9

One might expect the sum of the tracert latencies to equal 267ms:

pingrt

Community
  • 1
pulsar
  • 193
  • 1
  • 2
  • 5
  • I've never noticed this, nor given it any thought. I would guess that it takes more time for a hop to determine that the TTL has expired and send an ICMP response back than it does to just pass an ICMP packet on to the destination. Furthermore - the latencies shown in tracert should not be added up for a total. The last hop latency should be around the same timing as a ping. You might want to try tracert -d, to prevent it from resolving the hostname of every hop along the way, and see if that makes any difference to the times. – Adam Thompson Mar 26 '14 at 10:58

3 Answers3

15

Traceroute involves sending UDP packets to each node along the way, and waiting for its timeout response (then moving on to the next node), whereas a ping is just forwarded. What you're seeing is the time it takes for each node to respond to the request instead of just forwarding a small packet.

This is a pretty nice explanation of the whole process, and the differences.

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html

Have a look at the performance section, which explains also why ping isn't a particularly accurate method for determining latency.

NickW
  • 10,263
  • 1
  • 20
  • 27
  • Another thing that needs to be considered is that ICMP requests are often punted to the router's control plane, and as such are aw dependent on the relative CPU load of the router. "Normal" routed packets are forwarded in hardware, where there is orders of magnitude more capacity available. – EEAA Mar 26 '14 at 12:31
  • Yeah, they're both dealt with at the control plane, but a ping is dealt with by just one, whereas traceroute does it on every single router on the way there. The performance section of that cisco document has a pretty good description of why it is not a good indicator of latency (primarily due to it being an "out of band" bit of work that gets done when the router has time). – NickW Mar 26 '14 at 12:39
  • As EEAA notes, `tracert` uses ICMP, not UDP. – Gabe Mar 26 '14 at 18:48
  • @Gabe http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html#traceroute – NickW Mar 27 '14 at 09:20
  • This is what I expected. Thankyou for the confirmation and authoritive link. – pulsar Mar 27 '14 at 14:03
  • @NickW: Cisco's `traceroute` uses UDP (or at least does by default), but I just a `tracert` on Windows 7 (most likely what the OP is using) and a network sniff shows only ICMP. – Gabe Mar 27 '14 at 15:47
  • Well, it's up in the air, I've seen both UDP and ICMP listed, I put UDP because I found it more than one location.. here for example: http://en.wikipedia.org/wiki/Traceroute. This seems to clear up the issue, WIndows ICMP, *nix and BSD use UDP.. http://www.inetdaemon.com/tutorials/troubleshooting/tools/traceroute/definition.shtml – NickW Mar 27 '14 at 15:53
0

Routers tend to give timeouts and echo response handling lower priority than packet forwarding. This allows the switch to operate more efficiently as forwarding is much simpler to process than generating a new ICMP responce. As a result busier switches will take longer to generate the response.

Some switches may have ICMP generation disabled which makes diagnosing network issues with them diffficult. Other may occasionally get busy enough that they fail to respond.

If you use a tool which displays the IP address of the routers along the way, you will usually see the switches which are slower are core switches in major cities. My preference is mtr with running every 15 to 60 seconds.

BillThor
  • 27,737
  • 3
  • 37
  • 69
0

What do the numbers mean?

The times at each hop of a trace route is the Round Trip Time (RTT). In your ping test four echo requests each took 267ms to receive an echo reply from 220.181.111.85. In the tracert test three echo requests took 292ms to receive a reply.

Why the 25ms difference?

  1. The sample size is small. More tests should be run to improve the accuracy of the measured difference.

  2. tracert (or traceroute -I) has different sized payloads than ping. Use a packet sniffer to check the size of the payload your trace program uses. Set the size of the ping payload to that value with ping -l <size> or ping -s <size> depending on your ping program.

  3. An echo reply requires use of the CPU so a busy machine could have a large RTT standard deviation compared to one that is idle.

What else should I know?

Domain names can resolve to multiple IP addresses. Use the IP address in the command to ensure tests are traveling the same path.

mtr or WinMTR is another program for tracing a path that also calculates RTT standard deviation, loss, and other stats.

Wireshark is a popular packet analyzer for viewing the contents of packets sent and received.

J.Money
  • 126
  • 4