ping

ping is a computer network tool used to test whether a particular host is reachable across an IP
network; it is also used to self test the network interface card of the computer, or as a latency
test. It works by sending ICMP “echo request” packets to the target host and listening for ICMP
“echo response” replies. The "echo response" is sometimes called a pong. Ping measures the
round-trip time[1] and records any packet loss, and prints when finished a statistical summary of
the echo response packets received, the minimum, mean, max and in some versions the standard
deviation of the round trip time.

The word ping is also frequently used as a noun or verb, where it is used to refer to the round-trip
time, or measuring the round-trip time.[citation needed]

The tool is also used in a type of simple denial-of-service attack, known as a ping flood, in which
the attacker overwhelms the victim with ICMP echo request packets.

[edit] History
A server denying a ping request because of the request's size.

Mike Muuss wrote the program in December, 1983, as a tool to troubleshoot odd behavior on an
IP network. He named it after the pulses of sound made by a sonar, since its operation is
analogous to active sonar in submarines, in which an operator issues a pulse of sound at the
target, which then bounces from the target and is received by the operator. (The pulse of sound in
sonar is analogous to a network packet in ping).[1][2]

The usefulness of ping in assisting the "diagnosis" of Internet connectivity issues was impaired
from late in 2003, when a number of Internet Service Providers began filtering out ICMP Type 8
(echo request) messages at their network boundaries.

This was partly due to the increasing use of ping for target reconnaissance, for example by
Internet worms such as Welchia that flood the Internet with ping requests in order to locate new
hosts to infect. Not only did the availability of ping responses leak information to an attacker, it
added to the overall load on networks, causing problems for routers across the Internet.

Although RFC 1122 prescribes that any host must accept an echo-request and issue an echo-
reply in return, this is supposedly a security risk. Thus, hosts that no longer follow this standard
are frequent on the public Internet.
[edit] ICMP packet
ICMP packet
  Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31
Type of
Version/IHL Length
service
Identification flags and offset
IP Header
Time To Live
(160 bits OR 20 Bytes) Protocol Checksum
(TTL)
Source IP address
Destination IP address
Type of message Code Checksum
ICMP Payload
Quench
(64+ bits OR 8+ Bytes)
Data (optional)

Generic composition of an ICMP packet[3]

 Header (in blue):

o Protocol set to 1 and Type of Service set to 0.
 Payload (in red):
o Type of ICMP message (8 bits)
o Code (8 bits)
o Checksum (16 bits), calculated with the ICMP part of the packet (the header is not
used)
o The ICMP 'Quench' (32 bits) field, which in this case (ICMP echo request and
replies), will be composed of identifier (16 bits) and sequence number (16 bits).
o Data load for the different kind of answers (Can be an arbitrary length, left to
implementation detail. However must be less than the maximum MTU of the
network[citation needed]).
 Data Transportation

Note that ICMP (and therefore Ping) resides on the Network layer (level 3) of the OSI (Open
Systems Interconnection) model. This is the same layer as IP (Internet Protocol). Consequently,
Ping does not use a port for communication.

[edit] Sample pinging

[edit] Sample with Linux

The following is a sample output of pinging en.wikipedia.org under Linux with the iputils
version of ping:
 This article may contain original research or unverified claims. Please improve the article
by adding references. See the talk page for details. (September 2009)
admin@localhost# ping en.wikipedia.org
PING rr.pmtpa.wikimedia.org (66.230.200.100) 56(84) bytes of data.
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=1 ttl=52
time=87.7 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=2 ttl=52
time=95.6 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=3 ttl=52
time=85.4 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=4 ttl=52
time=95.8 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=5 ttl=52
time=87.0 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=6 ttl=52
time=97.6 ms

--- rr.pmtpa.wikimedia.org ping statistics ---

10 packets transmitted, 10 received, 0% packet loss, time 8998ms
rtt min/avg/max/mdev = 78.162/89.213/97.695/6.836 ms

This output shows that en.wikipedia.org is a DNS CNAME record for

rr.pmtpa.wikimedia.org which then resolves to 66.230.200.100.

The output then shows the results of making 10 pings to 66.230.200.100 with the results
summarized at the end. (To stop the program in Linux or Windows, press Ctrl+C.)

 shortest round trip time was 78.162 milliseconds

 average round trip time was 89.213 milliseconds
 maximum round trip time was 97.695 milliseconds
 Standard deviation of the round-trip time was 6.836 milliseconds

While a ping session is running, under some Linux systems, you can get the overall status of the
session without quitting by sending the Ctrl+\ key combination. This will give you a summary
similar to the following.

