ICMP, Ping, and Traceroute – What I wish I was taught (2020)

199 points | twooster | 3 years ago | xkln.net

37 comments

tedd4u|3 years ago

Tip for tracerouters ... use mtr instead

  brew install mtr

Try tapping 'd' twice to enable a stripchart

? for help

                             My traceroute  [v0.95]
  xxxxxxxx.local (172.16.0.2) -> news.ycombinator.com (50.1122022-07-27T23:37
  Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                     Packets               Pings
   Host                            Loss%   Snt   Last   Avg  Best  Wrst StDev
   1. 172.16.0.1                    0.0%    14   15.4  17.6  14.1  20.5   2.2
   2. (waiting for reply)
   3. 162.158.164.5                14.3%    14   34.4  71.1  16.5 145.4  47.3
   4. 198.41.160.6                  0.0%    14   32.9  36.0  30.2  43.9   3.4
   5. 198.41.140.95                 0.0%    14   61.9  45.0  35.3  64.7   9.8
   6. 99.83.70.192                  0.0%    14   40.7  36.7  33.1  49.6   4.4
   7. 150.222.214.101               0.0%    14   36.6  41.3  34.7  58.1   6.2
   8. 52.95.52.29                   0.0%    14   41.6  40.0  35.1  51.1   4.2
   9. (waiting for reply)

Aachen|3 years ago

Yeah I tried mtr again recently. After maybe 30 seconds of working fine, it'll exit with an error like "no route to host" (even though it was getting responses before). Yeah, packet loss is exactly why I'm opening mtr: to see where on the path it occurs... how in the world does that make it crash?

neilv|3 years ago

    sudo apt install mtr-tiny

sim7c00|3 years ago

why?

Aachen|3 years ago

I'm interested in the topic so skimmed the whole thing but it's all just basics. Most people won't know them all, but so FYI: skip the lengthy article if you know how traceroute and ARP and ICMP work in general, what the difference is between connection times out and connection refused, and why sometimes traceroute returns more than one host for a given hop.

Hikikomori|3 years ago

I wouldn't call the details he goes into with traceroute "just basics", it's common even for network engineers to come to the wrong conclusion based on traceroute output, or not realising that they need more information to truly know what is going on (traceroute from both sides).

herpderperator|3 years ago

> Further, the system that replies with a Destination host unreachable is the system which doesn’t have a path to the requested network - so you immediately know where to start looking.

No, that's "Destination net unreachable". Destination host unreachable means it didn't get an ARP response so it doesn't know the MAC address of the system with that IP.
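
The two messages distinguished in this comment are separate codes of ICMP type 3 (RFC 792: code 0 is net unreachable, code 1 is host unreachable). Added example, not from the article or the commenter: a parser that classifies a raw ICMP error and recovers the destination the original packet was sent to. The sample packet is constructed, uses documentation addresses, and `build_sample` is a hypothetical helper.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes from RFC 792 and RFC 1812.
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable",
    2: "protocol unreachable", 3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_unreachable(icmp: bytes) -> dict:
    """Classify an ICMP error message (the bytes after the outer IP header)."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short to hold the quoted IP header")
    icmp_type, code, _cksum, word2 = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != 3:
        raise ValueError(f"not Destination Unreachable (type {icmp_type})")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                  # quoted IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    result = {"reason": UNREACH_CODES.get(code, f"code {code}"),
              "orig_src": socket.inet_ntoa(inner[12:16]),
              "orig_dst": socket.inet_ntoa(inner[16:20]),
              "proto": inner[9]}
    if code == 4:                     # RFC 1191: next-hop MTU in the low 16 bits
        result["next_hop_mtu"] = word2 & 0xFFFF
    if inner[9] in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP ports quoted
        result["orig_dport"] = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return result

def build_sample(code: int, mtu: int = 0) -> bytes:
    """Constructed sample quoting a TCP SYN 192.0.2.10 -> 198.51.100.7:5432."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    body = struct.pack("!BBHI", 3, code, 0, mtu) + ip + struct.pack("!HHI", 40000, 5432, 0)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```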

atoav|3 years ago

Another thing that can be useful is to use tcpdump on the other side to see if the stuff sent to e.g. a TCP port is actually received:

  tcpdump -i any src port 5432 or dst port 5432

If it is now received you know you need to investigate on your receiving side, if it is not, the problem might be firewall or network.

justinsaccount|3 years ago

that is the same as

  tcpdump -i any port 5432

rtev|3 years ago

Great article, I learned more about these daily-use tools.

An easy trick I use a lot is host OS identification via ICMP. A TTL of around 64 is Linux, ~128 is Windows.

pbardea|3 years ago

I love these types of practical approaches to networking. At least for me, I think it's the clearest way to learn about these things (rather than just read about them). Would have certainly made my university networking course much more clear!

That's what made Crafting Interpreters[0] so compelling to me. Does anyone know any similar resources for networking?

[0] https://craftinginterpreters.com/

psim1|3 years ago

ping and traceroute used to be very useful tools. Then for a period of time -- maybe still ongoing -- sysadmins and some network security folks decided that by blocking ALL ICMP at their network edge, they were increasing security. (Wrong!) As a result, you get hanging traceroutes with one or two hops left and you can't use ping to verify a host is online. Worse, blocking all ICMP breaks things like MTU discovery along the path. Recently I have seen admins coming to their senses and unblocking ICMP, but it's still an old rule-of-thumb held by many.

Bluecobra|3 years ago

One cool trick that most people don't know is that you can also ping IP addresses in octal, hex, and integer!

https://ma.ttias.be/silly-little-ip-tricks/

  >ping 0x08080808
  
  Pinging 8.8.8.8 with 32 bytes of data:
  Reply from 8.8.8.8: bytes=32 time=4ms TTL=58
  Reply from 8.8.8.8: bytes=32 time=4ms TTL=58
  Reply from 8.8.8.8: bytes=32 time=4ms TTL=58
  Reply from 8.8.8.8: bytes=32 time=4ms TTL=58
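
The spellings in this comment all reduce to the same 32-bit value, so anything that compares addresses as strings (allow-lists, log searches) should canonicalize first. Added example, not from the comment or the linked post: a parser for the classic `inet_aton()` forms, with hypothetical function names, followed by a policy check that runs on the canonical form.

```python
import ipaddress

def _part(text: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not text:
        raise ValueError("empty component")
    low = text.lower()
    if low.startswith("0x"):
        digits, base = low[2:], 16
    elif len(low) > 1 and low[0] == "0":
        digits, base = low[1:], 8
    else:
        digits, base = low, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        raise ValueError(f"bad component {text!r}")
    return int(digits, base)

def canonical_ipv4(literal: str) -> str:
    """Dotted-quad form of a 1- to 4-component IPv4 literal."""
    parts = [_part(p) for p in literal.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 components")
    *head, last = parts
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        raise ValueError("component out of range")
    value = last
    for i, v in enumerate(head):
        value |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def is_internal(literal: str) -> bool:
    """Policy check on the canonical form, not on the string as typed."""
    ip = ipaddress.IPv4Address(canonical_ipv4(literal))
    return ip.is_private or ip.is_loopback or ip.is_link_local
```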

ketchup_057|3 years ago

Another common basic test for at least Windows clients that you should also add to the beginning is when you run a ping test and it has the reply of your own host IP. I don’t know how many times I’ve had systems admins or engineers come to me saying there’s a network issue but their NIC port is misconfigured. This usually happens due to two NICs being configured or they have something else tuned incorrectly with VLAN tagging at the NIC under properties or the vSwitch is incorrectly configured.

MauranKilom|3 years ago

So maybe I misunderstood the article, but I would expect (assuming my router is on 192.168.0.123) that

  ping 192.168.0.123

followed by

  arp -a 192.168.0.123

should tell me the MAC address of the router. But instead I get "No ARP entries found." - what's going on here?

ianai|3 years ago

Telnet to the port sometimes establishes connectivity too.

owlbynight|3 years ago

In lieu of telnet, you can use curl as well:

  curl -v telnet://example.com:8000

dah00pl3|3 years ago

netcat?

  nc example.com 8080 -v -w 60