
Wednesday, December 17, 2014

Ping - A Detailed View


Ping sends very small packets to an IP host, which answers by sending packets back.
The ICMP packets sent to the host are called echo_request and the packets sent back echo_response.





The ICMP header is composed of the following fields:

- Type
- Code
- Header checksum
- ID
- Sequence 

[Figure: ICMP header]

Below, you can find some ICMP types.

Type  Description
  0   Echo reply
  3   Destination unreachable
  4   Source quench
  5   Redirect
  8   Echo request
  9   Router advertisement
 10   Router solicitation
 11   Time exceeded
 12   Parameter problem
 13   Timestamp request
 14   Timestamp reply
 15   Information request
 16   Information reply
 17   Address mask request
 18   Address mask reply
 30   Traceroute

Below, you can find the ICMP packet structure.


[Figure: ICMP packet structure overview]
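The header layout listed above (Type, Code, Header checksum, ID, Sequence) can be assembled and checked with a few lines of Python. The following is an added example, not code from the original post: it packs an echo_request, computes the ICMP checksum (the RFC 1071 one's-complement sum over the whole message), parses it back, and builds the matching echo_response that a host would return with the same ID and Sequence so the sender can pair reply with request. The function names and the 32-byte constructed payload are my own.

```python
import struct

# ICMP type values from the table above
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Assemble Type | Code | Checksum | ID | Sequence | payload (network byte order).

    The checksum is computed with the checksum field set to zero, as the receiver will redo it."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo message into its fields and verify the checksum.

    A message whose checksum is intact sums to 0xFFFF, so the complement is zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[8:],
        "checksum_ok": internet_checksum(packet) == 0,
    }


def echo_reply_for(request: bytes) -> bytes:
    """Build the echo_response a host sends back: same ID, Sequence and payload, type 0."""
    fields = parse_echo(request)
    if fields["type"] != ICMP_ECHO_REQUEST or not fields["checksum_ok"]:
        raise ValueError("not a valid echo_request")
    return build_echo(ICMP_ECHO_REPLY, fields["id"], fields["seq"], fields["payload"])


if __name__ == "__main__":
    # constructed sample: the 32 data bytes a Windows ping sends by default
    request = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=bytes(range(32)))
    print(parse_echo(request))
    print(parse_echo(echo_reply_for(request)))
```

The checksum check is what makes a corrupted or hand-edited message detectable: flip any byte and `checksum_ok` becomes false, which is also why a capture tool flags ICMP messages with bad checksums.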

The TTL or Time-To-Live gives you an indication of the number of routers between the source and destination. 


The TTL is used to prevent an IP packet from looping inside an IP network and causing a network meltdown. 

The initial TTL value of an IP packet is 255; it is decremented by 1 each time the packet passes through a router, and when the value reaches 0 the packet is discarded by that router. The TTL value is carried in every IP packet, including ICMP packets. The TTL value shown by the ping command is in fact the TTL of the echo_response packet.
By default, Windows will decrease the TTL by 128 and Ubuntu Linux by 192.

Let us study three scenarios where A pings B. B is a router (case 1), a Microsoft Windows machine (case 2) and an Ubuntu Linux machine (case 3).
The TTL value is initially 255 and is then decreased as described above.

Case 1:
When A pings B, it receives a TTL of 251 because the packets crossed 4 routers (-4).
TTL=255-4=251

[Figure: scenario 1, A pings B where B is a router]

ping B 

Pinging B [1.1.1.1] with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=251

Ping statistics for 1.1.1.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
      Minimum = 18ms, Maximum = 33ms, Average = 23ms
Case 2:
When A pings B, it receives a TTL of 124 because the packets crossed 3 routers (-3) and a Windows machine (-128).
TTL=255-3-128=124

[Figure: scenario 2, A pings B where B is a Microsoft Windows machine]

ping B 

Pinging B [1.1.1.1] with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=125
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=125
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=125
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=125

Ping statistics for 1.1.1.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
      Minimum = 18ms, Maximum = 33ms, Average = 23ms
Case 3:
When A pings B, it receives a TTL of 62 because the packets crossed 3 routers (-3) and an Ubuntu machine (-192).
TTL=255-3-192=60

[Figure: scenario 3, A pings B where B is an Ubuntu Linux machine]

ping B 

Pinging B [1.1.1.1] with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=60
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=60
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=60
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=60

Ping statistics for 1.1.1.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
      Minimum = 18ms, Maximum = 33ms, Average = 23ms
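The three cases apply the same formula each time: observed TTL = initial TTL - per-host decrement - routers crossed. The following added example (my own code, not part of the original post) parses Windows-style ping output like the listings above, rebuilds the statistics block, and turns the reported TTL into a router count with that formula. The sample output is constructed (it follows case 1 with one lost probe added), the `HOST_DECREMENT` table encodes the model used in the scenarios, and `initial_ttl` is a parameter because real stacks start from different defaults (64, 128 and 255 are the common ones), so the router count only means something if you know which OS replied.

```python
import re
from statistics import mean
from typing import Optional

# Constructed sample in the format of the Windows ping output shown above, with one lost probe.
SAMPLE_PING_OUTPUT = """\
Pinging B [1.1.1.1] with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=251
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=251
Request timed out.
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=251
"""

# "time<1ms" is printed for sub-millisecond replies, hence [=<] and the optional space
REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<size>\d+) time[=<](?P<rtt>\d+) ?ms TTL=(?P<ttl>\d+)"
)
TIMEOUT_RE = re.compile(r"Request timed out\.")

# Per-host TTL decrement used in the three scenarios above (the page's model, not every real stack).
HOST_DECREMENT = {"router": 0, "windows": 128, "ubuntu": 192}


def parse_ping(output: str) -> dict:
    """Collect every reply line (ip, size, rtt, ttl) and count probes that timed out."""
    replies, timeouts = [], 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append({"ip": m["ip"], "size": int(m["size"]),
                            "rtt_ms": int(m["rtt"]), "ttl": int(m["ttl"])})
        elif TIMEOUT_RE.search(line):
            timeouts += 1
    return {"replies": replies, "timeouts": timeouts}


def summarize(parsed: dict) -> dict:
    """Rebuild the 'Ping statistics' block: counts, loss percentage, min/max/avg round trip."""
    replies = parsed["replies"]
    lost = parsed["timeouts"]
    sent = len(replies) + lost
    rtts = [r["rtt_ms"] for r in replies]
    return {
        "sent": sent, "received": len(replies), "lost": lost,
        "loss_pct": round(100 * lost / sent) if sent else 0,
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "avg_ms": round(mean(rtts)) if rtts else None,
    }


def observed_ttl(parsed: dict) -> Optional[int]:
    """TTL reported by the replies; all replies of one run normally agree, else return None."""
    ttls = {r["ttl"] for r in parsed["replies"]}
    return ttls.pop() if len(ttls) == 1 else None


def hops_from_ttl(ttl: int, host: str = "router", initial_ttl: int = 255) -> int:
    """Routers crossed, from TTL = initial_ttl - host decrement - routers.

    Pass the replying OS's real starting TTL as initial_ttl (with host="router", i.e. no
    extra decrement) when you know it; the default reproduces the scenarios above."""
    return initial_ttl - HOST_DECREMENT[host] - ttl


if __name__ == "__main__":
    parsed = parse_ping(SAMPLE_PING_OUTPUT)
    print(summarize(parsed))
    print("routers crossed:", hops_from_ttl(observed_ttl(parsed)))
```

Two replies with different TTLs in one run are worth noticing rather than averaging away: they usually mean the replies took different return paths or came from different hosts behind the same address, which is why `observed_ttl` refuses to guess in that case.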

How Trace Route Works: TTLs

TTL stands for Time To Live. When a TCP packet is sent, its TTL is set, which is the number of routers (hops) it can pass through before the packet is discarded. As the packet passes through a router the TTL is decremented until, when the TTL reaches zero, the packet is destroyed and an ICMP "time exceeded" message is returned. The return message's TTL is set by the terminating router when it creates the packet, and decremented normally.

Trace Route works by setting the TTL for a packet to 1, sending it towards the requested destination host, and listening for the reply. When the initiating machine receives a "time exceeded" response, it examines the packet to determine where the packet came from - this identifies the machine one hop away. Then the tracing machine generates a new packet with TTL 2, and uses the response to determine the machine 2 hops away, and so on.

Unfortunately, not all TCP stacks behave correctly. Some TCP stacks set the TTL for the ICMP "time exceeded" message to that of the message being killed. So if the TTL is 0, the packet will be killed by the next machine to which it is passed. This can have two effects on a trace. If the computer is an intermediate machine in the trace, the entry will remain blank. No information is returned to the machine conducting the trace because the "time exceeded" message never makes it back. If the machine you are doing a trace to has this bug in its TCP stack, return packets won't reach the originating machine unless the TTL is high enough to cover the round trip. So Trace Route will show a number of failed connections equal to n (the number of hops to the destination machine) minus 1.
Machines running MacTCP display this bug. Open Transport handles TTLs correctly. The original distributions of 4.3 BSD had this error, so some UNIX machines display the problem.
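The probe-by-probe procedure above, including the two effects of the TTL-copying bug, can be simulated without sending a packet. The following added example (mine, not the post's or any traceroute implementation's code) models a path as a list of hops, forwards probes with TTL 1, 2, 3, ... and records which host's reply actually makes it back. A correct stack puts a fresh TTL on its "time exceeded" message; a buggy one copies the dying packet's TTL, so a buggy intermediate router leaves a blank entry and a buggy destination stays blank until the probe's leftover TTL is large enough for the round trip. The `Hop` class, the function names, the fresh TTL of 255 and the four-hop sample path are my assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

FRESH_TTL = 255   # TTL a correct stack puts on a packet it originates (assumed value)


@dataclass
class Hop:
    name: str
    buggy: bool = False   # stack copies the incoming packet's TTL into its reply


def reply_returns(reply_ttl: int, routers_on_return: int) -> bool:
    """A reply survives the way back only if no router on the return path decrements it to 0."""
    return reply_ttl > routers_on_return


def send_probe(path: list[Hop], ttl: int) -> Optional[str]:
    """Forward one probe with the given TTL; return the name of the host whose reply reaches us, else None."""
    routers, dest = path[:-1], path[-1]
    for i, router in enumerate(routers, start=1):
        ttl -= 1                                   # every router decrements the TTL
        if ttl == 0:                               # expired here: this router answers "time exceeded"
            reply_ttl = 0 if router.buggy else FRESH_TTL    # a buggy stack copies the now-zero TTL
            return router.name if reply_returns(reply_ttl, i - 1) else None
    # the destination consumes the probe instead of forwarding it, so it does not decrement
    reply_ttl = ttl if dest.buggy else FRESH_TTL   # buggy destination: reply gets the leftover TTL
    return dest.name if reply_returns(reply_ttl, len(routers)) else None


def trace(path: list[Hop], max_ttl: int = 30) -> list[tuple[int, Optional[str]]]:
    """Run probes with increasing TTL until the destination answers or max_ttl is reached."""
    results = []
    for ttl in range(1, max_ttl + 1):
        responder = send_probe(path, ttl)
        results.append((ttl, responder))
        if responder == path[-1].name:
            break
    return results


def blank_entries(results: list[tuple[int, Optional[str]]]) -> int:
    """Number of probes that got no usable reply (shown as blank lines by a trace tool)."""
    return sum(1 for _, responder in results if responder is None)


# Constructed sample path: router 2 and the destination B have the TTL-copying bug.
SAMPLE_PATH = [Hop("r1"), Hop("r2", buggy=True), Hop("r3"), Hop("B", buggy=True)]

if __name__ == "__main__":
    for ttl, responder in trace(SAMPLE_PATH):
        print(f"TTL {ttl}: {responder or '*'}")
```

With four hops the buggy destination swallows probes 4, 5 and 6 and answers only at TTL 7, which is the "n minus 1" failed entries described above; the buggy intermediate router r2 never shows up at all. In a real trace the same blanks can also come from a router that simply rate-limits or drops ICMP, so a blank line alone does not tell you which of the two you are looking at.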

The times in Trace Route are total round trip times in seconds. The Min/Avg/Max should increase from machine n to machine n+1, but they may not, for a variety of reasons. To start with, the times are based on the number of tests listed in the results column (generally 3 for a completed trace). Response times vary depending on network usage. Additionally, returning a "time exceeded" message requires more computational time than routing a packet onwards. Finally, packet paths may not be the same coming and going.