2

I've noticed a strange behaviour (at least, I can't get out).

Ping IP, specifying packet size:

ping -s 128 8.8.8.8 

I get:

PING 8.8.8.8 (8.8.8.8) 128(156) bytes of data.
72 bytes from 8.8.8.8: icmp_req=1 ttl=43 (truncated)

Ping website, specifying packet size:

ping -s 128 www.google.com

I get:

PING www.google.com (173.194.35.19) 128(156) bytes of data.
136 bytes from mil01s16-in-f19.1e100.net (173.194.35.19): icmp_req=1 ttl=52 time=8.36 ms

So why, when pinging a pure IP, has the packet size been truncated?

From the ping man page, I get:

-s packetsize: Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

Braiam
  • 2
    In your example you are not talking to the same machine. 8.8.8.8 is a Google DNS server, but www.google.com will take you to a Google HTTP server which does not have that IP (notice "from 173.194.35.19"). So the second ping might as well use any domain whatsoever. – goldilocks Jul 11 '14 at 14:18
  • @Velthune not a definitive answer but take a look here http://superuser.com/questions/369594/packet-sizes-for-ping-and-traceroute

    So I assume there is something related to the translation of the site's name to its IP.

    – vfbsilva Jul 11 '14 at 14:19
  • As goldilocks mentioned, you're not pinging the same host in both tests. Also, -s controls the size of the packet sent, not received. The other side can send whatever they want. – phemmer Jul 11 '14 at 14:25
  • You are not pinging the same IP address. If you try ping -s 128 173.194.35.19 you will get the same answer. In fact you can see that 8.8.8.8 is refusing to answer more than 72 bytes and only answering with 72 bytes (that's the "truncated" note in ping response) – Pablo Martinez Jul 11 '14 at 15:26
  • Different hosts. Different icmp packet sizes. –  Jul 11 '14 at 16:46
  • @Patrick The response to a ping is supposed to contain the same data that was sent. See the specification of in RFC 792 – Barmar Jul 11 '14 at 19:44

1 Answer

4

It looks like this is simply a restriction imposed by the Google DNS servers. They apparently limit their responses to 72 bytes, regardless of the size of the packet that was sent. It may be a way to prevent their servers from being used in some kind of DoS attack, or to prevent them from overloading their uplinks with large ping responses.

See Ken Felix Security Blog. He writes:

Take Google, for example: their IPv4 DNS servers are probably pinged every second by god only knows who. They have deployed ICMP (echo-reply) rate controls because of this.

[example elided]

So my 200-byte echo-request only returned back 72 bytes. They have to do this; if not, they would see even more ICMP traffic outbound, and this would conflict with the whole object of the delivery of the DNS response or other business-critical services.

Barmar
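The size arithmetic behind the ping output above, as an added example that is not part of the original question or answer: this Python sketch builds a constructed 128-byte echo request and compares it with a full reply and a shortened one, reporting the same figures ping prints. The 64-byte reply payload (72 minus the 8-byte ICMP header), the identifier 0x1234 and all function names are assumptions made for the illustration.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_HDR, IPV4_HDR = 8, 20  # header sizes in bytes (IPv4 without options)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message (header + payload) with a valid checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def analyse_reply(request: bytes, reply: bytes) -> dict:
    """Compare an echo reply with the request it answers."""
    r_type, _, _, r_id, r_seq = struct.unpack("!BBHHH", reply[:ICMP_HDR])
    _, _, _, q_id, q_seq = struct.unpack("!BBHHH", request[:ICMP_HDR])
    sent, got = request[ICMP_HDR:], reply[ICMP_HDR:]
    return {
        "matches_request": r_type == ICMP_ECHO_REPLY and (r_id, r_seq) == (q_id, q_seq),
        "checksum_ok": checksum(reply) == 0,        # valid message sums to zero
        "on_wire_sent": len(request) + IPV4_HDR,    # the "(156)" in ping's banner
        "icmp_bytes_received": len(reply),          # the "N bytes from" figure
        "truncated": len(got) < len(sent),          # fewer data bytes than sent
        "prefix_intact": sent.startswith(got),      # echoed data is unmodified
    }

# Constructed sample data: 128 payload bytes, as with `ping -s 128`.
PAYLOAD = bytes(range(128))
REQUEST = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, PAYLOAD)
FULL_REPLY = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, PAYLOAD)
# Assumption: the limiting host echoes only the first 64 data bytes (72 - 8).
SHORT_REPLY = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, PAYLOAD[:64])

if __name__ == "__main__":
    for name, reply in (("full", FULL_REPLY), ("short", SHORT_REPLY)):
        print(name, analyse_reply(REQUEST, reply))
```

A shortened reply can still carry a valid checksum and the correct identifier and sequence number, so only the length comparison against the sent payload reveals the truncation.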