Transport Level Passive Ping Monitoring Tool
Pollere believes the Internet community needs more passive diagnostic tools.
To that end,
we've been giving talks at the
Stanford Networking Seminar
to emphasize the fun and utility of extracting information
from real Internet traffic. In response to feedback at those
talks and to help
people new to passive network measurement get up to speed,
we coded and put out an open source example for others to
Measuring Round-Trip Delay in the Internet
Ping has been an essential tool for network engineers and
users from the beginning.
It computes the round-trip time to any host by sending it a packet
that requires a response and measuring the time until that
response is returned or "reflected" from the host.
This resemblance to active sonar gives ping its name.
Ping uses the lack of a response to determine reachability
and the measured reflection time to determine delay,
but only for the packets that it injects into a network.
Ping's key enabler, the ability to reflect a packet off a host,
was designed into IP's control message protocol, ICMP, for diagnostic
Similar packet "reflections" exist in other parts of the Internet
protocol stack notably, TCP ACKs are a receiver's reflection of a
sender's data packet. The ACK stream allows senders to continuously
estimate a connection's round-trip time, critical for efficient loss
This reflection mechanism only works for the sender and requires relatively complex
sequence number tracking. Another reflection mechanism was introduced
in RFC1323, a TCP "timestamp" option and this can be used by senders,
receivers and intermediaries to monitor connection behavior.
Passive Ping (pping)
When the timestamp option is used in a TCP connection,
it provides a naturally occurring reflected signal that
allows calculation of a "passive ping" (think of passive sonar)
that measures the round trip delay application packets experience
relative to any capture point on the connection's path.
Passive ping delays are collected per TCP connection with packets
of the connection's outbound (relative to the monitoring point) flow
providing the signal and
packets of the inbound flow the reflection.
The inbound flow IP source is the passively pinged host
and round trip times are reported relative to the packet capture point.
Unlike ping, pping measures the delay of two different round-trips from
the packets it monitors, i.e. the round-trip times to the applications at
both ends of a TCP connection. If pping is co-located with one of the
applications, it measures delay through the local protocol stack and the
application as well as the round-trip time to the communicating host.
If located along the path, e.g. at a WiFi router or a cable modem, delay
between the host endpoints can be bifurcated with respect to the location
of the packet capture.
Also unlike ping, pping captures all of the flows through it, giving
visibility to to the various Internet connections to the host.
Unlike some other passive metrics,
pping monitoring can start at any time in the lifetime of a connection,
i.e., it does not require SYN packets.
Our C++ code for a basic passive ping utility, pping, is
It can be utilized as-is or as a basis for other monitoring utilities
and works on end hosts as well as on in-network elements.
Further Information on Passive Monitoring at Pollere
Slides from a talk on passive monitoring that includes use of passive
ping deployed in a transparent bridge
can be found at Listening to Networks.
These include results from Pollere's
Transport Segment Delay Estimator (TSDE), developed under an
SBIR grant from the Department of Energy.
Other talks on measurements using TSDE and on passive monitoring are available
on our Presentations page.
Passive Monitoring with a Transparent Bridge
For more information, contact email@example.com.