Get IT Done: Troubleshooting network connections with Windows 2000's Pathping.exe

Windows 2000s Pathping.exe pinpoints where end-to-end packet loss occurs on your network.

If you’ve used Windows’ TCP utilities to troubleshoot your network’s connectivity, you’re probably familiar with the Ping and Tracert command-line tools. While you can use these utilities together to test IP network connectivity, measure packet latency and loss, and find route failures in the path between two hosts, they cannot tell you the answer to a very important question: Exactly where is packet loss occurring on the path?

Answering this question tells you where to begin looking for the telecom link or router hardware and software issues that can cause network problems. Fortunately, Windows 2000 operating systems come with a handy command-line utility called Pathping.exe, which pinpoints where end-to-end packet loss is occurring on your network.

In this article, we’ll show you how to use Pathping and explain why its reports can be more useful than those created with Ping or Tracert. We’ll also tell you how to read Pathping’s reports.

The trouble with Tracert and Ping
Tracert and Ping are both time-honored and useful tools for troubleshooting IP connectivity. Ping is particularly useful for testing IP connectivity between two hosts.

While Tracert does provide the list of routers that make up the path between a source host and a target host, it only provides you with the estimates of the latency of ICMP echo replies made from each router in the path to the source host. I’ve heard many a network technician complain that “Tracert doesn’t tell the whole story” and then suggest that the only way to properly troubleshoot a route for packet loss and latency is to Ping each router in the path to discover if packet loss occurs between the source host and the target router.

Unfortunately, even this methodology has problems, as using Ping to troubleshoot connectivity between a host and router can result in a false negative. This is because routers use different code paths to process ICMP echo requests and replies than the code path they use to forward packets. The ICMP code path often uses separate network and processor queues on the router, and a problem with these queues can cause ICMP echo reply packets to be dropped, showing packet loss to a Ping command even though no end-to-end packet loss is actually occurring.

Using Pathping
Pathping is part of the Windows 2000 TCP/IP utility suite and is available in all Windows 2000 operating systems. You use Pathping on the command line, much like Ping and Tracert. Type PATHPING /? to display command syntax and a list of available commands, shown here:
Usage: pathping [-n] [-h maximum_hops] [-g host-list] [-p period]
 [-q num_queries] [-w timeout] [-t] [-R] [-r] target_name
 -n Do not resolve addresses to hostnames.
 -h maximum_hops Maximum number of hops to search for target.
 -g host-list Loose source route along host-list.
 -p period Wait period milliseconds between pings.
 -q num_queries Number of queries per hop.
 -w timeout Wait timeout milliseconds for each reply.
 -T Test connectivity to each hop with Layer-2 priority tags.
 -R Test if each hop is RSVP aware.

When you execute Pathping with a target host (the target_name parameter), it will first produce a report that shows the list of nodes that make up the path between your source machine and the target host, shown as standard output on the console. At this point, what you get from Pathping is similar to what you would expect from Tracert. However, Pathping will pause standard output while it analyzes its diagnostic data, displaying the message Computing statistics for X seconds. The number appearing here is a best guess, so don’t hold your breath. Once Pathping has all of the data and has completed its analysis, it displays a list of nodes and links and the percentage of packets lost at each one.

Lines containing packet loss statistics for nodes end in the IP address of the node. Lines containing packet loss statistics for links between nodes end in a pipe symbol (|). I recommend using the command’s –n switch to forgo DNS lookups on all nodes in the path to the target host, thereby making Pathping’s standard output fit easily in a console window that is 80 characters wide. If you need to know the DNS name for a node in the routing list, you can use NSLOOKUP or Ping to find it later. For example, executing the command:
Pathping -n

will produce a report that looks something like this:
Tracing route to []
over a maximum of 30 hops:
Computing statistics for 275 seconds...
       Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
 0/ 100 = 0% |
 1 0ms 0/ 100 = 0% 0/ 100 = 0%
 0/ 100 = 0% |
 2 0ms 1/ 100 = 1% 1/ 100 = 1%
 0/ 100 = 0% |
 3 49ms 1/ 100 = 1% 1/ 100 = 1%
 0/ 100 = 0% |
 4 41ms 1/ 100 = 1% 1/ 100 = 1%
 0/ 100 = 0% |
 5 52ms 0/ 100 = 0% 0/ 100 = 0%
 0/ 100 = 0% |
 6 61ms 2/ 100 = 2% 2/ 100 = 2%
 0/ 100 = 0% |
 7 54ms 0/ 100 = 0% 0/ 100 = 0%
 0/ 100 = 0% |
 8 66ms 2/ 100 = 2% 2/ 100 = 2%
 0/ 100 = 0% |
 9 59ms 0/ 100 = 0% 0/ 100 = 0%
 1/ 100 = 1% |
 10 116ms 1/ 100 = 1% 0/ 100 = 0%
 7/ 100 = 7% |
 11 128ms 8/ 100 = 8% 0/ 100 = 0%
Trace complete.
We show only private IP addresses here to protect the guilty!
Reading Pingpath’s reports
When you interpret Pingpath’s reports, you should be primarily focused on the third column, This Node/Link Lost/Sent=Pct and Address, and on lines that end with a pipe (|) symbol, as these show statistics for links between routers. Statistics shown for routers on lines ending with an IP address are similar to what you would see if you pinged the router directly.

In the sample Pathping output shown in the previous section, routers on hops 2, 3, 4, 6, and 8 show packet loss, but no loss is shown on their forwarding link. Packet loss on the router could indicate that the router’s processor is pegged. However, forwarding links on hops 9 and 10 show packet loss, indicating the possibility of link congestion.

Determining the path
Like Tracert, Pathping uses a little bit of trickery to identify the routers that create the path between the source and the target host. Pathping finds the IP addresses of the routers by sending ICMP echo requests (“pings”) with incremental TTL (Time To Live) values, starting with a value of 1, to the target host. When the first router receives the first ping with a TTL value of 1, it decrements the TTL to 0 and returns an ICMP Time Exceeded message because it can’t forward a packet with an expired TTL (a TTL value equal to zero).

Pathping extracts the first router’s IP from this message and adds it to the route list and then sends a second ping with a TTL value of 2. The first router receives the request and decrements the TTL value by 1, making it 1, and forwards it to the second router in the path. When the second router receives the ping with a TTL of 1, it decrements the TTL to 0 and returns the ICMP Time Exceeded message. Pathping then extracts the second router’s IP address and adds it to the route list.

Pathping continues this process, incrementing the TTL by 1 on each iteration, until the target host responds with an ICMP Time Exceeded message or until the TTL value reaches the maximum hop count (default is 30). Note that some routers simply drop packets with a TTL value of 0 and don’t return an error message of any kind. In this case, Pathping increments the TTL value until it reaches the next router, the target host, or the maximum hop count. However, routers that drop packets with a TTL of 0 will not appear in Pathping’s route list, just as they would not appear in Tracert’s route list.

Calculating packet loss
Pingpath sends a default of 100 ICMP echo requests to each router in its path. You can change this default value with Pingpath’s –q switch. Once Pingpath has received all of the ICMP echo replies to its requests or the requests have exceeded their timeout period, Pingpath analyzes the replies’ results. It does this by comparing the packet loss and latency that occurs when pinging each router as a target host to the packet loss and latency that occurs when pinging through that target host to routers beyond it in the path. This analysis allows Pingpath to accurately estimate which hosts and links are dropping packets.
If you'd like to share your opinion, start a discussion below or send the editor an e-mail.

Editor's Picks