23232 ms meikro$
3he ne4t session shows a more interesting e4ample - a router on the remote side of a medium speed ;*?@bps! link. 3he initial timings show consistent link behavior. ,owever, about AB seconds into the trace, we see greater fluctuations in the &33, which
approaches one minute for several packets. 'rom packet AC to AD, we see a factor of *E reduction in &33. -ut since reductions in &33 rarely cause problems, this is not as troublesome as the change from packet AD to AA, a factor of ( increase in &33. So what should the &33 be7 Fell, we're transferring AE data bytes, plus an ? byte I#$P header ED I#$P bytes!, plus a *B byte IP header - ?D byte packets. 2t ;*? kilobits per second, ?D bytes should re"uire about ?DG ?6;*?BBB! H E ms to transfer. Since the packet has to go both ways, we e4pect ;B-;A ms round-trip times. 0one of these values are that lowI clearly there are problems with this link. $ore than anything else, it is simply overcrowded.
access , 5ping sl-stk-3-S17-128k.sprintlink.net PING sl-stk-*-617-12+k.s&ri-tli-k.-et (1$$.22+.202.1): 5 !ata "#tes $ "#tes %rom 1$$.22+.202.1: icm&'se()0 ttl)25$ time)*5. 5* ms $ "#tes %rom 1$$.22+.202.1: icm&'se()1 ttl)25$ time)2+.7,7 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()2 ttl)25$ time)2+.55, ms $ "#tes %rom 1$$.22+.202.1: icm&'se()* ttl)25$ time)*,.5** ms $ "#tes %rom 1$$.22+.202.1: icm&'se()$ ttl)25$ time)2+. 21 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5 ttl)25$ time)2+.15, ms ... $ "#tes %rom 1$$.22+.202.1: icm&'se()50 ttl)25$ time)+$+.+10 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()51 ttl)25$ time)+2+.57, ms $ "#tes %rom 1$$.22+.202.1: icm&'se()52 ttl)25$ time)75*.+ 5 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5* ttl)25$ time)77+.202 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5$ ttl)25$ time)2,.,1* ms $ "#tes %rom 1$$.22+.202.1: icm&'se()55 ttl)25$ time)220.,*1 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5 ttl)25$ time)17*. 1 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()57 ttl)25$ time)1$$.,,0 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5+ ttl)25$ time)2+.520 ms ... access 10 5
What you might see Dropped packets 2 unfortunate fact of life. .etect them by noting when the se"uence numbers skip, and the missing number does not appear again later. 3his is probably caused by a router "ueueing packets for a relatively slow link, and the "ueue simply grew too large. %arly 3#P implementations dropped packets at a truly alarming rate, but things have gotten better. %ven so, there are common situations, typically involving crowded wide-area networks, in which even modern 3#P implementations can't operate steady-state without dropping packets. 3here's no reason to pull your out hair over this, since 3#P will retransmit missing data, but this won't make your network run faster. 2lso, if you have fast links that aren't showing much congestion, the cause of trouble may be elsewhere - link-level failures are the ne4t most common cause of packet loss. I'd suggest using the techni"ues mentioned above to narrow down as much as possible where packets are being dropped, and try to understand why this is happening, even if fi4ing it is beyond your control. Fluctuating Round Trip Times 2nother fact of life. Pretty much caused by the same things that cause packet loss. 2gain, not serious cause for alarm, but don't e4pect optimum performance from
3#P. &emember that 3#P generates an internal &33 estimate that affects protocol behavior. If the actual &33 changes too much, 3#P may never be able to make a satisfactory estimate. -oth dropped packets and &33 fluctuations may occur in a periodic nature - a batch of slow packets every CB seconds, for instance. If you see this symptom, check for routing updates or other periodic traffic with the same period as the problem. Poor network performance can often be traced to slow links being clogged with various kinds of automated updates. Connecti ity that comes and goes 2gain, look for periods between problems that are multiples of some common number - ;B and ;A seconds are good things to check. If a router is sending error messages when connectivity disappears, that router's the first place to start looking. ,owever, 9ust because you can always reach hop A, for instance, doesn't mean that your problem isn't hop C. ,op C's router may be erroneously timing out routing information for your target, but handling hop A's routing information 9ust fine. +f course, check hop A first if that's where your packets seem to check out but never leave. Ping !orks fine "ut T#$%#T&FTP&'ail&%e!s&((( doesn)t <ood news - it's probably! not a hardware problem. /se a packet tracer of some sort to see what 33: values are being generated by your hosts. If they're too low, you can see this kind of behavior. It could also be a software or configuration problem - can other machines connect to the offending host7 #an it talk to itself7 +n the other hand, it could be a hardware problem, if one of your links is showing data-dependent behavior. 3he telltale symptom is when '3P for e4ample! can transfer some files fine, but others always have problems. +nce you've found an offending file, trying breaking it into smaller and smaller pieces and see which ones don't work. If the pieces becomes too small to detect problems, duplicate them several times to get a larger file. +nce you've found a small pattern that you suspect is causing your grief, see if you can load it into ping packets -S. PI0<'s `-p' switch! and reproduce the trouble.
