Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts.
OSTU - hrPING QuickStart Part 2 (by Tony Fortunato & Peter Ciuffreda)
1. Examining hrPING v2.39 with Wireshark, Part 2
Tony Fortunato, Sr Network Specialist
Peter Ciuffreda, Network Technician
The Technology Firm
2. hrPING options to review

In part 2 we use Wireshark to ensure that the various options work as advertised.

-l size  Send buffer size (ICMP payload size). How many bytes of payload should be sent? Remember that each packet is of the form: IP header (20 bytes) + ICMP header (8 bytes) + payload. You may only specify the payload size. Minimum is 0, maximum is 64k-1-20-8, i.e., 65507 bytes. Default is 64 bytes.

-L size  Total IP datagram size (ICMP payload size + 28). Same as the above, only that this size is the size of the total IP datagram.

-f  Set Don't Fragment flag in packet. Set the "Don't fragment" bit in the IP header of the PING packet. Default is not set.

-i TTL  Time To Live. Set the "Time To Live" value in the IP header of the PING packet. Default is 255.

-v TOS  Type Of Service. Set the "Type Of Service" bits in the IP header of the PING packet. Default is 0.

-w timeout  Timeout in milliseconds to wait for each reply. Maximum timeout to wait for a reply. This is almost only of use if you switch to non-overlapped (i.e., Windows PING like) mode. In overlapped mode this time only applies when hrPING has stopped sending (because the count was exceeded or because you pressed CTRL-C) and is waiting for missing replies. Default is 2000 milliseconds.

-s time  Interval in milliseconds between packets. This is the number of milliseconds between the sending of two PING packets. hrPING will try to stick to this number very accurately: if sending took a little longer for one packet it will send out the next packet a little earlier. Default is 500 milliseconds. (You can use decimals for a very fine-grained interval: -s5.4 will send a packet every 5400 microseconds, on average!)

-I id  Set ICMP id field to <id>. Set the "Identification" IP header field to the value specified. It is possible that Windows erases or overwrites this field when sending the packet.

-o  Don't do overlapped send/receive. Use Windows PING like synchronous sending of one packet, waiting for the reply and so on. Off by default.
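The checks part 2 performs with Wireshark (does -l set the ICMP payload, does -L set the whole datagram, did -f, -i, -v and -I land in the header) can also be done programmatically. The following is an added example written for this page; it is not hrPING's code and not part of the original presentation. It builds an IPv4/ICMP Echo Request with the fields those switches control, decodes it back into the values Wireshark's Packet Details pane shows, and verifies both checksums. The 192.0.2.x addresses, the IP identification constant, the helper names and the `fragmentation_outcome` rule-of-thumb are assumptions for illustration; the sample payload is constructed inline.

```python
"""Build and decode ICMP Echo Requests to verify hrPING-style size, DF, TTL, TOS and id settings.

Added example for this page; not hrPING's source. Addresses and helper names are assumptions.
"""
import socket
import struct

IP_HEADER_LEN = 20        # IPv4 header without options
ICMP_HEADER_LEN = 8       # type, code, checksum, identifier, sequence
MAX_IP_DATAGRAM = 65535   # 16-bit total-length field
MAX_ICMP_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN  # 65507, the -l ceiling
DF_FLAG = 0x4000          # "Don't Fragment" bit in the IPv4 flags/fragment-offset field

# The 32-byte pattern Windows ping carries ("the alphabet"); used here as constructed sample input.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a correctly checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def payload_for_total_size(total_size: int) -> int:
    """-L gives the whole IP datagram; the ICMP payload is that size minus the 28 header bytes."""
    return total_size - IP_HEADER_LEN - ICMP_HEADER_LEN


def build_echo_request(payload: bytes, *, ttl: int = 255, tos: int = 0, df: bool = False,
                       icmp_id: int = 1, seq: int = 1,
                       src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Construct IPv4 + ICMP Echo Request bytes (assumed addresses, fixed IP identification 0xBEEF)."""
    if not 0 <= len(payload) <= MAX_ICMP_PAYLOAD:
        raise ValueError("payload must be 0..%d bytes" % MAX_ICMP_PAYLOAD)
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + payload   # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = IP_HEADER_LEN + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0xBEEF,
                     DF_FLAG if df else 0, ttl, 1, 0,            # protocol 1 = ICMP, checksum 0
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def decode_echo_request(packet: bytes) -> dict:
    """Extract the fields Wireshark's Packet Details pane shows for an ICMP Echo Request."""
    ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:IP_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP packet")
    icmp = packet[ihl:total_len]
    itype, _code, _csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:ICMP_HEADER_LEN])
    payload = icmp[ICMP_HEADER_LEN:]
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "total_length": total_len,                  # what -L sets
        "ip_payload_length": total_len - ihl,       # ICMP header + payload
        "icmp_payload_length": len(payload),        # what -l sets
        "dont_fragment": bool(flags_frag & DF_FLAG),  # -f
        "ttl": ttl,                                 # -i
        "tos": tos,                                 # -v
        "ip_id": ip_id,
        "icmp_type": itype, "icmp_id": icmp_id, "icmp_seq": seq,  # -I lands in one of the id fields
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload_signature": payload[:8],           # first bytes, the "application signature"
    }


def fragmentation_outcome(total_len: int, mtu: int, df: bool) -> str:
    """Rule of thumb for a router whose next hop has MTU `mtu` (assumed model, no IP options)."""
    if total_len <= mtu:
        return "forwarded"
    if df:
        return "dropped (DF set; router returns ICMP fragmentation needed)"
    return "fragmented"


if __name__ == "__main__":
    pkt = build_echo_request(WINDOWS_PING_PAYLOAD, ttl=128, tos=0x10, df=True, icmp_id=0x4242)
    for key, value in decode_echo_request(pkt).items():
        print("%-20s %r" % (key, value))
    print("5000-byte datagram with DF over 1500 MTU:", fragmentation_outcome(5000, 1500, True))
```

Decoding a packet pulled from a pcap instead of a constructed one only needs the IPv4 header onward (strip the Ethernet frame first); the dictionary then gives the same numbers the presentation reads off the Wireshark details pane, plus a checksum verdict Wireshark only shows when checksum validation is enabled.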
13. hrPING Examination
Tony Fortunato, Sr Network Specialist
Peter Ciuffreda, Network Technician
The Technology Firm
Thank you
Editor's Notes
Hello, it's Tony Fortunato and Peter Ciuffreda from The Technology Firm. In this session we are going to examine hrPing in a bit more detail. Enjoy.

Why are we working on hrPing again?
In this presentation I want to use Wireshark to show if hrPing's options really work as advertised.
I'm confused, why wouldn't they?
Well, sometimes either software goes out with a bug, or the supporting documentation isn't clear. I'm sure you know how it feels when you put a lot of time into writing something and the audience misunderstands.
Trust me Tony, I know the feeling.

I guess we better set up Wireshark to capture our ICMP or ping packets. I can't tell you how many times I see analysts hit the start button and then struggle through various display filters.
So what do you suggest we do to avoid that?
Just a simple protocol filter. Type icmp in the capture filter area.

The ping signature was pretty easy to see.
Yeah, we basically looked at the Packet Bytes pane and there it was. An application signature is something I always try to find to make application identification easier. We also noticed that Microsoft's ping signature is the alphabet.

This option truly controls the ICMP data payload size. We have seen many applications where the size values are the IP payload size, not the ICMP payload. Be careful, some routers or firewalls may not let IP/ICMP fragments through.

In this case, the -L option controls the size of the IP payload.
So then 5,000 bytes isn't really 5,000 bytes, is it?
Nope.

OK, I can see the packet isn't fragmented in the first example, then is fragmented in the second. What's the big deal?
Sometimes when network devices can't transmit the entire packet, they fragment the packet. But only if fragmentation is allowed.
I get it, so if you want to send a specific packet size and make sure it doesn't get fragmented you can test for it, right?
Yup.

Now this one I understand. We can change the Time To Live to see if the packet is traversing more routers or hops, right?
Exactly. I also want to see if the ping works and then fails.
What does that tell you?
If there are multiple routes, one router could be flapping, causing an extra hop.

OK, so something finally failed. The -v option doesn't work, right?
Actually, the programmer had enough foresight or experience to check if the proper registry setting is in place to make this option work.

I see, now that you modified your registry, it works. Would you consider this a problem?
Not really. Since the programmer pretty well told us exactly what to change, I think this is one of those options you need to pay attention to if you have an issue.

Why would you ever NOT want to count a packet?
Sometimes due to excessive delay, ARP resolution, or congestion, you may want to ignore that first packet.
So if the remaining ones come through OK, you would be fine with that?
Absolutely.

OK, Tony, you have to explain why I would want to specify an ICMP ID number.
The only scenario I can think of for using this option is if there's a considerable amount of ICMP traffic on a link and you want to quickly pick out your packets.

Tony: Hope you enjoyed this tip.
Peter: Have a good day folks, bye for now.