6/6 packets, 0% loss, min/avg/ewma/max = 15.304/23.188/20.446/53.673 ms

[edit] Sample with Windows

The following is a sample output of pinging en.wikipedia.org under Windows (Windows 7

used in the following example) from within the Command Prompt:

Pinging rr.pmtpa.wikimedia.org [208.80.152.2] with 32 bytes of data:

Reply from 208.80.152.2: bytes=32 time=80ms TTL=53
Reply from 208.80.152.2: bytes=32 time=81ms TTL=53
Reply from 208.80.152.2: bytes=32 time=84ms TTL=53
Reply from 208.80.152.2: bytes=32 time=84ms TTL=53

Ping statistics for 208.80.152.2:

 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 80ms, Maximum = 84ms, Average = 82ms

Windows appears not to inform the user about duplicated return packets.

While a ping session is running you can get the overall status of the session without quitting by
sending the Ctrl+Break key combination.

[edit] Sample with Mac OS X

The following is a sample output of pinging en.wikipedia.org under Mac OS X Leopard using
the Terminal:

Macintosh:~ user$ ping -c 10 en.wikipedia.org

PING rr.knams.wikimedia.org (91.198.174.2): 56 data bytes
64 bytes from 91.198.174.2: icmp_seq=0 ttl=53 time=40.019 ms
64 bytes from 91.198.174.2: icmp_seq=1 ttl=53 time=47.502 ms
64 bytes from 91.198.174.2: icmp_seq=2 ttl=53 time=43.208 ms
64 bytes from 91.198.174.2: icmp_seq=3 ttl=53 time=50.851 ms
64 bytes from 91.198.174.2: icmp_seq=4 ttl=53 time=46.556 ms
64 bytes from 91.198.174.2: icmp_seq=5 ttl=53 time=42.180 ms
64 bytes from 91.198.174.2: icmp_seq=6 ttl=53 time=49.853 ms
64 bytes from 91.198.174.2: icmp_seq=7 ttl=53 time=45.556 ms
64 bytes from 91.198.174.2: icmp_seq=8 ttl=53 time=41.186 ms
64 bytes from 91.198.174.2: icmp_seq=9 ttl=53 time=48.836 ms

--- rr.knams.wikimedia.org ping statistics ---

10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 40.019/45.575/50.851/3.588 ms

While a ping session is running you can get the overall status of the session without quitting by
sending the Ctrl+t key combination. This will give you a summary similar to the following.

load: 0.37 cmd: ping 1748 running 0.01u 0.07s

255/255 packets received (100%) 18.827 min / 19.975 avg / 29.200 max

[edit] Message format

[edit] Echo request

The echo request is an ICMP message whose data is expected to be received back in an echo
reply ("ping"). The host must respond to all echo requests with an echo reply containing the
exact data received in the request message.

 Type must be set to 8.

 Code must be set to 0.
  The Identifier and Sequence Number can be used by the client to match the reply with the
request that caused the reply. In practice, most Linux systems use a unique identifier for
every ping process, and sequence number is an increasing number within that process.
Windows uses a fixed identifier, which varies between Windows versions, and a
sequence number that is only reset at boot time.
 The data received by the Echo Request must be entirely included in the Echo Reply.

[edit] Echo reply

The echo reply is an ICMP message generated in response to an echo request, and is mandatory
for all hosts and routers.

0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Type = 0 Code = 0 Header Checksum

Identifier Sequence Number

Data :::

 Type and code must be set to 0.

 The identifier and sequence number can be used by the client to determine which echo
requests are associated with the echo replies.
 The data received in the echo request must be entirely included in the echo reply.

