Ping: How to use it, Why

Ping is a small utility working on the network layer. A tipical ping gives this type of information:

$ping www.google.com

PING www.l.google.com (66.249.93.99) 56(84) bytes of data.
64 bytes from 66.249.93.99: icmp_seq=1 ttl=246 time=39.2 ms
64 bytes from 66.249.93.99: icmp_seq=2 ttl=245 time=94.2 ms
64 bytes from 66.249.93.99: icmp_seq=3 ttl=246 time=72.3 ms

--- www.l.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 39.280/68.631/94.254/22.597 ms

Where 64 bytes are each packet size, 66.249.93.99 is the destination IP address, icmp_seq is the number of the packet sent (1=first), ttl is the time to live en time is the time the packet takes to  reach the server and come back (round trip delay). At the end, you've a statistics with average times, etc.

 
In fact, the delay can be devided in 4 parts:

• Nodal processing delay:
  
  Check bit errors & determine output link
  
  
• Queuing delay
  
  -Time waiting at output link for transmission
  -Depends on congestion level of router
  
  
• Transmission delay
  
  Time to send bits into a link, given by B/L, where B=link bandwith and L=packet length
  
  
• Propagation delay
  
  The propagation delay is given by d/s where d = length of physical link and  s = propagation speed in medium (~2x10^8 m/sec)

As you can see, transmission delay depends on the packet length. The bigger is a packet, the longer it will take to reach its destination. Moreover, a router will wait the entire packet before forwarding it: the partial packets are stored in the buffer of the router.

 In normal cases, we have the relation:

 dend-end = N(dproc +dqueue +dtrans + dprop )

 Where N are the number of hopes(intermediate routers). So, if you sum each delays, you obtain the end-to-end delay (total).

As you can imagine, the nodal processing delay is quite immediate, so we can neglect it. But we can do even better. Assume that we are sending very small packets (15 bytes for example), the router will not buffer them, because they are too small... as a result, we can write the relation:

 dend-end = N(dproc +dqueue + dprop ) + dtrans

Examples

 Let's have a try pinging the university of berkeley with different packets size (ping was tryed on a Sun):

 % ping -n -I 1 www.fbi.gov 10 6
PING www.fbi.gov (195.176.255.135): 10 data bytes
18 bytes from 195.176.255.135: icmp_seq=0. time=4.21 ms
18 bytes from 195.176.255.135: icmp_seq=1. time=4.05 ms
18 bytes from 195.176.255.135: icmp_seq=2. time=4.08 ms
18 bytes from 195.176.255.135: icmp_seq=3. time=4.08 ms
18 bytes from 195.176.255.135: icmp_seq=4. time=4.05 ms
18 bytes from 195.176.255.135: icmp_seq=5. time=4.06 ms

----www.fbi.gov PING Statistics----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 4.05/4.09/4.21/0.061

 % ping -n -I 1 www.fbi.gov 100 6
PING www.fbi.gov (195.176.255.135): 100 data bytes
108 bytes from 195.176.255.135: icmp_seq=0. time=4.34 ms
108 bytes from 195.176.255.135: icmp_seq=1. time=4.08 ms
108 bytes from 195.176.255.135: icmp_seq=2. time=4.09 ms
108 bytes from 195.176.255.135: icmp_seq=3. time=4.10 ms
108 bytes from 195.176.255.135: icmp_seq=4. time=4.09 ms
108 bytes from 195.176.255.135: icmp_seq=5. time=4.09 ms

----www.fbi.gov PING Statistics----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 4.08/4.13/4.34/0.10

 % ping -n -I 1 www.fbi.gov 500 6
PING www.fbi.gov (195.176.255.135): 500 data bytes
508 bytes from 195.176.255.135: icmp_seq=0. time=4.51 ms
508 bytes from 195.176.255.135: icmp_seq=1. time=4.27 ms
508 bytes from 195.176.255.135: icmp_seq=2. time=4.29 ms
508 bytes from 195.176.255.135: icmp_seq=3. time=4.28 ms
508 bytes from 195.176.255.135: icmp_seq=4. time=4.26 ms
508 bytes from 195.176.255.135: icmp_seq=5. time=4.27 ms

----www.fbi.gov PING Statistics----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 4.26/4.31/4.51/0.096

