OSTU - hrPING QuickStart Part 2 (by Tony Fortunato & Peter Ciuffreda)

Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts.

Published in: Technology, Business
  • Hello, it’s Tony Fortunato and Peter Ciuffreda from The Technology Firm. In this session we are going to examine hrPING in a bit more detail. Enjoy!
  • Why are we working on hrPING again? In this presentation I want to use Wireshark to show if hrPING’s options really work as advertised. I’m confused, why wouldn’t they? Well, sometimes either software goes out with a bug, or the supporting documentation isn’t clear. I’m sure you know how it feels when you put a lot of time into writing something and the audience misunderstands. Trust me Tony, I know the feeling.
  • I guess we better set up Wireshark to capture our ICMP or ping packets. I can’t tell you how many times I see analysts hit the start button and then struggle through various display filters. So what do you suggest we do to avoid that? Just a simple protocol filter. Type icmp in the capture filter area.
  • The ping signature was pretty easy to see. Yeah, we basically looked at the Packet Bytes pane and there it was. An application signature is something I always try to find to make application identification easier. We also noticed that Microsoft’s ping signature is the alphabet.
  • This option truly controls the ICMP data payload size. We have seen many applications where the size value is the IP payload size, not the ICMP payload. Be careful, some routers or firewalls may not let IP/ICMP fragments through.
  • In this case, the –L option controls the size of the IP payload. So then 5,000 bytes isn’t really 5,000 bytes, is it? Nope.
  • OK, I can see the packet isn’t fragmented in the first example, then is fragmented in the second. What’s the big deal? Sometimes when network devices can’t transmit the entire packet, they fragment the packet. But only if fragmentation is allowed. I get it, so if you want to send a specific packet size and make sure it doesn’t get fragmented you can test for it, right? Yup.
  • Now this one I understand. We can change the Time To Live to see if the packet is traversing more routers or hops, right? Exactly. I also want to see if the ping works and then fails. What does that tell you? If there are multiple routes, one router could be flapping, causing an extra hop.
  • OK, so something finally failed. The –v option doesn’t work, right? Actually, the programmer had enough foresight or experience to check if the proper registry setting is in place to make this option work.
  • I see, now that you modified your registry, it works. Would you consider this a problem? Not really. Since the programmer pretty well told us exactly what to change, I think this is one of those options you need to pay attention to if you have an issue.
  • Why would you ever NOT want to count a packet? Sometimes due to excessive delay, ARP resolution, or congestion, you may want to ignore that first packet. So if the remaining ones come through OK, you would be fine with that? Absolutely.
  • OK, Tony, you have to explain why I would want to specify an ICMP ID number. The only scenario I can think of for using this option is if there’s a considerable amount of ICMP traffic on a link and you want to quickly pick out your packets.
  • Tony: Hope you enjoyed this tip. Peter: Have a good day folks, bye for now.

    1. Examining hrPING v2.39 with Wireshark, Part 2. Tony Fortunato, Sr Network Specialist; Peter Ciuffreda, Network Technician; The Technology Firm
    2. hrPING Options to review. In part 2 we use Wireshark to ensure that the various options work as advertised.
       • -l size: Send buffer size (ICMP payload size). How many bytes of payload should be sent? Remember that each packet is of the form: IP header (20 bytes) + ICMP header (8 bytes) + payload. You may only specify the payload size. Minimum is 0, maximum is 64k-1-20-8, i.e., 65507 bytes. Default is 64 bytes.
       • -L size: Total IP datagram size (ICMP payload size + 28). Same as the above, only that this size is the size of the total IP datagram.
       • -f: Set Don't Fragment flag in packet. Sets the "Don't fragment" bit in the IP header of the PING packet. Default is not set.
       • -i TTL: Time To Live. Sets the "Time To Live" value in the IP header of the PING packet. Default is 255.
       • -v TOS: Type Of Service. Sets the "Type Of Service" bits in the IP header of the PING packet. Default is 0.
       • -w timeout: Timeout in milliseconds to wait for each reply. Maximum timeout to wait for a reply. This is almost only of use if you switch to non-overlapped (i.e., Windows PING like) mode. In overlapped mode, this time only applies when hrPING has stopped sending (because the count was exceeded or because you pressed CTRL-C) and is waiting for missing replies. Default is 2000 milliseconds.
       • -s time: Interval in milliseconds between packets. This is the number of milliseconds between the sending of two PING packets. hrPING will try to stick to this number very accurately. If sending took a little longer for one packet it will send out the next packet a little earlier. Default is 500 milliseconds. (You can use decimals for a very fine grained interval: -s5.4 will send a packet every 5400 microseconds, on average!)
       • -I id: Set ICMP id field to <id>. Sets the "Identification" IP header field to the value specified. It is possible that Windows erases or overwrites this field when sending the packet.
       • -o: Don't do overlapped send/receive. Use Windows PING like synchronous sending of one packet, waiting for the reply and so on. Off by default.
    3. Wireshark Setup
       • To eliminate any background packets, use the simple icmp protocol capture filter.
    4. hrPING PING Signature
       • For this example the methodology was quite simple:
         • Start Wireshark with the icmp capture filter
         • Ping a host
         • Review data via the View -> Packet Bytes menu option
       • Packet Bytes pane excerpt (the hrPING payload signature): "est omnis divisa in partes tres, quarum unam incolunt Bel hrping"
    5. hrPING -l size option
       • When we inspect the ICMP Data Payload we see that it is 500 bytes, exactly what we typed in.
       • When we type in 5000 bytes and inspect the ICMP Data Payload we see that it consists of multiple packets, with the final one totaling 5,000 bytes.
       • This is evident since the ID values are all the same and the IP fragment bit is set.
    6. hrPING -L size option
       • When we inspect the IP Data Payload we see that it is 500 bytes, so the 500 bytes includes the ICMP header as part of the 500 bytes.
       • When we type in 5000 bytes and inspect the ICMP Data Payload we see that it consists of multiple packets, but the total size is less than 5,000 bytes. This is evident since the ID values are all the same and the IP fragment bit is set.
    7. hrPING -f option
       • When we ping without the –f option you can clearly see that the Don't Fragment bit is not set.
       • When we ping with the –f option you can clearly see that the Don't Fragment bit is set.
    8. hrPING -i TTL
       • When we ping without the –i option, you can see that the Time To Live is 255.
       • When we ping with the –i 3 option, you can see that the Time To Live is 3.
    9. hrPING -v TOS
       • When we ping without the –v option, you can see that the IP TOS is 0000.
       • When we ping with the –v 1111 option, the IP TOS is unchanged, but hrPING gives the following warning:
       • To be able to set TOS, you need to set the following DWORD value to 0:
       • HKLM\System\CurrentControlSet\Services\TCPip\Parameters\DisableUserTOSSetting
    10. hrPING -v TOS ... continued
       • After modifying the registry, things look better.
       • I used a TOS of 1111 just for an example.
    11. hrPING Timeout and Interval Options (-w, -o)
       • Even though all 4 ICMP packets were received (Wireshark), only 3 were counted by hrPING, due to our –w 40 (40 ms) timeout criteria.
       • Be careful, since this looks like a dropped packet, when in fact it is a packet exceeding our timeout value of 40 ms.
    12. hrPING ICMP ID (-I)
       • A couple of notes on this one:
         • All ICMP packets will have this sequence number, so using this to troubleshoot out-of-sequence packets makes things really difficult.
         • The value after the –I is interpreted in hex, so if you type 15, the ID is f.
       • This is a great example of changing your Wireshark column layout to make this analysis easier. I added the ICMP and IP identifiers, so I can work from the Packet List screen.
    13. hrPING Examination. Tony Fortunato, Sr Network Specialist; Peter Ciuffreda, Network Technician; The Technology Firm. Thank you.
    14. For additional educational videos on Open Source Network Tools, please click on the following: http://www.lovemytool.com/blog/ostu.html (LoveMyTool.com, Community for Network Tools)
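Worked example, added here and not part of the slides or of hrPING itself, modelling the sizes slides 2, 5, 6 and 7 describe: the 28-byte IP+ICMP overhead that separates -l from -L, the 65507-byte payload limit from hrPING's help text, and how a datagram larger than the link MTU is split into fragments (or cannot be sent at all when the Don't Fragment bit from -f is set). The 1500-byte MTU and the function names are assumptions of this example.

```python
"""Model hrPING's -l (ICMP payload) and -L (total IP datagram) sizing and
the fragmentation Wireshark shows for oversized pings. Example code, not hrPING."""

IP_HEADER = 20
ICMP_HEADER = 8
# hrPING's help text: maximum payload is 64k-1-20-8, i.e. 65507 bytes
MAX_PAYLOAD = 64 * 1024 - 1 - IP_HEADER - ICMP_HEADER


def datagram_size(option, size):
    """Return (icmp_payload_bytes, total_ip_length) for '-l size' or '-L size'."""
    if option == "-l":
        payload = size                                # size is the ICMP payload
    elif option == "-L":
        payload = size - IP_HEADER - ICMP_HEADER      # size is the whole datagram
    else:
        raise ValueError("option must be -l or -L")
    if not 0 <= payload <= MAX_PAYLOAD:
        raise ValueError(f"ICMP payload {payload} outside 0..{MAX_PAYLOAD}")
    return payload, IP_HEADER + ICMP_HEADER + payload


def fragments(total_ip_length, mtu=1500, dont_fragment=False):
    """Split one datagram into on-wire fragments for the given MTU (assumed 1500).

    Returns a list of (ip_total_length, more_fragments_flag, offset_bytes),
    one per fragment, which is what the IP header of each captured packet shows.
    With DF set and the datagram larger than the MTU nothing can be sent,
    so a ValueError is raised instead (the case the -f slide lets you test for).
    """
    if total_ip_length <= mtu:
        return [(total_ip_length, False, 0)]          # fits: a single packet
    if dont_fragment:
        raise ValueError("DF set and datagram exceeds MTU: packet would be dropped")
    # Fragment offsets are in 8-byte units, so each non-final fragment carries
    # the largest multiple of 8 data bytes that fits after the 20-byte IP header.
    data_per_frag = (mtu - IP_HEADER) // 8 * 8
    data = total_ip_length - IP_HEADER                # ICMP header + payload
    frags, offset = [], 0
    while offset < data:
        chunk = min(data_per_frag, data - offset)
        more = offset + chunk < data                  # MF flag on all but the last
        frags.append((IP_HEADER + chunk, more, offset))
        offset += chunk
    return frags


if __name__ == "__main__":
    for opt in ("-l", "-L"):
        for size in (500, 5000):
            payload, total = datagram_size(opt, size)
            print(opt, size, "-> payload", payload, "total", total, fragments(total))
```

With -l 5000 the datagram is 5028 bytes and arrives as four fragments; with -L 5000 it is exactly 5000 bytes, which is why the slide notes the reassembled total is less than 5,000 bytes of ICMP data.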