Analysis of PING

Ping is a very frequently used command to check the connectivity of devices. The first part of network troubleshooting would be to use ping to see if the device is connected to the network.

Few questions were left unanswered.

  1. Even though the target device is online, I still couldn’t ping. What could be the reason?
  2. How does it work?
  3. What’s TTL?
  4. What’s time?
  5. What’s the 32 bytes of data which is received?
  6. It’s totally 32 bytes or any extra information?
  7. Why 32? Can we increase/decrease it?

I did some research to find out the answers.

TLDR; Ping uses ICMP protocol, it doesn’t use any TCP / UDP port. Even though my destination [target] device is online, sometimes still I couldn’t ping the device. Usually, I would do it turn off the firewall and it’ll be alright. There is one part which plays a major role in ICMP.  “File and Printer Sharing (Echo Request – ICMPv4-In)”. By default, it will be disabled which blocks ping requests. If we enable it, then we can ping the target device. The below screenshot is taken from Windows Firewall with Advanced settings.

ICMP - Firewall

When we ping, usually there are two packets per ping, one request packet [32 bytes data] is the sent to the target, and one reply packet [32 bytes data] is the received from the target (We get reply only when the data reaches the source). Windows being user friendly shows only limited information.

By default, Windows sends 4 ping requests to the target device. What we see on the command prompt [below screenshot] is the reply from the target to the host.

Ping 172.20.10.1.png

A graphical representation looks like this, target (destination) is marked in orange, source in blue. The red lines indicates the request and the green represents the reply.

source_destination-Packet.jpg

To understand how it works, I used Wireshark.

Wireshark - 4 pings.png

We have quite lot of information considering above screenshot (taken from wireshark). Each line is a packet. One packet contains tonnes of information!

Host IP Address: 172.20.10.3 (Windows 10)

Target IP address: 172.20.10.1 (networking device)

Note: We can change the number of ping requests by using the following command: 

ping -n 10 192.168.1.1 

where 10 is the number of ping requests which can be changed.

TTL or Time To Live limits the timespan of the data on a network after which the data is discarded. From the above screenshot, TTL of the packet from source to the target is 128. And, TTL of the packet received from the target is 64 (This is what we see on the command prompt).

The time delta frame from previous captured frame is time (mentioned in command prompt screenshot), 0.004873000 seconds (4 milli seconds)!

time

The first line in the above screenshot says 74 bytes, but command prompt says 32 bytes. Both are correct. Upon deeper analysis of the packet, we can see that along with actual data [payload] – 32 bytes, there is  information like source, destination MAC Address, IP address etc which is added to the packet, combining all together it is 74 bytes of data. A packet can be split into various parts:

ICMP Frame
Payload: 32
Sequence No (LE/BE): 2
Identifier (LE/BE) : 2
Checksum: 2
Code: 1
Type: 1
Total: 40 bytes

IPv4:
Source IP Address: 4
Destination IP Address: 4
Header checksum: 2
Protocol: 1
TTL: 1
Flag: 2
Identification: 2
Total Length: 2
Differentiated Services Field: 1
Header: 1
Total: 20 bytes

Ethernet II:
Destination MAC: 6
Source MAC: 6
Type: 2
Total: 14 bytes

 Summing up everything 40+20+14 = 74 bytes

The actual data (payload) sent and received from the destination is abcdefghijklmnopqrstuvwabcdefghi which is 32 bytes.

Payload can be changed using the following command.

Ping -l 100 192.168.1.1

Where payload is 100, which can be between 0 and 65,500

Hope this clears the Ping questions! FYI, Ping stands for Packet INternet Groper. The analysis was done on a Windows 10 operating system, Other Operation System may give different results.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s