[edit] Other replies

In case of error, destination host or intermediate router will send back an ICMP error message,
i.e. host unreachable or TTL exceeded in transit. This messages additionally have first 8 bytes of
original message (in this case header of ICMP echo request, including quench value), so ping
utility can match it to originating query.[citation needed]

[edit] Payload
The payload of the packet is generally filled with letters of the alphabet as this ASCII tcpdump
shows

16:24:47.966461 IP (tos 0x0, ttl 128, id 15103, offset 0, flags [none],

proto: ICMP (1), length: 60) 192.168.146.22 > 192.168.144.5: ICMP echo
request,
id 1, seq 38, length 40
0x0000: 4500 003c 3aff 0000 8001 5c55 c0a8 9216 E..<:.....\U....
0x0010: c0a8 9005 0800 4d35 0001 0026 6162 6364 ......M5...&abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi

Some values of this payload indicates timestamp when message was sent to the network. This
allows to compute round trip time in stateless manner - ping doesn't need to remember anywhere
internally what and when packets was sent. When they return, all the data needed will be
contained in the message. In case of no answer and no error message, most implementation of
ping displays nothing, or periodically prints notification about timeout.[citation needed]

[edit] In gaming
Main article: ping (video gaming)

In various network multiplayer games, the server notes the time it requires for a game packet to
reach a client and a response to be received. This round-trip time is usually reported as the
player's 'ping'. It is used as an effective measurement of the player's latency, with lower ping
times being desirable. Note that this style of ping typically does not use ICMP packets.

[edit] In common usage

The term 'ping' is commonly used to indicate an effectively contentless message. For instance, a
short or empty instant message, email, voice mail or "missed call" notification can be used to
indicate availability, or anything else that can be conveyed with a single bit of information at a
given time.

Occasionally Packet InterNet Groper is suggested as a retronym or backronym, but the original
author of ping says that it is based on the sound of a sonar return.[1].

The term 'ping' has been generalized to a word used to query if someone is available over Instant
Messenger.[citation needed] The term is typically used in this fashion among computer professionals or
other people who are familiar with the ping utility and its functionality.[citation needed]

[edit] See also

 bing, ping with added throughput measurements
 dping, IBM AIX command included in IBM Cluster Systems Management for sending
ICMP packets to multiple hosts in parallel
 fping, command for sending ICMP packets to multiple hosts in parallel
 List of DOS commands
 List of Unix utilities
 Ping of death
  Ping (video gaming)
 traceroute, my traceroute
 SING stands for 'Send ICMP Nasty Garbage' a tool found on some unix systems.

[edit] References
1. ^ a b c "The Story of the PING Program". http://ftp.arl.mil/~mike/ping.html. Retrieved 29
December 2008.
2. ^ Salus, Peter (1994). A Quarter Century of UNIX. Addison-Wesley. ISBN 0201547775.
3. ^ RFC 792

[edit] External links

 ping(8): send ICMP ECHO_REQUEST to network hosts – Linux man page
 Ping Simulation
 WikiHow: To PING an IP address

The word ping is also frequently used as a noun or verb, where it is used to refer to the round-trip
time, or measuring the round-trip time.[citation needed]

The tool is also used in a type of simple denial-of-service attack, known as a ping flood, in which
the attacker overwhelms the victim with ICMP echo request packets.

[edit] History
A server denying a ping request because of the request's size.

Mike Muuss wrote the program in December, 1983, as a tool to troubleshoot odd behavior on an
IP network. He named it after the pulses of sound made by a sonar, since its operation is
analogous to active sonar in submarines, in which an operator issues a pulse of sound at the
target, which then bounces from the target and is received by the operator. (The pulse of sound in
sonar is analogous to a network packet in ping).[1][2]

The usefulness of ping in assisting the "diagnosis" of Internet connectivity issues was impaired
from late in 2003, when a number of Internet Service Providers began filtering out ICMP Type 8
(echo request) messages at their network boundaries.

This was partly due to the increasing use of ping for target reconnaissance, for example by
Internet worms such as Welchia that flood the Internet with ping requests in order to locate new
hosts to infect. Not only did the availability of ping responses leak information to an attacker, it
added to the overall load on networks, causing problems for routers across the Internet.
Although RFC 1122 prescribes that any host must accept an echo-request and issue an echo-
reply in return, this is supposedly a security risk. Thus, hosts that no longer follow this standard
are frequent on the public Internet.

Generic composition of an ICMP packet[3]

 Header (in blue):

o Protocol set to 1 and Type of Service set to 0.
 Payload (in red):
o Type of ICMP message (8 bits)
o Code (8 bits)
o Checksum (16 bits), calculated with the ICMP part of the packet (the header is not
used)
o The ICMP 'Quench' (32 bits) field, which in this case (ICMP echo request and
replies), will be composed of identifier (16 bits) and sequence number (16 bits).
o Data load for the different kind of answers (Can be an arbitrary length, left to
implementation detail. However must be less than the maximum MTU of the
network[citation needed]).
 Data Transportation

Note that ICMP (and therefore Ping) resides on the Network layer (level 3) of the OSI (Open
Systems Interconnection) model. This is the same layer as IP (Internet Protocol). Consequently,
Ping does not use a port for communication.

