When you "ping", do you know the logic behind it?

[[262430]]

When we encounter a network outage, we all know to ping to check the network status.

Do you know the logic behind the "ping" command? Do you know how it is implemented?

1. What is the function and principle of the "ping" command?

In simple terms, "ping" is a command used to detect whether the local host is reachable to another host in the network. If the ping between the two hosts fails, it means that the two hosts cannot establish a connection. Ping is an important means of locating whether the network is accessible.

The ping command works based on the ICMP protocol. The full name of "ICMP" is Internet Control Message Protocol. The ping command sends an ICMP echo request message to the target host and waits for the target host to return an ICMP echo reply. Because the ICMP protocol requires the target host to return an ICMP reply message to the source host after receiving the message. If the source host receives the reply from the target host within a certain period of time, it means that the network between the two hosts is reachable.

Let's take an example to describe the working process of the "ping" command:

1. Suppose there are two hosts, host A (192.168.0.1) and host B (192.168.0.2). Now we want to monitor whether the network between host A and host B is reachable, so we enter the command on host A: ping 192.168.0.2
2. At this time, the ping command will construct an ICMP request data packet on host A (the contents of the data packet will be described in detail later), and then the ICMP protocol will pass this data packet and other information such as the target IP (192.168.0.2) to the IP layer protocol.
3. After the IP layer protocol obtains this information, it constructs an IP data packet by combining the source address (i.e. the local IP), the destination address (i.e. the destination IP: 192.168.0.2), and some other control information.
4. After the IP data packet is constructed, it is not enough, the MAC address needs to be added, so the MAC address corresponding to the target IP needs to be found through the ARP mapping table. After obtaining the MAC address of the target host and the local MAC, they are handed over to the data link layer, assembled into a data frame, and transmitted according to the media access rules of Ethernet.
5. When host B receives this data frame, it will first check whether its target MAC address is the local machine. If it is, it will receive and process it. After receiving it, it will check the data frame, take out the IP data packet in the data frame, and hand it over to the local IP layer protocol. After the IP layer protocol is checked, it will take out the ICMP data packet and hand it over to the ICMP protocol for processing. When this step is also processed, it will construct an ICMP reply data packet and send it back to host A.
6. If host A receives a response packet within a certain period of time, it means that the network between it and host B is reachable. If it does not receive a response packet within a certain period of time, it means that the network is unreachable. In addition to monitoring whether it is reachable, the delay time of the data packet can also be calculated by using the difference between the response time and the initiation time.

Through the ping process, we can find that the ICMP protocol is the basis of this process and is very important, so the ICMP protocol is explained in detail below.

2. What is ICMP?

We know that the ping command is implemented based on the ICMP protocol. If we look at the figure below, we can see that the ICMP protocol is sent through the IP protocol, that is, the ICMP message is encapsulated in the IP packet.

The IP protocol is a connectionless, unreliable data packet protocol. It cannot guarantee that the data will be delivered. If we want to ensure that the data is delivered, we need to use other modules to assist in this. The ICMP protocol is introduced here.

When an abnormality occurs in the transmission of an IP data packet, ICMP will encapsulate the abnormal information in the packet and then send it back to the source host.

If you break down the above picture further, you can see:

Continue to disassemble the ICMP protocol module:

As can be seen from the figure, the ICMP data packet consists of an 8-bit type field, an 8-bit code field, a 16-bit check field, and option data.

ICMP protocols can be roughly divided into two categories:

• Query message type
• Error message type

Query message type:

Query messages are mainly used for: ping query, subnet mask query, timestamp query, etc.

The ping command process mentioned above actually corresponds to a use of the ICMP protocol query message type. When host A constructs an ICMP request packet, the ICMP type field uses 8 (echo request), and when host B constructs an ICMP reply packet, the ICMP type field uses 0 (echo reply). For more type values, refer to the table above.

For an understanding of the query message type, please refer to the ping process mentioned at the beginning of the article, which will not be repeated here.

Error message type:

Error messages are mainly generated when data transmission is incorrect.

It includes: target unreachable (network unreachable, host unreachable, protocol unreachable, port unreachable, fragmentation prohibited, etc.), timeout, parameter problem, redirection (network redirection, host redirection, etc.), etc.

The error message usually contains the IP header of the first fragment of the IP data packet that caused the error, plus the first 8 bytes of the data part of the fragment.

When an error occurs in transmitting an IP data packet (for example, the host is unreachable), the ICMP protocol will encapsulate the error message and send it back to the source host, so that the source host knows how to handle it.

Does that mean that the error message type can only be used when an error occurs? Not necessarily.

Traceroute is an exception. Traceroute is a common tool used to detect the routing between the source host and the target host. The principle of Traceroute is to use ICMP rules to create some error events, and then evaluate the network routing situation based on the error events.

The specific approach is:

Traceroute sets a special TTL value to track the number of routes between the source host and the target host. First, it sends a UDP data packet with TTL=1 to the target host. Once this data packet encounters a router on the way, the TTL becomes 0 (the TTL rule is that it will be reduced by 1 every time it passes through a router). Because TTL=0, the router will discard this data packet and generate an ICMP data packet of the error type (timeout) to send back to the source host, which is an error packet. At this time, the source host has obtained the IP and related information of the first routing node.

Next, the source host sends a UDP data packet with TTL=2 to the target host, and the above process is repeated to obtain information such as the IP address and time consumption of the second routing node.

By repeating this process, Traceroute can obtain information about all routers between host A and host B.

But there is a problem. If the data packet reaches the target host, even if the target host receives an IP data packet with a TTL value of 1, it will not discard the data packet, nor will it generate a timed-out ICMP reply data packet, because the data packet has reached the destination. So how should we determine whether the data packet has reached the target host?

The Traceroute method is that when the source host sends a UDP data packet to the target host, it sets an impossible target port number (for example, a port number greater than 30000). Then when the data packet actually reaches the target host, the target host finds that there is no corresponding port number, so it generates an "unreachable port" error ICMP message and returns it to the source host.

It can be seen that the principle of Traceroute is indeed very clever and interesting.