
How Ping Works -- THE PING PROCESS

1. The source host generates an ICMP protocol data unit.

2. The ICMP PDU is encapsulated in an IP datagram, with the source and destination IP
addresses in the IP header. At this point the datagram is most properly referred to
as an ICMP ECHO datagram, but we will call it an IP datagram from here on since
that's what it looks like to the networks it is sent over.

3. The source host notes the local time on its clock as it transmits the IP datagram
towards the destination. Each host that receives the IP datagram checks the
destination address to see if it matches its own address or is the all-hosts
address (all 1's in the host field of the IP address).

4. If the destination IP address in the IP datagram does not match the local host's
address, the IP datagram is forwarded to the network where the IP address resides.

5. The destination host receives the IP datagram and finds a match between its own
address and the destination address in the IP datagram.

6. The destination host notes the ICMP ECHO information in the IP datagram, performs
any necessary work, then destroys the original IP/ICMP ECHO datagram.

7. The destination host creates an ICMP ECHO REPLY and encapsulates it in an IP
datagram, placing its own IP address in the source IP address field and the original
sender's IP address in the destination field of the IP datagram.

8. The new IP datagram is routed back to the originator of the PING. The host receives
it, notes the time on its clock and finally prints the PING output information,
including the elapsed time.

9. The process above is repeated until all requested ICMP ECHO packets have been sent
and their responses have been received, or the default 2-second timeout expires. The
default 2-second timeout is local to the host initiating the PING and is NOT the
Time-To-Live value in the datagram.

Ping

The basic ping command syntax is "ping hostname". For example, "ping
visualroute.com" and the output might look like:

TTL reply: Ping sends an ICMP echo packet (with the TTL value set to the host
default) to the host listed on the ping command line. Ping expects back an ICMP
'echo reply' packet. The millisecond time displayed is the round trip time. The
"TTL=245" above says that the incoming ICMP echo reply packet has its TTL field set
to 245. Because this value was decremented by one at each hop on the way back, this
tells us that visualroute.com is probably setting the initial TTL value to 255.

TTL Expired in Transit: Most computers today initialize the TTL value of outgoing
IP packets to 128 or higher. If you ever see a reply above with a "TTL=5" (or some
other low TTL number) this tells you that the computer being pinged should most
likely have its default TTL value increased. Otherwise, anyone trying to
communicate with the computer from a hop count higher than the TTL will not
be able to reach it. For example, if you are 40 hops away from
www.xyz.com, and www.xyz.com sets the TTL field in the IP packets it sends out to 32,
those IP packets will not reach you. They will 'expire in transit' before they reach
you.

Discover your TTL: To discover the default TTL value of your computer, 'ping
localhost' and examine the TTL reply value. For older Windows machines this value
is 32. For newer Windows machines, this value is 128.
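The echo exchange from the ping process above and the reply-TTL reasoning from the TTL sections, as an added example that is not part of the original page: it builds the ICMP ECHO PDU a source host would send, produces the ECHO REPLY the destination returns (same identifier, sequence and payload, type 0), verifies the RFC 1071 checksum, and infers the sender's initial TTL from the observed reply TTL. The list of common initial TTLs (32, 64, 128, 255) is an assumption; the page itself cites only 32, 128 and 255.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# Assumed set of common OS default TTLs, ascending (32 and 128 are the Windows values the page cites).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length PDU with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo Request (type 8) or Echo Reply (type 0) PDU with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pdu: bytes) -> dict:
    """Decode an echo PDU; over a valid PDU the checksum recomputed with the field in place is 0."""
    if len(pdu) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pdu[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pdu[8:], "checksum_ok": icmp_checksum(pdu) == 0}


def reply_for(request: bytes) -> bytes:
    """What the destination host does: echo id, seq and payload back as an ECHO REPLY."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def infer_initial_ttl(observed_ttl: int) -> tuple:
    """Guess the replying host's initial TTL (smallest common default not below the observed
    value) and the number of hops the reply crossed, e.g. TTL=245 -> (255, 10)."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl
```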

How Traceroute Works

Traceroute transmits packets with small TTL values. Recall that the TTL (Time To
Live) is an IP header field that is designed to prevent packets from running in
loops. Every router that handles a packet subtracts one from the packet's TTL. If
the TTL reaches zero, the packet has expired and is discarded. Traceroute depends
on the common router practice of sending an ICMP Time Exceeded message, documented
in RFC 792, back to the sender when this occurs. By using small TTL values which
quickly expire, traceroute causes routers along a packet's normal delivery path to
generate these ICMP messages which identify the router. A TTL value of one should
produce a message from the first router; a TTL value of two generates a message
from the second; etc.

How tracert works: Tracert sends out an ICMP echo packet to the named host, but with
a TTL of 1; then with a TTL of 2; then with a TTL of 3, and so on. Tracert will then
get a 'TTL expired in transit' message back from each router until the destination host
computer is finally reached and responds with the standard ICMP 'echo reply'
packet.

How Trace Route Works: TTLs --

TTL stands for Time To Live. When a TCP packet is sent, its TTL is set, which is
the number of routers (hops) it can pass through before the packet is discarded. As
the packet passes through a router the TTL is decremented until, when the TTL
reaches zero, the packet is destroyed and an ICMP "time exceeded" message is
returned. The return message's TTL is set by the terminating router when it creates
the packet, and decremented normally.

Trace Route works by setting the TTL for a packet to 1, sending it towards the
requested destination host, and listening for the reply. When the initiating
machine receives a "time exceeded" response, it examines the packet to determine
where the packet came from - this identifies the machine one hop away. Then the
tracing machine generates a new packet with TTL 2, and uses the response to
determine the machine 2 hops away, and so on.

Unfortunately not all TCP stacks behave correctly. Some TCP stacks set the TTL for
the ICMP "time exceeded" message to that of the message being killed. So if the TTL
is 0, the packet will be killed by the next machine to which it is passed. This can
have two effects on a trace. If the computer is an intermediate machine in the
trace, the entry will remain blank. No information is returned to the machine
conducting the trace because the "time exceeded" message never makes it back. If
the machine you are doing a trace to has this bug in its TCP stack, return packets
won't reach the originating machine unless the TTL is high enough to cover the
round trip. So Trace Route will show a number of failed connections equal to n (the
number of hops to the destination machine) minus 1.

How the Traceroute Command Works:

IP packets have a field in their header called TTL (time to live), a value that is
set when the packet is first sent and decreases by one for each router it passes
through. This helps prevent routing loops: when a packet's TTL reaches 0, the router
that discards it sends a message back to the sender stating that the packet never
reached its destination.

Say for example we have 3 locations, location1, location2 and location3; to reach
location3 from location1, we must go through location2. Traceroute takes advantage
of TTLs by setting them low. For example, if you did a traceroute from location1 to
location3, traceroute would set the TTL to 1 to start with; once the packet
reached location2 its TTL would be decreased to 0, and a TTL expired error would be
returned to the origin (location1). Traceroute can continue finding the
path by incrementing the TTL until it finally reaches its destination.
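The traceroute procedure described in the sections above, as an added example that is not from the original page: a small model of a path in which every router decrements the probe's TTL and originates an ICMP Time Exceeded when it hits zero, the destination answers with an echo reply, and the reply must itself survive the trip back. The `buggy` flag models the stack bug discussed earlier (reply TTL copied from the dying probe), which produces the blank entries and the n-1 failed probes the text describes. Node names, the 64 default TTL and the path layouts are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    initial_ttl: int = 64   # assumed TTL this node puts on ICMP messages it originates
    buggy: bool = False     # the bug from the text: reply TTL copied from the expiring probe


def send_probe(path, probe_ttl):
    """Forward one probe along path (routers first, destination host last).
    Returns (hop_number, kind, reply_ttl) for the ICMP message that comes back."""
    ttl = probe_ttl
    routers, dest = path[:-1], path[-1]
    for hop, router in enumerate(routers, start=1):
        ttl -= 1                                   # every router subtracts one
        if ttl == 0:
            # expired in transit: this router originates ICMP Time Exceeded
            return hop, "time-exceeded", (ttl if router.buggy else router.initial_ttl)
    # the probe reached the destination host, which answers the echo
    return len(path), "echo-reply", (ttl if dest.buggy else dest.initial_ttl)


def reply_reaches_origin(hop, reply_ttl):
    """The reply crosses hop-1 routers on the way back and must still have TTL >= 1."""
    return reply_ttl - (hop - 1) >= 1


def traceroute(path, max_hops=30):
    """Raise the probe TTL from 1 until the destination's echo reply arrives.
    Each entry is the responding node's name, or None for a blank (timed-out) line."""
    trace = []
    for probe_ttl in range(1, max_hops + 1):
        hop, kind, reply_ttl = send_probe(path, probe_ttl)
        if reply_reaches_origin(hop, reply_ttl):
            trace.append(path[hop - 1].name)
            if kind == "echo-reply":
                break                              # destination reached; stop probing
        else:
            trace.append(None)
    return trace


if __name__ == "__main__":
    # constructed paths: a clean one, a buggy intermediate router, and a buggy destination
    print(traceroute([Node("r1"), Node("r2"), Node("dest")]))
    print(traceroute([Node("r1"), Node("r2", buggy=True), Node("dest")]))
    print(traceroute([Node("r1"), Node("r2"), Node("r3"), Node("dest", buggy=True)]))
```

With the buggy destination four hops away, the probes with TTL 4, 5 and 6 come back with too little TTL to survive the three routers on the return path, so the trace shows three blank lines (n-1 for n=4) before the reply to the TTL-7 probe finally arrives.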
