Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

ping

Note:  material below is based on Wikipedia article and Solaris man page

Ping uses the Internet Control Message Protocol (ICMP) Echo function which is detailed in RFC 792. A small packet is sent through the network to a particular IP address. This packet contains 64 bytes - 56 data bytes and 8 bytes of protocol reader information. The computer that sent the packet then waits (or 'listens') for a return packet. If the connections are good and the target computer is up, a good return packet will be received. PING can also tell the user the number of hops that lie between two computers and the amount of time it took for a packet the round trip(tounf trip time). . Additionaly, an administrator can use Ping to test out name resolution. If the packet bounces back when sent to the IP address but not when sent to the name, then the system is having a problem matching the name to the IP address. Ping now also is used as a web (as in "ping the server") if it is up" The time it takes for the packet to get to the target computer and back again is known as If this takes an extended period of time, it is indicative that something may be wrong. (Sources: Netlingo site, Windows NT Help Menu, Connected: An Internet Encyclopedia site, Brown Computer Solutions site, Guide to Practical Linux by Mark G. Sobell,

The author of the initial version of the ping program used today was Mike Muss. Many other people have tweaked, rewritten, and extended the idea since then. Ping was named after the sound of a sonar tracking system. There is even a story claiming that a system administrator wrote a script that repeatedly pinged a host on the network and made an audible "pinging" alert for each success.

ping used to be a very good indicator of a machine's capability to receive and send IP packets in general. If you could ping a host, you could also make an FTP or HTTP connection. With the wider advent of packet filtering for security, this is becoming less true. Many firewalls explicitly disallow ICMP packets on two grounds:

1. People don't need to know what your internal network looks like.
2. Any protocol, even ICMP, can be used to launch an attack.

Deciding whether to let ICMP through your firewall is a tough call to make, but securitywise the return on investment of blocking it is negative. There are certainly attacks based on ICMP (such as the "ping of death," which uses oversized ping packets to overload the IP stack of the target, often with spectacular results. But if you choose to block ICMP into your network, make sure you've thought about the repercussions.

Additional flavors include fping command. The fping command was written to ping a range of addresses, and it is commonly used in network scanners and monitors such as  saint (see Monitoring Tools). Another variant is the Perl Net::ping module, which provides a Perl implementation of ping functionality that can easily be used from within a script without calling an external program. You might use it in a script like that shown below:

#!/usr/bin/perl -w

use strict;
use Net::ping;

my $host =$ARGV[0];

my $p =Net::ping->new("icmp ";

if ($p->ping($host)) {
  print "$host is alive.\n";
} else {
  print "$host is not reachable.\n ";
}

hping is another variant of the standard ping. It is actually a superset of ping, enabling you to ping hosts using non-ICMP protocols, elicit ICMP responses from UDP probes, and even craft your own packets to test for specific behavior. ping is most often used without additional arguments and shut off with a Ctrl+C:

Several useful options exist for the ping command:

root@cherry /root]# ping -c 10 -fq mango

It might be of some benefit to test larger packets; using ping -c10 -s 1024 -qf will send larger packets for you. This can be especially useful when you suspect problems with fragmented packets.

To see the route that your packets are traversing, you can use ping -c10 -R

If you have a host that isn't communicating with the other hosts on its network (for example, you can't ping it, nor can the host ping other boxes), looking in the arp cache is a quick check to see if the host is talking to the network or if there is already another host on the network with the same IP address.

If you are looking for an even more detailed explanation of Ping and also how to use it in detecting network problems, goto Heavy Ping Detail.

Looking for the source code for the first Ping program? Click the Ping Source Code (shell archive). Here is the source code on in html format Ping Source code (html format) For complete details on the options available with ping, please go to the FreeBSD Ping manual page. FreeBSD also has a Ping command that uses the ICMP6 ECHO_REQUEST datagram (as opposed to standard ICMP ECHO_REQUEST packets) that is called Ping6. Also, here is the Linux Ping manpage. In both FreeBSD and Linux, Ping is in Section 8 of the manpages. Here are the manpages for additional operating systems: NetBSD, OpenBSD and Plan 9 from Bell Labs

Cool web-based utilities that use ping include sites like  PingMePlease, Ping2Me.com and Just Ping where one can have their computer pinged from a remote site via a web browser.