[edit] Sample pinging

[edit] Sample with Linux

The following is a sample output of pinging en.wikipedia.org under Linux with the iputils
version of ping:

This article may contain original research or unverified claims. Please improve the article
by adding references. See the talk page for details. (September 2009)
admin@localhost# ping en.wikipedia.org
PING rr.pmtpa.wikimedia.org (66.230.200.100) 56(84) bytes of data.
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=1 ttl=52
time=87.7 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=2 ttl=52
time=95.6 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=3 ttl=52
time=85.4 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=4 ttl=52
time=95.8 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=5 ttl=52
time=87.0 ms
64 bytes from rr.pmtpa.wikimedia.org (66.230.200.100): icmp_seq=6 ttl=52
time=97.6 ms
--- rr.pmtpa.wikimedia.org ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 8998ms
rtt min/avg/max/mdev = 78.162/89.213/97.695/6.836 ms

This output shows that en.wikipedia.org is a DNS CNAME record for

rr.pmtpa.wikimedia.org which then resolves to 66.230.200.100.

The output then shows the results of making 10 pings to 66.230.200.100 with the results
summarized at the end. (To stop the program in Linux or Windows, press Ctrl+C.)

 shortest round trip time was 78.162 milliseconds

 average round trip time was 89.213 milliseconds
 maximum round trip time was 97.695 milliseconds
 Standard deviation of the round-trip time was 6.836 milliseconds

While a ping session is running, under some Linux systems, you can get the overall status of the
session without quitting by sending the Ctrl+\ key combination. This will give you a summary
similar to the following.

6/6 packets, 0% loss, min/avg/ewma/max = 15.304/23.188/20.446/53.673 ms

[edit] Sample with Windows

The following is a sample output of pinging en.wikipedia.org under Windows (Windows 7

used in the following example) from within the Command Prompt:

Pinging rr.pmtpa.wikimedia.org [208.80.152.2] with 32 bytes of data:

Reply from 208.80.152.2: bytes=32 time=80ms TTL=53
Reply from 208.80.152.2: bytes=32 time=81ms TTL=53
Reply from 208.80.152.2: bytes=32 time=84ms TTL=53
Reply from 208.80.152.2: bytes=32 time=84ms TTL=53

Ping statistics for 208.80.152.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 80ms, Maximum = 84ms, Average = 82ms

Windows appears not to inform the user about duplicated return packets.

While a ping session is running you can get the overall status of the session without quitting by
sending the Ctrl+Break key combination.

[edit] Sample with Mac OS X

The following is a sample output of pinging en.wikipedia.org under Mac OS X Leopard using
the Terminal:
Macintosh:~ user$ ping -c 10 en.wikipedia.org
PING rr.knams.wikimedia.org (91.198.174.2): 56 data bytes
64 bytes from 91.198.174.2: icmp_seq=0 ttl=53 time=40.019 ms
64 bytes from 91.198.174.2: icmp_seq=1 ttl=53 time=47.502 ms
64 bytes from 91.198.174.2: icmp_seq=2 ttl=53 time=43.208 ms
64 bytes from 91.198.174.2: icmp_seq=3 ttl=53 time=50.851 ms
64 bytes from 91.198.174.2: icmp_seq=4 ttl=53 time=46.556 ms
64 bytes from 91.198.174.2: icmp_seq=5 ttl=53 time=42.180 ms
64 bytes from 91.198.174.2: icmp_seq=6 ttl=53 time=49.853 ms
64 bytes from 91.198.174.2: icmp_seq=7 ttl=53 time=45.556 ms
64 bytes from 91.198.174.2: icmp_seq=8 ttl=53 time=41.186 ms
64 bytes from 91.198.174.2: icmp_seq=9 ttl=53 time=48.836 ms

--- rr.knams.wikimedia.org ping statistics ---

10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 40.019/45.575/50.851/3.588 ms

While a ping session is running you can get the overall status of the session without quitting by
sending the Ctrl+t key combination. This will give you a summary similar to the following.

load: 0.37 cmd: ping 1748 running 0.01u 0.07s

255/255 packets received (100%) 18.827 min / 19.975 avg / 29.200 max

[edit] Message format

[edit] Echo request

The echo request is an ICMP message whose data is expected to be received back in an echo
reply ("ping"). The host must respond to all echo requests with an echo reply containing the
exact data received in the request message.

