Basic Networking || Ping Command
Priyanka Shyam
CCDE (Written) | CWNA | Cisco SCOR | CISCO SD-WAN | Technical Writer | Influencer | Multitasker | Considerate | Empathic | Excellent Communicator | Helpful
What is Ping?
I think there are a lot of definitions of the "PING" command. I feel this is the most common and useful command, used by everyone from techies to non-techies to verify that a particular IP address exists and can accept requests. Ping is used diagnostically to ensure that a host computer the user is trying to reach is actually operating.
We can relate this to our WhatsApp chats :). Nowadays the line "hey, you there?" is quite common. Why do we use it? Because we want "to get the attention of" or "to check for the presence of" another party online.
Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request to a specified interface on the network and waiting for a reply. Ping can be used for troubleshooting to test connectivity and determine response time.
Why do we use the words "Echo request" and "Echo response" when we could simply say request and response, as for any ICMP message? To answer this, let's first discuss the origin of the ping command.
The name Ping comes from sonar terminology. In sonar, a ping is an audible sound wave sent out to find an object. If the sound hits the object, the sound waves will reflect, or echo, back to the source. The distance and location of the object can be determined by measuring the time and direction of the returning sound wave.
Similarly, the ping command sends out an echo request. If it finds the target system, the remote host sends back an echo reply. The distance (number of hops) to the remote system can be determined from the reply, as well as the conditions in-between (packet loss and time to respond).
Let's ping 8.8.4.4:
ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=30.884 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=30.831 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=31.250 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=29.844 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=28.526 ms
64 bytes from 8.8.4.4: icmp_seq=5 ttl=120 time=27.953 ms
64 bytes from 8.8.4.4: icmp_seq=6 ttl=120 time=29.185 ms
64 bytes from 8.8.4.4: icmp_seq=7 ttl=120 time=32.893 ms
64 bytes from 8.8.4.4: icmp_seq=8 ttl=120 time=29.181 ms
64 bytes from 8.8.4.4: icmp_seq=9 ttl=120 time=36.605 ms
64 bytes from 8.8.4.4: icmp_seq=10 ttl=120 time=28.201 ms
Here we are going to test how the ping command helps in identifying a live host by pinging the host IP.
ping 8.8.4.4
From the image below we can see a reply from the host. Notice a few more things:
- The default size of the payload sent by the source machine is 64 bytes per request (I am running it on a Linux machine; on Windows it is 32 bytes).
- The same size of payload, 64 bytes, is received by the source machine from the destination machine (reply).
- TTL = 120
- Since I did not set the count when running the ping command, it keeps running. However, we can always set the count using an option of the ping command, which we will discuss later in the post.
Before jumping into PING in more depth, let's discuss a few important points about ICMP.
>>ICMP Header
Type. 8 bits. Set to 8.
Code. 8 bits. Cleared to 0.
ICMP Header Checksum. 16 bits.
The 16-bit one's complement of the one's complement sum of the ICMP message, starting with the ICMP Type field. When the checksum is computed, the checksum field should first be cleared to 0. When the data packet is transmitted, the checksum is computed and inserted into this field. When the data packet is received, the checksum is again computed and verified against the checksum field. If the two checksums do not match then an error has occurred.
Identifier. 16 bits.
This field is used to help match echo requests to the associated reply. It may be cleared to zero.
Sequence number. 16 bits.
This field is used to help match echo requests to the associated reply. It may be cleared to zero.
Data. Variable length.
Implementation specific data.
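The header fields above, worked through in code. This is an added example, not part of the original article: it builds an echo request and reply, computes the checksum as described, shows the sequence number read as both BE and LE, and checks that a reply matches its request. The function names, the identifier 0x1234 and the sample payload are constructed for illustration.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length messages with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    # The checksum field is cleared to 0 while the checksum is computed.
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(message: bytes) -> dict:
    if len(message) < 8:
        raise ValueError("ICMP echo header is 8 bytes; message is truncated")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type, "code": code, "ident": ident,
        "seq_be": seq,                                   # bytes read big endian
        "seq_le": struct.unpack("<H", message[6:8])[0],  # same bytes read little endian
        "payload": message[8:],
        # Summing an intact message with its checksum in place yields 0.
        "checksum_ok": inet_checksum(message) == 0,
    }

def reply_matches(request: bytes, reply: bytes) -> bool:
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["checksum_ok"] and rep["type"] == ECHO_REPLY and rep["code"] == 0
            and rep["ident"] == req["ident"] and rep["seq_be"] == req["seq_be"]
            and rep["payload"] == req["payload"])  # reply must echo the exact payload

# Constructed sample: 56 data bytes + 8-byte header = 64 bytes, as in the output above.
PAYLOAD = bytes(range(56))
REQUEST = build_echo(ECHO_REQUEST, 0x1234, 1, PAYLOAD)
REPLY = build_echo(ECHO_REPLY, 0x1234, 1, PAYLOAD)
CORRUPTED = REPLY[:-1] + bytes([REPLY[-1] ^ 0xFF])  # last payload byte altered

if __name__ == "__main__":
    print(parse_echo(REQUEST)["seq_be"], parse_echo(REQUEST)["seq_le"])
    print(reply_matches(REQUEST, REPLY), parse_echo(CORRUPTED)["checksum_ok"])
```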
>>ICMP Packet Overview
>>The echo request ("ping") is structured as follows:
>>The echo reply must include the exact payload received in the request:
The 1st packet sent by the source machine is an ICMP echo request. In the image below, the highlighted text shows the ICMP query code: type 8, echo (ping) request.
The ping command sends a 64-byte echo request if we don't use the -l option (we will discuss this option later in the post). Now the first questions are why the sequence number keeps increasing, what the length 88 means, and many more. We will discuss every point one by one.
The length of the frame is 88, as explained in the table below:

| Ethernet Header | IP Header | ICMP Header | ICMP Payload Size | MTU (1500) |
|---|---|---|---|---|
| 14 bytes | 20 bytes | 8 bytes | 46 | 88 |
The default size of the ICMP payload is 32 bytes and the maximum is 1472 (MTU - (IP header + ICMP header), which is 1500 - (20 + 8) = 1472). If the payload is larger than 1472 bytes, the packet gets fragmented into smaller packets.
The Identifier and Sequence Number are used by the client to match the reply with the request that caused it. In practice, most Linux systems use a unique identifier for every ping process, and the sequence number is an increasing number within that process (we can see the sequence number increasing in the capture above).
One more important question: what are the BE and LE that we can see in the capture?
BE is big endian and LE is little endian. The sequence number field is simply being displayed in both big endian (BE) and little endian (LE) formats to make it easier to follow when those sequence numbers are incrementing from one ICMP echo request/reply to the next. Both formats are shown because sometimes those fields are populated in big endian format and sometimes they are populated in little endian format, and there is no definitive way to tell which format is in use from the contents of the packet.
>>Similarly, the image below shows the details of the 2nd packet, i.e. the echo reply. We can observe that the highlighted text shows the ICMP query code: type 0, echo (ping) reply.
There are also a few error codes in ICMP:
Error: error messages report problems that a router or a destination host may generate.
For example, the message types below are some of the ICMP error codes:
- Type 3 = Destination Unreachable
- Type 4 = Source Quench
- Type 5 = Redirect
- Type 11 = Time Exceeded
- Type 12 = Parameter Problems
When we ping an IP, sometimes we don't get an echo reply from the host machine; instead, we get a reply such as destination unreachable or time exceeded. This is known as an ICMP error reporting message. There are many possible reasons for such an error message: possibly a host in the network is down, or a firewall is blocking your ping request.
Can we customize the ping command with different factors, such as a custom payload size per ICMP request, the number of requests, and so on? The answer is yes. We are going to discuss each option that can be used to customize ping.
By default, ping sends 4 request packets and receives the same number of packets as replies from the host. We can increase or decrease this number using the command below.
ping -n 2 192.168.0.105
-n: Number of echo requests to send
As we set -n to 2 request packets, we got two packets as replies.
Similarly, we can also set the TTL (Time to Live) for the echo request packet. By default, 4 request packets are sent from the source machine at the rate of 1 millisecond per packet. Suppose we want to give a TTL between two packets: set -i as 5ms so that after the first packet is delivered, the second packet is sent after 5ms.
ping -i 5 192.168.0.105
-i TTL: Time To Live
Let's verify the TTL of a packet sent from source to destination in Wireshark. In the image below, we notice that every echo request packet has TTL 5, but every echo reply has the default TTL value, i.e. 128.
As discussed above, the default size of the ICMP payload is 32 bytes and the maximum is 1472; if the payload is larger than 1472 bytes, the packet gets fragmented into smaller packets. In the image below, we can observe that the source has pinged the host with the default 32-byte payload.
You can set the size of the payload carried by the echo request from source to destination using the following command.
ping -l 33 192.168.0.105
We can see that the length of the frame is now 75, which is 14 (Ethernet header) + 20 (IP header) + 8 (ICMP header) + 33 (ICMP payload).
Now we send the maximum payload size using the following command. In the image below, we can see a reply from the host machine.
According to the MTU, if the payload size is set to 1472 then the frame size becomes 1514, as explained above. Let's verify it in Wireshark: in the image below, the frame length is 1514 and the highlighted text shows 1472 bytes of payload data.
When the payload is larger than 1472 bytes, or too large for a network to carry when it reaches a router, the router breaks it into smaller packets (fragments).
ping -l 1473 192.168.0.105
From the image we can confirm that when the ICMP payload is more than 1472 bytes, the packet gets fragmented, as per the table below:
If we separate out the Ethernet header and IP header, the size of the payload will be 1480 bytes, as shown below.
Using the -f option with the ping command will not allow packet fragmentation in the network.
ping -f -l 1472 192.168.0.105
-f: Set Don’t Fragment flag in the packet
In the image below we can observe that the remote host has set the Don't Fragment flag, which will not allow the router to fragment the packets. Moreover, a 1472-byte payload doesn't need fragmentation by the router.
If a packet of size 1473 is sent with the Don't Fragment flag set, the router will reject the packet and display an ICMP message saying that the packet needs to be fragmented because of the MTU size limit of 1500 bytes.
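The frame-length and fragmentation arithmetic from this section, as an added example that is not part of the original article. It assumes the article's header sizes and 1500-byte MTU, counts frame length without Ethernet padding or FCS (matching the article's 75, 88 and 1514), and uses hypothetical function names.

```python
ETH_HDR, IP_HDR, ICMP_HDR = 14, 20, 8   # header sizes used in the article


def frame_length(payload: int) -> int:
    """Frame length for an unfragmented echo request with `payload` data bytes."""
    return ETH_HDR + IP_HDR + ICMP_HDR + payload


def plan_fragments(payload: int, mtu: int = 1500, dont_fragment: bool = False) -> list:
    """Return (offset in 8-byte units, IP data bytes, more-fragments flag, frame length)
    for each IP packet needed to carry one echo request."""
    icmp_len = ICMP_HDR + payload        # the ICMP header travels as IP data
    max_data = mtu - IP_HDR              # 1480 bytes of IP data for a 1500-byte MTU
    if icmp_len <= max_data:
        return [(0, icmp_len, False, ETH_HDR + IP_HDR + icmp_len)]
    if dont_fragment:
        # A router in this situation drops the packet and reports
        # Destination Unreachable (Type 3), code 4: fragmentation needed and DF set.
        raise ValueError(f"{icmp_len} bytes of IP data exceed {max_data} and DF is set")
    per_fragment = max_data - max_data % 8   # all but the last fragment carry a multiple of 8
    fragments, offset = [], 0
    while offset < icmp_len:
        size = min(per_fragment, icmp_len - offset)
        more = offset + size < icmp_len
        fragments.append((offset // 8, size, more, ETH_HDR + IP_HDR + size))
        offset += size
    return fragments


if __name__ == "__main__":
    for size in (33, 1472, 1473):
        print(size, plan_fragments(size))
    try:
        plan_fragments(1473, dont_fragment=True)
    except ValueError as err:
        print("rejected:", err)
```

For a 1473-byte payload the first fragment carries 1480 bytes of IP data (the 8-byte ICMP header plus 1472 payload bytes) and the second carries the single remaining byte.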
Member of Technical staff Wireless | Automation
5 years ago: It's a good read @priyanka