Networks Horizon

Thursday 2 February 2012



How PING works?

Brief Intro

PING is a well-known tool for checking network connectivity between two IP hosts. It was created in 1983 by Mike Muuss, who wrote an article about his tool, "The Story of the PING Program", shortly before his death in a car accident in 2000.

The original PING command stood for Packet Internet Groper. PING is installed by default on Windows, Apple and Linux/Unix operating systems. It uses the ICMP protocol, which was created to check IP connectivity and to get information about other machines in an IP network. ICMP is encapsulated in an IP packet, but is considered part of the IP or Internet layer. Like TCP and UDP, ICMP is a protocol within TCP/IP that runs over IP. Unlike TCP and UDP, ICMP belongs to the Network Layer protocol suite and is not a Transport Layer protocol. Traceroute and PING (Packet Internet Groper) are programs or applications that work on ICMP, which resides at Layer 3.

The internet ping program works much like sonar echo-location: it sends a small packet of information containing an ICMP ECHO_REQUEST to a specified computer, which then sends an ECHO_REPLY packet in return. The IP address 127.0.0.1 is set by convention to always indicate your own computer. Therefore, a ping to that address will always ping yourself, and the delay should be very short. This provides the most basic test of your local communications.

As already said, PING sends very small packets to an IP host, which answers by sending packets back. The PING application uses ICMP messages to test reachability; such ICMP messages are encapsulated in IP packets. The PING application uses two ICMP messages: the ICMP echo request message and the ICMP echo reply message. The ICMP packets sent to the host are called "echo_request" and the packets sent back are called "echo_response/reply".

So we can say that PING relies on the ICMP protocol, which is used to diagnose transmission conditions. For this reason, it uses two types of protocol messages (out of the 18 offered by ICMP):


  • Type 0: echo request message, sent by the source machine/router
  • Type 8: echo reply/response, sent by the target machine/router


================================
C:\Documents and Settings\PFSW1023\Desktop>ping www.cisconet.com

Pinging cisconet.com [174.132.145.99] with 32 bytes of data:

Reply from 174.132.145.99: bytes=32 time=331ms TTL=43
Reply from 174.132.145.99: bytes=32 time=335ms TTL=43
Reply from 174.132.145.99: bytes=32 time=336ms TTL=43
Reply from 174.132.145.99: bytes=32 time=341ms TTL=43

Ping statistics for 174.132.145.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 331ms, Maximum = 341ms, Average = 335ms
===============================

At regular intervals (by default, every second), the source machine (the one running the ping command) sends an echo request to the target machine. When the echo reply packet is received, the source machine displays a line containing certain information. If the reply is not received, a line saying "Request timed out" is shown instead.

If ICMP is blocked by the network administrator, you will see the following:

===============================
C:\Documents and Settings\PFSW1023\Desktop>ping www.cisconet.com

Pinging cisconet.com [174.132.145.99] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 174.132.145.99:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

===============================

If a device called Geneva can ping another called Dallas, does it mean that the opposite, in other words that Dallas can ping Geneva, is always true? The answer is no. A request timeout can have many causes other than a network problem between the devices. See below:



  • In the first case, an external firewall blocks the ICMP requests. ICMP can be used as a first step in an attack because it lets the attacker determine which hosts are alive before attacking. In this case the network behind the firewall is hidden from the external world even though it is alive. Blocking ICMP messages is a first security recommendation to secure a network. The external firewall is more often used to secure professional networks because it is expensive and requires advanced skills to configure.


As you can see above, you can have a firewall that only prevents echo_request in a single direction. When Dallas pings Geneva, the ICMP echo_request is blocked on the firewall and Dallas receives no answer from Geneva.


  • In the second case, the workstation has a personal firewall that blocks the ICMP messages. A personal firewall is recommended for home computers for the same reasons mentioned above.



  • In the third case, the "pinged" machine is not connected to the IP network, for instance because the network cable is unplugged. The echo_request message will be discarded on the last router, the last layer 3 device before the remote host.



  • In the fourth case, the host is down or has its network card deactivated. As in the previous case, the echo_request message will die on the last router, the last layer 3 device before the remote host.


TTL reply

Ping sends an ICMP echo request packet with ICMP type 8, code 0 (carrying a TTL value whose default is 128 for a Windows PC). PING expects back an ICMP echo reply packet with ICMP type 11, code 0. The round trip time is displayed in milliseconds.

TTL Expired in Transit/TTL Time Exceeded

Most devices initialize the TTL of outgoing IP packets to 128 or higher. Devices that are more hops away than the TTL allows cannot communicate with the origin. For example, if you are 17 hops away from the website www.cisco.com and set the TTL to 12 when you ping the site, the IP packets will not reach it and will instead "expire in transit" before arriving.


PING and Time to Live (TTL)

The TTL or Time-To-Live gives you an indication of the number of routers between the source and destination. The TTL is used to prevent an IP packet from looping inside an IP network and causing a network meltdown. The initial TTL value of an IP packet is 255, and it is decremented by 1 each time the packet passes through a router. When this value reaches 0, the packet is discarded by the router. The TTL value is contained in every IP packet, including ICMP packets. The TTL value shown by the ping command is in fact the TTL value of the echo_response packet. By default, Windows will decrease the TTL by 128 and Linux by 192.


A few TTL examples with PING


Case 1:
When A pings B, it receives a TTL of 251 because the packets crossed 4 routers (-4).
TTL=255-4=251.

ping B

Pinging B [1.1.1.1] with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=251

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 33ms, Average = 23ms



Case 2:
When A pings B, it receives a TTL of 124 because the packets crossed 3 routers (-3) and a Windows machine (-128).
TTL=255-3-128=124.

ping B

Pinging B [1.1.1.1] with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=125
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=125
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=125
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=125

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 33ms, Average = 23ms
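To make the echo_request/echo_reply exchange described earlier and the TTL arithmetic of Case 1 and Case 2 concrete, here is an added Python example (not code from the original post) that builds an ICMP echo packet with its RFC 1071 checksum, validates an echo reply, and estimates the router count from the TTL seen in a reply. The set of common initial TTLs (64, 128, 255) used for that estimate is an assumption of this example, not a rule stated in the post.

```python
import struct

# ICMP types used by ping (RFC 792): a request is type 8, the reply is type 0.
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# Initial TTLs commonly chosen by operating systems (assumption of this example),
# used to infer a hop count the way the post does with 255 and 128.
COMMON_INITIAL_TTLS = (64, 128, 255)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo packet: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)    # computed with the checksum field zeroed
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_echo_reply(packet: bytes) -> dict:
    """Validate an ICMP echo reply and return its fields; raises ValueError otherwise."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(packet) != 0:            # an intact packet sums to zero, checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0:
        raise ValueError("not an echo reply: type=%d code=%d" % (icmp_type, code))
    return {"id": ident, "seq": seq, "payload": packet[8:]}


def estimate_hops(observed_ttl: int) -> tuple:
    """Return (assumed initial TTL, router count) for the TTL shown in a ping reply.

    The smallest common initial TTL >= the observed value is assumed; each router
    decrements by one, so a reply TTL of 251 gives (255, 4) as in Case 1."""
    initial = next((t for t in COMMON_INITIAL_TTLS if t >= observed_ttl), 255)
    return initial, initial - observed_ttl
```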




PING command output gives:

  • The IP address which corresponds to the name of the remote machine.

  • The ICMP sequence number.

  • The packet's TTL.

The TTL field shows how many routers the packet went through as it travelled between the two machines. Each IP packet has a TTL field with a relatively high initial value. Each time it goes through a router, the value is reduced. If this number ever reaches zero, the router interprets this to mean that the packet is going around in circles, and discards it.

  • RTT/RTD (Round Trip Time/Delay)

Another very valuable piece of information provided by the ping command is the time taken for a packet to reach the destination and come back.

This measure is called the RTT (Round Trip Time) or "response time" and is displayed in milliseconds: it corresponds to the length of time of a round trip between the source and target machines. The general rule is that a packet should have a delay no longer than 200 ms.

  • The number of lost packets.


The normal operation of ping relies on two specific ICMP messages, ECHO_REQUEST and ECHO_REPLY, but it may respond to ICMP messages other than ECHO_REPLY when appropriate. Finally, ping and traceroute are layer 3 tools and are not supported on layer 2 switches or on devices where ICMP is disabled.



FPING

It is an alternative to PING, written by Roland Schemers of Stanford University. Fping extends ping to support multiple hosts in parallel. Typical output is shown in this example:
bsd1# fping 172.16.2.10 172.16.2.11 172.16.2.12 172.16.2.13 172.16.2.14
172.16.2.13 is alive
172.16.2.10 is alive
172.16.2.12 is alive
172.16.2.14 is unreachable
172.16.2.11 is unreachable
