Ping and How It Works PDF
By Mark E. Donaldson
"Ping" (Packet INternet Groper) is without a doubt the best-known network administration tool. It is
one of the simplest tools, because all it does is send packets to check if a remote machine is
responding and, by extension, if it is accessible over the network. The ping tool, then, is used to
diagnose network connectivity using commands of the type:
ping name.of.the.machine
Type 0, which corresponds to an "echo request" command, sent by the source machine;
Type 8, which corresponds to an "echo reply" command, sent by the target machine.
At regular intervals (by default, every second), the source machine (the one running the ping
command) sends an "echo request" to the target machine. When the "echo reply" packet is received,
the source machine displays a line containing certain information. If the reply is not received, a line
saying "request timed out" will be shown.
Among the various measurement packages is the original PING (Packet InterNet Groper) program
used over the last six years for numerous tests and measurements of the Internet system and its
client nets. This program contains facilities to send various kinds of probe packets, including ICMP
Echo messages, process the reply and record elapsed times and other information in a data file, as
well as produce real-time snapshot histograms and traces.
Mills, D. L; "Internet Delay Experiments"; RFC 889; Dec 1983.
This program is intended for use in network testing, measurement and management. It should be
used primarily for manual fault isolation. Because of the load it could impose on the network, it is
unwise to use ping during normal operations or from automated scripts...
Muuss, Mike; Ping source code comments; 7 August 1992.
Revised February 15, 2009
The Internet Ping command bounces a small packet off a domain or IP address to test network
communications, and then tells how long the packet took to make the round trip. The Ping command
is one of the most commonly used utilities on the Internet by both people and automated programs for
conducting the most basic network test: can your computer reach another computer on the network,
and if so how long does it take?
Every second of the day there are untold millions of pings flashing back and forth between computers
on the Internet like a continuous shower of electronic neural sparks. The following subsections
provide information on how Ping was invented, how Ping works, how to use Ping, Ping web sites, and
info on the original Unix Ping version.
Access. You can use Ping to see if you can reach another computer. If you can't ping a site at all,
but you can ping other sites, then it's a pretty good sign that your Internet network is fine and that
site is down. On the other hand, if you can't ping any site, then likely your entire network
connection is down -- try rebooting.
Time & distance. You can use the Ping command to determine how long it takes to bounce a
packet off of another site, which tells you its Internet distance in network terms. For example, a
web site hosted on your neighbor's computer next door with a different Internet service provider
might go through more routers and be farther away in network distance than a site on the other
side of the ocean with a direct connection to the Internet backbone.
If a site seems slow, you can compare ping distances to other Internet sites to determine whether
it is the site, the network, or your system that is slow. You can also compare ping times to get an
idea of which sites have the fastest network access and would be most efficient for downloading,
chat, and other applications.
Domain IP address. You can use the Ping command to probe either a domain name or an IP
address. If you ping a domain name, it helpfully displays the corresponding IP address in the
response.
Mike Muuss originally developed the ping command for the Unix system, with the options summarized
below:
ping [-q] [-v] [-R] [-c Count] [-i Wait] [-s PacketSize] Host
Option              Example         Definition
ping -c count       ping -c 10
ping -d             ping -d
ping -f             ping -f
ping host           ping 121.4.3.2
ping -i wait        ping -i 2
ping -l preload     ping -l 4
ping -n             ping -n
ping -p pattern     ping -p ff00
ping -q             ping -q
ping -r             ping -r
ping -R             ping -R
ping -s PacketSize  ping -s 10
ping -v             ping -v
Depending on the operating system, the results of the ping may be displayed somewhat differently.
Here are the results of the command in GNU/Linux:
You can run the ping command on a Windows computer by opening an MSDOS window and then
typing "ping" followed by the domain name or IP address of the computer you wish to ping. You can
list the available options for the Windows ping command with "ping -?".