 % ping -n -I 1 www.fbi.gov 1000 6
PING www.fbi.gov (195.176.255.135): 1000 data bytes
1008 bytes from 195.176.255.135: icmp_seq=0. time=4.74 ms
1008 bytes from 195.176.255.135: icmp_seq=1. time=4.52 ms
1008 bytes from 195.176.255.135: icmp_seq=2. time=4.50 ms
1008 bytes from 195.176.255.135: icmp_seq=3. time=4.50 ms
1008 bytes from 195.176.255.135: icmp_seq=4. time=4.49 ms
1008 bytes from 195.176.255.135: icmp_seq=5. time=4.49 ms

----www.fbi.gov PING Statistics----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 4.49/4.54/4.74/0.096

 % ping -n -I 1 www.fbi.gov 1492 6
PING www.fbi.gov (195.176.255.135): 1492 data bytes
1500 bytes from 195.176.255.135: icmp_seq=0. time=5.31 ms
1500 bytes from 195.176.255.135: icmp_seq=1. time=5.13 ms
1500 bytes from 195.176.255.135: icmp_seq=2. time=5.11 ms
1500 bytes from 195.176.255.135: icmp_seq=3. time=5.12 ms
1500 bytes from 195.176.255.135: icmp_seq=4. time=5.13 ms
1500 bytes from 195.176.255.135: icmp_seq=5. time=5.12 ms

----www.fbi.gov PING Statistics----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 5.11/5.15/5.31/0.076

Summary & Analysis 

 The average delays for each size of packets are:

 Of course, the more packets you sent, the righter will be the avergages. For this example, I've only sent 6 packets each time, but for best results, you've to send at least 50 packets.

You can notice that the last packet size is 1492+ICMP header = 1500 bytes so as not to exceed the MTU (1500 in this case). Moreover, when you try to ping some sites like google, the ICMP packet is truncated.

What is interesting is that for a small packet (aka 10B or 100B), we can neglect the transmission delay. For a 10 byte packet, the propagation delay is 4,09ms and the transmission delay for a 1500B packet is 5,15, so the difference between these delays gives the "variation delay" 5,15-4,09=1,06ms. If we divide the size of the larger packet (1500Bytes = 12000bits) by this delay, we obtain: 12000/0,00106 =1,13*10^7b/s ~= 11 Mb/s (the test was done in an university, so it is possible)!! We can explain this time by the fact that FBI is probably connected to a TIER-1, and I was connected to a TIER-2, so the transmission delay are very low.

We can also find out the "queuing delay", which is the biggest delay - the lowest delay (not very representative here, with only 6 packets).

We can also find out where these packets are slowing down, with another well-known utiliy called traceroute  .

 traceroute: Warning: www.fbi.gov has multiple addresses; using 195.176.255.135
traceroute to www.fbi.gov (195.176.255.135), 30 hops max, 40 byte packets
 1  c6.X.ch (1x.1y8.164.1)  0.548 ms  0.729 ms  0.321 ms
 2  c6-gigado-1-v100.X.ch (1x.1y.100.18)  0.478 ms  0.684 ms  0.422 ms
 3  c6-ext-v200.X.ch (1x.1y8.200.1)  0.452 ms  0.491 ms  0.347 ms
 4  192.33.209.33 (192.33.209.33)  0.707 ms  0.678 ms  0.640 ms
 5  swiLS2-10GE-1-2.switch.ch (130.59.36.69)  0.739 ms  0.727 ms  0.728 ms
 6  swiEZ2-10GE-1-1.switch.ch (130.59.36.206)  4.071 ms  4.117 ms  4.088 ms
 7  swiCS3-10GE-1-1.switch.ch (130.59.36.17)  4.113 ms  4.112 ms  4.086 ms
 8  swiCS5-G2-1.switch.ch (130.59.15.190)  4.183 ms  4.136 ms  4.102 ms
 9  a195-176-255-135.deploy.akamaitechnologies.com (195.176.255.135)  4.083 ms  4.096 ms  4.043 ms

 I put some x&y for my anonymity. There are only 9 switches between me and the FBI server !! Moreover,  between the 8th en 9th probe, we reach directly the FBI server (Swiss to US directly), it confirms that FBI.gov is connected to a TIER-1. Bold lines (5th & 6th) show us that is where the packet delay is the longer (a huge jump from 0,7 ms to 4,0 ms !). Note that the size of packets are 40 bytes long (small packets). If you try to traceroute your neighbour is not unusuall that you find out more that 15 routers between you and him. With this technique you can determine which countries are "near you" and sometimes understand why a web-page takes so long to be opened...