``Ping'' is one of the most useful network debugging tools available. It takes its name from a submarine sonar search - you send a short sound burst and listen for an echo - a ping - coming back. In an IP network, `ping' sends a short data burst - a single packet - and listens for a single packet in reply. Since this tests the most basic function of an IP network delivery of single packet!, it's easy to see how you can learn a lot from some `pings'. Ping is implemented using the re"uired I#$P %cho function, documented in &'# ()* that all hosts should implement. +f course, administrators can disable ping messages this is rarely a good idea, unless security considerations dictate that the host should be unreachable anyway!, and some implementations have (gasp) even been known not to implement all re"uired functions. ,owever, ping is usually a better bet than almost any other network software. $any versions of ping are available. 'or the remainder of this discussion, I assume use of -S. /0I1's ping, a freely available, full-featured ping available for many /0I1 systems. $ost P#-based pings do not have the advanced features I describe. 2s always, read the manual for whatever version you use. What Ping can tell you
•
• •
•
Ping places a uni"ue se"uence number on each packet it transmits, and reports which se"uence numbers it receives back. 3hus, you can determine if packets have been dropped, duplicated, or reordered. Ping checksums each packet it e4changes. 5ou can detect some forms of damaged packets. Ping places a timestamp in each packet, which is echoed back and can easily be used to compute how long each packet e4change took - the &ound 3rip 3ime &33!. Ping reports other I#$P messages that might otherwise get buried in the system software. It reports, for e4ample, if a router is declaring the target host unreachable.
What Ping can not tell you
•
•
Some routers may silently discard undeliverable packets. +thers may believe a packet has been transmitted successfully when it has not been. 3his is especially common over %thernet, which does not provide link-layer acknowledgments! 3herefore, ping may not always provide reasons why packets go unanswered. Ping can not tell you why a packet was damaged, delayed, or duplicated. It can not tell you where this happened either, although you may be able to deduce it.
•
Ping can not give you a blow-by-blow description of every host that handled the packet and everything that happened at every step of the way. It is an unfortunate fact that no software can reliably provide this information for a 3#P6IP network.
Using ping Ping should be your first stop for network troubleshooting. ,aving problems transferring a file with '3P7 .on't fire up your packet analy8er 9ust yet. :eave your 3.& in the bo4 for now. &ela4. Put on some 5anni. .on't even ``su'' - ping is a non-privileged command on most systems. Start one running and 9ust watch it for at least two minutes. 3hat's enough time for most periodic network problems to show themselves. +nce you've seen about a hundred packets, you should be getting a good feel for how this host is responding. 2re the round-trip times consistent7 Seeing any packet loss7 2re the 33: values sane7 Start pinging other hosts. 3ry the machine ne4t to you - the problem might be closer than you think. 3ry the last router - maybe the remote system is overloaded especially if it's a popular Internet site like this one!. .on't know what the last router is7 /se traceroute or guess - changing the last number in the IP address to ; usually gets you something interesting. #heck other sites with similar network topologies other remote :20 sites, or other Internet sites, or other sites using the same backbone!. Starting to learn something about how your network is responding7 <ood. 2nd - oh, yeah, go check that '3P. It's probably done by now. ,ere's a list of common -S. ping options, and when you might want to use them= -c count Send count packets and then stop. 3he other way to stop is type CNTL-C. 3his option is convenient for scripts that periodically check network behavior. -f 'lood ping. Send packets as fast as the receiving host can handle them, at least one hundred per second. I've found this most useful to stress a production network being tested during its down-time. 'ast machines with fast %thernet interfaces like SP2&#s! can basically shutdown a network with flood ping, so use this with caution. -l preload Send preload packets as fast as possible, then fall into a normal mode of behavior. <ood for finding out how many packets your routers can "uickly handle, which is in turn good for diagnosing problems that only appear with large 3#P window si8es. -n 0umeric output only. /se this when, in addition to everything else, you've got nameserver problems and ping is hanging trying to give you a nice symbolic name for the IP addresses. -p pattern Pattern is a string of he4adecimal digits to pad the end of the packet with. 3his can be useful if you suspect data-dependent problems, as links have been known to fail only when certain bit patterns are presented to them.