The basic ping command syntax is "ping hostname". For example, typing "ping cisconet.com" at the DOS
prompt might produce output like:
C:\Documents and Settings\DOS>ping www.cisconet.com
Pinging www.cisconet.com [71.18.254.xxx] with 32 bytes of data:
Reply from 71.18.254.xxx: bytes=32 time=49ms TTL=49
Reply from 71.18.254.xxx: bytes=32 time=49ms TTL=49
Reply from 71.18.254.xxx: bytes=32 time=49ms TTL=48
Reply from 71.18.254.xxx: bytes=32 time=49ms TTL=48

Request timed out.
Request timed out.
Request timed out.
Request timed out.
TTL reply
Ping sends an ICMP echo request packet whose ICMP type is 8, code 0 (with the TTL value, default
128). Ping expects back an ICMP 'echo reply' packet whose ICMP type is 11, code 0. The round-trip
time is displayed in milliseconds.
5 ms 4 ms 4 ms 12.122.113.17
5 ms 5 ms 5 ms 12.86.111.22
6 ms 6 ms 6 ms ge-3-1-0-p170.msr2.re1.yahoo.com [216.115.108.69
5 ms 5 ms 6 ms gi1-23.bas-a2.re3.yahoo.com [66.196.112.55]
5 ms 5 ms 5 ms f1.www.vip.re3.yahoo.com [69.147.114.210]
Trace complete.
A total of 16 hops to reach www.yahoo.com.
From the DOS prompt, type ping -i 5 www.yahoo.com (this manually sets the TTL to 5 on the ICMP packet):
C:\Documents and Settings\DOS>ping -i 5 www.yahoo.com
Pinging www.yahoo-ht3.akadns.net [209.191.93.52] with 32 bytes of data:
Reply from 192.135.72.201: TTL expired in transit.
Reply from 192.135.72.201: TTL expired in transit.
Reply from 192.135.72.201: TTL expired in transit.
Reply from 192.135.72.201: TTL expired in transit.
As the result above shows, the device at hop 5, 192.135.72.201, is the one that responded. The TTL
expired in transit because 192.135.72.201 is not the final destination, so no echo reply is received.
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Literal
echo-reply
destination unreachable
code 0 = net unreachable
1 = host unreachable
2 = protocol unreachable
3 = port unreachable
4 = fragmentation needed and DF set
5 = source route failed
source-quench
redirect
6 8 9 10 11 12 13 14 15 16 17 18 31 32
The chart below shows the possible output characters from ping:
Character   Description
!           Each exclamation point indicates receipt of a reply.
.           Each period indicates the network server timed out while waiting for a reply.
U           A destination unreachable error PDU was received.
Q           Source quench (destination too busy).
M           Could not fragment.
?           Unknown packet type.
&           Packet lifetime exceeded.
The packet's time to live (TTL). The time to live (TTL) field shows how many routers the packet
went through as it travelled between the two machines. Each IP packet has a TTL field with a
relatively high value. Each time it goes through a router, the value is reduced. If this number ever
reaches zero, the router interprets this to mean that the packet is going around in circles, and
terminates it;
The round-trip delay field corresponds to the length of time in milliseconds of a round trip between
the source and target machines. As a general rule, a packet must have a delay no longer than 200
ms;
One network device sends a request for a reply to another device and records the time the request
was sent. The device receiving the request sends a packet back. When the reply is received, the
round-trip time for packet propagation can be calculated. The receipt of a reply indicates a working
connection. This elapsed time provides an indication of the length of the path. Consistency among
repeated queries gives an indication of the quality of the connection. With the above in mind, ping
answers two basic questions: one, "Do I have a connection?" and two, "How good is that connection?"
Clearly, for the program to work, the networking protocol must support this query/response
mechanism. The ping program is based on Internet Control Message Protocol (ICMP), part of the
TCP/IP protocol. ICMP was designed to pass information about network performance between
network devices and to exchange error messages; it supports a wide variety of message types,
including this query/response mechanism.
