
A Ping issued but what happens in the Network? Part-1


Ping is a standard utility program available on most computers. A ping utility sends test messages from the computer to a remote device over a TCP/IP network. Besides determining whether the remote computer is currently online, ping also provides indicators of the general speed or reliability of network connections.

Everybody knows that the ping utility is used to check network connectivity between two hosts, but what happens when a user issues a ping? This article explains the basics of what happens on a network when a ping is issued. Imagine the following scenario:

You have PC-A in subnet 192.168.1.0/24, PC-B in subnet 192.168.2.0/24 and a router connected to both subnets. You need to check if PC-A can connect to PC-B.

The IP addresses and MAC addresses used in this example:

PC-A
192.168.1.10 MAC Address 00:00:00:00:00:10 
Default Gateway 192.168.1.15

Router Interface E0 
192.168.1.15 MAC Address 00:00:00:00:00:15

Router Interface E1 
192.168.2.20 MAC Address 00:00:00:00:00:20

PC-B 
192.168.2.25 MAC Address 00:00:00:00:00:25
Default Gateway 192.168.2.20

A user on PC-A types in “ping 192.168.2.25”

The first thing that happens is that ICMP creates the data (an alphabet). IP on PC-A creates a packet containing the Destination IP Address 192.168.2.25, the Source IP Address 192.168.1.10, the data, and a protocol field. The protocol field tells the receiving host which protocol to pass the data to; in this example the protocol field would be set to 0x1h to indicate ICMP. (0x indicates that what follows is a hexadecimal number.)

Once the packet has been created, ARP (Address Resolution Protocol) is used to identify the MAC address of the destination host. This can happen in a number of ways. First, ARP checks its cache to see if it has a match for the Destination IP Address. If not, ARP sends out an ARP broadcast to the Ethernet MAC broadcast address (FF:FF:FF:FF:FF:FF).

“Who has 192.168.2.25? Please tell **********”?
You will notice that PC-A is asking for replies to be sent to the MAC address. This is because computers communicate only with MAC addresses on LANs (Local Area Networks).

If no response is received by PC-A, then ARP and IP assume that 192.168.2.25 is on a remote subnet and therefore requires routing. At this point the IP address and the MAC address of the default gateway are required. On a Windows machine the registry is consulted in order to get the IP address of the default gateway (192.168.1.15). ARP then consults its cache to see if it has a match for the IP address of the default gateway; if not, another ARP broadcast is sent.

[Figure: IP addresses and ARP]

“Who has 192.168.1.15? Please tell **********”?
Because this is a broadcast, ALL hosts on the 192.168.1.0/24 subnet will receive this frame. The router interface E0 will read the frame and identify itself as the interface with the requested IP address. The router will then reply.
“I have 192.168.1.15. MAC address is **********”
As the request asked for a reply direct to PC-A the frame sent from the router will be directed towards PC-A and not sent as a broadcast. The router will also cache the MAC address of PC-A, which it received via the broadcast sent by ARP to locate the MAC address of the router.

Once IP at PC-A has received the message from the router interface, it will pass the packet created earlier and the Destination MAC address down to the Data Link Layer.

[Figure: Ping Command]

The Data Link Layer creates a frame containing the Destination MAC address, the Source MAC address, an FCS (Frame Check Sequence, used to verify the data has not been corrupted) and an Ether_Type field; in this example the field will be set to 0x8 to indicate IP. This frame encapsulates the packet passed down from IP at the Network Layer. The MAC address of the router is also cached in the ARP cache on PC-A.

Once the frame has been created it is passed down to the Physical Layer, where the frame is placed onto the wire one bit at a time. Every host on subnet 192.168.1.0/24 will receive this frame, build it, and check the Destination MAC address; if it is not a match the frame is discarded. At the router interface, E0, the Destination MAC address is a match. The router then checks the Ether_Type field (0x8 = IP), pulls the packet from the frame, discards the frame and passes the packet up to IP at the Network Layer.

At the Network Layer the Destination IP address is checked to see if it is a match. In this example the Destination IP address is 192.168.2.25, whereas the IP address of the router interface which received the frame is 192.168.1.15, so it is not a match. The router then consults its routing table for the destination IP network address (192.168.2.0). If there is no match in the routing table, the packet is discarded and a “Destination Network unavailable” message is returned to PC-A.

If there is a match in the routing table then the router will switch the packet to the interface configured to send information to the destination IP Network Address, in this example E1.

Interface E1 now needs to know the MAC address of the machine with IP address 192.168.2.25. The first thing it does is check the ARP cache; finding no match in the cache, E1 then sends out an ARP broadcast.

Note: *Because of the character limit here I have to publish it in two parts; please manage to read it completely to get the thorough idea.*

posted May 23, 2014 by Ankur Athari



Related Articles

“Who has 192.168.2.25? Please tell 000000000020”
Because PC-B is on the same subnet as E1, PC-B responds:

“I have 192.168.2.25. MAC address is 0000000025”
IP at Interface E1, on the router, then passes the packet (created at PC-A) and the Destination MAC address for 192.168.2.25 down to the Data Link Layer. The Data Link Layer then creates a frame containing the Destination MAC address, Source MAC address, FCS and an Ether_Type field (again set to 0x1h to indicate IP), which encapsulates the IP packet.
(The MAC address of PC-B is placed into the ARP cache on Interface E1, and the MAC address of interface E1 is placed into the cache of PC-B.)

The frame is then passed down to the Physical Layer to be placed on the wire one bit at a time. Again, all hosts on the 192.168.2.0/24 subnet will receive the frame, build it, check it and discard it, with the exception of PC-B, which will match the Destination MAC address. PC-B will then check the Ether_Type field, pull the packet from the frame, discard the frame and pass the packet to the protocol indicated in the Ether_Type field, in this example IP.

IP then checks the Destination IP address in the packet and finds a match. It will then check the Protocol field (0x1h = ICMP) and pass the data to ICMP. ICMP recognises that the data sent is an echo request, and will then create an echo response message.

The echo response is then passed to IP, which will build a packet consisting of the Destination IP address (192.168.1.10), the Source IP address (192.168.2.25), the data from ICMP, and the protocol field. Once the packet is built, the MAC address for the IP address 192.168.1.10 is required. ARP checks its cache; if there is no match, an ARP broadcast is sent.

[Figure: PING ICMP Header]

“Who has 192.168.1.10? Please tell 000000000025”
Because 192.168.1.10 is on a remote subnet, and routers do not pass broadcasts, there is no response.

The default gateway is then required for PC-B. The default gateway is configured as 192.168.2.20 and the ARP cache is checked. As PC-B cached the MAC address of interface E1, a match is found and there is no need to send out an ARP broadcast.

Now that the MAC address of the default gateway has been resolved, the packet and the Destination MAC address are passed down to the Data Link Layer.

At the Data Link Layer a frame is built which consists of the Destination MAC address, the Source MAC address, the FCS and the Ether_Type field (again set to 0x8 to indicate IP). The frame encapsulates the packet passed down from IP. The complete frame is then passed down to the Physical Layer to be put onto the wire one bit at a time.

At Interface E1 of the router, the frame is received, and the Destination MAC address is checked and found to be a match. The Ether_Type field is then checked, the packet is pulled from the frame, the frame is discarded and the packet is passed to IP, as indicated in the Ether_Type field.

IP on E1 checks the IP destination address and finds it is not a match. It then consults the routing table for the IP Network Address (192.168.1.0/24). If a match is found, the packet is switched to the interface configured for the 192.168.1.0/24 network, in this example E0.

If no match is found then the packet is discarded. PC-A will receive a time-out error in this case, as the time set to receive replies has been exceeded. A destination network unavailable message is NOT sent to PC-A. If the message could be sent to PC-A then the router would obviously have a route to PC-A’s network and then would not need to generate the message!!

On Interface E0, the interface configured for 192.168.1.0/24, IP and ARP will then locate the MAC address for the IP address 192.168.1.10. ARP checks the cache, because the MAC address for PC-A was cached on the outgoing trip, there is a match and the packet and frame are then passed down to the Data Link Layer.

The Data Link Layer will then build a frame, consisting of the Destination MAC address, the Source MAC address, Ether_Type field and the FCS. This frame encapsulates the packet passed down from IP and then passes the frame down to the Physical Layer to be placed onto the wire, one bit at a time.

PC-A receives the frame sent from interface E0 on the router, checks the MAC address, finds a match, reads the Ether_Type field, pulls the packet from the frame, discards the frame and passes the packet to IP as indicated in the Ether_Type field. IP checks the Destination IP address and finds a match. IP will then read the Protocol field (0x1h = ICMP) and pass the data to ICMP.

ICMP recognises the data as an echo response. ICMP acknowledges receipt by sending information to the user interface (“!” with Cisco routers, “Reply from 192.168.2.25” and additional information in Windows), and then builds another echo request and the whole process begins again.

The above is designed to give an overview of what happens on the network when data is sent from one machine to another. It is by no means to be considered complete, as there are additional parameters which can be configured and created both within the IP packet and the Data-Link frame. The above assumes the use of Ethernet_II frames on the network. No matter how big the network or how many routers the data passes through, the process is identical to the above.
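The two legs of the walk-through above, as an added example that is not part of the original article: a small Python simulation of the scenario's ARP caches and router. It goes slightly beyond the text by choosing the next hop from the /24 prefix (on-link destination or default gateway), which is how IP stacks normally decide, rather than from an unanswered ARP broadcast; the router is assumed to route only between its two connected subnets, and all function names are illustrative.

```python
import ipaddress

# Scenario from the article. Host: (IP/prefix, MAC, default gateway).
HOSTS = {"PC-A": ("192.168.1.10/24", "00:00:00:00:00:10", "192.168.1.15"),
         "PC-B": ("192.168.2.25/24", "00:00:00:00:00:25", "192.168.2.20")}
# Router interface: (IP/prefix, MAC).
ROUTER = {"E0": ("192.168.1.15/24", "00:00:00:00:00:15"),
          "E1": ("192.168.2.20/24", "00:00:00:00:00:20")}
# IP -> (owning node, MAC): stands in for whoever answers an ARP broadcast.
OWNER = {v[0].split("/")[0]: (n, v[1]) for n, v in HOSTS.items()}
OWNER.update({v[0].split("/")[0]: ("router", v[1]) for v in ROUTER.values()})

def new_state():  # empty ARP caches plus a count of ARP broadcasts sent
    return {"cache": {"PC-A": {}, "PC-B": {}, "router": {}}, "broadcasts": 0}

def resolve(state, node, my_ip, my_mac, ip):
    """ARP: answer from node's cache, or broadcast once and let both sides learn."""
    cache = state["cache"][node]
    if ip not in cache:
        state["broadcasts"] += 1
        owner, mac = OWNER[ip]
        cache[ip] = mac
        state["cache"][owner][my_ip] = my_mac  # the target caches the requester
    return cache[ip]

def in_net(ip, iface):
    return ipaddress.ip_address(ip) in ipaddress.ip_interface(iface).network

def send(state, src, dst_ip):
    """Return one (src MAC, dst MAC, src IP, dst IP) tuple per subnet crossed."""
    iface, mac, gateway = HOSTS[src]
    src_ip = iface.split("/")[0]
    hop = dst_ip if in_net(dst_ip, iface) else gateway  # on-link or via gateway
    frames = [(mac, resolve(state, src, src_ip, mac, hop), src_ip, dst_ip)]
    if hop == dst_ip:
        return frames
    for r_iface, r_mac in ROUTER.values():  # routing table: connected networks
        if in_net(dst_ip, r_iface):
            r_ip = r_iface.split("/")[0]
            r_dst = resolve(state, "router", r_ip, r_mac, dst_ip)
            frames.append((r_mac, r_dst, src_ip, dst_ip))
            break
    return frames  # one frame only means the router had no route and dropped it

if __name__ == "__main__":
    st = new_state()
    for leg in (send(st, "PC-A", "192.168.2.25"), send(st, "PC-B", "192.168.1.10")):
        for f in leg:
            print("src_mac=%s dst_mac=%s src_ip=%s dst_ip=%s" % f)
```

The MAC addresses are rewritten at the router while the IP addresses stay the same end to end, and the reply leg sends no new ARP broadcasts because every cache was filled on the outgoing trip.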

Running Ping Continuously:
On some computers (particularly those running Linux), the standard ping program does not stop running after four request attempts but instead runs until the user ends it. That is useful for those wanting to monitor the status of a network connection over longer periods of time. In Microsoft Windows, type "ping -t" instead of "ping" at the command line to launch the program in this continuously running mode (and use the Control-C key sequence to stop it).

THE PING PROCESS

Step 1-

The source host generates an ICMP protocol data unit.

Step 2-

The ICMP PDU is encapsulated in an IP datagram, with the source and destination IP addresses in the IP header. At this point the datagram is most properly referred to as an ICMP ECHO datagram, but we will call it an IP datagram from here on since that's what it looks like to the networks it is sent over.

Step 3-

The source host notes the local time on its clock as it transmits the IP datagram towards the destination. Each host that receives the IP datagram checks the destination address to see if it matches its own address or is the all-hosts address (all 1's in the host field of the IP address).

Step 4-

If the destination IP address in the IP datagram does not match the local host's address, the IP datagram is forwarded to the network where the IP address resides.

Step 5-

The destination host receives the IP datagram and finds a match between itself and the destination address in the IP datagram.

Step 6-

The destination host notes the ICMP ECHO information in the IP datagram, performs any necessary work, then destroys the original IP/ICMP ECHO datagram.

Step 7-

The destination host creates an ICMP ECHO REPLY and encapsulates it in an IP datagram, placing its own IP address in the source IP address field and the original sender's IP address in the destination field of the IP datagram.

Step 8-

The new IP datagram is routed back to the originator of the PING. The host receives it, notes the time on the clock and finally prints PING output information, including the elapsed time.

The process above is repeated until all requested ICMP ECHO packets have been sent and their responses have been received or the default 2-second timeout has expired. The default 2-second timeout is local to the host initiating the PING and is NOT the Time-To-Live value in the datagram.

NOTES ON 'FAILED' RESPONSES

Note that an ICMP ECHO REPLY might return after the default 2-second timeout. Thus the packet did return, it just did not do so in the 2 seconds allotted. When experiencing so-called packet loss when using ping, it is always a good idea to increase the default 2-second timeout to see if packets are no longer being dropped. If increasing the default timeout value seems to improve performance by reducing packet loss, then your problem is NOT a packet loss issue; it is a congestion issue caused by high load at one of the following locations (in order of frequency):

1. Your own Internet connection to your ISP
2. The remote server
3. The remote host's connection to their ISP
4. A peering point between two ISPs which your traffic transits over
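Steps 1 to 8 and the late-reply note above, as an added example that is not from the original article: it builds an ICMP echo request, answers it as the destination host would, and labels each sequence number as ok, late or lost against the 2-second timeout. The identifier, payload and timestamps used with it are constructed sample values, and the function names are illustrative.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP header (type, code 0, checksum, identifier, sequence) + payload."""
    zeroed = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    ck = checksum(zeroed + payload)
    return struct.pack("!BBHHH", icmp_type, 0, ck, ident, seq) + payload

def parse_echo(packet):
    """Return (type, ident, seq, payload), or None if short or corrupted."""
    if len(packet) < 8 or checksum(packet) != 0:
        return None
    icmp_type, _code, _ck, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]

def answer(request):
    """Destination host (steps 5-7): echo the identifier, sequence and data back."""
    parsed = parse_echo(request)
    if parsed is None or parsed[0] != ECHO_REQUEST:
        return None
    _type, ident, seq, payload = parsed
    return build_echo(ECHO_REPLY, ident, seq, payload)

def classify(ident, sent, received, timeout=2.0):
    """sent: {seq: send time}; received: [(arrival time, packet)], in seconds."""
    result = {seq: "lost" for seq in sent}
    for t_recv, packet in received:
        parsed = parse_echo(packet)
        if not parsed or parsed[0] != ECHO_REPLY or parsed[1] != ident:
            continue  # not a valid reply to this ping session
        seq = parsed[2]
        if seq in sent:
            result[seq] = "ok" if t_recv - sent[seq] <= timeout else "late"
    return result
```

A sequence number labelled late is a reply that did arrive, only after the timeout; rerunning `classify` with a larger `timeout` moves it to ok, while a truly lost one stays lost.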

Large companies maintaining websites (e.g. Google, Yahoo, Microsoft, CNN, AOL etc.) usually monitor their Internet connections to help them prepare for upgrades to their Internet provider before any serious issues arise. They keep a five-minute running average byte count of the input and output of each Internet pipe and trend the utilization over weeks, months and years. This gives them the ability to predict when they will run out of bandwidth under normal usage.
