Troubleshooting with the Ping Command

Transmission Control Protocol/Internet Protocol (TCP/IP) is the acronym identifying a suite, or stack, of protocols developed by the U.S. Department of Defense in the 1970s to support the construction of worldwide internetworks. TCP and IP are the two best-known protocols in the suite.

The TCP/IP stack also includes the Internet Control Message Protocol (ICMP), which is designed to help an administrator manage and control the operation of a TCP/IP network. Every now and then a gateway device, such as a router, or possibly the destination host, will communicate with a source host to report an error in datagram processing. ICMP is used for this purpose, which makes it a tool in the troubleshooting process.

ICMP is sometimes called an umbrella protocol because it contains many sub-protocols and provides a wide variety of information about a network’s health and operational status. Unique ICMP messages are sent in several situations such as:

  • when a datagram cannot reach its destination
  • when the gateway does not have the buffering capacity to store and then forward a datagram
  • when the gateway can redirect the host to send traffic through a more optimal route

IP is not able to provide reliable delivery on its own; some datagrams may go undelivered without any report of their loss back to the sending device. The higher-level protocols that use IP must implement their own reliability procedures if reliable communication is required. For instance, many upper-layer protocols, such as HTTP, require the use of a TCP header containing acknowledged sequence numbers to provide reliable delivery. Other higher-level protocols, such as Trivial File Transfer Protocol (TFTP), contain code that provides reliable delivery by the application itself.

It is important to understand that the purpose of ICMP control messages is to provide feedback about problems in the communication environment, not to make IP reliable. With ICMP, there are still no guarantees that a datagram will be delivered or a control message will be returned. The ICMP messages typically report errors in the processing of datagrams. And, fortunately, to avoid an infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages.

ICMP, which is documented in RFC 792, is a required protocol that is tightly integrated with IP. ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation. As a paradox, since ICMP uses IP, ICMP packet delivery is, in itself, considered unreliable. As a result, hosts cannot always count on receiving ICMP packets for all network problems. Some of ICMP’s functions are to:

  • Announce network errors
  • Announce network congestion
  • Assist troubleshooting
  • Announce timeouts

One of these functions, assisting troubleshooting, is referred to as a ping. ICMP provides an Echo function, which sends a packet on a round trip between two hosts. The ICMP ping function transmits a series of packets to a destination device, measures the average round-trip time and computes the packet loss percentage. (As an aside, the ICMP ping function is also commonly referred to as the Packet Internet Groper.)
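The Echo exchange described above, as an added Python example that is not part of the original article: it builds and parses ICMP Echo messages using the RFC 792 header layout and the RFC 1071 checksum, then derives loss and average round-trip time while discarding a corrupted reply. The function names, the identifier 0x1234, the payload and the timings are constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers from RFC 792

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type, code 0, checksum, identifier, sequence number, then data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    if len(packet) < 8:
        raise ValueError("an ICMP echo header is 8 bytes")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "valid": checksum(packet) == 0}  # a correct message sums to zero

def ping_stats(ident: int, sent: dict, replies: list) -> dict:
    """sent maps seq -> send time (ms); replies holds (raw bytes, receive ms)."""
    rtts = {}
    for raw, recv_ms in replies:
        msg = parse_echo(raw)
        ours = (msg["valid"] and msg["type"] == ECHO_REPLY and msg["code"] == 0
                and msg["id"] == ident and msg["seq"] in sent)
        if ours and msg["seq"] not in rtts:  # count duplicates once
            rtts[msg["seq"]] = recv_ms - sent[msg["seq"]]
    loss = 100.0 * (len(sent) - len(rtts)) / len(sent)
    avg = sum(rtts.values()) / len(rtts) if rtts else None
    return {"received": len(rtts), "loss_pct": loss, "avg_rtt_ms": avg}

def demo() -> dict:
    """Constructed run: four probes, two good replies, one corrupted, one lost."""
    ident, data = 0x1234, b"constructed-probe"
    sent = {seq: (seq - 1) * 1000 for seq in range(1, 5)}
    bad = bytearray(build_echo(ECHO_REPLY, ident, 3, data))
    bad[-1] ^= 0x01  # flip one bit so the checksum no longer verifies
    replies = [(build_echo(ECHO_REPLY, ident, 1, data), 12),
               (build_echo(ECHO_REPLY, ident, 2, data), 1020),
               (bytes(bad), 2015)]
    return ping_stats(ident, sent, replies)
```

A missing reply and a reply that fails checksum verification both count as loss here, which is why a filtered path and a damaged path look the same from the sender's side.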

As some of you may have guessed, ping was named after the pulses of sound made by a sonar device, since its operation is analogous to active sonar in submarines. With a sonar system, an operator issues a pulse of energy toward a target – a ping – which then bounces back from the target and is received by the operator. As the name implies, the pulse of energy in sonar is analogous to a network packet in a ping message.

The ping function was developed in December 1983, as a tool for troubleshooting odd behavior on an IP network. It has been hailed over the years as a critical tool in assisting the diagnosis of Internet connectivity issues. However, the usefulness of ICMP ping was reduced in late 2003. With the growth of the World Wide Web, a group of Internet Service Providers began filtering out ICMP Type 8 Echo request messages at their network boundaries.

Unfortunately, this action was necessary because of the increasing use of ping functionality for target reconnaissance by Internet worms such as Welchia. These worms flood the Internet with ping requests to locate new hosts to infect. Not only did the availability of ping responses leak information to an attacker, it also added to the overall load on networks, which caused problems for routers across the Internet.

In addition, although RFC 1122 prescribes that any host must accept an echo-request and issue an echo-reply in return, this is now considered a security risk. Thus, hosts that no longer follow this standard are becoming more prevalent on the public Internet and cannot be pinged.

Author: David Stahl
