While analyzing some traffic logs, I noticed a node pinging its gateway with a large ping packet size, ranging from 700 bytes to 1 MB. It's a constant ping from node to gateway and the size per ping is rather high. Does anyone know why this might be happening or if there is a benefit (possibly for testing purposes) to manipulating the PING size?
5 Answers
It's to ensure that the path taken can handle the large packet; not all routes have the same MTU throughout. Having a good MTU will also prevent IP fragmentation.
- 2,854
The only benefit of using a big load on a ping is to test the stability of the line. If a line fluctuates or goes offline with a high load, but not with a small load, a standard ping with just 32 bytes won't detect the problem.
- 66,193
No one mentioned the PING OF DEATH??
A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol [IP] header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size. Larger packets could crash the target computer.
Generally, sending a 65,536-byte ping packet violates the Internet Protocol as documented in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.
I don't think it's as widespread as it used to be, but if you want a purpose for a large ping packet, well, DDoS is one.
- 6,336
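The two answers above (MTU handling in the first, the ping of death in the one just above) both come down to IPv4 fragmentation arithmetic. The following is an added example, not code from any answer in this thread: it splits an echo request into the fragments a router would emit for a given MTU, and implements the receiver-side bounds check that rejects a fragment set whose reassembled size would exceed the 65535-byte IPv4 limit. It assumes a 20-byte IPv4 header with no options and an 8-byte ICMP echo header; the 1500-byte MTU is a default, not a value from the thread.

```python
# Added example (not from the thread): IPv4 fragmentation arithmetic for a
# large ping, plus the reassembly bounds check that defeats a "ping of death".
# Assumes a 20-byte IPv4 header (no options) and an 8-byte ICMP echo header.

IPV4_HEADER_LEN = 20      # assumption: no IP options
ICMP_HEADER_LEN = 8       # ICMP echo header: type, code, checksum, id, seq
MAX_IPV4_PACKET = 65535   # IPv4 total-length field is 16 bits (RFC 791)
MAX_IPV4_DATA = MAX_IPV4_PACKET - IPV4_HEADER_LEN   # 65515 data bytes at most


def ping_packet_length(payload_len):
    """Total IPv4 datagram size for an echo request carrying payload_len bytes."""
    return IPV4_HEADER_LEN + ICMP_HEADER_LEN + payload_len


def fragment(payload_len, mtu=1500):
    """Split one echo request into IPv4 fragments for a link of the given MTU.

    Returns a list of (fragment_offset_in_8_byte_units, more_fragments, data_len)
    tuples, i.e. the values a router puts in each fragment's IP header.
    Every fragment except the last must carry a multiple of 8 data bytes.
    """
    total = ping_packet_length(payload_len)
    if total > MAX_IPV4_PACKET:
        raise ValueError(f"{total}-byte datagram exceeds the 65535-byte IPv4 limit")
    data_len = total - IPV4_HEADER_LEN          # ICMP header + payload
    if total <= mtu:
        return [(0, False, data_len)]           # fits: no fragmentation needed
    per_fragment = (mtu - IPV4_HEADER_LEN) // 8 * 8
    fragments, offset = [], 0
    while offset < data_len:
        n = min(per_fragment, data_len - offset)
        more = offset + n < data_len
        fragments.append((offset // 8, more, n))
        offset += n
    return fragments


def reassembled_length(fragments):
    """Receiver-side check: compute the reassembled datagram size, rejecting any
    fragment whose end would land past the IPv4 limit. Historically, skipping
    this check let a fragment with a high offset overrun the reassembly buffer,
    which is the crash the "ping of death" answer describes."""
    end = 0
    for offset_units, _more, n in fragments:
        fragment_end = offset_units * 8 + n
        if fragment_end > MAX_IPV4_DATA:
            raise ValueError(f"fragment ends at byte {fragment_end}, beyond the IPv4 maximum")
        end = max(end, fragment_end)
    return IPV4_HEADER_LEN + end


if __name__ == "__main__":
    for size in (56, 1472, 1473, 40096):
        frags = fragment(size)
        print(f"payload {size:>5} B -> {len(frags):>2} fragment(s), "
              f"reassembled {reassembled_length(frags)} B")
```

Running it shows the boundary that matters on an Ethernet path: a 1472-byte payload is the largest echo request that fits a 1500-byte MTU in one piece, a 1473-byte payload already needs two fragments, and the 40096-byte payload from the last answer becomes 28 fragments, any one of which being dropped loses the whole reply.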
Just to offer another (unlikely) possibility - I don't have any context as to who is generating the log, and I don't know how often you are seeing these pings, but because you can put whatever you want into the ICMP/ping packets, they are occasionally used as a covert communication channel, i.e. an ICMP/ping tunnel. Presumably you'd see frequent large-sized pings going out from (and possibly returning to) a given node, if someone is using a ping tunnel for some reason.
- 632
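One way to check the tunnel hypothesis from the answer above is to look at what the echo payloads contain: ping tools fill them with a predictable pattern, and a tunnel does not. The following is an added example, not code from this thread: it classifies one ICMP echo payload as standard fill or not, and for non-standard payloads reports whether the body looks random (encrypted or compressed) or like plain text. It assumes two benign fill shapes, an incrementing byte sequence after an 8-byte timestamp (Linux-style) and a short repeated string (Windows-style); the size and entropy thresholds are illustrative, and all sample payloads are constructed, not captured.

```python
# Added example (not from the thread): heuristics for spotting ICMP echo
# payloads that do not look like a ping tool's fill pattern, which is what an
# ICMP tunnel leaves behind. Assumptions: benign fills are either an
# incrementing byte sequence after an 8-byte timestamp (Linux-style) or a short
# repeating string (Windows-style); thresholds are illustrative.

import hashlib
import math
import string
from collections import Counter

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data):
    """Bits of entropy per byte; close to 8.0 means random-looking data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_arithmetic_fill(data, skip=8):
    """True if every byte after `skip` differs from the previous one by a constant step (mod 256)."""
    body = data[skip:]
    if len(body) < 4:
        return False
    step = (body[1] - body[0]) & 0xFF
    return all(((body[i] - body[i - 1]) & 0xFF) == step for i in range(1, len(body)))


def is_periodic_fill(data, max_period=32):
    """True if the payload is a short string repeated (possibly truncated at the end)."""
    for period in range(1, min(max_period, len(data) - 1) + 1):
        if all(data[i] == data[i % period] for i in range(len(data))):
            return True
    return False


def classify_icmp_payload(payload, size_threshold=256):
    """Return a verdict dict for one echo-request payload."""
    reasons = []
    standard = is_arithmetic_fill(payload) or is_periodic_fill(payload)
    if len(payload) > size_threshold:
        reasons.append("oversized")
    if not standard:
        reasons.append("non-standard fill")
        body = payload[8:]                      # skip the timestamp/header slot
        entropy = shannon_entropy(body)
        if len(body) >= 64 and entropy > 7.0:
            reasons.append("high entropy")
        elif body and sum(b in PRINTABLE for b in body) / len(body) > 0.9:
            reasons.append("plaintext body")
    return {"size": len(payload), "standard_fill": standard,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not captured traffic).
LINUX_LIKE = bytes([0x5F, 0x3A, 0x10, 0x02, 0x00, 0x04, 0x1E, 0xC8]) + bytes(range(0x10, 0x10 + 48))
WINDOWS_LIKE = (b"abcdefghijklmnopqrstuvw" * 2)[:32]
TUNNEL_LIKE = bytes(8) + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(19))
TEXT_LIKE = bytes(8) + b"chunk 3 of 7: hello from the other side of the tunnel"


if __name__ == "__main__":
    for name, sample in [("linux", LINUX_LIKE), ("windows", WINDOWS_LIKE),
                         ("tunnel", TUNNEL_LIKE), ("text", TEXT_LIKE)]:
        print(name, classify_icmp_payload(sample))
```

The entropy test is deliberately gated on the fill check: a large standard ping whose incrementing bytes wrap around 0..255 has near-maximal byte entropy too, so entropy alone would flag the very traffic the first answers describe as legitimate.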
A bad router, even wired, can fail on large pings and succeed on small ones, until restarted, so it can be used for debugging issues like this one.
Packet loss may be a result of a bad connection, and can't always be detected with a normal ping.
ping 208.67.222.222 -l 40096 -n 20, or on Linux it's -s 40096
This pings a special server that allows large ping traffic, and looks for packet loss on the line. I had had packet loss on a wired line that prevented some traffic from going round trip.
- 1,782
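To act on the procedure in the answer above (and the "stability under load" point made earlier in the thread), you want the large-payload run compared against a default-size run, since loss that only appears with the big payload is the signal. The following is an added example, not code from this thread: it parses the output of a ping run in both the Linux (iputils) and Windows formats, extracts loss, RTT and the missing sequence numbers, and reports whether the large run lost noticeably more than the small one. The sample outputs are constructed to resemble those tools and use the address from the answer; the numbers in them are made up.

```python
# Added example (not from the thread): parse the output of a large-payload ping
# run and compare it with a small-payload run, so that loss that only shows up
# under load is reported. Assumes the Linux (iputils) and Windows summary
# formats shown in the constructed samples below; the numbers are made up.

import re

LINUX_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received")
WINDOWS_SUMMARY = re.compile(r"Sent = (\d+), Received = (\d+)")
RTT = re.compile(r"time[=<](\d+(?:\.\d+)?)\s*ms")
SEQ = re.compile(r"icmp_seq=(\d+)")


def parse_ping_output(text):
    """Return sent/received counts, loss percentage, RTT stats and (Linux only)
    the missing icmp_seq numbers for one ping run."""
    match = LINUX_SUMMARY.search(text) or WINDOWS_SUMMARY.search(text)
    if not match:
        raise ValueError("no ping summary line found")
    sent, received = int(match.group(1)), int(match.group(2))
    rtts = [float(m.group(1)) for m in RTT.finditer(text)]
    seen = {int(m.group(1)) for m in SEQ.finditer(text)}
    missing = sorted(set(range(1, sent + 1)) - seen) if seen else []
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1) if sent else 0.0,
        "rtt_avg_ms": round(sum(rtts) / len(rtts), 2) if rtts else None,
        "rtt_max_ms": max(rtts) if rtts else None,
        "missing_seq": missing,
    }


def loss_under_load(small_run, large_run, tolerance_pct=1.0):
    """True when the large-payload run loses noticeably more than the small one."""
    return large_run["loss_pct"] - small_run["loss_pct"] > tolerance_pct


# Constructed output resembling `ping -c 4 -s 40096 208.67.222.222` on Linux.
LINUX_LARGE = """\
PING 208.67.222.222 (208.67.222.222) 40096(40124) bytes of data.
40104 bytes from 208.67.222.222: icmp_seq=1 ttl=57 time=12.3 ms
40104 bytes from 208.67.222.222: icmp_seq=2 ttl=57 time=12.9 ms
40104 bytes from 208.67.222.222: icmp_seq=4 ttl=57 time=13.1 ms

--- 208.67.222.222 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
rtt min/avg/max/mdev = 12.300/12.767/13.100/0.340 ms
"""

# Constructed output resembling `ping -c 4 208.67.222.222` with the default payload.
LINUX_SMALL = """\
PING 208.67.222.222 (208.67.222.222) 56(84) bytes of data.
64 bytes from 208.67.222.222: icmp_seq=1 ttl=57 time=11.8 ms
64 bytes from 208.67.222.222: icmp_seq=2 ttl=57 time=11.9 ms
64 bytes from 208.67.222.222: icmp_seq=3 ttl=57 time=12.0 ms
64 bytes from 208.67.222.222: icmp_seq=4 ttl=57 time=11.7 ms

--- 208.67.222.222 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.700/11.850/12.000/0.112 ms
"""

# Constructed output resembling `ping 208.67.222.222 -l 40096 -n 4` on Windows.
WINDOWS_LARGE = """\
Pinging 208.67.222.222 with 40096 bytes of data:
Reply from 208.67.222.222: bytes=40096 time=13ms TTL=57
Request timed out.
Reply from 208.67.222.222: bytes=40096 time=14ms TTL=57
Reply from 208.67.222.222: bytes=40096 time=13ms TTL=57

Ping statistics for 208.67.222.222:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""

if __name__ == "__main__":
    small, large = parse_ping_output(LINUX_SMALL), parse_ping_output(LINUX_LARGE)
    print("small:", small)
    print("large:", large)
    print("loss only under load:", loss_under_load(small, large))
    print("windows:", parse_ping_output(WINDOWS_LARGE))
```

In practice you would feed it the captured stdout of the two ping runs from the answer (default payload, then -l/-s 40096) and treat a positive loss_under_load result, or a large run whose missing_seq list keeps growing, as the sign of the bad link or router the answer describes.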