All of the Pings!

Ping is one of the most recognised network troubleshooting tools. It is used without thought and is considered so basic that posting about it seems pointless. However, pings aren’t pings!

Ping started as a small utility written by Mike Muuss, who was working at the Ballistic Research Laboratory and needed a quick and easy way to troubleshoot the state of the network. Given the tool’s usefulness, it has since been ported to many platforms.

Ping uses the Internet Control Message Protocol (ICMP) to send ICMP Echo Requests to the target host and listen for ICMP Echo Replies. If you want to learn more about ICMP, check out RFC 792.

Ping is useful for the following reasons:

  • It can assist in detecting network reachability of a host (however, it can be confusing if there are return path issues)
  • It is useful as a “yard stick” for network performance by looking at the Round Trip Time (RTT) (Latency), the degree that the RTT changes (i.e. Jitter) and the rate of packet drops (if any)
  • To discover devices on a network (nmap -sP -PN!)
  • To discover any MTU limitations and network performance issues that can result

Different platforms treat ping in different ways.

Windows Ping

The Windows ping is a great starting point for looking into potential network issues. The Windows ping shouldn’t be treated as a scientific tool but more as a rough guide to network performance.

The following switches are of interest:


This creates a continuous ping, which is useful for monitoring a host’s reachability when doing maintenance; for example, when rebooting a router it’s nice to monitor its reachability as it’s booting.

-l [size]

Windows considers the size to be the Data payload size of the ICMP Echo Response.

The default length parameter is 32 which would result in a Packet Length (Layer 3) of 60 bytes.

For example, -l 1000 will put a 1046 Byte Frame on the Wire (1028 Bytes Packet Length – Layer 3), because:

  • 1000 Bytes of Data (repeats of abc … w)
  • 8 bytes for the ICMP Header
  • 20 Bytes for the IP Header
  • 14 Bytes MAC Header
  • 4 Byte Frame Check Sequence

This means that to test a full sized packet, which is defined as 1500 bytes, you actually need to specify -l 1472 (1500 – 8 – 20). The Interface Maximum Transmission Unit (MTU) is nominally 1500 bytes on Ethernet and can change depending on the medium.

Fragmentation can lead to poor network performance. The poor performance can come from the overhead of devices having to fragment frames and of the destination host having to reassemble the fragments, and in some cases the network will be configured to drop fragmented frames.


Set the Do Not Fragment Bit

Fragmentation is how an IP network can handle oversized packets; it enables a router to break the larger frame into smaller frames that can be transferred across the network. The MTU of an interface can be allocated, and there are schemes such as Path MTU Discovery that can do away with intermediate devices having to fragment frames as they transit the network.

The DF bit is useful when trying to find the highest MTU that can be used in a network, as the DF bit tells the device that would perform the fragmentation that the packet should not be fragmented, which will lead to one of two events:

  • The fragmenting device will send an ICMP Message – Datagram Too Big Message back to the sender
  • The frame will not be transmitted, which relies on the sending host (be it TCP or the application logic) to time out. This can cause confusion, as hosts are reachable with a regular ping but the app just appears to be broken (for example, RDP)

Determining the highest MTU can be tedious to do using ping, so I would suggest using an application like MTU Route to make your life a lot easier.

-w [timeout in msec]


This can be useful on network links with excessive latency; the default window is 1 second.

-i [ 1 – 255 ]

Time To Live (TTL)

This sets the maximum TTL for the ICMP Echo Request.

-r [ 1 – 9 ]

Record Route

This sets the IP Options field to record the specified number of hops that the IP Packet takes through the network.


This option resolves the name of the host

IOS Ping

IOS Ping has a number of options as well. You can specify options via the extended ping interface and in newer IOS versions you can specify commands with the ping EXEC command.

R1#ping ip dest_addr ?
  data      specify data pattern
  df-bit    enable do not fragment bit in IP header
  repeat    specify repeat count
  size      specify datagram size
  source    specify source address or name
  timeout   specify timeout interval
  validate  validate reply data

Most of these options are self-explanatory and are similar to the Windows options; however, the size option is of interest.


Default 100

The size specifies the entire Packet Size (i.e. the payload as well as the IP header).

For example, size 1500 will put a 1518 Byte Frame on the Wire, because:

  • 1472 Bytes of Data (repeats of abc … w)
  • 8 bytes for the ICMP Header
  • 20 Bytes for the IP Header
  • 14 Bytes MAC Header
  • 4 Byte Frame Check Sequence
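
The size accounting from the Windows -l and IOS size sections, as an added example that is not part of the original post: it builds the IP and ICMP Echo Request bytes offline and counts each layer. The addresses (192.0.2.x), identifier, sequence number, TTL and all function names are constructed for illustration.

```python
import struct

PATTERN = b"abcdefghijklmnopqrstuvw"   # data Windows ping repeats (abc ... w)
ICMP_HDR, IP_HDR, MAC_HDR, FCS = 8, 20, 14, 4


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(payload_len: int, df: bool = True) -> bytes:
    """Return IP header + ICMP Echo Request carrying payload_len data bytes."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # constructed addresses
    payload = (PATTERN * (payload_len // len(PATTERN) + 1))[:payload_len]
    # ICMP header: type 8 (echo), code 0, checksum, identifier, sequence number
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    flags = 0x4000 if df else 0  # DF bit in the flags/fragment-offset word
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(icmp), 0, flags,
                     128, 1, 0, src, dst)
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + icmp


def sizes_for_windows_l(length: int) -> dict:
    """Windows -l counts only the ICMP data; add each header on top."""
    packet = len(build_echo_request(length))
    return {"data": length, "packet": packet, "frame": packet + MAC_HDR + FCS}


def windows_l_for_ios_size(size: int) -> int:
    """IOS size counts the whole IP packet; strip the IP and ICMP headers."""
    return size - IP_HDR - ICMP_HDR


if __name__ == "__main__":
    for length in (32, 1000, 1472):
        print(sizes_for_windows_l(length))
    print("IOS size 1500 carries", windows_l_for_ios_size(1500), "data bytes")
```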

Ping Sweep for MTU

Another useful tool in IOS for testing the highest MTU is the extended ping with the DF bit and the sweep option. To use the extended ping command, just enter ping as an EXEC command followed by Enter, i.e.

Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1495
Sweep max size [18024]: 1505
Sweep interval [1]:
Type escape sequence to abort.
Sending 55, [1495..1505]-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 55 percent (6/11), round-trip min/avg/max = 12/22/48 ms

Each successful response (!) represents an increase in the packet size, i.e. the first will be packet size 1495, and they are successful 6 times, i.e. 1495 to 1500. At 1501 the packet cannot be fragmented by the interface and the packet is dropped. Again, it can be tedious to find the source of the drops without enabling ICMP debugs, and again something like MTU Route would be easier to use.
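
The sweep above and the two DF outcomes described earlier, as an added simulation that is not part of the original post and sends no traffic. The hop lists are constructed, and the result characters follow the IOS ping legend (! reply, . timeout, M could not fragment); the binary search goes beyond the linear sweep shown on the page.

```python
# Constructed paths: each hop is (link_mtu, sends_icmp_error_when_too_big).
PATH_WITH_ERRORS = [(1500, True), (1500, True)]
PATH_BLACK_HOLE = [(1500, True), (1492, False), (1500, True)]


def probe(size, path, df=True):
    """Simulate one echo of `size` bytes (whole IP packet, as IOS counts it)."""
    for mtu, sends_icmp_error in path:
        if size > mtu:
            if not df:
                continue  # without DF the hop fragments and forwards
            # With DF set the hop either reports the problem or stays silent.
            return "M" if sends_icmp_error else "."
    return "!"


def sweep(lo, hi, path):
    """Linear sweep with one probe per size, interval 1."""
    return "".join(probe(size, path) for size in range(lo, hi + 1))


def path_mtu(lo, hi, path):
    """Binary search for the largest DF-set size that still gets a reply."""
    if probe(lo, path) != "!":
        return None  # even the smallest size fails: widen the range
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid, path) == "!":
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    print(sweep(1495, 1505, PATH_WITH_ERRORS))   # hop reports the oversize packet
    print(sweep(1488, 1496, PATH_BLACK_HOLE))    # hop drops silently: timeouts only
    print(path_mtu(36, 18024, PATH_BLACK_HOLE))
```

A run of dots rather than M is the silent-drop case: small pings succeed while full-sized application traffic stalls.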

TCP Ping

Another useful ping to be aware of is TCP Ping. TCP Ping is useful for checking the network connectivity of devices that have been administratively firewalled to not allow ICMP.

TCP Ping uses a TCP SYN Packet to measure the round trip time and reachability of a service.

The Cisco ASA Command Reference Guide provides the below example:

hostname# ping
TCP [n]: yes
Interface: dmz
Target IP address:
Target IP port: 21
Specify source? [n]: y
Source IP address:
Source IP port: [0] 465
Repeat count: [5]
Timeout in seconds: [2] 5
Type escape sequence to abort.
Sending 5 TCP SYN requests to port 21
from starting port 465, timeout is 5 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
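
A TCP ping for checking your own services from a host, as an added example that is not from the original post or from Cisco. It assumes a full connect() handshake is acceptable in place of a bare SYN; the function names and state labels are constructed.

```python
import errno
import socket
import time


def tcp_ping(host, port, timeout=2.0):
    """Time one TCP handshake. Returns (state, rtt_ms or None)."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"      # SYN/ACK received, handshake completed
    except ConnectionRefusedError:
        state = "closed"        # RST came back: host reachable, port not listening
    except (socket.timeout, TimeoutError):
        return "filtered", None  # nothing came back within the timeout
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno)), None
    return state, (time.perf_counter() - start) * 1000.0


def tcp_ping_series(host, port, count=5, timeout=2.0):
    """Repeat the probe and summarise it like the ASA output above."""
    results = [tcp_ping(host, port, timeout) for _ in range(count)]
    rtts = [rtt for state, rtt in results if state == "open"]
    stats = (min(rtts), sum(rtts) / len(rtts), max(rtts)) if rtts else None
    return {"sent": count, "ok": len(rtts), "min_avg_max_ms": stats,
            "states": [state for state, _ in results]}


if __name__ == "__main__":
    # Constructed target: a throwaway listener on loopback so the demo runs offline.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    port = listener.getsockname()[1]
    print(tcp_ping_series("127.0.0.1", port))
    listener.close()
    print(tcp_ping("127.0.0.1", port))   # same port after close: refused
```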

And remember,

All of the Pings
