Ping

The ping tool can do more than basic connectivity testing. This chapter goes through several ping command examples and analyzes the output. Running tools is easy. Understanding what the tools are telling you requires more skill.

Learning Objectives

You should be able to:

  • Describe the Internet Control Message Protocol (ICMP)
  • Use advanced ping features
  • Evaluate ping output

Video Walkthrough

Use this video to follow along with the steps in this lab.

Internet Control Message Protocol

The Internet Control Message Protocol (ICMP) is part of the Internet Protocol definition. Every device connected to the internet can choose to report successes or failures to communication requests. ICMP defines many messages, including:

  • Destination network unreachable
  • Destination host unreachable
  • Destination host unknown

When troubleshooting networks, administrators can find useful ICMP messages in log files. ICMP is a network-layer protocol, so it does not use a specific port.

Ping

The ping utility implements the ICMP echo request and echo reply messages. It is commonly used for connectivity testing but has some more advanced uses. This section will walk through several ping commands, and the output will be evaluated. The ping utility exists on Windows, Linux and Mac. The Windows ping utility works nearly the same as its Mac and Linux counterparts. One difference is that by default, Windows will ping four times before exiting automatically, while on Linux, ping will ping forever until canceled (unless told otherwise).

  • Open a command line interface (either on Linux or Windows).
  • Run the following command to ping an IP address on the internet. In this case, the IP address is a public DNS server hosted by Google. Pinging a known IP address is a good way to test basic internet connectivity. If using Linux, press control+c to stop the ping after about 4 replies. By default, Linux will ping forever until you stop it.
ping 8.8.8.8

Evaluate the output.

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=109 time=46.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=109 time=45.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=109 time=45.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=109 time=45.8 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3021ms
rtt min/avg/max/mdev = 45.447/45.845/46.317/0.312 ms
  • The first line shows the IP address being pinged. 56 is the amount of data being sent. The ICMP header adds 8 bytes, so that is why "64 bytes" is seen in the subsequent lines. The IP header adds additional information for a total of 84 bytes. This example ping uses the default values for packet size. The size of the packet can be increased manually. In the past, some computers did not expect a very large ping packet and would crash if the packet was too large. This attack was known as the ping of death.
  • Lines 2-4 show successful replies. 64-byte ping packets were received from 8.8.8.8.
  • The icmp_seq field shows the order in which the replies came. If a sequence number is missing, packets might be dropped from the network.
  • The ttl field is 109. When a packet first starts its journal on the internet, a time to live (TTL) field is set in the IP header. Every time the packet goes through a router, the TTL value is decreased by one. If a router receives a packet with a TTL of 0, the packet is dropped. The initial TTL defaults differ depending on your operating system. The defaults are typically 64, 128, or 255. Usually, you can get anywhere on the internet within 12-20 hops maximum, so even 64 hops give a lot of room for navigating the internet.
  • The time field shows latency--the time it took to send and receive a reply. It is usually measured in milliseconds. The lower the number, the faster your connection. Generally, we want consistent numbers. You might be unsatisfied with your network if you had 10 packets with really low latency and 10 packets with really high latency. Especially for gaming, low latency is important. The time number does not evaluate bandwidth, but it is a decent heuristic for evaluating the network connection between two devices.
  • You can ping a domain name to test connectivity. (Again, press control+c to stop the ping after about 4 replies.)
ping google.com

Evaluate the output.

PING google.com (142.250.191.174) 56(84) bytes of data.
64 bytes from ord38s30-in-f14.1e100.net (142.250.191.174): icmp_seq=1 ttl=109 time=47.7 ms
64 bytes from ord38s30-in-f14.1e100.net (142.250.191.174): icmp_seq=2 ttl=109 time=53.2 ms
4 bytes from ord38s30-in-f14.1e100.net (142.250.191.174): icmp_seq=3 ttl=109 time=47.2 ms
64 bytes from ord38s30-in-f14.1e100.net (142.250.191.174): icmp_seq=4 ttl=109 time=54.4 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 47.167/50.630/54.422/3.214 ms
  • The results show that DNS is successfully resolving Google's IP address. The first line shows the IP address being pinged. Lines 2-4 show a different domain. A DNS reverse lookup was used to determine the domain associated with the IP address. Because a single server might host multiple domains, the domain you ping and the domain in the reverse lookup may not always match.
  • In Linux, you can specify the number of pings with the -c (count) option.
ping -c 4 8.8.8.8
  • In Windows, you can specify the number of pings with the -n option.
ping -n 5 8.8.8.8
  • See if netflix.com is up.
ping -c 4 netflix.com

Evaluate the output.

PING netflix.com (54.160.93.182) 56(84) bytes of data.

--- netflix.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3081ms

The output shows that the netflix.com domain name was successfully resolved--that's good. But there was 100% packet loss. 4 packets were transmitted, and 0 were received. Check your web browser and see if netflix.com can be loaded (it probably can). So what is happening? Likely, netflix.com simply does not respond to ping requests. The network engineers at Netflix decided to block ICMP requests.

The ping command is a foundational command for basic network connectivity testing. It is important to understand how to use it and what it is telling you. If you run networks, you have the choice of blocking ICMP requests. You might choose to block incoming ICMP requests on a firewall (a device that filters packets based on rules).

Challenge

  • In the Linux terminal, run man ping to read about different ping features. For example, you can find out how to change the packet size.
    • Press q to quit the manual.
  • In Windows, run ping -? to see the help documentation.
  • Read about a new way to use the ping command using either Linux or Windows.
  • Run the new ping command you learned. What information does the command tell you?

Reflection

  • If you ran a web server on the internet, would you block ICMP requests?
  • How would you find additional ways to use the ping utility?

Key Terms

  • ping: A network utility tool used to test the reachability of a host on an IP network. It works by sending Internet Control Message Protocol (ICMP) Echo Request messages to the target host and waiting for an Echo Reply. The tool measures the round-trip time for messages sent from the source to the destination and back, helping diagnose network connectivity issues.
  • ICMP (Internet Control Message Protocol): A network layer protocol used by network devices to diagnose network communication issues. ICMP is primarily used for sending error messages and operational information, such as indicating that a requested service is not available or that a host or router could not be reached. It is an integral part of the IP suite and is used by tools like ping and traceroute.