01 Overview
Every programmer knows the ping command. When we check the network status, ping is usually the first command we reach for. Generally, we use ping to check two indicators:
If it times out, there must be a network problem (unless ping is disabled); if the delay is too high, the network condition must be very bad. So what is the principle behind the ping command, and how does ping check the network? Let's follow the ping command and see how it works.

02 Environment preparation and packet capture

Environment preparation

Packet capture tool: Wireshark

Prepare two computers and perform a mutual ping operation:
Packet capture operation

Open Wireshark, select the network card to capture on, and ping the IP address of computer B from computer A. The captured packets are as follows:

Here is a brief introduction to the Wireshark control panel. This panel contains 7 fields, namely:
03 In-depth analysis

The captured packets 54-132 in the above figure show the whole process of the ping command. The ping command is not based on a transport layer protocol such as TCP or UDP, but on the ICMP protocol. So what is the ICMP protocol? Here is a brief introduction.

Background of the ICMP protocol

[RFC792] explains why ICMP was created: since communication across the Internet involves many gateways and hosts, the ICMP protocol was created to be able to report data errors. In other words, the ICMP protocol is designed to forward IP datagrams more efficiently and increase the chances of successful delivery.

Data format of the ICMP protocol

According to the above figure, the ICMP protocol header contains 4 bytes, and the header is mainly used to describe the message type and to verify the ICMP message. The figure below lists the types and codes and their meanings, which we will use when analyzing the captured packets later.

After this brief introduction to ICMP, what is the ARP protocol that appears in the packet capture? Let's briefly explain that as well.

ARP protocol

In a local area network, computers actually communicate using MAC addresses, so the role of ARP (Address Resolution Protocol) is to find the MAC address that corresponds to an IP address.

Ping process analysis

With these basic concepts in place, let's analyze the captured data. The process is as follows:

1. Computer A (192.168.2.135) initiates a ping request: ping 192.168.2.179
2. Computer A broadcasts an ARP request to query the MAC address of 192.168.2.179.
3. Computer B responds to the ARP request with a unicast reply to computer A, telling computer A that its MAC address is 90:A4:DE:C2:DF:FE.
4. Once the MAC address is known, the actual ping request begins. Since computer B can learn the source MAC address from the request sent by computer A, it can respond to that source MAC address.
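The ARP request and reply from steps 2 and 3, built and parsed as raw Ethernet frames. This is an added example, not part of the original article; computer A's MAC address is a made-up placeholder and the frames are constructed, not taken from the capture.

```python
import struct

# Constructed frames. Computer B's MAC and both IPs are the ones quoted in the
# article; computer A's MAC is a made-up placeholder (assumption).
MAC_A, IP_A = "02:00:00:00:00:0a", "192.168.2.135"
MAC_B, IP_B = "90:a4:de:c2:df:fe", "192.168.2.179"
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip):
    return bytes(int(part) for part in ip.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_arp(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) followed by an Ethernet/IPv4 ARP body (28 bytes)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))

def parse_arp(frame):
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": {1: "request", 2: "reply"}.get(op, "other"),
            "broadcast": mac_str(frame[0:6]) == BROADCAST,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_ip": ip_str(frame[38:42])}

def learn_from_reply(cache, frame):
    """Simplified cache update: record the sender's IP -> MAC mapping from a reply."""
    msg = parse_arp(frame)
    if msg["op"] == "reply":
        cache[msg["sender_ip"]] = msg["sender_mac"]
    return cache

REQUEST = build_arp(1, BROADCAST, MAC_A, IP_A, UNKNOWN, IP_B)  # A asks: who has .179?
REPLY = build_arp(2, MAC_A, MAC_B, IP_B, MAC_A, IP_A)          # B answers A directly
```
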
The request process above is more intuitive when drawn as a flowchart:

Careful readers may have noticed that after the 4 ping requests and responses, there is another ARP request from computer B to computer A. Why is this? Here I guess there are two reasons:

1. Since ARP has a cache mechanism, the ARP cache is updated at the end, before the entry can expire, to ensure that the next request takes the correct path. If the ARP entry expired, an error would occur, which would affect the accuracy of the test.
2. Since the response time of the ping command is calculated from the timestamps of the request and response packets, and an ARP exchange also consumes time, caching the latest ARP result in advance saves the ARP time of the next ping.

To verify this guess, I perform another ping operation and capture the packets to see whether they match it. At this point the computer already has an ARP cache, so we run arp -a to see the cached ARP list:

Let's look at the second ping capture:

We can see in the figure above that no ARP request is made before the actual ping operation, which means that the cached ARP entry is used directly. In addition, before computer B responds, it still makes an ARP request to confirm whether the previous ARP cache entry is correct. Then, after the ping operation is completed, it sends an ARP request again to update its own ARP cache. This is basically consistent with our conjecture.

Having understood the ping process, let's compare the ICMP format explained earlier with the captured packets. Click on a ping request to see the ICMP protocol details:

The red box in the figure shows the details of the ICMP protocol. Here, Type=8, code=0, the checksum is correct, and this is a request message. We then click "Response frame: 57", which shows that the response message is number 57 in the capture.
The details are as follows:

The response message in the figure above has Type=0, code=0, so we know that it is the response message. Finally, the response delay is calculated from the timestamps of the request and response: 3379.764ms-3376.890ms=2.874ms.

04 Conclusion

We analyzed a complete ping request process. The ping command relies on the ICMP protocol, which exists to forward IP datagrams more efficiently and increase the chance of successful delivery. In addition to ICMP, the ping command also relies on the ARP protocol in the local area network. The ARP protocol resolves a computer's MAC address from its IP address. ARP also has a cache, and to keep it accurate the computer updates the ARP cache.
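The ICMP checks made in the analysis above (Type and code, a valid checksum, and the delay between request and response) can be reproduced in a few lines. This is an added example, not part of the original article; echo messages carry a 16-bit identifier and sequence number after the type, code and checksum, and the identifier, sequence number and payload used here are constructed, while the two timestamps are the ones quoted above.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Type 8 = echo request, type 0 = echo reply; code is always 0."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(msg):
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    kind = {(8, 0): "echo request", (0, 0): "echo reply"}.get((icmp_type, code), "other")
    # Summing a valid message, checksum field included, yields 0.
    return {"kind": kind, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(msg) == 0}

def rtt_ms(capture):
    """capture: list of (time_ms, icmp_bytes); pairs replies to requests by (id, seq)."""
    pending, rtts = {}, {}
    for t, raw in capture:
        m = parse_echo(raw)
        if not m["checksum_ok"]:
            continue  # a corrupted message is ignored, as a receiver would drop it
        key = (m["id"], m["seq"])
        if m["kind"] == "echo request":
            pending[key] = t
        elif m["kind"] == "echo reply" and key in pending:
            rtts[key] = round(t - pending.pop(key), 3)
    return rtts

PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # constructed 32-byte payload
CAPTURE = [(3376.890, build_echo(8, 1, 10, PAYLOAD)),   # request, Type=8
           (3379.764, build_echo(0, 1, 10, PAYLOAD))]   # response, Type=0
```
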