-R /se IP's &ecord &oute option to determine what route the ping packets are taking. 3here are many problems with using this, not the least of which is that the option is placed on the re"uest and the target host is under no obligation to place a corresponding option on the reply. #onsider yourself lucky if this works. -r -ypass the routing tables. /se this when, in addition to everything else, you've got routing problems and ping can't find a route to the target host. 3his only works for hosts that can be directly reached without using any routers. -s packet size #hange the si8e of the test packets. 3ry it - why not7 #heck large packets, small packets the default!, very large packets that must be fragmented, packets that aren't a neat power of two. &ead the manual to find out e4actly what you're specifying here - -S. ping doesn't count either IP or I#$P headers in packet size. -V >erbose output. 5ou see other I#$P packets that are not normally considered ``interesting'' and rarely are!. Sample ping sessions 3his ping session shows a ten packet e4change over the loopback interface. +ne line is printed for every reply received. 0ote that for each se"uence number, a single reply is received, and they are all in order. 3he IP 33: values are reported, as are the round-trip times. -oth are very consistent. 2t the end of the session, statistics are reported. Pinging the loop back interface is a good way to test a machine's basic network configuration, since no packets are physically transmitted. Any problems in such a test is cause for alarm.
meikro$ ping -c10 local host PING localhost (127.0.0.1): 5 !ata $ "#tes %rom 127.0.0.1: icm&'se()0 $ "#tes %rom 127.0.0.1: icm&'se()1 $ "#tes %rom 127.0.0.1: icm&'se()2 $ "#tes %rom 127.0.0.1: icm&'se()* $ "#tes %rom 127.0.0.1: icm&'se()$ $ "#tes %rom 127.0.0.1: icm&'se()5 $ "#tes %rom 127.0.0.1: icm&'se() $ "#tes %rom 127.0.0.1: icm&'se()7 $ "#tes %rom 127.0.0.1: icm&'se()+ $ "#tes %rom 127.0.0.1: icm&'se(), "#tes ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255 ttl)255
time)2 time)2 time)2 time)2 time)2 time)2 time)2 time)2 time)2 time)2
ms ms ms ms ms ms ms ms ms ms
--- localhost &i-. statistics --10 &ackets tra-smitte!/ 10 &ackets recei0e!/ 01 &acket loss ro2-!-tri& mi-3a0.3ma4 ) 23232 ms meikro$
3he ne4t session shows a more interesting e4ample - a router on the remote side of a medium speed ;*?@bps! link. 3he initial timings show consistent link behavior. ,owever, about AB seconds into the trace, we see greater fluctuations in the &33, which
approaches one minute for several packets. 'rom packet AC to AD, we see a factor of *E reduction in &33. -ut since reductions in &33 rarely cause problems, this is not as troublesome as the change from packet AD to AA, a factor of ( increase in &33. So what should the &33 be7 Fell, we're transferring AE data bytes, plus an ? byte I#$P header ED I#$P bytes!, plus a *B byte IP header - ?D byte packets. 2t ;*? kilobits per second, ?D bytes should re"uire about ?DG ?6;*?BBB! H E ms to transfer. Since the packet has to go both ways, we e4pect ;B-;A ms round-trip times. 0one of these values are that lowI clearly there are problems with this link. $ore than anything else, it is simply overcrowded.
