
monitoring network Latency

raindrop18
Level 1

I want to write a script using "fping" to monitor my network latency and packet loss. Since I don't have root permission on the server I am running the script on, I can't use ICMP; the other option I have is TCP or UDP, depending on the available open ports on the router/switch. My question is: is there any drawback to using TCP or UDP ping in terms of result quality and traffic? I really appreciate your feedback. Thanks, Paul

1 Accepted Solution

Accepted Solutions

Joe Clarke
Cisco Employee

TCP and UDP "ping" typically rely on port 7 being open on the target devices.  This is almost never the case these days.  You can enable the UDP and TCP echo services on IOS devices with the command "service {udp|tcp}-small-services" but many consider them a security hole.  What would be best is if you can convince your admin to setuid the fping executable to root (i.e. chmod 4555 fping).  This way fping will be able to open raw sockets to produce ICMP traffic.  You are certainly more likely to have this work than relying on the echo service being available.

Another alternative is to procure a small IOS device and run IP SLA on it.  With IP SLA you can test simple ICMP echo, or use more advanced probes such as TCP, UDP, jitter, HTTP, DHCP, and DNS.


4 Replies

Thank you so very much, Joe. I like the idea of "setuid" for fping. I will talk with my admin. At the same time, I have tested using fping with TCP port 22 to ping the routers, since port 22 is already open for SSH, and it appears to be working just fine. But I am not sure if this method has any drawback, either on security or reliability. Do you have any comments about this? Or should I stick with "setuid"? Thanks again for your time.

I assume fping uses TCP echo to verify TCP.  If it behaves like IP SLA's TCP operation, then it could be timing the TCP three-way handshake to any port.  In which case, verification of something like tcp/22 is fine.  The only drawback to that is that AAA servers may falsely assume someone is trying to compromise your device by seeing a lot of TCP connections to port 22 with no login.
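As an added example (not part of this thread and not fping's own code), the script below does what Joe describes for the TCP case: it times the TCP three-way handshake to an already-open port such as tcp/22 and reports latency and loss, using only ordinary connect() calls, so it needs neither raw sockets nor a setuid binary. The target host/port, probe count and interval are assumptions; the loopback listener in `local_demo()` is constructed purely so the script can be run offline.

```python
"""TCP-connect "ping": time the three-way handshake to an open port without root.

Added example for the thread above; not fping's implementation. Each probe opens a
TCP connection (SYN / SYN-ACK / ACK), measures the time until connect() returns,
then closes the socket. Timeouts and refused connections count as loss.
"""
import socket
import statistics
import time
from dataclasses import dataclass, field


@dataclass
class TcpPingResult:
    host: str
    port: int
    sent: int = 0
    received: int = 0
    rtts_ms: list = field(default_factory=list)

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0

    @property
    def avg_ms(self):
        return statistics.mean(self.rtts_ms) if self.rtts_ms else None


def tcp_probe(host: str, port: int, timeout: float = 1.0):
    """One probe: connect, then close. Returns handshake RTT in ms, or None on failure."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            rtt_ms = (time.perf_counter() - start) * 1000.0
    except OSError:  # refused, unreachable, or timed out
        return None
    return rtt_ms


def tcp_ping(host: str, port: int, count: int = 5, interval: float = 0.2,
             timeout: float = 1.0) -> TcpPingResult:
    """Send `count` probes spaced `interval` seconds apart and collect the results."""
    result = TcpPingResult(host, port)
    for i in range(count):
        result.sent += 1
        rtt = tcp_probe(host, port, timeout)
        if rtt is not None:
            result.received += 1
            result.rtts_ms.append(rtt)
        if i < count - 1:
            time.sleep(interval)
    return result


def format_summary(r: TcpPingResult) -> str:
    """fping-style one-line summary: sent/received/loss and min/avg/max RTT."""
    line = f"{r.host}:{r.port} : {r.sent} sent, {r.received} received, {r.loss_pct:.1f}% loss"
    if r.rtts_ms:
        line += (f", rtt min/avg/max = {min(r.rtts_ms):.2f}/"
                 f"{r.avg_ms:.2f}/{max(r.rtts_ms):.2f} ms")
    return line


def local_demo(count: int = 3):
    """Constructed offline demo: probe a loopback listener (up), then the same port
    after the listener is closed (down). Returns (up_result, down_result)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # kernel picks a free port
        srv.listen(8)
        port = srv.getsockname()[1]
        up = tcp_ping("127.0.0.1", port, count=count, interval=0.01)
    # listener is gone now, so every probe is refused and counts as loss
    down = tcp_ping("127.0.0.1", port, count=count, interval=0.01)
    return up, down


if __name__ == "__main__":
    # Real use would be e.g. tcp_ping("router.example.net", 22) (hypothetical host).
    for res in local_demo():
        print(format_summary(res))
```

Because every probe is a completed handshake followed by an immediate close, keep the probe rate modest and make sure the device owners know the monitor's source address; as Joe notes, a stream of tcp/22 connections that never authenticate looks, to AAA or login-failure alerting, exactly like someone probing the device, so it should be whitelisted or at least recognised rather than alarmed on.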

raindrop18
Level 1

Thanks! Good to know about AAA drawback

Sent from Cisco Technical Support iPhone App