0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Type = 8 Code = 0 Header Checksum

Identifier Sequence Number

Data :::

 Type must be set to 8.

 Code must be set to 0.
  The Identifier and Sequence Number can be used by the client to match the reply with the
request that caused the reply. In practice, most Linux systems use a unique identifier for
every ping process, and sequence number is an increasing number within that process.
Windows uses a fixed identifier, which varies between Windows versions, and a
sequence number that is only reset at boot time.
 The data received by the Echo Request must be entirely included in the Echo Reply.

[edit] Echo reply

The echo reply is an ICMP message generated in response to an echo request, and is mandatory
for all hosts and routers.

0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Type = 0 Code = 0 Header Checksum

Identifier Sequence Number

Data :::

 Type and code must be set to 0.

 The identifier and sequence number can be used by the client to determine which echo
requests are associated with the echo replies.
 The data received in the echo request must be entirely included in the echo reply.

[edit] Other replies

In case of error, destination host or intermediate router will send back an ICMP error message,
i.e. host unreachable or TTL exceeded in transit. This messages additionally have first 8 bytes of
original message (in this case header of ICMP echo request, including quench value), so ping
utility can match it to originating query.[citation needed]

[edit] Payload
The payload of the packet is generally filled with letters of the alphabet as this ASCII tcpdump
shows

16:24:47.966461 IP (tos 0x0, ttl 128, id 15103, offset 0, flags [none],

proto: ICMP (1), length: 60) 192.168.146.22 > 192.168.144.5: ICMP echo
request,
id 1, seq 38, length 40
0x0000: 4500 003c 3aff 0000 8001 5c55 c0a8 9216 E..<:.....\U....
0x0010: c0a8 9005 0800 4d35 0001 0026 6162 6364 ......M5...&abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi

Some values of this payload indicates timestamp when message was sent to the network. This
allows to compute round trip time in stateless manner - ping doesn't need to remember anywhere
internally what and when packets was sent. When they return, all the data needed will be
contained in the message. In case of no answer and no error message, most implementation of
ping displays nothing, or periodically prints notification about timeout.[citation needed]

[edit] In gaming
Main article: ping (video gaming)

In various network multiplayer games, the server notes the time it requires for a game packet to
reach a client and a response to be received. This round-trip time is usually reported as the
player's 'ping'. It is used as an effective measurement of the player's latency, with lower ping
times being desirable. Note that this style of ping typically does not use ICMP packets.

[edit] In common usage

The term 'ping' is commonly used to indicate an effectively contentless message. For instance, a
short or empty instant message, email, voice mail or "missed call" notification can be used to
indicate availability, or anything else that can be conveyed with a single bit of information at a
given time.

Occasionally Packet InterNet Groper is suggested as a retronym or backronym, but the original
author of ping says that it is based on the sound of a sonar return.[1].

The term 'ping' has been generalized to a word used to query if someone is available over Instant
Messenger.[citation needed] The term is typically used in this fashion among computer professionals or
other people who are familiar with the ping utility and its functionality.[citation needed]

[edit] See also

 bing, ping with added throughput measurements
 dping, IBM AIX command included in IBM Cluster Systems Management for sending
ICMP packets to multiple hosts in parallel
 fping, command for sending ICMP packets to multiple hosts in parallel
 List of DOS commands
 List of Unix utilities
 Ping of death
  Ping (video gaming)
 traceroute, my traceroute
 SING stands for 'Send ICMP Nasty Garbage' a tool found on some unix systems.

[edit] References
1. ^ a b c "The Story of the PING Program". http://ftp.arl.mil/~mike/ping.html. Retrieved 29
December 2008.
2. ^ Salus, Peter (1994). A Quarter Century of UNIX. Addison-Wesley. ISBN 0201547775.
3. ^ RFC 792

[edit] External links

 ping(8): send ICMP ECHO_REQUEST to network hosts – Linux man page
 Ping Simulation
 WikiHow: To PING an IP address