This study contains an analysis of ping, a tool that is commonly used to test connections to hosts.
It focuses on pinging google.com, which is a well-known website.
The goal is to explore how it works and briefly mention the concepts that are used.
The analysis was done on a macOS host, so the network interface names and other host-specific values may differ on other operating systems.
As mentioned above, ping is a Unix tool that is used to test a connection to a host.
One of the important things about ping is that it uses Internet Control Message Protocol (ICMP) packets to test the connection.
This protocol lives on L3 of the TCP/IP model (Network/Internet Layer), which allows our analysis to focus purely on the connection, unlike L4 protocols such as HTTP/HTTPS or FTP.
Since ICMP lives on L3, it does not use TCP or UDP to function. It is encapsulated in an IPv4 packet.
ICMP is mainly used to understand the state of the transmitted packet. Based on the status of the remote location, ICMP can return messages like:
- Time-to-live Exceeded (TTL)
- Destination Unreachable
- Request Timed Out
PS: ICMP being on L3 does not make ping an L3 application. ping works at L4 (Application Layer) of the TCP/IP model.
Using ping is pretty straightforward. Here is an example call that will be analyzed:
# -c1 is used to ping only once, there is no limit by default on Unix.
ping -c1 google.com
Please note that ping can also be used to test the TCP/IP configuration on a host's NIC by using a loopback address (commonly known as localhost):
ping -c1 127.0.0.1
Keep in mind that using the loopback address does not create a packet that traverses the network.
First, let's see the case in action.
Here is what we see if we ping google.com:
ping -c1 google.com
# PING google.com (172.217.169.206): 56 data bytes
# 64 bytes from 172.217.169.206: icmp_seq=0 ttl=56 time=26.257 ms
#
# --- google.com ping statistics ---
# 1 packets transmitted, 1 packets received, 0.0% packet loss
# round-trip min/avg/max/stddev = 26.257/26.257/26.257/nan ms
Here is a summary of the output above:
- We successfully pinged google.com once,
- We can see the TTL of the ICMP packet coming back from an IP address,
- We have 1 packet transmitted with 0% packet loss,
- There are also additional metrics regarding the round-trip duration.
Based on the output we can say that the operation is pretty straightforward: we send a packet to google.com, and an IP address sends us a packet back.
Therefore we can say that we can successfully connect to it.
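To show where the numbers in that reply line come from, here is an added example (not part of the original study) that builds an ICMP echo reply inside an IPv4 header and parses it back: the 56 data bytes plus the 8-byte ICMP header give the 64 bytes that ping reports. The local address 192.0.2.10, the identifier 0x1234 and the payload bytes are constructed values; the function names are hypothetical.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo message: 8-byte header (type, code, checksum, id, seq) + data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + payload), ident, seq) + payload

def build_ipv4(src: str, dst: str, ttl: int, body: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options); protocol 1 means ICMP."""
    fields = [0x45, 0, 20 + len(body), 0, 0, ttl, 1, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + body

def parse_reply(packet: bytes) -> dict:
    """Parse IPv4 + ICMP, rejecting packets whose checksums do not verify."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < 20 or checksum(packet[:ihl]) != 0 or packet[9] != 1:
        raise ValueError("not a valid IPv4 packet carrying ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 or checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(packet[12:16]), "ttl": packet[8],
            "type": icmp_type, "id": ident, "seq": seq, "bytes": len(icmp)}

def demo() -> str:
    """Rebuild the reply line from the ping output using a constructed packet."""
    payload = bytes(range(56))  # constructed stand-in for ping's 56 data bytes
    reply = build_ipv4("172.217.169.206", "192.0.2.10", 56,
                       build_icmp(0, 0x1234, 0, payload))  # type 0 = echo reply
    r = parse_reply(reply)
    return f"{r['bytes']} bytes from {r['src']}: icmp_seq={r['seq']} ttl={r['ttl']}"

if __name__ == "__main__":
    print(demo())
```
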
Is this all that's happening, though? As you probably guessed, there is A LOT that happens behind the scenes.
So if you are ready for an adventure, let us begin.
Since the analysis is a bit long, I divided it into chapters - you can find them below:
- Step 1: The Local Network
- Step 2: DNS Is Only For Humans
- Step 3: How Is an IP Configured?
- Step 4: Where Does an IP Belong?
- Step 5: The Journey of a Packet - Part 1 (Host)
- Step 6: The Journey of a Packet - Part 2 (Gateway)
- Step 7: The Journey of a Packet - Part 3 (Hops)
- Step 8: Here Comes the ICMP Response
- Step 9: The Journey Ends Here
Now you will never be able to see ping like before!
With that said, we can conclude our analysis.
It was quite a fun ride to gather all these topics in one place.
I would like to encourage you to try all the commands that are used here.
Also, to see some of the protocols with your own eyes, I would recommend installing Wireshark to analyze your own network.
It is a popular packet analyzer tool and it is what I have been using throughout my own networking journey.