The usefulness of ping in assisting the "diagnosis" of Internet connectivity issues was impaired from late in 2003, when a number of Internet Service Providers filtered out ICMP Type 8 (echo request) messages at their network boundaries. This was partly due to the increasing use of ping for target reconnaissance, for example by Internet worms such as Welchia that flood the Internet with ping requests in order to locate new hosts to infect. Not only did the availability of ping responses leak information to an attacker, it added to the overall load on networks, causing problems to routers across the Internet.

There are two schools of thought concerning ICMP on the public Internet: those who say it should be largely disabled to enable network 'stealth', and those who say it should be enabled to allow proper Internet diagnostics.

These two schools of thought merge when considering intranet/extranet networks within the same organization. An example would be an organization which maintains 'buffer' network(s) to shield said net from the raw internet, such a network is usually described as a DMZ (after the military designation 'demilitarized zone'). In such a scenario an organization would maintain both a network(s) that would allow ICMP packets to radiate within the internal (trusted network[s]), and disallow ICMP (ping) packets in a separated network that would more often than not include raw internet facing systems.

Old News ;-)

An Overview of ping By Pat Eyler

Ping is an diagnostic tool for verifying connectivity between two hosts on a network. It sends ICMP Echo Request packets to a remote IP address and watches for ICMP responses. The author of the initial version of the ping program that we use today was Mike Muss. Many other people have tweaked, rewritten, and variously abused ping since then.

The name ping itself is somewhat colorful. Some people will claim that it is an acronym standing for the Packet INternet Groper, this is not the case. Ping was named after the sound of a sonar tracking system. There is even a story claiming that a system administrator wrote a script which repeatedly pinged a host on the network and made an audible "pinging" alert for each success. The system administrator was then able to methodically go through his network checking BNC connectors until he found the dodgy connector that had been plaguing his network — when the noises stopped, he'd found his culprit.

Ping used to be a very good indicator of a machines ability to receive and send IP packets in general. If you could ping a host, you could also make an ftp or http connection. With the wider advent of packet filtering for security, this is becoming less true. Many firewalls explicitly disallow ICMP packets on the twin grounds that,

1) people don't need to know what your internal network looks like,

2) and, any protocol can be used to launch an attack, even ICMP.

Deciding whether to let ICMP through your firewall is a tough call to make. There are certainly good uses for ICMP, but there are also attacks based on ICMP (e.g., the "Ping of Death", which used oversized ping packets to overload the IP stack of the target — with often spectacular results). If you choose to allow ICMP into your network make sure you've thought about the repercussions.

There are additional flavors of the ping command that have been written for other purposes. Among the most common is the fping command. Which was written to ping a range of addresses, and is commonly used in network scanners and monitors like saint and mon (both of which are covered in this chapter). Another variation is the Net::Ping module, which provides a perl implementation of Ping functionality that can easily be used from within a script without calling an external program. You might use the script something like this:

Example 1. Using Net::Perl

#!/usr/bin/perl -w use strict; use Net::Ping; my $host = $ARGV[0]; my $p = Net::Ping->new("icmp"); if ($p->ping($host)) { print "$host is alive.\n"; } else { print "$host is not reachable.\n"; }

ping at Work

Ping is most often used without additional arguments and shut off with a Ctrl–c. The results look like this:

[pate@cherry pate]$ ping mango PING mango (192.168.1.1) from 192.168.1.10 : 56(84) bytes of data. 64 bytes from mango (192.168.1.1): icmp_seq=0 ttl=255 time=0.5 ms 64 bytes from mango (192.168.1.1): icmp_seq=1 ttl=255 time=0.3 ms 64 bytes from mango (192.168.1.1): icmp_seq=2 ttl=255 time=0.3 ms 64 bytes from mango (192.168.1.1): icmp_seq=3 ttl=255 time=0.3 ms 64 bytes from mango (192.168.1.1): icmp_seq=4 ttl=255 time=0.3 ms 64 bytes from mango (192.168.1.1): icmp_seq=5 ttl=255 time=0.3 ms --- mango ping statistics --- 6 packets transmitted, 6 packets received, 0% packet loss round-trip min/avg/max = 0.3/0.3/0.5 ms [pate@cherry pate]$

This output can split into three sections. The first section, the single line starting with the word "PING", shows an overview of the command. The second section, the lines beginning with "64 bytes" show a running tally of the responses received. The third section, everything after the line "--- mango ping statistics ---", shows a summary of the results. In this case, the results are good, none of the packets were dropped and they were all passed fairly quickly.

