The Anatomy of a Packet Path (ICMP) from Source to Destination
Two of the most common tasks that are performed by a network engineer are using ping and using traceroute (tracert). An experienced engineer is able to use these commands to achieve an understanding of a number of different problems; these skills mainly come from an understanding of how the IP packet is structured and how traffic is routed. This article takes a look at how the IP packet is structured and routed, and then reviews how both the ping and traceroute (tracert) utilities use IP/ICMP packets to perform their functions.
IP Packet and IP Packet Routing
Before the analysis of a packet path can really begin, some amount of knowledge in how an IP packet is structured is required. Figure 1 below shows the fields that exist within the IPv4 header.
Figure 1 IPv4 Header
When using the ping utility, the engineer needs to have a basic idea of how a packet is routed from a source to destination; as the details of IP routing are contained within many pages of various books, this article will only cover the basic idea of IP routing. When an IP packet is sent from a source to destination there are a few steps that are taken to determine how exactly the sending devices treats the packet. If the packet is destined for another IP address within the same subnet, the packet will simply be sent using Layer 2 techniques (i.e. ARP). If the packet is destined to a separate subnet, the device will review its existing routing table for a specific known path to the intended destination. If this route exists, the packet is sent along this known path; if a specific route is not known, a default route is used, if it exists; if neither of these exist then the packet is dropped and an error given. (What and how the ping utility operates is covered in more detail in the What is a Ping section.) The traceroute utility also requires an understanding of IP routing but also knowledge of how the Time to Live (TTL) field is used within the IP packet; further information about the mechanics of how traceroute works will be discussed in the What is Traceroute section.
What is a Ping?
At its most basic, the ping command is a utility that is used to send 4 or 5 Internet Control Message Protocol (ICMP) packets from a source to a destination using a small buffer size and a simple payload (on Microsoft it is a 32-byte payload with contents being the alphabet from ‘a’ through ‘w’ repeating). Ping itself is a very simple command that can help an engineer figure out a number of things. For example, if the ping is successful, then the path from source to destination is working with no problems; if there is a failure, it tells the engineer that it is not working. An engineer also has the ability to change the ping parameters. For example, they could troubleshoot packet size issues along the path by changing the buffer size or verify working interfaces by changing the number of packets sent to the destination to determine interface consistency. These are just a few of the situations where the ping utility can be a valuable asset to a network engineer.
What is Traceroute?
As stated above, traceroute (Tracert) utilizes the TTL field within the IPv4 header. The TTL field provides the ability to limit the number of hops that will be taken by a specific IP packet. For example, if a packet is never to go over one hop away from a source then the TTL will always be set to 1. The traceroute utility uses this mechanism to find the specific path that a packet is taking from source to destination. The first packet will be sent out using a TTL of 1; if it reaches the destination then a response will tell the utility to stop continuing to look for further hops. If the destination is not reached, the next packet will be sent with a TTL of 2, and this process will repeat until the destination is reached; the responses that are returned from each iteration are compiled by the utility to visualize the path from source to destination. Knowing what path a packet is taking from a source to destination can be used for a number of different troubleshooting situations.
Ping Packet Analysis
In this section, we’ll take a look at the specific traffic that is sent from the ping utility to solidify the ideas covered above, by showing a few figures that display captures taken of ICMP packets sent by the ping utility. Figure 2 shows the capture of the initial ICMP request packet that is sent to a destination; this capture is using the ping utility provided by Microsoft Windows which sends four ICMP requests.
Figure 2 ICMP Request
As can be seen from the capture, the ping command issued was ping 192.168.1.1 with the default settings (4 requests with a 32 byte payload). Figure 3 shows the first ICMP reply from the destination that verifies that the destination is reachable.
Figure 3 ICMP Reply
As is shown, this Request/Reply is completed four times which confirms a consistent path from the source to destination.
Traceroute (tracert) Packet Analysis
In line with what was covered in the Ping Packet Analysis section, this section shows a few figures of ICMP packets sent using the tracert Windows utility. It is, however, important to point out that the operation of the tracert Windows utility and the traceroute Linux and Cisco IOS utilities is slightly different; the tracert utility utilizes ICMP to perform a trace of a route from source to destination, while the traceroute utility utilities UDP/IP. This can be confusing in some circumstances because many network devices automatically will drop ICMP requests due to security concerns; this makes the results from the tracert utility look inconclusive. However, most of the same network devices will allow the UDP traffic which can make the results from the traceroute utility look more complete.
Figure 4 below shows the initial ICMP packet that is sent from the command tracert 10.1.221.1.
Figure 4 Traceroute (tracert) Hop 1
The captures show that this packet is sent using a TTL value of 1 and a TTL exceeded message is returned telling the source device that the destination has not been reached yet. Another thing that should be noticed is that by default, the tracert utility sends three identical ICMP request packets (using TTL of 1); this is to gauge the response time from the source to each hop. Figure 5 shows the first packet that is sent using a TTL of 2 with a following ICMP reply, which tells the source device that the destination was reached.
Figure 5 Traceroute(tracert) Hop 2
With just a little knowledge of how IP/ICMP operates a wealth of information can be obtained and used in a number of situations. These simple utilities are used by every level of network engineer from the new engineers just getting their feet wet to the most experienced network architects; any upcoming network engineers should ensure that they are familiar with them, how they work and how they can be used. Hopefully you now have enough information to get started in this endeavor and will help in future situations.