1 |
Hello, |
2 |
|
3 |
On Tue, 20 Sep 2016, Grant wrote: |
4 |
[..] |
5 |
>> $ ping -n -c 1 -M dont -s 1465 www.dslreports.com |
6 |
>> PING www.dslreports.com (64.91.255.98) 1465(1493) bytes of data. |
7 |
>> 1473 bytes from 64.91.255.98: icmp_seq=1 ttl=51 time=137 ms |
8 |
>> |
9 |
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms |
10 |
>> rtt min/avg/max/mdev = 137.888/137.888/137.888/0.000 ms |
11 |
>> |
12 |
>> ==== corresponding tcpdump -n -i eth0 icmp ==== |
13 |
>> 15:47:07.983484 IP 192.168.178.11 > 64.91.255.98: ICMP echo request, id 3595, seq 1, length 1472 |
14 |
>> 15:47:07.983494 IP 192.168.178.11 > 64.91.255.98: icmp |
15 |
>> 15:47:08.121308 IP 64.91.255.98 > 192.168.178.11: ICMP echo reply, id 3595, seq 1, length 1472 |
16 |
>> 15:47:08.121343 IP 64.91.255.98 > 192.168.178.11: icmp |
17 |
>> ==== |
18 |
>> |
19 |
>> |
20 |
>> Two packets sent and received for 1493 bytes packet size / 1465 bytes |
21 |
>> ping-payload. |
22 |
>> |
23 |
>> Try with e.g. 'ping -c 4 -M dont -s 1472 www.dslreports.com' for |
24 |
>> yourself to see, that you'll send/recv 2 packets for each ping-packet |
25 |
>> (and 1472 bytes is the ping-payload that just fits into the standard |
26 |
>> 1500 bytes MTU). |
27 |
> |
28 |
> |
29 |
>Strangely, I'm able to ping with that command even with a very high -s value: |
30 |
> |
31 |
>$ ping -c 4 -M dont -s 9999 www.dslreports.com |
32 |
>PING www.dslreports.com (64.91.255.98) 9999(10027) bytes of data. |
33 |
>10007 bytes from www.dslreports.com (64.91.255.98): icmp_seq=1 ttl=54 |
34 |
>time=331 ms |
35 |
>10007 bytes from www.dslreports.com (64.91.255.98): icmp_seq=2 ttl=54 |
36 |
>time=329 ms |
37 |
>10007 bytes from www.dslreports.com (64.91.255.98): icmp_seq=3 ttl=54 |
38 |
>time=329 ms |
39 |
>10007 bytes from www.dslreports.com (64.91.255.98): icmp_seq=4 ttl=54 |
40 |
>time=329 ms |
41 |
> |
42 |
>4 packets transmitted, 4 received, 0% packet loss, time 3003ms |
43 |
>rtt min/avg/max/mdev = 329.159/329.877/331.612/1.158 ms |
44 |
|
45 |
Look again! You're just looking at the _PING_ packets, not the ICMP/IP |
46 |
packets actually going over the interface! You'll need to run |
47 |
'tcpdump icmp' in parallel! "My ping" also just reports 1 packet, but |
48 |
there's two IP packets actually going over the interface, due to the |
49 |
ping-packet being too large and being fragmented. |
50 |
|
51 |
Start the tcpdump in another (x)term before running the "ping" ... |
52 |
|
53 |
If you use '-M do', you should get the |
54 |
|
55 |
"Frag needed and DF set (mtu = NNNN)" |
56 |
|
57 |
error from ping. "-M dont" explicitly allows fragmentation, which you |
58 |
can then see with tcpdump. E.g. a with my MTU of 1492, a |
59 |
|
60 |
==== ping -n -c 1 -M dont -s 9999 192.168.178.1 ==== |
61 |
PING 192.168.178.1 (192.168.178.1) 9999(10027) bytes of data. |
62 |
10007 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=2.79 ms |
63 |
|
64 |
--- 192.168.178.1 ping statistics --- |
65 |
1 packets transmitted, 1 received, 0% packet loss, time 0ms |
66 |
rtt min/avg/max/mdev = 2.795/2.795/2.795/0.000 ms |
67 |
==== |
68 |
|
69 |
results in |
70 |
|
71 |
==== tcpdump -n -i eth0 icmp ==== |
72 |
17:40:11.901583 IP 192.168.178.11 > 192.168.178.1: ICMP echo request, id 11363, seq 1, length 1472 |
73 |
17:40:11.901597 IP 192.168.178.11 > 192.168.178.1: icmp |
74 |
17:40:11.901599 IP 192.168.178.11 > 192.168.178.1: icmp |
75 |
17:40:11.901600 IP 192.168.178.11 > 192.168.178.1: icmp |
76 |
17:40:11.901602 IP 192.168.178.11 > 192.168.178.1: icmp |
77 |
17:40:11.901603 IP 192.168.178.11 > 192.168.178.1: icmp |
78 |
17:40:11.901605 IP 192.168.178.11 > 192.168.178.1: icmp |
79 |
17:40:11.903762 IP 192.168.178.1 > 192.168.178.11: ICMP echo reply, id 11363, seq 1, length 1480 |
80 |
17:40:11.903779 IP 192.168.178.1 > 192.168.178.11: icmp |
81 |
17:40:11.903984 IP 192.168.178.1 > 192.168.178.11: icmp |
82 |
17:40:11.903997 IP 192.168.178.1 > 192.168.178.11: icmp |
83 |
17:40:11.904227 IP 192.168.178.1 > 192.168.178.11: icmp |
84 |
17:40:11.904241 IP 192.168.178.1 > 192.168.178.11: icmp |
85 |
17:40:11.904338 IP 192.168.178.1 > 192.168.178.11: icmp |
86 |
==== |
87 |
|
88 |
Yes, that is just the _one_ ping packet. |
89 |
|
90 |
Read up on the links I gave you about fragmentation and IP(v4) in |
91 |
general a bit ;) It's much better described there than I could ATM. |
92 |
|
93 |
Which does not mean not to ask for stuff that's unclear. |
94 |
|
95 |
HTH, |
96 |
-dnh, who seems to have a knack for translating "techese" to normal |
97 |
language ... Actually, I guess fragmentation can be explained |
98 |
quite nicely by comparing to real-life packets ;) You'd get an |
99 |
basically unlimited supply of courier boys, but you can get just |
100 |
so many incoming and outgoing through the doors ;) |
101 |
|
102 |
*grepping out the appropriate sig for that* |
103 |
|
104 |
-- |
105 |
No trees were destroyed in the sending of this message, however, a |
106 |
significant number of electrons were terribly inconvenienced. |