Defrag Tools #160 - Sysinternals PsPing


Description

In this episode of Defrag Tools, Chad Beeder and Andrew Richards discuss the PsPing command-line tool from Sysinternals - a more powerful replacement for the default "ping" command, which also adds additional capabilities such as bandwidth measurement.

Additional Resources:

PsPing 
ProcDump 
Debugging Tools for Windows (includes WinDbg)

Timeline:

[00:00] Introductions and overview.
[02:12] Plain vanilla "ping" command and its limitations
[05:15] PsPing allows you to ping a different port than the standard ICMP "ping" port
[08:35] Andrew's story about using PsPing to troubleshoot a network problem at home
[11:14] Demo: using PsPing to measure network bandwidth
[17:58] Using the -h switch to get a histogram of the bandwidth over various attempts
[18:15] Oh no! The program crashed!
[18:36] Installing ProcDump as the just-in-time debugger, to get a crash dump so we can debug it
[20:20] Using WinDbg to analyze the crash
[23:41] Questions? Email us at defragtools@microsoft.com


The Discussion

  • CreateThreadEx

    Hi guys, could you provide more Windows internals shows :)? Some more obscure subjects like thread scheduling, exception handling (__try) or maybe IRQL? I know it's in the books, but you guys tend to provide really nice overviews and also fun, daily-work-related details as well :). All in all, great show, particularly the ProcDump/WinDbg part :D!

  • ChadBeeder

    @CreateThreadEx: Thanks for the feedback, we'll think about doing some more of that kind of stuff. We did talk a little bit about thread scheduling in episode #156 a few weeks ago.

  • s3curityConsult

    I love tuning in just to see what ChadBeeder is going to be wearing. Fabulous!

    Annoying: debugging crash dumps on technical preview builds, it seems like the symbols and the SDKs don't always match up for some reason. I downloaded the new preview SDK for build 14291 on the wrong computer (it's running the 10586 Release Preview build); now when I am trying to install it on the 14306 build laptop, I can't find the SDK to download, it keeps trying to download the 10586.144 build SDK version. What a mess.

  • ChadBeeder

    @s3curityConsult: I'm glad you appreciate my fashion sense. :)

    Are the symbols for technical preview builds not available on the public symbol server? I believe if you just set your symbol path like this:

    srv*c:\symbols*https://msdl.microsoft.com/download/symbols

    It should work. (You can also type something like ".symfix c:\symbols" which should set this automatically.)
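    As an added example (not from the episode or the reply above), the same symbol path can be made persistent for the current user, so that WinDbg, cdb and ProcDump all pick it up without a per-session `.sympath`/`.symfix`. It assumes a writable `C:\symbols` cache directory and outbound HTTPS to msdl.microsoft.com.

```powershell
# Added example: persist the symbol path from the reply above in _NT_SYMBOL_PATH,
# which the Windows debuggers read when no .sympath/.symfix has been issued,
# and pre-create the local cache directory that downloaded PDBs land in.
# Assumptions (not from the page): C:\symbols is writable; HTTPS egress is allowed.

$cache      = 'C:\symbols'
$symbolPath = "srv*$cache*https://msdl.microsoft.com/download/symbols"

if (-not (Test-Path -LiteralPath $cache)) {
    New-Item -ItemType Directory -Path $cache | Out-Null
}

# 'User' scope writes HKCU\Environment; new processes inherit it, already-open
# consoles keep whatever value they started with.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symbolPath, 'User')

# Echo the stored value so a mistyped path is caught before the next debugging session.
[Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'User')
```

    Because the cache is a plain directory tree keyed by PDB name and GUID, a stale or mismatched symbol for one binary can be removed from `C:\symbols` and re-fetched without touching anything else.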

  • CreateThreadEx

    @ChadBeeder Thank you for pointing out the #156 episode. Didn't see that one. Lots of interesting info on analysis. But there has to be more :P (maybe KTHREAD/ETHREAD related magic?). If not, then Fibers maybe?

  • bigtone58

    Hi guys. When you talk about using Sysinternals command-line tools like PsPing, you have said to "just place it somewhere you can always get to it". Can you describe explicitly how you personally structure your directories and PATH statements to achieve this, or at least how you would recommend it be done? I support quite a few small businesses and home users (i.e., no server environment) and I would like your advice as to how best to structure each desktop environment to use Sysinternals tools (more particularly the command-line tools), keep them safe from nasties (i.e., malware or PUPs), and update each tool easily when there is a new version.

    For instance, I always install Process Explorer and replace the Task Manager as follows:

    - Download the zip file to "C:\Installs\Sysinternals\Process Explorer\" and rename it to include the version number (e.g. ProcessExplorer-16_04.zip).

    - Extract all files from the zip to "C:\Program Files\Microsoft\Sysinternals\Process Explorer\" and unblock the .chm file. I sometimes use "Program Files (x86)" but either way ProcExp is always present and is unlikely to be disturbed by non technical users.

    - I then start ProcExp, accept the EULA, set "Run at Logon", toggle "Replace Task Manager", and make some cosmetic changes to a few settings (to give me some visual recognition that I put this tool on this platform).

    - If I need to install a new version, the process is the same except that I toggle "Replace Task Manager" in the old version first and exit so that there are no copying issues.

    Please accept my apology if this is the wrong place to ask this question, but I thought it might be OK as it was this show (#160 = 0xA0) that triggered the question.
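    The following is an added example, not bigtone58's procedure or anything from the show, that applies the same pattern to a command-line tool (PsPing): keep the downloaded archive named by version, stage the files somewhere standard users cannot write, verify Microsoft's Authenticode signature before anything reaches PATH, unblock the help file, and add the directory to the user PATH exactly once. It assumes the PsTools archive URL on download.sysinternals.com and the `C:\Installs\Sysinternals` archive store from the post; both are assumptions, not facts from the page.

```powershell
# Added example (not the show's or bigtone58's own script): deploy PsPing so that only
# administrators can replace the binary, and refuse anything not signed by Microsoft.
# Assumptions (not from the page): PSTools.zip URL below; archive store C:\Installs\Sysinternals.
#Requires -RunAsAdministrator

$archiveStore = 'C:\Installs\Sysinternals'
$toolDir      = 'C:\Program Files\Microsoft\Sysinternals'   # admin-writable only
$zipUrl       = 'https://download.sysinternals.com/files/PSTools.zip'  # assumed URL
$zipPath      = Join-Path $archiveStore 'PSTools.zip'

New-Item -ItemType Directory -Force -Path $archiveStore, $toolDir | Out-Null
Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath

# Unpack into a scratch folder first so nothing lands on PATH before it is checked.
$staging = Join-Path $env:TEMP ('sysinternals-' + [guid]::NewGuid())
Expand-Archive -LiteralPath $zipPath -DestinationPath $staging -Force

$bad = @()
foreach ($exe in Get-ChildItem -LiteralPath $staging -Filter *.exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    # Require an intact chain AND a Microsoft signer; a swapped or tampered
    # binary (the "nasties" case) fails one of the two.
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $bad += $exe.Name
    }
}
if ($bad) {
    Remove-Item -LiteralPath $staging -Recurse -Force
    throw "Signature check failed for: $($bad -join ', '); nothing installed."
}

# Signed by Microsoft: copy in, clear the downloaded-from-Internet mark on the
# help files, and keep the archive named by version for the next update.
Copy-Item -Path (Join-Path $staging '*') -Destination $toolDir -Recurse -Force
Get-ChildItem -LiteralPath $toolDir -Filter *.chm | Unblock-File
$ver = (Get-Item (Join-Path $toolDir 'psping.exe')).VersionInfo.FileVersion
$versioned = 'PSTools-' + ($ver -replace '[^\d.]', '') + '.zip'
Move-Item -LiteralPath $zipPath -Destination (Join-Path $archiveStore $versioned) -Force
Remove-Item -LiteralPath $staging -Recurse -Force

# Put the tool directory on the user's PATH once, not on every run.
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
if (($userPath -split ';') -notcontains $toolDir) {
    $newPath = if ([string]::IsNullOrEmpty($userPath)) { $toolDir } else { "$userPath;$toolDir" }
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'User')
}
"Installed PsPing $ver to $toolDir"
```

    Updating is the same script run again: the signature check gates the new archive, `Copy-Item -Force` replaces the binaries, and the versioned zip in `C:\Installs\Sysinternals` records what was deployed. Keeping the binaries under `Program Files` rather than in a user-writable folder is what stops a PUP running as the logged-on user from quietly replacing a tool that is on PATH.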

  • vinnyand3

    Great material guys! I love this show and have learned so much. Thank you!

    In regards to ICMP, isn't that technically not used over a port? I was always under the impression that ICMP was a transport layer protocol, under the session layer where ports are established?

    I am a huge PsPing fan too. I can't stop using it. Something interesting to try is to measure throughput based on request size. For example, try running a b/w test using 500KB sizes vs. 1 MB, and watch how the network and storage systems can handle the smaller data chunks vs. the larger ones. Obviously the larger ones do better, but it's interesting to see the difference in hard numbers that are not vendor estimates, but LIVE stats from your own environment.
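    As an added example (not part of vinnyand3's comment or the episode), the request-size comparison described above can be run as a sweep so the averages for several sizes end up in one table. It assumes `psping.exe` is on PATH, a PsPing server is already listening via `psping -s <address>:5000` on a host you administer, and that the bandwidth summary contains an `Average = N MB/s` line as it does in the PsPing builds the editor has used; the address and the size list are constructed values.

```powershell
# Added example: sweep PsPing's TCP bandwidth test over several request sizes against
# one PsPing server and tabulate the reported average throughput.
# Assumptions (not from the page): psping.exe on PATH; a "psping -s 192.168.1.20:5000"
# server already running; the summary line format "Average = N MB/s" (regex is tolerant
# of spacing and of KB/MB/GB units). The address below is constructed.

$server = '192.168.1.20:5000'          # constructed; the host running psping -s
$sizes  = '8k', '64k', '500k', '1m'    # -l accepts k/m suffixes

$results = foreach ($size in $sizes) {
    # -b bandwidth test, -l request size, -n iterations, -w warm-up iterations (excluded)
    $out = & psping.exe -b -l $size -n 100 -w 5 $server 2>&1 | Out-String
    if ($out -match 'Average\s*=\s*([\d.]+)\s*([KMG]?B/s)') {
        [pscustomobject]@{ RequestSize = $size; Average = [double]$Matches[1]; Unit = $Matches[2] }
    } else {
        # No summary means the run did not complete (server not listening, port filtered).
        [pscustomobject]@{ RequestSize = $size; Average = $null; Unit = 'no result' }
    }
}
$results | Format-Table -AutoSize
```

    Run the server and client on hosts you control, and repeat the sweep a few times: a single pass at each size is one sample, and the point of the exercise is a stable difference between sizes, not one number.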

  • ChadBeeder

    @bigtone58: We've done some episodes on this topic... building your USB stick "lightsaber" populated with tools. See this: https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-131-Windows-10-SDK

  • ChadBeeder

    @vinnyand3: ICMP does run on top of IP, but it doesn't use TCP or UDP, so there isn't a port or socket associated with it, since these are TCP/UDP concepts.

    I think technically ICMP isn't considered a transport layer protocol, because, unlike TCP/UDP you can't really use it to transport any data. But it is similar to those so far as it runs directly over IP.
