
OSTU - hrPING QuickStart Part 2 (by Tony Fortunato & Peter Ciuffreda)


Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts.


Page 1: OSTU - hrPING QuickStart Part 2 (by Tony Fortunato & Peter Ciuffreda)

© 2009 www.thetechfirm.com

Examining hrPINGv2.39 with

Wireshark Part 2

Tony Fortunato, Sr Network Specialist
Peter Ciuffreda, Network Technician

The Technology Firm

Page 2

-l size Send buffer size (ICMP payload size). How many bytes of payload should be sent? Remember that each packet is of the form: IP header (20 bytes) + ICMP header (8 bytes) + payload. You may only specify the payload size. Minimum is 0, maximum is 64k-1-20-8, i.e., 65507 bytes. Default is 64 bytes.

-L size Total IP datagram size (ICMP payload size + 28). Same as the above, only that this size here is the size for the total IP datagram.

-f Set Don't Fragment flag in packet. Set the "Don't fragment" bit in the IP header of the PING packet. Default is not set.

-i TTL Time To Live. Set the "Time To Live" value in the IP header of the PING packet. Default is 255.

-v TOS Type Of Service. Set the "Type Of Service" bits in the IP header of the PING packet. Default is 0.

-w timeout Timeout in milliseconds to wait for each reply. Maximum timeout to wait for a reply. This is almost only of use if you switch to non-overlapped (i.e., Windows PING like) mode. In overlapped mode, this time only applies when hrPING has stopped sending (because the count was exceeded or because you pressed CTRL-C) and is waiting for missing replies. Default is 2000 milliseconds.

-s time Interval in milliseconds between packets. This is the number of milliseconds between sending of two PING packets. hrPING will try to stick to this number very accurately. If sending took a little longer for one packet it will send out the next packet a little earlier. Default is 500 milliseconds. (You can use decimals for a very fine grained interval: -s5.4 will send a packet every 5400 microseconds, on average!)

-I Set ICMP id field to <id>. Set the "Identification" IP header field to the value specified. It is possible that Windows erases or overwrites this field when sending the packet.

-o Don't do overlapped send/receive. Use Windows PING like synchronous sending of one packet, waiting for the reply and so on. Off by default.

hrPING Options to review

In part 2 we use Wireshark to confirm that each of these options changes the packets on the wire as advertised.

Page 3

Wireshark Setup

To eliminate any background packets, use the simple icmp protocol capture filter.

Page 4

hrPING PING Signature

• For this example the methodology was quite simple:
• Start Wireshark with the icmp capture filter
• Ping a host
• Review data via the View -> Packet Bytes menu option

Payload text visible in the Packet Bytes view: est omnis divisa in partes tres, quarum unam incolunt Belhrping

Page 5

hrPing -l size option

When we inspect the ICMP Data Payload we see that it is 500 Bytes, exactly what we typed in.

When we type in 5000 Bytes and inspect the ICMP Data Payload we see that it consists of multiple packets, with the final one totaling 5,000 Bytes.

This is evident since the ID values are all the same and the IP fragment bit is set.

Page 6

hrPing -L size option

When we inspect the IP Data Payload we see that it is 500 Bytes, so with -L the 500 Bytes includes the ICMP header rather than being pure payload.

When we type in 5000 Bytes and inspect the ICMP Data Payload we see that it consists of multiple packets, but the total size is less than 5,000 Bytes.

This is evident since the ID values are all the same and the IP fragment bit is set.
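The two size options differ only in where the 28 header bytes are counted, and a payload larger than the link MTU is what produces the chain of fragments (same IP Identification, More Fragments set on all but the last) seen on the previous two slides. The following Python is an added example, not hrPING's code or anything from the deck; it reproduces the size arithmetic from hrPING's own help text (20-byte IP header, 8-byte ICMP header, 65507-byte maximum) and plans the fragment layout for an assumed 1500-byte Ethernet MTU. Function and class names are ours.

```python
"""Size arithmetic behind hrPING's -l and -L options, and the IP fragment
layout Wireshark shows when the echo request exceeds the link MTU.
Added example; the layout assumes a 1500-byte MTU and no IP options."""
from dataclasses import dataclass
from typing import List

IP_HDR = 20                              # IPv4 header without options
ICMP_HDR = 8                             # ICMP echo header
MAX_PAYLOAD = 65535 - IP_HDR - ICMP_HDR  # 65507, the maximum hrPING's help quotes


def payload_from_l(size: int) -> int:
    """-l size: the number typed is the ICMP payload itself."""
    if not 0 <= size <= MAX_PAYLOAD:
        raise ValueError(f"-l must be 0..{MAX_PAYLOAD}, got {size}")
    return size


def payload_from_L(size: int) -> int:
    """-L size: the number typed is the whole IP datagram, so the 28 header
    bytes come out of it before any payload is counted."""
    payload = size - IP_HDR - ICMP_HDR
    if not 0 <= payload <= MAX_PAYLOAD:
        raise ValueError(f"-L must be {IP_HDR + ICMP_HDR}..65535, got {size}")
    return payload


@dataclass
class Fragment:
    on_wire: int          # bytes on the wire including the 20-byte IP header
    offset_units: int     # IP fragment offset field (in 8-byte units)
    more_fragments: bool  # MF flag; True on every fragment except the last


def plan_fragments(payload: int, mtu: int = 1500,
                   dont_fragment: bool = False) -> List[Fragment]:
    """Split one echo request of `payload` data bytes into IP fragments.
    Every fragment would carry the same IP Identification value (not modelled);
    the MF flag and offsets are what Wireshark uses to tie them together."""
    ip_payload = ICMP_HDR + payload          # ICMP header + data, behind the IP header
    if IP_HDR + ip_payload <= mtu:
        return [Fragment(IP_HDR + ip_payload, 0, False)]
    if dont_fragment:
        # -f sets DF: a hop that cannot forward the datagram whole must drop it
        raise ValueError("DF is set but the datagram exceeds the MTU")
    chunk = (mtu - IP_HDR) // 8 * 8          # per-fragment data must be a multiple of 8
    frags: List[Fragment] = []
    sent = 0
    while sent < ip_payload:
        n = min(chunk, ip_payload - sent)
        frags.append(Fragment(IP_HDR + n, sent // 8, sent + n < ip_payload))
        sent += n
    return frags


def reassembled_size(frags: List[Fragment]) -> int:
    """Total IP datagram length once the fragments are put back together."""
    return IP_HDR + sum(f.on_wire - IP_HDR for f in frags)


if __name__ == "__main__":
    for opt, size in (("-l", 5000), ("-L", 5000)):
        data = payload_from_l(size) if opt == "-l" else payload_from_L(size)
        frags = plan_fragments(data)
        print(f"{opt} {size}: ICMP data {data} bytes, {len(frags)} fragments, "
              f"reassembled datagram {reassembled_size(frags)} bytes")
        for f in frags:
            print(f"   {f.on_wire:5d} bytes  offset {f.offset_units * 8:5d}  MF={f.more_fragments}")
```

Running it shows why the -L 5000 capture comes out short of 5,000 bytes of ICMP data: the reassembled datagram is exactly 5000 bytes, but 28 of those are headers, whereas -l 5000 yields a 5028-byte datagram split into four fragments of 1500, 1500, 1500 and 588 bytes.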

Page 7

hrPing -f option

When we ping without the -f option you can clearly see that the Don't Fragment bit is not set.

When we ping with the -f option you can clearly see that the Don't Fragment bit is set.

Page 8

hrPing -i TTL

When we ping without the -i option, you can see that the Time to Live is 255.

When we ping with the -i 3 option, you can see that the Time to Live is 3.

Page 9

hrPing -v TOS

When we ping without the -v option, you can see that the IP TOS is 0000.

When we ping with the -v 1111 option, the Time to Live is unchanged, but hrPing gives the following warning:

To be able to set TOS, you need to set the following DWORD value to 0:HKLM\System\CurrentControlSet\Services\TCPip\Parameters\DisableUserTOSSetting

Page 10

hrPing -v TOS … continued

After modifying the registry, things look better. I used a TOS of 1111 just for an example.

Page 11

hrPING Timeout and Interval Options (-w, -o)

• Even though all 4 ICMP packets were received (Wireshark), only 3 were counted by hrPing, due to our -w 40 (40 ms) timeout criteria.

• Be careful since this looks like a dropped packet, when in fact it is a packet exceeding our timeout value of 40 ms.
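The gap between the four replies in the capture and the three hrPING reported is worth reproducing, because the same discrepancy shows up whenever a tool's timeout is tighter than the path's worst-case RTT. The Python below is an added example, not part of the deck or of hrPING; it models the synchronous (-o) case, matching replies to requests by ICMP sequence number over a constructed capture timeline and separating replies that arrived within the -w window from replies that arrived late. The event list and timestamps are invented for illustration.

```python
"""Reconcile what Wireshark captured against what hrPING counted when a reply
arrives after the -w timeout. Added example; models the synchronous -o mode
and uses a constructed timeline, not a real capture."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    t_ms: float   # capture timestamp in milliseconds
    kind: str     # "request" or "reply"
    seq: int      # ICMP sequence number, which ties a reply to its request


def classify_replies(events: List[Event], timeout_ms: float) -> Dict[str, object]:
    """Match replies to requests by sequence number and split them into
    'counted' (RTT within the timeout) and 'late' (on the wire, but only after
    the tool gave up waiting). Requests with no reply at all are 'missing'."""
    pending: Dict[int, float] = {}
    summary: Dict[str, object] = {"received_on_wire": 0, "counted": 0,
                                  "late": [], "missing": []}
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "request":
            pending[ev.seq] = ev.t_ms
        elif ev.seq in pending:
            rtt = ev.t_ms - pending.pop(ev.seq)
            summary["received_on_wire"] += 1
            if rtt <= timeout_ms:
                summary["counted"] += 1
            else:
                summary["late"].append((ev.seq, rtt))
    summary["missing"] = sorted(pending)
    return summary


# Constructed capture: four echo requests 500 ms apart (-s 500, the default)
# and four replies, the third of which takes 85 ms to come back.
SAMPLE: List[Event] = [
    Event(0.0, "request", 1),    Event(11.6, "reply", 1),
    Event(500.0, "request", 2),  Event(523.0, "reply", 2),
    Event(1000.0, "request", 3), Event(1085.0, "reply", 3),
    Event(1500.0, "request", 4), Event(1510.9, "reply", 4),
]

if __name__ == "__main__":
    s = classify_replies(SAMPLE, timeout_ms=40)
    print(f"Wireshark saw {s['received_on_wire']} replies; hrPING counted {s['counted']}")
    for seq, rtt in s["late"]:
        print(f"  seq {seq}: {rtt:.1f} ms RTT exceeded the 40 ms timeout (reads as a loss)")
    if s["missing"]:
        print(f"  genuinely unanswered: {s['missing']}")
```

With the 40 ms timeout the summary matches the slide (four replies on the wire, three counted, sequence 3 late); re-running with the 2000 ms default counts all four, which is the quickest way to tell a slow reply from a real loss before digging into the capture.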

Page 12

hrPING ICMP ID (-I)

• A couple of notes on this one:
• All ICMP packets will have this sequence number, so using this to troubleshoot out of sequence packets makes things really difficult
• The value after the -I is interpreted in hex, so if you type 15, the ID is f

• This is a great example of changing your Wireshark column layout to make this analysis easier. I added the ICMP and IP identifiers, so I can work from the Packet List screen.
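Every check in this deck comes down to reading a handful of IPv4 and ICMP header fields off the captured bytes: the Don't Fragment and More Fragments flags, TTL, TOS, the IP Identification, and the ICMP identifier and sequence, plus the hrPING text signature in the payload. The Python below is an added example, not code from the deck or from hrPING; it builds an echo request the way the options would shape it and then dissects it into the same fields, keyed by Wireshark's display-filter names (ip.id, ip.ttl, ip.flags.df, icmp.ident, icmp.seq). The constructed payload reuses only the Latin fragment visible in the deck's Packet Bytes view; the addresses, the icmp.data_len and hrping_signature keys, and all function names are our own.

```python
"""Build and dissect the IPv4 + ICMP echo fields this deck inspects in Wireshark.
Added example; the payload text and addresses are constructed placeholders."""
import socket
import struct
from typing import Dict

# Constructed payload: the deck's Packet Bytes view shows Latin text
# ("...est omnis divisa in partes tres..."); only that fragment is used here.
SIGNATURE = b"est omnis divisa in partes tres"

IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags+offset, ttl, proto, csum, src, dst
ICMP_FMT = "!BBHHH"        # type, code, csum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes = SIGNATURE, *, ttl: int = 255, tos: int = 0,
                       dont_fragment: bool = False, ip_id: int = 0x1234,
                       icmp_id: int = 1, seq: int = 1,
                       src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    """Assemble one echo request as the deck's options would shape it
    (-i ttl, -v tos, -f, -I icmp_id). Addresses are documentation-range placeholders."""
    icmp = struct.pack(ICMP_FMT, 8, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    flags_frag = 0x4000 if dont_fragment else 0     # DF is bit 14; offset 0
    ip = struct.pack(IP_FMT, 0x45, tos, 20 + len(icmp), ip_id, flags_frag, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def dissect(packet: bytes) -> Dict[str, object]:
    """Return the fields under Wireshark's display-filter names where one exists;
    icmp.data_len and hrping_signature are our own labels, not Wireshark fields."""
    (ver_ihl, tos, total_len, ip_id, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields: Dict[str, object] = {
        "ip.id": ip_id,
        "ip.flags.df": bool(flags_frag & 0x4000),
        "ip.flags.mf": bool(flags_frag & 0x2000),
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8,
        "ip.ttl": ttl,
        "ip.dsfield": tos,
        "ip.len": total_len,
        "ip.checksum_ok": inet_checksum(packet[:ihl]) == 0,
    }
    # Only the first fragment carries the ICMP header; later ones are bare data.
    if proto == 1 and fields["ip.frag_offset"] == 0:
        icmp = packet[ihl:total_len]
        typ, code, _c, icmp_id, seq = struct.unpack(ICMP_FMT, icmp[:8])
        fields.update({
            "icmp.type": typ,
            "icmp.code": code,
            "icmp.ident": icmp_id,
            "icmp.ident_hex": f"0x{icmp_id:04x}",   # as the Packet Details pane shows it
            "icmp.seq": seq,
            "icmp.checksum_ok": inet_checksum(icmp) == 0,
            "icmp.data_len": len(icmp) - 8,
            "hrping_signature": icmp[8:].startswith(SIGNATURE),
        })
    return fields


if __name__ == "__main__":
    pkt = build_echo_request(b"x" * 500, ttl=3, tos=0b1111, dont_fragment=True, icmp_id=15)
    for key, value in dissect(pkt).items():
        print(f"{key:18} {value}")
```

Feeding the dissector a request built with ttl=3, tos=0b1111, dont_fragment=True and icmp_id=15 gives back exactly the values the -i, -v, -f and -I slides look for, with the identifier rendered as 0x000f; the same field names work as Wireshark custom columns, which is the column trick the slide above describes.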

Page 13

hrPING Examination

Tony Fortunato, Sr Network Specialist
Peter Ciuffreda, Network Technician

The Technology Firm

Thank you

Page 14

For additional educational videos on Open Source Network Tools, please click on the following …

http://www.lovemytool.com/blog/ostu.html

LoveMyTool.com – Community for Network Tools