Ping
Ping was written in 1983 by the late Michael John Muuss
at the Ballistic Research Laboratory (BRL), later known
as the Army Research Laboratory (ARL). I was a longtime
friend and coworker of Mike, and was around when he wrote
ping (and ttcp). It is often said that ping stands for
"Packet InterNet Grouper", but this is not the case. It
was named after the "ping" sound that SONAR makes, since
ping sends out an ICMP ECHO_Request and waits for an ICMP
ECHO_Reply to come back. See Mike's story of ping for more
history.
Ping Example
% ping sgi.com
PING sgi.com (192.48.153.65) from 192.12.65.23 : 56(84) bytes of data.
64 bytes from SGI.COM (192.48.153.65): icmp_seq=0 ttl=241 time=66.092 msec
64 bytes from SGI.COM (192.48.153.65): icmp_seq=1 ttl=241 time=54.753 msec
64 bytes from SGI.COM (192.48.153.65): icmp_seq=2 ttl=241 time=55.036 msec
--- sgi.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/mdev = 54.753/58.627/66.092/5.279 ms
Note that some pings start with sequence number 0 while others
start with sequence number 1.
How many bytes are in a ping packet?
+--------------------+--------+----------------//---------------+
|      20 IPv4       | 8 ICMP | (-s## payload, default = 56)    |
+--------------------+--------+----------------//---------------+
                               ^^^^^^^^
                               First 8 bytes are the timestamp
The default user payload is 56 bytes (can be changed with -s count).
Along with the 8-byte ICMP header this makes up the "64 bytes" that ping
says it received (i.e. the IP payload was 64 bytes). Including the
20-byte IP header, it sent/received 84 bytes. If this was on Ethernet
there was another 14 bytes of Ethernet header, so your packet sniffer
will probably say 98 bytes captured. There was also a 4-byte CRC trailer
on Ethernet for a total of 102 bytes, but the CRC bytes are usually
thrown away after checking them.
What's in those data bytes?
Ping fills the payload with bytes counting from 0 to 255 (0xff) and
repeats.
The first 8 bytes of the ICMP payload are overwritten with a UNIX
timeval which has the current time in seconds (4 bytes) and microseconds
(4 bytes) since January 1, 1970. If the payload is less than 8 bytes,
no round trip time will be given. The first byte after the timeval
will be 0x08, and so on.
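The byte counts and payload layout from the two sections above, as an added example that is not part of the original page: it builds an ECHO_Request with the counting fill and 8-byte timeval, then parses it back, verifies the ICMP checksum, and reports whether the payload still matches the fill ping is described as using. The function names, the sample id and timestamp, and the big-endian timeval encoding are assumptions made for this constructed sample.

```python
import struct

ICMP_ECHO_REQUEST = 8                               # ICMP type of ECHO_Request
IP_HDR, ICMP_HDR, ETH_HDR, ETH_CRC = 20, 8, 14, 4   # sizes quoted in the text

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident, seq, sec, usec, size=56):
    """Build an ECHO_Request: counting fill, first 8 bytes overwritten by timeval."""
    payload = bytearray(i & 0xFF for i in range(size))
    if size >= 8:
        # Assumption: big-endian 4+4 byte timeval for this constructed sample.
        payload[:8] = struct.pack("!II", sec, usec)
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq)
    return hdr + bytes(payload)

def parse_echo(icmp: bytes) -> dict:
    """Parse an ICMP echo message and compare its payload with the described fill."""
    if len(icmp) < ICMP_HDR:
        raise ValueError("shorter than the 8-byte ICMP header")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:ICMP_HDR])
    payload = icmp[ICMP_HDR:]
    has_ts = len(payload) >= 8          # below 8 bytes there is no timestamp
    start = 8 if has_ts else 0
    return {
        "type": typ, "id": ident, "seq": seq,
        "checksum_ok": inet_checksum(icmp) == 0,   # valid message sums to zero
        "timeval": struct.unpack("!II", payload[:8]) if has_ts else None,
        "fill_ok": all(b == (start + i) & 0xFF
                       for i, b in enumerate(payload[start:])),
        "ip_bytes": IP_HDR + len(icmp),                       # "56(84)"
        "sniffer_bytes": ETH_HDR + IP_HDR + len(icmp),        # as captured
        "wire_bytes": ETH_HDR + IP_HDR + len(icmp) + ETH_CRC, # with CRC trailer
    }
```

A payload that fails `fill_ok` is not necessarily hostile, since other ping implementations may fill the data bytes differently, but it does show the packet was not produced with the layout described here.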
UDP vs. ICMP for measurements
Why do some network measurement tools use ICMP and some use UDP?
One key reason to use UDP is so that you can play with the Time To
Live (TTL) field. When the TTL reaches zero, an ICMP TTL_Exceeded
message is returned to the sender. This will not happen
for ICMP packets (like ping packets) since you are not allowed to
send ICMP messages in response to ICMP packets. Thus tools like
traceroute use UDP with different TTL settings and depend on
getting an ICMP Port_Unreachable reply back from the final
destination address (last hop).
P. Dykstra, phil@sd.wareonearth.com, Dec 2001