This example also shows another important point, you should not rely on a single packet to diagnose your network. A series of five or ten is much better, as you can count up to 40% data loss as congestion on a network, and even a single packet dropped can be attributed to a busy host on the other end.

There are several useful options to the ping command. These are summarized in the following table:

Table 1. Ping Command Options

Switch	Description
-c count	Stop sending and receiving packets after count packets.
-d	Set the SO_DEBUG on the socket used.
-f	Send the packets as fast as possible. (flood)
-i wait	Set an interval of wait seconds between packets.
-I 〈device〉	Sets the output interface.
-l preload	Sends preload packets as fast as possible, then drops back to normal mode.
-n	Don't look up hostnames, just give IP addresses. (numeric)
-p pattern	Specify up to 16 bytes of "pad data" to be sent with the packet.
-q	Output only summary lines. (quiet)
-r	Don't use routing tables to send the packet, just drop it out the local interface.
-R	Set the Record Route option.
-s packetsize	Set the number of data bytes sent to packetsize.
-T tsonly	Sends a ping with the timestamp option.
-T tsandaddr	Collects timestamps and addresses
-T tsprespec [host1 [host2 [host3 [host4]]]]	Collects timestamps and addresses from prespecified hops.

These options can be combined to make ping even more helpful. One thing that you cannot see is that the ping command used in the previous section is likely to take several seconds to run and report back. Using the -f switch will reduce the time spent waiting for the command. Combining this with the -c 10 and the -q switches will give you quick results and easier output to read:

[root@cherry /root]# ping -c 10 -fq mango PING mango (192.168.1.1) from 192.168.1.10 : 56(84) bytes of data. --- mango ping statistics --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.2/0.9 ms [root@cherry /root]#

Note: The -f and -l switches can only be used by root, as they can cause serious network degradation if misused.

It might be of some benefit to test larger packets, using ping -c10 -s 1024 -qf will send larger packets for you. This can be especially useful where you suspect problems with fragmented packets.

To see the route that your packets are traversing, you can use ping -c10 -R. This command produces the following output:

PING tbr.nailed.org (206.66.240.72) from 192.168.1.10 : 56(124) bytes of data. 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=0 ttl=239 time=217.2 ms RR: 192.168.1.10 216.41.39.90 serial0.mmgw32.bos1.Level3.net (209.244.39.25) 208.218.130.22 166.90.184.2 so-6-0-0.mp2.NewYork1.level3.net (209.247.10.45) 137.39.52.10 180.ATM7-0.BR2.NYC9.ALTER.NET (152.63.22.229) lo0.XR2.NYC9.ALTER.NET (137.39.4.175) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=1 ttl=239 time=1940.8 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=2 ttl=239 time=250.6 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=3 ttl=239 time=230.3 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=4 ttl=239 time=289.8 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=5 ttl=239 time=1261.4 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=6 ttl=239 time=469.4 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=7 ttl=239 time=1272.3 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=8 ttl=239 time=353.1 ms (same route) 64 bytes from bigfun.whirlycott.com (206.66.240.72): icmp_seq=9 ttl=239 time=1281.1 ms (same route) --- tbr.nailed.org ping statistics --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 217.2/756.6/1940.8 ms

Note: The record route option specified by the -R switch is not honored by all routers and hosts. Further, it contains only a limited space to hold router addresses, traceroute may be a better tool for identifying the path packets follow through a network.

The ping command is a very useful tool for your troubleshooting kit, and should not be overlooked.

