Re: RTT times different between nping and other ping implementations

["Luis MartinGarcia." <luis.mgarc () gmail com>]

On 12/11/2012 08:45 PM, Fyodor wrote:
> On Tue, Dec 11, 2012 at 10:06 AM, Keith Christian <keith1christian () gmail com
> > wrote:
> >
> >
> > Windows ping yields 29 / 33 / 29 ms for min/max/avg, and nping yields
> > 47 / 31 / 34.4.  I'd be wiling to toss the min/max values, but why so
> > much difference in the mean?
> Hi Keith, that's a good observation.  And I get similar results against the
> Linux ping utility.  Here's what I got with normal ping:
>
> # ping -c50 scanme.nmap.org
> PING scanme.nmap.org (74.207.244.221) 56(84) bytes of data.
> [...]
> 50 packets transmitted, 50 received, 0% packet loss, time 49068ms
> rtt min/avg/max/mdev = 20.352/24.735/48.281/5.980 ms
>
> Then I tried the same with latest svn Nping:
>
> # nping/nping -c50 scanme.nmap.org
>
> Starting Nping 0.6.26SVN ( http://nmap.org/nping ) at 2012-12-11 11:07 PST
> [...]
> Max rtt: 134.212ms | Min rtt: 20.138ms | Avg rtt: 29.056ms
> Raw packets sent: 50 (1.400KB) | Rcvd: 50 (1.400KB) | Lost: 0 (0.00%)
>
> So Nping's max time was like triple the Linux-ping's max, and the Nping
> average took 4.3ms (17%) longer.
>
> I did some limited testing with tcpdump running during nping and it seemed
> to confirm the Nping-reported times in the small number of cases I
> examined. Next I tried using the Nping --send-ip option which uses "raw
> sockets" to send the packets rather than building and sending lower level
> ethernet frames:
>
> # nping/nping --send-ip -c50 scanme.nmap.org
>
> Starting Nping 0.6.26SVN ( http://nmap.org/nping ) at 2012-12-11 11:31 PST
> [...]
> Max rtt: 48.513ms | Min rtt: 19.738ms | Avg rtt: 24.019ms
> Raw packets sent: 50 (1.400KB) | Rcvd: 50 (1.400KB) | Lost: 0 (0.00%)
>
> Here the results are very similar to (and slightly better than) the normal
> Linux ping.  Our Nping max, min, and average are all within 1 ms of the
> Linux ping equivalent.
>
> So the answer to your question seems to be that Nping is a bit slower than
> OS provided ping utilities because it uses ethernet frame sending by
> default rather than raw sockets.  This might due to inefficiencies in our
> (Nmap/Nping) ethernet frame sending implementation, or it could be that the
> OS takes longer to handle sends this way.  I kind of suspect inefficiencies
> in our system, since it is apparently also slower on Windows.  It would be
> great if someone could figure out why our ethernet sends are slower, since
> improving that (if possible) could make Nmap faster too.
>
> But in the meantime, a workaround is to use --send-ip on Linux/BSD/Mac
> systems to get the most accurate times.  Unfortunately, this doesn't work
> on Windows since MS blocked raw sockets in Windows XP SP2.  I still hope
> they will revisit that mistake sometime.


Hi,

I've just tested the latest dev branch
(nmap-exp/luis/nmap-npingchanges/nping) on a Linux box and I don't see
any real difference between Nping and the traditional ping command.