The normal operation of ping relies on two specific ICMP messages, ECHO_REQUEST and
ECHO_REPLY, but it may respond to ICMP messages other than ECHO_REPLY when appropriate.
In theory, all TCP/IP-based network equipment should respond to an ECHO_REQUEST by returning
the packet to the source, but this is not always the case.
Interpreting Results
In different flavors of ping, results vary. However, for each packet we are given the size and source of
each packet, an ICMP sequence number, a Time-To-Live (TTL) counter, and the round-trip times. Of
course, the sequence number and round trip time are the most revealing when evaluating basic
connectivity.
When each ECHO_REQUEST packet is sent, the time the packet is sent is recorded in the packet.
This is copied into the corresponding ECHO_REPLY packet by the remote host. When an
ECHO_REPLY packet is received, the elapsed time is calculated by comparing the current time to the
time recorded in the packet, i.e., the time the packet was sent. This difference, the elapsed time, is
reported along with ECHO_REPLY packet is received that matches a particular sequence number,
that packet is presumed lost. The size and the variability of elapsed times will depend on the number
and speed of intermediate links as well as the congestion on those links.
It may seem that TTL field could be used to estimate the number of hops on a path. Unfortunately,
Options
-c: allows you to specify the number of packets you want to send.
-f: used to flood packets onto the network. This option sends packets as fast as the receiving host
can handle them, which is useful for stress testing a link or for getting some indication of the
comparative performance of interfaces. This is restricted to root.
-l: used to flood packets onto the network. It takes a count and sends out that many packets as fast
as possible, then falls back to normal mode. This could be used to see how the router
handles a flood of packets. This is restricted to root.
-i: allows the user to specify the amount of time in seconds to wait between sending consecutive
packets.
-n: restricts output to numeric form which is useful if you have DNS problems.
-s: specifies how much data to send. If set too small, less than 8, there won't be space in the
packet for a time-stamp. Setting the packet size can help in diagnosing a problem caused by path
Maximum Transmission Unit (MTU) settings (the largest frame size that can be sent on the path)
or fragmentation problems. (Fragmentation is dividing data among multiple frames when a single
packet is too large to cross a link. It is handled by the IP portion of the protocol stack.) The general
approach is to increase packet sizes up to the maximum allowed to see if at some point you have
problems. When this option isn't used, ping defaults to 64 bytes, which may be too small a packet
to reveal some problems. Also, remember that ping does not count the IP or ICMP header in the
specified length so that your packets will be 28 bytes larger than you specify.
You could conceivably see MTU problems with protocols, such as PPP, that use escaped characters
as well. With escaped characters, a single character may be replaced by two characters. The
expansion of escaped characters increases the size of the data frame and can cause problems with
MTU restrictions or fragmentation.
-p: allows you to specify a pattern for the data included within the packet after the timestamp.
The above is not the entire list of options. As such, be sure to consult the documentation if things
don't work as expected.
000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00  ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8  .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66  .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76  ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                    wabcdefghi......
and sent the ICMP echo request with the default of 32 bytes of data. The total length of the ping
packet is 74 bytes.
The packet can be broken into the following protocol elements:
Ethernet Header
IP Datagram
IP Header
IP Data
Ethernet Header
The network media is Ethernet. This means that the first 14 bytes are the Ethernet Header:
000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00  ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8  .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66  .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76  ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                    wabcdefghi......
IP Header
The IP datagram begins at byte 14, which means that the IP Header also starts at byte 14. The 0x45
value found there is interpreted to mean that the packet is an IPv4 packet and the IP Header length is
five (5) 32-bit words (14-33):
000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00  ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8  .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66  .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76  ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                    wabcdefghi......
IP Data
Forty (40) bytes of IP Data follow the IP Header (34-73):
000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00  ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8  .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66  .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76  ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                    wabcdefghi......
Of course, the IP Data in this case is, in fact, an ICMP Echo Request, including thirty-two (32) bytes of
Echo Data (42-73).