This article is copyright 2000, Pat Eyler and New Riders Publishing. It is presented under the Open Publication License, with no additional terms applied. It is a draft version of a section of the book Networking Linux: A Practical Guide to TCP/IP, which will be published by New Riders Publishing in the winter.

Recommended Links

The Ping Page - Information About The Ping Utility

The Story of the PING Program

ping - Wikipedia, the free encyclopedia

The Ping Page - Information About The Ping Utility

FreeBSD Ping Manpage

Tutorial on Internet Monitoring and PingER at SLAC

Reference

/usr/sbin/ping host [timeout]
/usr/sbin/ping -s [-l| -U] [-adlLnrRv] [-A addr_family] [-c traffic_class] [-g gateway [-g gateway...]] [-F flow_label] [-I interval] [-i interface] [-P tos] [-p port] [-t ttl] host [data_size] [npackets]
 

The utility ping utilizes the ICMP (ICMP6 in IPv6) protocol's ECHO_REQUEST datagram to elicit an ICMP (ICMP6) ECHO_RESPONSE from the specified host or network gateway. If host responds, ping will print:

host is alive

on the standard output and exit. Otherwise, after timeout seconds, it will write:

no answer from host

The default value of timeout is 20 seconds.

When you specify the s flag, sends one datagram per second (adjust with -I) and prints one line of output for every ECHO_RESPONSE that it receives. ping produces no output if there is no response. In this second form, ping computes round trip times and packet loss statistics; it displays a summary of this information upon termination or timeout. The default data_size is 56 bytes, or you can specify a size with the data_size command-line argument. If you specify the optional npackets, ping sends ping requests until it either sends npackets requests or receives npackets replies.

When using ping for fault isolation, first ping the local host to verify that the local network interface is running.

OPTIONS

The following options are supported:

-A addr_family

Specify the address family of the target host. addr_family can be either inet or inet6. Address family determines which protocol to use. For an argument of inet, IPv4 is used. For inet6, IPv6 is used.

By default, if the name of a host is provided, not the literal IP address, and a valid IPv6 address exists in the name service database, ping will use this address. Otherwise, if the name service database contains an IPv4 address, it will try the IPv4 address.

Specify the address family inet or inet6 to override the default behavior. If the argument specified is inet, ping will use the IPv4 address associated with the host name. If none exists, ping will state that the host is unknown and exit. It does not try to determine if an IPv6 address exists in the name service database.

If the specified argument is inet6, ping uses the IPv6 address that is associated with the host name. If none exists, ping states that the host is unknown and exits.

-F flow_label

Specify the flow label of probe packets. The value must be an integer in the range from 0 to 1048575. This option is valid only on IPv6.

-I interval

Turn on the statistics mode and specify the interval between successive transmissions. The default is one second. See the discussion of the -s option.

-L

Turn off loopback of multicast packets. Normally, members are in the host group on the outgoing interface, a copy of the multicast packets will be delivered to the local machine.

-P tos

Set the type of service (tos) in probe packets to the specified value. The default is zero. The value must be an integer in the range from 0 to 255. Gateways also in the path can route the probe packet differently, depending upon the value of tos that is set in the probe packet. This option is valid only on IPv4.

-R

Record route. Sets the IPv4 record route option, which stores the route of the packet inside the IPv4 header. The contents of the record route are only printed if the -v and -s options are given. They are only set on return packets if the target host preserves the record route option across echos, or the -l option is given. This option is valid only on IPv4.

-U

Send UDP packets instead of ICMP (ICMP6) packets. ping sends UDP packets to consecutive ports expecting to receive back ICMP (ICMP6) PORT_UNREACHABLE from the target host.

-a

ping all addresses, both IPv4 and IPv6, of the multihomed destination. The output appears as if ping has been run once for each IP address of the destination. If this option is used together with -A, ping probes only the addresses that are of the specified address family. When used with the -s option and npackets is not specified, ping continuously probes the destination addresses in a round robin fashion. If npackets is specified, ping sends npackets number of probes to each IP address of the destination and then exits.

-c traffic_class

Specify the traffic class of probe packets. The value must be an integer in the range from 0 to 255. Gateways along the path can route the probe packet differently, depending upon the value of traffic_class set in the probe packet. This option is valid only on IPv6.

-d

Set the SO_DEBUG socket option.

-g gateway

Specify a loose source route gateway so that the probe packet goes through the specified host along the path to the target host. The maximum number of gateways is 8 for IPv4 and 127 for IPv6. Note that some factors such as the link MTU can further limit the number of gateways for IPv6.

-i interface_address

Specify the outgoing interface address to use for multicast packets for IPv4 and both multicast and unicast packets for IPv6. The default interface address for multicast packets is determined from the (unicast) routing tables. interface_address can be a literal IP address, for example, 10.123.100.99, or an interface name, for example, le0, or an interface index, for example 2.

-l

Use to send the probe packet to the given host and back again using loose source routing. Usually specified with the -R option. If any gateways are specified using -g, they are visited twice, both to and from the destination. This option is ignored if the -U option is used.

-n

Show network addresses as numbers. ping normally does a reverse name lookup on the IP addresses it extracts from the packets received. The -n option blocks the reverse lookup, so ping prints IP addresses instead of host names.

-p port

Set the base UDP port number used in probes. This option is used with the -U option. The default base port number is 33434. The ping utility starts setting the destination port number of UDP packets to this base and increments it by one at each probe.

-r

Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has been dropped by the router daemon. See in.routed(1M).

-s

Send one datagram per second and collect statistics.

-t  ttl

Specify the IPv4 time to live, or IPv6 hop limit, for unicast and multicast packets. The default time to live (hop limit) for unicast packets can be set with ndd(1M) using the icmp_ipv4_ttl variable for IPv4 and the icmp_ipv6_ttl variable for IPv6. The default time to live (hop limit) for multicast is one hop.

-v

Verbose output. List any ICMP (ICMP6) packets, other than replies from the target host.

 

OPERANDS

host

The network host

EXAMPLES

---

Example 1 Using ping With IPv6

This example shows ping sending probe packets to all the IPv6 addresses of the host london, one at a time. It sends an ICMP6 ECHO_REQUEST every second until the user interrupts it.

istanbul% ping -s -A inet6 -a london PING london: 56 data bytes     64 bytes from london (4::114:a00:20ff:ab3d:83ed): icmp_seq=0. time=2. ms     64 bytes from london (fec0::114:a00:20ff:ab3d:83ed): icmp_seq=1. time=1. ms     64 bytes from london (4::114:a00:20ff:ab3d:83ed): icmp_seq=2. time=1. ms     64 bytes from london (fec0::114:a00:20ff:ab3d:83ed): icmp_seq=3. time=1. ms     64 bytes from london (4::114:a00:20ff:ab3d:83ed): icmp_seq=4. time=1. ms     64 bytes from london (fec0::114:a00:20ff:ab3d:83ed): icmp_seq=5. time=1. ms     ^C     ----london PING Statistics----     6 packets transmitted, 6 packets received, 0% packet loss     round-trip (ms)  min/avg/max = 1/1/2

 

---

EXIT STATUS

The following exit values are returned:

0

Successful operation; the machine is alive.

non-zero

An error has occurred. Either a malformed argument has been specified, or the machine was not alive.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWbip

SEE ALSO

ifconfig(1M), in.routed(1M), ndd(1M), netstat(1M), rpcinfo(1M), traceroute(1M), attributes(5), icmp(7P), icmp6(7P)

History

Ping was created by Mike Muuss (pronounced "moose") of the Army Research Laboratory in December 1983 in about a day in response to network difficulties he encountered. Mike died in a car accident on Interstate 95 near Havre de Grace, Maryland, USA at about 11 PM on Monday, November 20, 2000 at the age of 42. Mike accomplished much in his short life, but he will be best remembered for coding and giving away the source to ping. Read Mike Muuss' obituary from The Baltimore Sun, November 25. He serves as a lesson to all of us in the computer community that you are remembered not for how much you make, but how much you give away. Thank you Mike, for leaving a bit of yourself behind to help us in our computing journeys; we are going to miss you.

Mike account is available at The Story of the PING Program

Last modified: June 02, 2008