Jaycee's Networking

April 23, 2009

Ping

Filed under: Information, IOS — Tags: — Jaycee @ 9:04 am

1. Ping is used to verify:

a. Network connectivity b/w 2 endpoints
b. Round-trip delay in communicating with the host
c. Packet loss

2. Ping works by sending an ICMP (Internet Control Message Protocol) Echo Request message and waiting for the ICMP Echo Reply packets.

3. Round-trip time is important for proper functioning of some real-time applications:

a. VoIP has a maximum of 300ms
b. Citrix has a maximum of 250ms for acceptable performance

4. Ping uses ICMP traffic, whereas most of the user traffic consists of TCP or UDP. Ping can potentially produce inaccurate results:

a. Timeout value

1) Default timeout value for Windows ping is 1 second (1000 ms). This can cause inaccurate results on slower links such as satellite-based connections.

2) use -w to change the default timeout value: ping -w 5000 ip-address

b. MTU (Maximum transmission unit)

1) On an Ethernet network, MTU is 1500 bytes.

2) If DF (Don’t Fragment) bit in the IP header of the datagram is set, the router cannot fragment the datagram.
=> Router drops the bigger packets and sends an ICMP Destination Unreachable, fragmentation needed and DF set message to the source.

3)  MTU-related issues are common in IPSec-based VPN. IPSec encapsulates the original IP datagram with an IPSec header, thus making the packet larger:

i) IP Fragmentation and MTU Path Discovery with VPN

ii) IPSec can make fragmentation problems worse, because it lengthens each IP packet by one, or possibly two, IP headers. These added headers vary in length by choice of IPSec protocols (and whether IntraPort’s “NAT transparency” is also in use), but empirically they do not exceed 80 bytes per packet.

iii) A good technique (the best technique, really) of avoiding fragmentation with IPSec is reducing the interface MTU that applications and the IP protocol stack see on both ends of the TCP connection. If the applications and the IP protocol stack think the interface MTU is 1420 bytes or less, they will not emit packets that need to be fragmented after IPSec encapsulation for transport through Ethernet-size-capable routers and links.

5. Windows-based of ping:

a. Default ping packet is 56 bytes; IP header is 28 bytes.

b. If 1272 byte is the biggest size that can get replys, then the actual MTU size is 1272 + 28 = 1300 bytes.

c. -f sets the DF bit; -l buffer-size specifies the data payload size; -t for continuous ping; -a for Name Resolution; -r records route for count hops; -w sets timeout in ms for each reply; -n sets the number of echo requests to send; Ctrl-Break to view the summary without stopping.

ping -f -l 1500 ip-address

6. Linux-based of ping:

a. Default ping packet is 56 bytes; IP header is 28 bytes.

b. -M do sets the DF bit; -M dont to not set the DF bit; -s specifies the number of bytes of data; -i sets timeout in ms for each reply; -I specifies the source address; -c sets the number of echo requests to send.

ping -c 4 -M do -s 1272 ip-address

7. IOS-based of ping:

a. Default ping packet is 100 bytes:

b. Use “Record” IP header option – informs the hops that the Echo Request went through and the hops it visited on the return path. traceroute command dont get information about the path that the Echo Reply takes.

c. Use “ip name-server ip-address-of-DNS-server” command

d. use “no ip directed-broadcast” command to prevent the ICMP flooding attack. DDoS attacks usethe directed broadcast of ICMP packets to flood the target network with broadcast replies, such as Smurf.

*An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a router that is directly connected to its destination subnet, that packet is “exploded” as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

The ip directed-broadcast interface command controls the explosion of directed broadcasts when they reach their target subnets. The command affects only the final transmission of the directed broadcast on its ultimate destination subnet. It does not affect the transit unicast routing of IP directed broadcasts.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet. If an access list has been configured with the ip directed-broadcast command, only directed broadcasts that are permitted by the access list in question will be forwarded; all other directed broadcasts destined for the interface subnet will be dropped.

If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined for the subnet to which that interface is attached will be dropped, rather than being broadcast.

8. Other OS-Based of ping:

a. fping: can test multiple hosts simulataneously

http://www.fping.com

b. hping: provides additional capability to use TCP, UDP, RAW-IP for testing remote host connectivity, has a traceroute mode, the ability to send files between a covered channel, and many other features.

http://www.hping.org

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP.

c. SmokePing: provide detailed graphic records of network performance

http://people.ee.ethz.ch/~oetiker/webtools/smokeping

9. ICMP traffic is often assigned a lower priority on the routers. If the router CPU utilization is high, the ping process might not respond.

10. Troubleshooting steps:

a. Ping the loopback address of the source device
=> confirm local TCP/IP Stack

b. Ping the external network interface of the source device
=> confirm local NIC is working and ethernet link is up

c. Ping the default gateway of the source device
=> confirm connectivity and routing b/w host and default gateway

d. Ping the destination device
=> confirm connectivity b/w host and destination


Advertisements

2 Comments »

  1. Very nice site! is it yours too

    Comment by John796 — May 28, 2010 @ 3:12 am

  2. Very nice site!

    Comment by John1114 — June 9, 2010 @ 3:25 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: