Link to home
Start Free TrialLog in
Avatar of Sheldon Livingston
Sheldon LivingstonFlag for United States of America

asked on

Ping and real time


I set up a "ping" session in which I pinged Google using the -t switch.  I did this for about 21 hours capturing the results in a text file.

I'd like to now analyze this file and determine, as close as possible, what time Google could not be reached.

My file started at 7:16:05 AM in the morning.

The file out put look like:

Pinging [] with 32 bytes of data:
Reply from bytes=32 time=44ms TTL=40
Reply from bytes=32 time=42ms TTL=40
Reply from bytes=32 time=34ms TTL=40
Reply from bytes=32 time=36ms TTL=40
Reply from bytes=32 time=43ms TTL=40
Reply from bytes=32 time=37ms TTL=40
Reply from bytes=32 time=40ms TTL=40
Reply from bytes=32 time=37ms TTL=40
Reply from bytes=32 time=49ms TTL=40

I actually sent 78,376 packets.  Is there a way, perhaps using the "ms", to calculate the time?

Avatar of John Tsioumpris
John Tsioumpris
Flag of Greece image

You could import them to Excel ,delimit them and filter them to get what you need.
Avatar of Sheldon Livingston


I've actually already have them in Excel, etc.  If I assume that 1,000 ms equals one second and I add up all the "ms" in my 78,376 packets I get a total of 8,813,724.  Dividing by 1.000 equals 8,813.724.  Dividing by 60 gives me 146.8954 minutes... this isn't correct as I ran this for 21 hours.

I also need to account for the 386 packets that resulted in "Request timed out." or "Destination host unreachable."  For these I was using 1 second, or 1,000 milliseconds.
Excel is the tool I would use for this. Ping will tell you it succeeded or did not succeed and does not really tell you why.

See if you can sort by no connect and see there is a time frame where this occurs.
Avatar of John
Flag of Canada image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
John... are you basically saying that with the file/info I have there is not a way to do this?
Probably its easier to search for "timeout" keyword
Ping will not tell you why you get the results you do. The only thing (I see) you could do is sift out the no connect timeouts, collect them together and see if there is a time frame common to the timeouts.

For one computer, for one long file, I use DU Meter set to graphical mode and look for dropouts.
I don't care, in this case, why it is timing out.  I started this process at 7:16:05 AM.  I ended up with a file with 79,000 lines in it.  Can a time be calculated using the data in the file?

Reply from bytes=32 time=36ms TTL=40
Reply from bytes=32 time=43ms TTL=40
Reply from bytes=32 time=37ms TTL=40
Reply from bytes=32 time=40ms TTL=40
Reply from bytes=32 time=37ms TTL=40
ping -t seems that it doesn't run continuosly...i just made a simple experiment...30 seconds actual -t to a known packets send 31...avegare 32 992 ms but the experiment lasted 30 seconds...
As I mentioned, those times will not not add up to a total because of ping turnaround time or dead time.

I really would look for a network monitoring tool . Resource Monitor in Windows Admin tools will help you. Network tab.
I would recommend getting a ping utility that actually does timestamping. Here's an article naming a few for you:
Thanks folks... just trying to figure out if I have a useless file here.  Sounds like the consensus is yes.
As you have it, the file will not likely provide any useful information.
Thank you... how should I wrap this up?  Delete the question or award someone(s) points?  

The correct answer to the original question is "No".
How you wrap up is your decision. I think we helped you to a conclusion but you may see it differently .
I'm curious what your purpose is.  'ping' (ICMP) will tell you whether you have a network connection.  It will Not tell you if any other services like a web server on port 80 is running.  In addition, I wouldn't be surprised if the destination started dropping your pings for using too much of their bandwidth.  'ping' is a low priority service in any case and will be dropped simply because the server is busy with other things.
By default, on windows, ping is sent every second (when exactly icmp echo is received is irrelevant)...

So, basically
number of pings * 1 second = total time
Default timeout for ping is 4 seconds - if icmp echo is not received in 4 seconds ... you will get message - "Request timed out"

Again, just count numbers of pings without response - pings were still sent every second... make sum of all of those (timeout is irrelevant) although this is not relevant, ping was lost somewhere - the reason is not known (downtime was maybe just few milliseconds)... Consequent unresponded pings can be counted together as downtime...

On the other hand, even single lost packet can create problems in some circumstances (web page freeze, video stuck etc).

From my experience, Google DNS never drops ping, but ... who knows...
Dave... to answer your question.  We are experiencing some times when the Internet is lost.  So, I set up a computer to ping our server, firewall, cable modem and Google.

I pinged these things for 21 hours.

The server ended up losing 22 packets, the firewall 32, the cable modem 289 and Google 386.

My assumption is that the server and firewall are not the issue.
Predrag... I had assumed one second per ping.  I know the time that I started all four pings (within seconds of each other).  I also ended them all at the same time.  If I start the start times and add the pings I end up to too staggered end times.  Doesn't work.

