The Ping Fallacy

Many people (even specialists) use ping to measure speed. But it measures network latency, a completely different property that should not be confused with with bandwidth, throughput, or surfing speed.

Bandwidth

The maximum amount of raw data that can be transmitted per second. It's a fixed property, calculated rather than measured. In a network the bandwidth is the highest speed of the slowest component.

Throughput

The actual data that is transmitted per second. Only the payload data is counted, not any overhead such as start/stop bits, TCP/IP, or HTTP overhead. Throughput depends on things like bandwidth, latency, payload size, packet size, network load, number of hops, and others.

Latency

The minimum time a network needs to send the smallest possible amount of data. Latency depends on things like line speed and the receive and retransmit delay in routers and modems. A low latency indicates a high network efficiency.

Ping was originally developed to probe a target machine and see if the network towards it is functioning correctly. It will send a very small ICMP packet (usually 8 bytes, plus the standard TCP/IP and ICMP overhead) to the target, which responds with a similarly minimal packet. The target and the network do not have to do much work, so the round-trip usually takes mere milliseconds. When you receive the reply you know that both the target and the network are alive and well. Ping will measure the time it takes for the round-trip. A pure latency measurement would only measure the one-way delay, ping measures there-and-back delays together.

Traffic on the internet is much larger (kilobytes and more) than ping traffic, is often split in several chunks, servers must perform real work (like fetching an image from harddisk), and the protocols are quite different (HTTP, SMTP, FTP, etc.). Many providers have optimized their routers for Ping, which obviously doesn't do anything for regular internet traffic. Another difference, more subtle, is that users jump all over the place. The internet is a complex collection of fast and slow networks, so ping measurements between two points say nothing about other stretches on the information highway.

So why is everybody using Ping? Well, Ping has been around for a long time and everybody knows it. It's very easy to use, just a single command. Ping has been ported to just about every operating system and is included as a standard component, so it's free and it's readily available. Building Ping into other programs is almost trivial, it's very small and basic. Other programs for measuring the speed of the internet exist but are more difficult to get, install, use, and understand.

Traceroute is a derivative of Ping and uses the same technology. It was developed as a tool for network administrators to pinpoint problems in a network. Traceroute will send ping-packets to all the individual routers between the source and the target. The replies are listed and show exactly which router is causing problems. Measurements based on Traceroute do exactly the same as Ping, they simply measure round-trip times. Tabulated and averaged this provides valuable information for network administrators, but is most definitely not a speed measurement.

In Memoriam

Ping was written by Mike Muuss in december 1983. Sadly, Mike was killed in an automobile accident on US route 95 in Maryland, on November 20, 2000. His homepage is still available, a testament to his intellect and indomitable spirit.

Homepage of Mike Muuss
The Story of the PING Program by Mike Muuss

Ping technology

Quoted from the Ping manual:

Ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams ('pings') have an IP and ICMP header, followed by a 'struct timeval' and then an arbitrary number of 'pad' bytes used to fill out the packet.

An IP header without options is 20 bytes. An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary amount of data. When a packetsize is given, this indicated the size of this extra piece of data (the default is 56). Thus the amount of data received inside of an IP packet of type ICMP ECHO_REPLY will always be 8 bytes more than the requested data space (the ICMP header).

If the data space is at least eight bytes large, ping uses the first eight bytes of this space to include a timestamp which it uses in the computation of round trip times. If less than eight bytes of pad are specified, no round trip times are given.

Ping slang

Quoted from "The on-line hacker Jargon File, version 4.2.2, 20 AUG 2000".

Ping [from the submariners' term for a sonar pulse]

1. n. Slang term for a small network message (ICMP ECHO) sent by a computer to check for the presence and alertness of another. The Unix command ping(8) can be used to do this manually (note that ping(8)'s author denies the widespread folk etymology that the name was ever intended as acronym for `Packet INternet Groper'). Occasionally used as a phone greeting. See ACK, also ENQ.
2. vt. To verify the presence of.
3. vt. To get the attention of.
4. vt. To send a message to all members of a mailing list requesting an ACK (in order to verify that everybody's addresses are reachable). "We haven't heard much of anything from Geoff, but he did respond with an ACK both times I pinged jargon-friends."
5. n. A quantum packet of happiness. People who are very happy tend to exude pings; furthermore, one can intentionally create pings and aim them at a needy party (e.g., a depressed person). This sense of ping may appear as an exclamation; "Ping!" (I'm happy; I am emitting a quantum of happiness; I have been struck by a quantum of happiness). The form "pingfulness", which is used to describe people who exude pings, also occurs. (In the standard abuse of language, "pingfulness" can also be used as an exclamation, in which case it's a much stronger exclamation than just "ping"!). Oppose blargh.

Ping of death

Quoted from "The on-line hacker Jargon File, version 4.2.2, 20 AUG 2000".

Ping O' Death n.

A notorious exploit that (when first discovered) could be easily used to crash a wide variety of machines by overunning size limits in their TCP/IP stacks. First revealed in late 1996. The open-source Unix community patched its systems to remove the vulnerability within days or weeks, the closed-source OS vendors generally took months. While the difference in response times repeated a pattern familiar from other security incidents, the accompanying glare of Web-fueled publicity proved unusually embarrassing to the OS vendors and so passed into history and myth. The term is now used to refer to any nudge delivered by network wizards over the network that causes bad things to happen on the system being nudged. For the full story on the original exploit, see www.insecure.org/sploits/ping-o-death.html. Compare with 'kamikaze packet,' 'Finger of Death' and 'Chernobyl packet.'

Ping storm n.

A form of DOS (Denial Of Service) attack consisting of a flood of ping requests (normally used to check network conditions) designed to disrupt the normal activity of a system. This act is sometimes called `ping lashing' or `ping flood'. Compare with 'mail storm', 'broadcast storm'.