access , 5ping sl-stk-3-S17-128k.sprintlink.net PING sl-stk-*-617-12+k.s&ri-tli-k.-et (1$$.22+.202.1): 5 !ata "#tes $ "#tes %rom 1$$.22+.202.1: icm&'se()0 ttl)25$ time)*5. 5* ms $ "#tes %rom 1$$.22+.202.1: icm&'se()1 ttl)25$ time)2+.7,7 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()2 ttl)25$ time)2+.55, ms $ "#tes %rom 1$$.22+.202.1: icm&'se()* ttl)25$ time)*,.5** ms $ "#tes %rom 1$$.22+.202.1: icm&'se()$ ttl)25$ time)2+. 21 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5 ttl)25$ time)2+.15, ms ... $ "#tes %rom 1$$.22+.202.1: icm&'se()50 ttl)25$ time)+$+.+10 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()51 ttl)25$ time)+2+.57, ms $ "#tes %rom 1$$.22+.202.1: icm&'se()52 ttl)25$ time)75*.+ 5 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5* ttl)25$ time)77+.202 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5$ ttl)25$ time)2,.,1* ms $ "#tes %rom 1$$.22+.202.1: icm&'se()55 ttl)25$ time)220.,*1 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5 ttl)25$ time)17*. 1 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()57 ttl)25$ time)1$$.,,0 ms $ "#tes %rom 1$$.22+.202.1: icm&'se()5+ ttl)25$ time)2+.520 ms ... access 10 5
What you might see Dropped packets 2 unfortunate fact of life. .etect them by noting when the se"uence numbers skip, and the missing number does not appear again later. 3his is probably caused by a router "ueueing packets for a relatively slow link, and the "ueue simply grew too large. %arly 3#P implementations dropped packets at a truly alarming rate, but things have gotten better. %ven so, there are common situations, typically involving crowded wide-area networks, in which even modern 3#P implementations can't operate steady-state without dropping packets. 3here's no reason to pull your out hair over this, since 3#P will retransmit missing data, but this won't make your network run faster. 2lso, if you have fast links that aren't showing much congestion, the cause of trouble may be elsewhere - link-level failures are the ne4t most common cause of packet loss. I'd suggest using the techni"ues mentioned above to narrow down as much as possible where packets are being dropped, and try to understand why this is happening, even if fi4ing it is beyond your control. Fluctuating Round Trip Times 2nother fact of life. Pretty much caused by the same things that cause packet loss. 2gain, not serious cause for alarm, but don't e4pect optimum performance from
3#P. &emember that 3#P generates an internal &33 estimate that affects protocol behavior. If the actual &33 changes too much, 3#P may never be able to make a satisfactory estimate. -oth dropped packets and &33 fluctuations may occur in a periodic nature - a batch of slow packets every CB seconds, for instance. If you see this symptom, check for routing updates or other periodic traffic with the same period as the problem. Poor network performance can often be traced to slow links being clogged with various kinds of automated updates. Connecti ity that comes and goes 2gain, look for periods between problems that are multiples of some common number - ;B and ;A seconds are good things to check. If a router is sending error messages when connectivity disappears, that router's the first place to start looking. ,owever, 9ust because you can always reach hop A, for instance, doesn't mean that your problem isn't hop C. ,op C's router may be erroneously timing out routing information for your target, but handling hop A's routing information 9ust fine. +f course, check hop A first if that's where your packets seem to check out but never leave. Ping !orks fine "ut T#$%#T&FTP&'ail&%e!s&((( doesn)t <ood news - it's probably! not a hardware problem. /se a packet tracer of some sort to see what 33: values are being generated by your hosts. If they're too low, you can see this kind of behavior. It could also be a software or configuration problem - can other machines connect to the offending host7 #an it talk to itself7 +n the other hand, it could be a hardware problem, if one of your links is showing data-dependent behavior. 3he telltale symptom is when '3P for e4ample! can transfer some files fine, but others always have problems. +nce you've found an offending file, trying breaking it into smaller and smaller pieces and see which ones don't work. If the pieces becomes too small to detect problems, duplicate them several times to get a larger file. +nce you've found a small pattern that you suspect is causing your grief, see if you can load it into ping packets -S. PI0<'s `-p' switch! and reproduce the trouble.