The server had 79,830 packets sent
Firewall had 78,681
Cable modem had 78,912
and Google had 78,376
I would check with your cable company and see if there are any issues involving signal. Have you also checked the cables?
Beside blaming ISP (might be the reason for your problems), did you check errors on your network devices interfaces (output and input errors)?
Some time ago we had issues with Vpn...we had some drops that caused file corruption during syncing....i tried several things but finally i switched modem and the situation was resolved...
Your question was more about measuring network activity with Ping which is not a good way / tool to do this.

If you are having problem with your ISP and dropouts, connect your computer directly to the modem, turn on Resource Monitor (Network tab) and download a long file. Make a note of dropout time and length and ask your ISP.

Doing this also eliminates your router and cabling while you do the test.
If you are having problem with your ISP and dropouts, connect your computer directly to the modem, turn on Resource Monitor (Network tab) and download a long file. Make a note of dropout time and length and ask your ISP.
Let's make assumption that Author works in company of 4k people and have this issue...
            "Sorry everyone, you can go home, I need to test WAN we have occasional drops..."
Testing like that can be done in home or home office, but not on production network.
The server ended up losing 22 packets, the firewall 32, the cable modem 289 and Google 386
With such small ping loses it is typically hard to find root cause. Even if everything is working perfectly with PC directly connected to WAN result will not eliminate WAN or LAN as root cause. It is just not the same type and amount of traffic.
Predrag Jovic... not sure how to test network devices.  We have cable ISP and just put 200 wireless devices on the network (when we had 60 or so).  Now we are experiencing the issues.  Had a 5 up 70 down plan now have 20 up, 300 down.

I inherited this problem and am trying to determine if we simply have too many devices for our bandwidth.  There is nothing we can do about bandwidth... no fiber.

20/300 is best speed cable can provide.

The new devices are NOT hitting youtube, etc.  They are managed devices... we are not allowing FB, etc.

So, I was looking to determine issue via ping... like, perhaps, firewall bottleneck.  But, to me, it looks like the firewall isn't an issue.
Then where are the devices connecting to and what is the issue that you are seeing?
Have you tried any tools to check for congestion internally? But also, have you tried something such as Speedtest to see if latency happens to be high at a given moment going out to the internet?

It sounds like this is a one location site, in which case does make John's suggestion of testing with a machine directly attached to the modem a practical one as long as it were to be off hours or something like that.

But if you absolutely want to use ping in your troubleshooting, you're going to need a ping tool that uses timestamps during operation. The build in one will not accomplish that, no matter how hard you try.

At this point, there isn't enough data to eliminate anything. You can test the things we've named, but you're also probably going to watch to get your modem and signal tested.
So its more a bandwidth problem than a dropout problem...can you please clarify this...
If its a bandwidth the 1st thing to do is to examine why and where your bandwidth is consumed...if for example all your devices are connected to cloud services probably you can't do anything and maybe you need to host some of these on your premises...
If its critical to have no dropout i guess you have to do some more checks with your equipment and your  ISP to short this out...Logically there should be one more ISP so you could add a 2nd line to give redundancy and stability
This location is a school...  I did this same ping test over a weekend and packet loss was negligible.  Def an issue when school is in session.
So then the likelihood is a bandwidth issue.

There is nothing we can do about bandwidth... no fiber. ....  20/300 is best speed cable can provide.

Can you add another supplier for student devices, leaving staff devices on the main network.
If its a school then probably you could benefit by a proxy with caching functionality so that the clients don't get to request the same thing over and over...take a look here  
The problem MAY be bandwidth. Is the network divided into VLANs? If so, are there any bandwidth restrictions for the wireless side? Get a tool like PRTG or Wireshark to help internally. 200 devices is a lot to have on a network. What type of environment is this if you don't mind my asking, a school?
This is a school... no vlans.
John Tsioumpris... I'll check out Squid... thanks.
We are getting off topic and I should close this.  Thanks all for helping.
You'll definitely want to get VLANs into play. Then you'll be able to start restrict bandwidth utilized by each one. Otherwise you have no choice but to get an additional internet line.
Well, you need a way to monitor how your traffic is getting used and what machines are using it. Proxy would help. Maybe even putting in something like packet shaping. If you're not going to up the bandwidth (I know you said it isn't an option), then you'll have to manage it.
You can be surprised how people are creative to get what is forbidden.

The first step - check interfaces are there packets drop inbound or outbound. Errors will most likely mean bad cables and drops typically mean overloaded interfaces.
If you can implement network monitoring, that is the best chance that you have do find root cause.

