ping

Last updated: 2019-04-16

 



Introduction

Packet Format

|IPv4 Header|ICMP Header|ICMP Payload|
| 20 bytes  | 8 bytes   | >=56 bytes |

The ping payload is typically 56 bytes, or

  64 bytes when the ICMP header is counted, and

  84 bytes including the IPv4 header.

Ethernet IP Packet

|Ethernet Frame|Ethernet MTU|

Ethernet MTU = IP MTU

 * Standard Ethernet supports an MTU of 1500 bytes

 * Internet IPv4 path MTU: at least 68 bytes, at most 64 KiB

    (Every internet module must be able to forward a datagram of 68 octets without further fragmentation)

IPv4 Header

  • Protocol set to 1 (ICMP)
  • Type of Service set to 0

ICMP Header (Field)

  • Type of ICMP message (8 bits)
  • Code (8 bits)
  • Checksum (16 bits)
  • Rest of header (32 bits): Identifier and Sequence Number for echo messages

ICMP Payload

 * may include a timestamp indicating the time of transmission

    (compute the round trip time in a stateless manner)

    (without needing to record the time of transmission of each packet)

 * returned reply should include the same payload
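An added example (written for this page, not code from iputils) that builds an ICMP Echo Request in the layout above (8-byte header, 56-byte payload whose first 8 bytes are the transmit timestamp), computes the RFC 1071 checksum, parses the packet back, and derives the RTT statelessly from a constructed reply; the identifier value and the filler byte pattern are constructed for the example.

```python
import struct

# Added example for this page, not code from iputils: construct and parse an
# ICMP echo packet in the layout described above (8-byte header + payload).
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence number


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request/reply; the checksum covers header and payload."""
    header = struct.pack(HEADER_FMT, icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, icmp_type, 0, csum, ident, seq) + payload


def timestamped_payload(send_time: float, size: int = 56) -> bytes:
    """Payload as the page describes it: transmit time first, then filler.
    The filler pattern is constructed here, not the exact iputils pattern."""
    secs, usecs = int(send_time), round((send_time % 1) * 1_000_000)
    return struct.pack("!II", secs, usecs) + bytes(i & 0xFF for i in range(size - 8))


def parse_echo(packet: bytes) -> dict:
    """Decode the header and verify the checksum over the whole packet."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]  # checksum field zeroed for recompute
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(zeroed) == csum}


def rtt_ms(reply: bytes, recv_time: float) -> float:
    """Stateless RTT: the reply echoes our timestamp, so no per-packet state is kept."""
    info = parse_echo(reply)
    if info["type"] != ICMP_ECHO_REPLY or not info["checksum_ok"]:
        raise ValueError("not a valid echo reply")
    secs, usecs = struct.unpack("!II", info["payload"][:8])
    return (recv_time - (secs + usecs / 1_000_000)) * 1000
```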

 


Installation

 

# CentOS

yum install -y iputils

# Ubuntu Package

  • iputils-ping        # BSD-derived; supports all the options available on inetutils' ping
  • inetutils-ping      # GNU

 

 


Commonly used ping options

 

-n

Numeric output only

-i interval

Wait interval seconds between sending each packet (default: 1 second).

-c count

Stop after sending count ECHO_REQUEST packets

-w deadline

Specify a timeout, in seconds

-a

Audible ping.

-f

Flood ping.

For every ECHO_REQUEST sent a "." is printed.

For every ECHO_REPLY received a backspace is printed, so the dots left on the line show how many packets are still outstanding.

Packets are sent as fast as replies come back.

Example

root@home:~# ping -f 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
.^C
--- 8.8.8.8 ping statistics ---
1290 packets transmitted, 1289 received, 0% packet loss, time 4171ms
rtt min/avg/max/mdev = 2.995/3.139/4.093/0.098 ms, ipg/ewma 3.236/3.152 ms

root@home:~# ping -f 192.168.123.15

PING 192.168.123.15 (192.168.123.15) 56(84) bytes of data.
...................................................................^C
--- 192.168.123.15 ping statistics ---
67 packets transmitted, 0 received, 100% packet loss, time 791ms

-I interface address

Set  source address to specified interface address

-q

Quiet output. Nothing is displayed except the summary lines

 


Disabling the ping response on Linux

 

Method 1: system

echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

Method 2: firewall

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

 


(DUP!)

 

server:~# ping r.r.r.r

PING r.r.r.r (r.r.r.r) 56(84) bytes of data.
64 bytes from r.r.r.r: icmp_req=1 ttl=111 time=16.4 ms
64 bytes from r.r.r.r: icmp_req=1 ttl=111 time=16.4 ms (DUP!)
64 bytes from r.r.r.r: icmp_req=1 ttl=111 time=16.4 ms (DUP!)

(DUP!) => Duplicate packets

Duplicate packets should never occur, and seem to be caused by inappropriate link-level retransmissions.

Duplicates may occur in many situations and are rarely (if ever) a good sign,

although the presence of low levels of duplicates may not always be cause for alarm.

 


ICMP

 

ICMP = Internet Control Message Protocol

The ping tool sends an ICMP echo request (type 8) to the host and waits for the ICMP echo reply (type 0).

Header

  • Protocol: ICMP (IP Header)
  • icmp-options (integer:integer)    # Matches ICMP "type:code" fields
     - ICMP Type: Type 8 = Echo, Type 0 = echo-reply
     - ICMP Code: not every ICMP Type has a meaningful "Code" field

e.g.

  • Type 8 — Echo => 0 (No Code)
  • Type 3 — Destination Unreachable => 0  (Net Unreachable), ... 15 (Precedence cutoff in effect)

ICMP state

ICMP packets are far from a stateful stream,

  since they are only used for control and should never establish any connections.

NEW, ESTABLISHED

However, there are four ICMP types that generate return packets, and these have two different states.

States:

  • NEW
  • ESTABLISHED

ICMP types

  • Echo request and reply
  • Timestamp request and reply
  • Information request and reply
  • Address mask request and reply

The reply packet is considered as being ESTABLISHED, as we have already explained.

However, we can know for sure that after the ICMP reply, there will be absolutely no more legal traffic in the same connection.

For this reason, the connection tracking entry is destroyed once the reply has traveled all the way through the Netfilter structure.

ICMP requests have a default timeout of 30 seconds, which you can change in the /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout entry.

RELATED

ICMP Host Unreachable or ICMP Network Unreachable messages get the RELATED state

TCP

Client -> SYN -> NEW -> ROUTER -> X

Client <- ICMP <- RELATED <- ROUTER

UDP

All ICMP messages sent in reply to UDP connections are considered as RELATED
 


iptables ping setting

 

 * The important point is that OUTPUT is taken into account as well

allow incoming ping

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT

disable outgoing ping

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

allow outgoing ping

iptables -A OUTPUT -p icmp --icmp-type 8  -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0  -j ACCEPT

 


Conntrack for ping

 

grep 'type=8 code=0' /proc/net/nf_conntrack

ipv4 2 icmp 1 29 src=192.168.123.10 dst=192.168.123.251 type=8 code=0 id=16961
    src=192.168.123.251 dst=192.168.123.10 type=0 code=0 id=16961 mark=0 secmark=0 use=2

 * The ICMP conntrack entry's TTL defaults to 30 seconds !!

So once this rule is present:

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

the following rules are no longer effective (later echo requests with the same id match the existing entry as ESTABLISHED and are accepted before they reach the limit rule):

iptables -A INPUT -p icmp -m limit --limit  2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Test MTU


OS with RTT

 

Factors influencing RTT (round-trip time)

  • Distance (Hong Kong -> US is far, so the RTT is large)
  • Network hops (processing time of routers/switches)
  • Bandwidth & traffic (congestion)
  • Server response time (processing time)

Linux systems

use a unique identifier for every ping process,

and the sequence number is an increasing number within that process.

Windows systems

use a fixed identifier, which varies between Windows versions,

and a sequence number that is only reset at boot time.

Windows payload (32 bytes): 61 ... 77 61 ... 69 (a~w, then a~i)

 


Ping until Response

 

[1]

IP=192.168.0.254

until ping -c1 $IP &>/dev/null; do echo "waiting"; done

P.S.

Ctrl+C cannot stop it !!

[2]

while true; do echo "waiting"; ping -c1 $IP &> /dev/null && break; done

P.S.

# until the ssh port responds

until nc -vzw 2 $IP 22; do sleep 2; done

 


cksum incorrect

 

tcpdump

# Local IP: 192.168.88.150

tcpdump -nvvi eth0 port 80

Output

11:49:17.680826 IP (tos 0x0, ttl 128, id 29670, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.88.177.32580 > 192.168.88.150.80: Flags [S], cksum 0x1348 (correct), seq 530485004, 
        win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:49:17.680886 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.88.150.80 > 192.168.88.177.32580: Flags [S.], cksum 0x32bf (incorrect -> 0x208e), seq 363619806, 
        ack 530485005, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:49:17.682020 IP (tos 0x0, ttl 128, id 29671, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.88.177.32580 > 192.168.88.150.80: Flags [.], cksum 0xd16f (correct), seq 1, ack 1, win 513, length 0

Cause

The cksum shows as incorrect because the NIC has checksum offloading enabled, while tcpdump reads the packet data from the kernel, before the NIC has filled in the checksum

NIC Layer
-------------------------- tcpdump capture
Device Driver Layer

Check Offload

ethtool -k eth0 | grep offload | grep on

tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
tx-vlan-offload: on

 


Ping Packet Size

 

-s packet_size

Default: 56 bytes

(which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data)

e.g.

ping -n -c 1 -s 1000 datahunter.org

PING datahunter.org (123.203.55.212) 1000(1028) bytes of data.
1008 bytes from 123.203.55.212: icmp_seq=1 ttl=56 time=5.00 ms

P.S.

Default maximum size: 1500 - 28 = 1472

PING drbd-b (10.0.0.2) 1473(1501) bytes of data.
ping: local error: Message too long, mtu=1500

Finding the path MTU (Maximum Transmission Unit)

Implementation

For IPv4 packets, Path MTU Discovery works by setting the Don't Fragment (DF) flag bit in the IP headers of outgoing packets.

Then, any device along the path whose MTU is smaller than the packet will drop it,

and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU,

allowing the source host to reduce its Path MTU appropriately.

The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

-M pmtudisc_opt       # Select Path MTU Discovery strategy

  • do   # prohibit fragmentation
  • want # do PMTU discovery
  • dont # do not set DF flag

ping -n -c 1 -M do -s 1400 datahunter.org
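An added example (not code from iputils or from this page) that generalises the single `ping -M do -s 1400` probe above into a binary search for the largest DF-flagged payload the path accepts, using the 20 + 8 byte overhead and the 68-byte / 1500-byte bounds listed earlier; the probe function is pluggable, and `simulated_path` is a constructed stand-in so the search can be exercised without network access.

```python
import subprocess
from typing import Callable, Optional

# Added example, not from iputils: binary-search the path MTU with DF-flagged pings.
IPV4_HDR, ICMP_HDR = 20, 8                 # per-packet overhead from the packet format above
MIN_PAYLOAD = 68 - IPV4_HDR - ICMP_HDR     # 40: every IPv4 path must forward 68 bytes
MAX_PAYLOAD = 1500 - IPV4_HDR - ICMP_HDR   # 1472: standard Ethernet MTU


def ping_probe(host: str, size: int, timeout_s: int = 2) -> bool:
    """One DF-flagged echo request with `size` payload bytes; True if a reply arrived.
    Both "Message too long" (local MTU) and a silent drop count as failure."""
    cmd = ["ping", "-n", "-c", "1", "-w", str(timeout_s), "-M", "do", "-s", str(size), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_probe,
                  low: int = MIN_PAYLOAD, high: int = MAX_PAYLOAD) -> Optional[int]:
    """Largest payload in [low, high] that passes, converted to a path MTU in bytes.
    Returns None when even the minimum probe fails (host down, ICMP filtered).
    A path that drops ICMP Fragmentation Needed (a PMTU black hole) still
    converges, because oversized probes simply time out instead of erroring."""
    if not probe(host, low):
        return None
    while low < high:  # invariant: `low` passes, everything above `high` fails
        mid = (low + high + 1) // 2
        if probe(host, mid):
            low = mid
        else:
            high = mid - 1
    return low + IPV4_HDR + ICMP_HDR


def simulated_path(path_mtu: int) -> Callable[[str, int], bool]:
    """Constructed stand-in for ping_probe: a path that forwards packets up to path_mtu."""
    return lambda host, size: size + IPV4_HDR + ICMP_HDR <= path_mtu
```

Against a real host, `find_path_mtu("datahunter.org")` runs the search with `ping_probe`; each probe is one DF-flagged packet, so a 1472-byte range costs about 11 pings.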

 


ICMP Timestamp

 

The ICMP timestamp request allows a system to query another for the current time.

The recommended value to be returned is the number of milliseconds since midnight, Coordinated Universal Time (UTC).

Check

hping3 --icmp --icmptype 13 MyServer

...
len=46 ip=R.R.R.R ttl=57 id=21706 icmp_seq=2 rtt=7.7 ms
ICMP timestamp: Originate=32965818 Receive=32964458 Transmit=32964458
ICMP timestamp RTT tsrtt=8

Originate=32965818   # 32 bit  <- The requestor fills in

Receive=32964458     # 32 bit  <- The replying system fills in the receive timestamp when it receives the request

Transmit=32964458    # 32 bit  <- The timestamp when it sends the reply
                                  (most implementations set the latter two fields to the same value.)
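An added example (not from hping3 or this page) that decodes the `ICMP timestamp:` line shown above, converts the milliseconds-since-midnight-UTC fields to clock time, and estimates the remote clock offset that an unfiltered Timestamp Reply discloses; the symmetric-path assumption for the offset is stated in the code.

```python
import re

# Added example, not from hping3: decode an ICMP timestamp line and show what it discloses.
MS_PER_DAY = 24 * 60 * 60 * 1000
TS_LINE = re.compile(r"Originate=(\d+)\s+Receive=(\d+)\s+Transmit=(\d+)")


def parse_timestamp_line(line: str):
    """Return the three 32-bit fields from an hping3 'ICMP timestamp:' line, else None."""
    m = TS_LINE.search(line)
    if not m:
        return None
    orig, recv, xmit = (int(v) for v in m.groups())
    return {"originate": orig, "receive": recv, "transmit": xmit,
            # RFC 792: a set high-order bit marks a non-standard (not UTC ms) value
            "nonstandard": bool((recv | xmit) & 0x80000000)}


def ms_to_clock(ms: int) -> str:
    """Milliseconds since midnight UTC -> HH:MM:SS.mmm."""
    h, rem = divmod(ms % MS_PER_DAY, 3_600_000)
    m, rem = divmod(rem, 60_000)
    s, milli = divmod(rem, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{milli:03d}"


def clock_offset_ms(originate: int, receive: int, rtt_ms: float) -> float:
    """Remote clock minus local clock. Assumes a symmetric path, i.e. the request
    arrived rtt/2 after it was sent; the result is normalised across midnight."""
    expected_arrival = originate + rtt_ms / 2
    offset = (receive - expected_arrival) % MS_PER_DAY
    return offset - MS_PER_DAY if offset >= MS_PER_DAY / 2 else offset
```

With the values captured above (Originate=32965818, Receive=32964458, tsrtt=8) the request was sent at 09:09:25.818 UTC and the server's clock reads about 1.36 s behind the prober's.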

Block it

ICMP timestamp exchanges consist of an ICMP Timestamp Request and an ICMP Timestamp Reply

  • ICMP Timestamp Request message Type is 13
  • ICMP Timestamp Reply message Type is 14

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Test again

ICMP Unreachable type=10 from ip=R.R.R.R name=UNKNOWN

 


Other

 

https://datahunter.org/win_ping

https://datahunter.org/mtr