Parallelized Ping Scanner

David Simmons
September 21, 1997

THE PROBLEM WITH PING

Ping, the ubiquitous internet utility, is often used to see if a host is alive on a TCP/IP network. Ping works by transmitting an ICMP "echo request" message to the machine in question. If the destination machine's TCP/IP software is working correctly, it will return an ICMP "echo reply" message to the original machine, indicating that the destination machine is alive and offering the round-trip time as a side bonus.

What if one wishes to ping multiple machines, to check on the status of an entire network? Using the ping program, one must check each machine in series, often waiting long, undefined lengths of time for a machine that does not respond, before deciding to abort the ping.

The task could be made slightly more bearable using a perl or expect script to automate the task of serial pinging, but it would still be a time-consuming process. Another approach would be to use a perl or expect script to fork multiple ping processes at once, but this could very quickly overwhelm a computer's process table, depending on the number of hosts being pinged.

HOW TO BUILD A BETTER PING

The ping program will only transmit ICMP Echo Request packets to a single host that is specified on the command line. What we would really like is a program that would send multiple echo request packets at a time, and make a note of which machines it received an echo reply from. By transmitting pings in parallel, such a program would be able to scan through an entire Class C network fairly quickly.

As an example of this concept, I wrote a program called pscan, whose source is referenced below. This program opens a raw ICMP socket and sends echo requests to all IP addresses within a Class C network. 16 requests are transmitted at a time, with a two second delay between them, followed by a six second pause to make sure all echo replies are received. The total running time is hence about 36 seconds, but it can be shortened considerably by using more aggressive alarm values in the ping16() function. It is also possible to modify the program to transmit many more than 16 echo requests at a time, if the network conditions and receive buffers are up to the task.

I have only run pscan under Linux, and it may need some tweaking to work with the network code of other operating systems. The program must be run as root in order to access the raw socket.
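The bookkeeping a parallel pinger needs once many echo requests are in flight at once, shown here as an added example (it is not taken from pscan.c): build an RFC 792 echo request and match each reply back to the host it came from. The function names, the 8-byte payload-free packet, and the choice to carry the host's last octet in the sequence field are assumptions made for illustration. A packet read from a raw socket on Linux still has its IP header in front, which the caller must skip before calling match_echo_reply().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ECHO_LEN 8  /* ICMP echo header only, no payload (assumption) */

/* RFC 792 checksum: one's complement of the one's-complement 16-bit sum. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1) sum += (uint32_t)(buf[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Echo request: type 8, code 0; id tags this scan, seq holds the host octet. */
void build_echo_request(uint8_t pkt[ECHO_LEN], uint16_t id, uint8_t host_octet) {
    memset(pkt, 0, ECHO_LEN);
    pkt[0] = 8;
    pkt[4] = (uint8_t)(id >> 8);  pkt[5] = (uint8_t)(id & 0xff);
    pkt[6] = 0;                   pkt[7] = host_octet;
    uint16_t ck = icmp_checksum(pkt, ECHO_LEN);
    pkt[2] = (uint8_t)(ck >> 8);  pkt[3] = (uint8_t)(ck & 0xff);
}

/* Constructed sample input: turn a request into the reply a live host sends. */
void reply_from_request(uint8_t pkt[ECHO_LEN]) {
    pkt[0] = 0; pkt[2] = 0; pkt[3] = 0;   /* type 0 = echo reply */
    uint16_t ck = icmp_checksum(pkt, ECHO_LEN);
    pkt[2] = (uint8_t)(ck >> 8);  pkt[3] = (uint8_t)(ck & 0xff);
}

/* Return the host octet (0..255) if this is a valid reply to our scan, else -1. */
int match_echo_reply(const uint8_t *icmp, size_t len, uint16_t id) {
    if (len < ECHO_LEN || icmp[0] != 0 || icmp[1] != 0) return -1;
    if (icmp_checksum(icmp, len) != 0) return -1;     /* corrupted packet */
    if (((icmp[4] << 8) | icmp[5]) != id) return -1;  /* someone else's ping */
    if (icmp[6] != 0) return -1;                      /* seq outside 0..255 */
    return icmp[7];
}

/* Mark a host alive; returns 1 only the first time a host answers. */
int record_reply(uint8_t alive[256], const uint8_t *icmp, size_t len, uint16_t id) {
    int host = match_echo_reply(icmp, len, id);
    if (host < 0 || alive[host]) return 0;
    alive[host] = 1;
    return 1;
}
```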

IMPROVEMENTS

The pscan program could be improved by adding arguments and command line options to make it more flexible. For example, it could be used to ping a specific set of machines instead of only a whole Class C network. Coupled with terser output, this program could be called from a perl script that needs to very quickly ping a group of servers to make sure they are alive. Another good improvement would be a "-n" option to suppress the DNS lookups that could cause the process to unnecessarily pause.

ADDENDUM (2/27/2000)

D. Duccini <duck@backpack.com> has provided a modified version of pscan.c that will compile and link correctly under Solaris: pscan-solaris.c

REFERENCES

pscan.c
The C source code for the pscan program.
RFC792 -- Internet Control Message Protocol
This document describes the ICMP protocol, including the echo requests and echo replies.
