Tuesday, December 31, 2019

PING - Useful Tips


PING (Packet InterNet Groper) is a utility used for testing network connectivity between 2 systems. When we say system, this could be anything like a normal PC, server, switch, router etc., and it works at Layer 3 of the OSI model.
Generally PING is used to verify whether the specified address is active or not; it is also used for recording the round-trip time and helps to record errors.
Here, we are going to review a few useful ping commands and their applications.
The PING command transmits its message as an ICMP payload, which is carried inside an IP packet (the IP header comes first, followed by the ICMP header and data).

MTU: The largest number of bytes per packet (IP header, TCP or UDP protocol headers, data payload etc.) that can be transmitted through the system. The headers can be a combination of different headers. It is generally set to 1500 bytes, which can be increased or decreased depending upon the environment.
At the Data Link layer, an ICMP packet carries an additional 14 bytes for the Ethernet header.

Now, let’s dig deeper into the ICMP types and what they mean.
As per RFC 792, below are the ICMP message types and their type numbers.

Type   Name
0      Echo Reply
3      Destination Unreachable
4      Source Quench
5      Redirect
8      Echo Request
11     Time Exceeded
12     Parameter Problem
13     Timestamp
14     Timestamp Reply
15     Information Request
16     Information Reply

Below is a snippet of an ICMP type 3 (Destination Unreachable) message in Wireshark:

The diagram below shows a client sending an ICMP Echo Request and a different client sending the Echo Reply.
This can be done with a simple PING.

The image below shows a PING to the destination IP 10.1.1.190, which confirms that the client is alive.
Did you notice that the response also contains the size and the TTL mentioned?


If you remember the first part of this article; I have mentioned that PING can also record the round-trip time and the errors.
Let’s take a closer look at this now.

The initial TTL is set by the remote host. Common default TTL values:
·       Router - 255
·       Windows - 128
·       Linux-Mac - 64

If you look at the TTL in the capture above, it shows 63, which means the reply crossed 1 network (one router hop) to reach you. In other words, for every network the packet crosses on its way back to you, the TTL is reduced by 1. You can also run a traceroute to confirm this.

The snippet below gives more clarity.

Both IPs shown below belong to 2 different devices in the same network:


Now, let’s get back to my remote Linux host server 10.1.1.190 and look at its traffic capture to better understand the packet frames.

Request:


Reply:



Below is a table showing the packet length and how it adds up to 74 bytes.

Ethernet Header   IP Header   ICMP Header   ICMP Payload Size    Total
14 bytes          20 bytes    8 bytes       32 (default size)    74 bytes
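To see where the 74 bytes come from, here is an added example (not code from the original post) that builds an Echo Request frame layer by layer with the same sizes as the table above, computes the RFC 1071 checksums that the IP and ICMP headers carry, and parses the frame back to verify them. The MAC addresses, IP addresses, identifier and sequence number are constructed values, and the 32-byte payload is the pattern Windows ping sends by default.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# 32-byte payload pattern that Windows ping sends by default
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type, ident, seq, payload=WINDOWS_PAYLOAD):
    """8-byte ICMP header (type, code, checksum, identifier, sequence) plus payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)  # checksum covers header and data
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src, dst, ttl, payload, ident=0x1234, df=False):
    """20-byte IPv4 header without options, protocol ICMP, checksum over the header only."""
    flags_frag = 0x4000 if df else 0        # DF bit set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, PROTO_ICMP, 0, _ip_bytes(src), _ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ethernet(dst_mac, src_mac, payload):
    """14-byte Ethernet II header: destination MAC, source MAC, EtherType."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def echo_request_frame(src_ip, dst_ip, ttl=128, payload=WINDOWS_PAYLOAD):
    """Full frame as a Windows host (default TTL 128) would put it on the wire."""
    icmp = build_icmp_echo(ICMP_ECHO_REQUEST, ident=1, seq=1, payload=payload)
    ip = build_ipv4(src_ip, dst_ip, ttl, icmp)
    # constructed MAC addresses
    return build_ethernet(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", ip)


def parse_frame(frame):
    """Split a frame back into its layers and verify lengths and both checksums."""
    eth, rest = frame[:14], frame[14:]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    ihl = (rest[0] & 0x0F) * 4              # header length in bytes
    ip_hdr, ip_payload = rest[:ihl], rest[ihl:]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    return {
        "ethernet": len(eth), "ip_header": ihl, "icmp_header": 8,
        "icmp_payload": len(ip_payload) - 8, "total": len(frame),
        "ethertype": ethertype, "ttl": ip_hdr[8], "protocol": ip_hdr[9],
        "icmp_type": ip_payload[0], "icmp_code": ip_payload[1],
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,     # valid header sums to zero
        "icmp_checksum_ok": inet_checksum(ip_payload) == 0,
        "ip_length_ok": total_len == len(rest),
    }


if __name__ == "__main__":
    for key, value in parse_frame(echo_request_frame("10.1.1.10", "10.1.1.190")).items():
        print(f"{key:17} {value}")
```

Verifying a received ICMP checksum is the same call as computing one: summing the header, data and the stored checksum together gives zero when the packet is intact, which is what `parse_frame` checks for both layers.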

Now that we have seen the packet frames of PING, we will move on to some ping commands that may come in handy.

1.     Resolve IP to host name (DNS resolution)
      ping -a <IP address>



2.     In the image above, you can see that the number of packets sent is 4, which is the default value. If you want to specify the number of packets, use the command:
      ping -n <number of packets> <Destination IP Address>



3.     Similarly, we can set the TTL value of the PING using the command shown below:
      ping -i <TTL value> <Destination IP Address>


In the traffic capture below you can see the TTL as 12:

Do you have a question? Is it something like: “When I set the TTL to 13, why does the TTL in the traffic capture show 12?”
Well, I would recommend you start reading from the beginning 😊.
One other thing you should know: no matter what the request TTL is set to (13 here), the response TTL always depends on the remote host’s default setting.
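The TTL arithmetic from the earlier section (a reply TTL of 63 meaning one hop from a Linux default of 64) and the question above (a request sent with TTL 13 arriving as 12) follow the same rule: each router subtracts 1. As an added example that is not part of the original post, the Python below parses ping reply lines in the Windows output format, reports loss and round-trip times, and infers the likely initial TTL and hop count from the reply TTL using the defaults listed above. The sample output, the function names and the host-type labels are my own constructions, not data from the post.

```python
import re
from collections import Counter

# Default initial TTLs listed in the post; an observed TTL is initial minus hops.
DEFAULT_TTLS = {64: "Linux/Mac", 128: "Windows", 255: "Router"}

# Constructed sample in the Windows ping output format (not a real capture).
SAMPLE_OUTPUT = """\
Pinging 10.1.1.190 with 32 bytes of data:
Reply from 10.1.1.190: bytes=32 time=1ms TTL=63
Reply from 10.1.1.190: bytes=32 time<1ms TTL=63
Request timed out.
Reply from 10.1.1.190: bytes=32 time=2ms TTL=63
"""

REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) "
    r"time(?P<op>[=<])(?P<ms>\d+)ms TTL=(?P<ttl>\d+)"
)


def infer_hops(observed_ttl):
    """Return (assumed initial TTL, host type, hops) for a reply TTL.

    Picks the smallest common default that is >= the observed value, which is
    the usual assumption since the sender never sees the initial TTL itself.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return initial, DEFAULT_TTLS[initial], initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def ttl_on_arrival(initial_ttl, hops):
    """TTL the receiver's capture shows for a request sent with initial_ttl.

    Returns None when the TTL reaches 0 on the way, in which case the router
    discards the packet and answers with ICMP type 11 (Time Exceeded).
    """
    remaining = initial_ttl - hops
    return remaining if remaining > 0 else None


def parse_ping_output(text):
    """Collect reply records and count timeouts from Windows-style ping output."""
    replies, lost = [], 0
    for line in text.splitlines():
        line = line.strip()
        match = REPLY_RE.match(line)
        if match:
            # "time<1ms" is below the timer resolution; record it as 0 ms
            rtt = 0 if match["op"] == "<" else int(match["ms"])
            replies.append({"ip": match["ip"], "bytes": int(match["bytes"]),
                            "rtt_ms": rtt, "ttl": int(match["ttl"])})
        elif line == "Request timed out.":
            lost += 1
    return replies, lost


def summarize(text):
    """Loss, RTT statistics and TTL-based hop estimate for one ping run."""
    replies, lost = parse_ping_output(text)
    sent = len(replies) + lost
    result = {"sent": sent, "received": len(replies),
              "loss_pct": round(100 * lost / sent, 1) if sent else None}
    if not replies:
        return result
    rtts = [r["rtt_ms"] for r in replies]
    ttl_counts = Counter(r["ttl"] for r in replies)
    ttl = ttl_counts.most_common(1)[0][0]   # a changing TTL hints at a path change
    initial, host_type, hops = infer_hops(ttl)
    result.update({"rtt_min_ms": min(rtts), "rtt_max_ms": max(rtts),
                   "rtt_avg_ms": round(sum(rtts) / len(rtts), 2),
                   "ttl": ttl, "ttl_stable": len(ttl_counts) == 1,
                   "initial_ttl": initial, "host_type": host_type, "hops": hops})
    return result


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key:12} {value}")
    print("TTL 13 after one router:", ttl_on_arrival(13, 1))
```

The hop estimate is only as good as the assumption behind it: a host with a non-default initial TTL, or a reply answered by a middlebox on the path, produces a number that looks plausible but is wrong, which is why `ttl_stable` is reported alongside it.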

4.     The ICMP payload is set to 32 bytes by default. What if we need to increase the payload size of ICMP? We can do that as well, using the command:
      ping -l <value> <Destination IP Address>



Now, let’s look at the traffic capture with all the above commands:

Generally the network MTU is set to 1500, which means the largest packet it can handle is 1500 bytes. If a packet is larger than the router can relay, the router will not pass it on to the destination.
If fragmentation is enabled, packets with the same payload size are allowed through. Here, the payload was set to 4086 bytes. The fragments carry an additional 8 bytes for the ICMP header, which makes a total of 4096 bytes.


Now let’s disable fragmentation (set the Don’t Fragment bit) and ping the destination.
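As an added example that is not part of the original post, the Python below works out what the two captures above should show: how a large echo request is split into fragments at a 1500-byte MTU, the size of each fragment on the wire, and what happens when the Don’t Fragment bit is set instead (on Windows `ping -f` sets it; on Linux the equivalent is `ping -M do`). It uses the 14/20/8-byte header sizes from the table earlier in the post; the function and exception names are my own.

```python
ETH_HEADER = 14
IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8


class FragmentationNeeded(Exception):
    """Raised where a router would drop the packet and answer with ICMP type 3
    (Destination Unreachable) code 4: fragmentation needed and DF set."""


def fragment_icmp(payload_len, mtu=1500, df=False):
    """Split one ICMP datagram (header + payload) into IPv4 fragments.

    Returns a list of (offset_bytes, data_len, more_fragments). Every fragment
    except the last carries a multiple of 8 bytes, because the IPv4 fragment
    offset field counts 8-byte units.
    """
    datagram = ICMP_HEADER + payload_len
    if IP_HEADER + datagram <= mtu:
        return [(0, datagram, False)]        # fits in one packet, no fragmentation
    if df:
        raise FragmentationNeeded(f"{IP_HEADER + datagram}-byte packet exceeds MTU {mtu}")
    max_data = (mtu - IP_HEADER) // 8 * 8    # 1480 bytes of data per fragment at MTU 1500
    fragments, offset = [], 0
    while offset < datagram:
        size = min(max_data, datagram - offset)
        fragments.append((offset, size, offset + size < datagram))
        offset += size
    return fragments


def frame_sizes(fragments):
    """Bytes on the wire for each fragment: Ethernet + IP header + data."""
    return [ETH_HEADER + IP_HEADER + size for _, size, _ in fragments]


def df_check(payload_len, mtu=1500):
    """Outcome of sending with DF set: delivered, or the ICMP error the router returns."""
    try:
        fragments = fragment_icmp(payload_len, mtu, df=True)
        return {"delivered": True, "fragments": len(fragments)}
    except FragmentationNeeded as exc:
        return {"delivered": False, "icmp_type": 3, "icmp_code": 4, "reason": str(exc)}


if __name__ == "__main__":
    for payload in (32, 4086):
        frags = fragment_icmp(payload)
        print(f"payload {payload}: {len(frags)} fragment(s) {frags}")
        print("  frame sizes:", frame_sizes(frags), "total:", sum(frame_sizes(frags)))
        print("  with DF set:", df_check(payload))
```

With the default 32-byte payload the datagram is a single 74-byte frame; with a 4086-byte payload the 4094-byte ICMP datagram needs three fragments, and with DF set the first router whose link cannot carry it drops the packet and reports type 3 code 4, which is the Destination Unreachable message from the ICMP type table above.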