luis@aberdeen
~/Desktop/repos/svn.nmap.org/nmap-exp/luis/nmap-npingchanges $ ping -c5
google.com
PING google.com (74.125.230.229) 56(84) bytes of data.
64 bytes from par08s10-in-f5.1e100.net (74.125.230.229): icmp_req=1
ttl=53 time=27.8 ms
64 bytes from par08s10-in-f5.1e100.net (74.125.230.229): icmp_req=2
ttl=53 time=29.3 ms
64 bytes from par08s10-in-f5.1e100.net (74.125.230.229): icmp_req=3
ttl=53 time=28.8 ms
64 bytes from par08s10-in-f5.1e100.net (74.125.230.229): icmp_req=4
ttl=53 time=28.7 ms
64 bytes from par08s10-in-f5.1e100.net (74.125.230.229): icmp_req=5
ttl=53 time=28.2 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 27.849/28.599/29.374/0.557 ms



luis@aberdeen
~/Desktop/repos/svn.nmap.org/nmap-exp/luis/nmap-npingchanges/nping $
sudo ./nping google.com

Starting Nping 0.6.20BETA1 ( http://nmap.org/nping ) at 2012-12-11 21:11 CET
SENT (0.0000s) IPv4[192.168.1.33 > 74.125.230.227 ttl=64 id=16727
iplen=28] ICMPv4[Echo request id=6476 seq=0]
RCVD (0.0280s) IPv4[74.125.230.227 > 192.168.1.33 ttl=53 id=53 iplen=28]
ICMPv4[Echo reply id=6476 seq=0]
SENT (1.0010s) IPv4[192.168.1.33 > 74.125.230.227 ttl=64 id=16728
iplen=28] ICMPv4[Echo request id=6476 seq=1]
RCVD (1.0290s) IPv4[74.125.230.227 > 192.168.1.33 ttl=53 id=54 iplen=28]
ICMPv4[Echo reply id=6476 seq=1]
SENT (2.0010s) IPv4[192.168.1.33 > 74.125.230.227 ttl=64 id=16729
iplen=28] ICMPv4[Echo request id=6476 seq=2]
RCVD (2.0280s) IPv4[74.125.230.227 > 192.168.1.33 ttl=53 id=55 iplen=28]
ICMPv4[Echo reply id=6476 seq=2]
SENT (3.0000s) IPv4[192.168.1.33 > 74.125.230.227 ttl=64 id=16730
iplen=28] ICMPv4[Echo request id=6476 seq=3]
RCVD (3.0270s) IPv4[74.125.230.227 > 192.168.1.33 ttl=53 id=56 iplen=28]
ICMPv4[Echo reply id=6476 seq=3]
SENT (4.0000s) IPv4[192.168.1.33 > 74.125.230.227 ttl=64 id=16731
iplen=28] ICMPv4[Echo request id=6476 seq=4]
RCVD (4.0270s) IPv4[74.125.230.227 > 192.168.1.33 ttl=53 id=57 iplen=28]
ICMPv4[Echo reply id=6476 seq=4]

Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)
Max rtt: 28.777ms | Min rtt: 27.672ms | Avg rtt: 28.102ms
Tx time: 4.00001s | Tx bytes/s: 35.00 | Tx pkts/s: 1.25
Rx time: 4.11501s | Rx bytes/s: 34.02 | Rx pkts/s: 1.22
Nping done: 1 IP address pinged in 4.24 seconds


Even when I force Ethernet, I only get slightly higher RTTs.

luis@aberdeen
~/Desktop/repos/svn.nmap.org/nmap-exp/luis/nmap-npingchanges/nping $
sudo ./nping google.com -send-eth

Starting Nping 0.6.20BETA1 ( http://nmap.org/nping ) at 2012-12-11 21:14 CET
[...]
Raw packets sent: 5 (210B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)
Max rtt: 31.366ms | Min rtt: 27.979ms | Avg rtt: 28.863ms
Tx time: 3.99992s | Tx bytes/s: 52.50 | Tx pkts/s: 1.25
Rx time: 4.12500s | Rx bytes/s: 33.94 | Rx pkts/s: 1.21
Nping done: 1 IP address pinged in 4.30 seconds


As soon as I test it on Windows, I'll let you know how it goes. Note
that this version of Nping that I tested it on is not the current SVN
trunk, but a Dev branch that is to be merged soon..

Regards,

Luis MartinGarcia.







_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/