If you don't have VLANs you can suffer from occasional broadcast storms (even bad network card can broadcast storm).
You should implement VLANs to limit broadcast (but that is future network design).
Predrag Jovic... what would you use for network monitoring?  I installed Spiceworks on the server but I think it caused more issues.
For your size, consider Nagios for network monitoring
I have written a short .bat file that will ping away at a specified IP address and will keep track of the number of consecutive missed pings.  When the specified number of missed pings is reached, it runs a traceroute and logs the results.  
That way you can tell when it happened and where it happened.
Here is a version of the script that I'm currently using:
SET drive_letter=%1
IF "%1"=="" (SET drive_letter=c:)
echo Drive letter = %drive_letter%
REM ***************************SETUP***********************
SET Machine=%2
IF "%2"=="" (SET Machine=
echo Machine = %Machine%
SET testname=QWEST
SET /a faillimit=3
SET pinginterval=600
SET pingtimeout=500
SET single_ping_delay=16.3
REM ***************No changes below*****
SET /a pings=%pinginterval%/%single_ping_delay%
@Echo pings = %pings%
SET fileloc=%drive_letter%\Users\public\probes\ping
SET pinglog=%fileloc%\%testname%_pinglog.txt
SET tracelog=%fileloc%\%testname%_tracelog.txt
SET pingtemp=%fileloc%\%testname%_pingtemp.txt
SET temptxt=%fileloc%\%testname%_temptxt.txt
REM **************************END SETUP********************
cd \
cd \
md users
cd users
md public
cd public
md probes
cd probes
md ping
cd ping

REM initialize counts and limits
SET /a pingcount=0
REM Zeros the contiguous ping failure count
SET /a failcount=0
REM Initializing TRACE then return to :PING
goto :TRACE

REM echo %time%
REM Delay between pings using ping -w [blank]
for /L %%a In (0 1 %pings%) do (
ping -n 1 -w > nul
REM @ECHO add ping output to %pingtemp%
ping -w %pingtimeout% -n 1 %Machine% >%pingtemp%

REM @ECHO Find "reply" and reset fail counter
(find /I "reply"   %pingtemp%>%pinglog%) && (set /a failcount=0 & goto :PING)

REM @ECHO Finding "request timed out" and increment fail counter
(find /I "request" %pingtemp%>%pinglog%) && set /a failcount=%failcount%+1

REM @ECHO Finding "unreachable" and increment fail counter
(find /I "unreachable" %pingtemp%>%pinglog%) && set /a failcount=%failcount%+1

REM @ECHO Check failcount
if %failcount% geq 1 echo failcount %failcount% Pings have failed  %date% %time%
if %failcount% geq 2 echo failcount %failcount% Pings have failed  %date% %time%>>%tracelog%
if %failcount% geq %faillimit% goto :TRACE
goto :PING


REM @ECHO Reset failcount to zero
set /a failcount=0

ECHO Trace Started
@ECHO Trace Started>>%tracelog%
@ECHO %DATE%>>%tracelog%
@ECHO %TIME%>>%tracelog%
TRACERT -d -h 30 %machine% >>%tracelog%
@ECHO Trace ended >>%tracelog%
@ECHO %DATE% >>%tracelog
@ECHO %TIME% >>%tracelog
@ECHO Trace ended

REM This GOTO cuts out the pathping

ECHO pathping
@ECHO %DATE%>>%tracelog%
@ECHO %TIME%>>%tracelog%
pathping %machine% >>%tracelog%
REM ECHO Trace ended >>%tracelog%
ECHO pathping ended
@ECHO %DATE%>>%tracelog%
@ECHO %TIME%>>%tracelog%



REM Program will loop until CTRL+C is pressed or window is closed.


Open in new window

Typically it does not matter which monitoring you will use, it is just difference in how mush details it can analyze (what are supported options) and do you like output etc.... Monitoring should not make big increase in network traffic. If adding network monitoring is adding issues, most likely you have congestion in your network.
In monitoring you can see (depending on support on your device and monitoring tool) top talkers, how much interfaces are utilized, device health etc...
You are currently most interesting in interface utilization (WAN interface, links between devices) if interfaces are 100% utilized most likely traffic is dropped.
Long thread so not sure if this was mentioned...

I would just press CTRL+BREAK to display the summary

User generated image
Shaun Vermaak... the spirit of the tread was to try and determine at what time a break occurred given a known start time and file with ping information.
Thanks classnet
I might add re: the script I posted, the script command prompt window can be observed so you can see how many pings are missed and when recent traceroutes have occurred.  Then you can look at the trace log to see the results.  Date, time, servers at each hop.  It starts by logging a traceroute so you will know what's "normal" and can compare with abnormal traces to see which hop disappeared if any.

And, to use it, you may want to adjust the ping times as described here:
Using the ping file that I captured, for 8 hours, will not give me the data that I desire.  Although a few suggestions were posted for tools to help me get the info I desire, it is clear that my current file is of no use.

Thank you all.
Thank you for following up.