Computer NetworksPing and Traceroute

Ping and Traceroute: Network Diagnostic Tools

LevelIntermediate

Duration75 mins

TopicPing and Traceroute

1 / 5

Echo Request/Reply: The Foundation of Network Reachability Testing

The First Question in Network Troubleshooting

When a network connection fails, the first question every engineer asks is deceptively simple: "Is the destination reachable at all?" Before diving into application logs, firewall rules, or DNS configurations, you need to know whether IP packets can even reach their target and return.

This fundamental question is answered by the ICMP Echo Request/Reply mechanism—the networking equivalent of calling out "Hello!" into a canyon and listening for the echo. It's the most basic form of network communication verification, yet its simplicity belies a sophisticated design that has remained largely unchanged since its standardization in RFC 792 (September 1981).

Understanding Echo Request/Reply isn't just about knowing how ping works—it's about grasping the foundational mechanism that underpins nearly all network diagnostic tools. Whether you're debugging connectivity issues at 3 AM, designing network monitoring systems, or implementing custom health checks, the concepts in this page form the bedrock of your diagnostic toolkit.

What You Will Master

By the end of this page, you will understand the complete lifecycle of ICMP Echo messages—from the exact byte-level format of Echo Request and Reply packets, through the significance of each header field, to the protocol-level mechanics that make reliable reachability testing possible. You'll also understand the historical context and design decisions that shaped this critical protocol.

ICMP in the Protocol Stack

Before dissecting Echo Request/Reply, we must understand where ICMP fits in the network architecture. This positioning is crucial because it explains both the capabilities and limitations of ICMP-based diagnostics.

ICMP: A Network Layer Protocol with a Twist

The Internet Control Message Protocol (ICMP) occupies an unusual position in the TCP/IP stack. It sits at the Network Layer (Layer 3), alongside IP itself, but is technically encapsulated within IP packets. This creates an interesting duality:

ICMP's Dual Nature

•Peer of IP: ICMP operates at the same conceptual layer as IP, providing control and error messaging for the network layer
•Encapsulated by IP: ICMP messages are carried as the payload of IP packets, with IP Protocol Number 1
•Required by IP: Every IP implementation MUST include ICMP—it's not optional
•No Port Concept: Unlike TCP/UDP, ICMP doesn't use ports; message types serve as the disambiguation mechanism

ICMP Packet Encapsulation Structure
Layer	Component	Key Fields for Echo
Data Link (L2)	Ethernet Frame	Source/Dest MAC, EtherType (0x0800 for IPv4)
Network (L3)	IP Header	Protocol=1 (ICMP), Source/Dest IP, TTL
Network (L3)	ICMP Header	Type (8 or 0), Code (0), Checksum
Network (L3)	ICMP Echo Data	Identifier, Sequence Number, Payload

Why This Architecture Matters

The encapsulation of ICMP within IP has profound implications for network diagnostics:

Universal Reachability Testing: Because ICMP is mandatory in IP implementations, Echo Request/Reply works with any IP-capable device (unless explicitly blocked)
Router Processing: Routers must process ICMP messages—they can generate them (for errors), forward them, and respond to them (for Echo directed at the router itself)
End-to-End Semantics: ICMP Echo tests the complete IP path from source to destination, traversing all intermediate routers and links
Firewall Visibility: ICMP traffic is distinct from TCP/UDP, allowing firewalls to apply specific policies (which is why some networks block ping)

RFC 792: The Foundation

ICMP was defined in RFC 792 by Jon Postel in September 1981—making it one of the oldest protocols still in daily use. The Echo Request/Reply mechanism is specified in just two paragraphs, yet these few sentences define the behavior of billions of ping commands executed daily.

Echo Request (Type 8) and Echo Reply (Type 0)

ICMP defines numerous message types for different control and error scenarios. Echo Request and Echo Reply are the simplest and most widely used:

Type 8: Echo Request

The Echo Request message is sent by a host to request an echo (response) from another host. The key characteristics are:

Direction: Source → Destination
Purpose: "Are you there? Can you copy back what I send you?"
Expected Response: Echo Reply with identical data
Common Generators: ping utility, monitoring systems, load balancers

Type 0: Echo Reply

The Echo Reply message is the mandatory response to an Echo Request:

Direction: Destination → Source
Purpose: "Yes, I'm here. Here's your data back."
Generation Rule: MUST be generated for every received Echo Request (unless blocked by policy)
Data Integrity: Payload MUST match the original Echo Request exactly

Echo Request Properties

•ICMP Type: 8
•ICMP Code: 0 (always)
•Initiated by: Source host
•Requires: IP connectivity
•Payload: Arbitrary data (for matching)
•Addressing: Unicast or broadcast

Echo Reply Properties

•ICMP Type: 0
•ICMP Code: 0 (always)
•Generated by: Destination host
•Requires: Successful request receipt
•Payload: Copied from request
•Addressing: Unicast only

The Code Field Mystery

You may notice that the Code field is always 0 for both Echo Request and Reply. This stands in contrast to other ICMP types (like Destination Unreachable) where the Code distinguishes sub-types. For Echo messages, the Code field is reserved and must be zero. Some implementations have (incorrectly) used non-zero Code values for experimental purposes, but compliant implementations should reject or ignore such deviations.

Historical Note on Type Numbering

The choice of Type 8 for Request and Type 0 for Reply isn't arbitrary. In the original ICMP design, Type 0 was assigned as the first 'positive' response type, while requests were grouped in a higher range. This seemingly minor detail has persisted for over 40 years—a testament to the stability of foundational internet protocols.

Memorization Aid

Remember: When you send an Echo Request (Type 8), you're hoping to get 'nothing' back problems-wise, just a clean Echo Reply. Type 0 = 'Zero problems, message received!' Type 8 = 'Ate (8) my message, please respond!'

ICMP Echo Header Format: Byte-Level Analysis

Understanding the exact byte-level format of ICMP Echo messages is essential for network engineers, protocol developers, and anyone implementing or analyzing ping-like tools. The ICMP Echo message follows this precise structure:

ICMP Echo Message Format

Text

┌─────────────────────────────────────────────────────────────────────┐
│                    ICMP Echo Request/Reply Format                    │
├─────────────────────────────────────────────────────────────────────┤
│ Byte Offset │  0-1  │  2-3  │  4-5  │  6-7  │  8+              │
├─────────────────────────────────────────────────────────────────────┤
│             │ Type  │ Code  │    Checksum    │                      │
│             │ (1B)  │ (1B)  │     (2B)       │                      │
├─────────────┼───────┴───────┴────────────────┤                      │
│             │     Identifier (2 bytes)       │   Data Payload       │
│             ├────────────────────────────────┤   (Variable length)  │
│             │  Sequence Number (2 bytes)     │                      │
└─────────────┴────────────────────────────────┴──────────────────────┘
 
Minimum ICMP Echo Message: 8 bytes (header only, no payload)
Typical ICMP Echo Message: 64 bytes (8-byte header + 56-byte payload)
Maximum ICMP Echo Message: Limited by IP MTU (typically ~65507 bytes)

Let's examine each field in detail:

Type (1 byte, offset 0)

The Type field identifies the ICMP message type:

8 (0x08): Echo Request
0 (0x00): Echo Reply

This single byte determines whether the message is asking a question or providing an answer.

Code (1 byte, offset 1)

For Echo messages, the Code is always 0. This field is used by other ICMP message types to provide sub-categorization (e.g., different reasons for 'Destination Unreachable'), but Echo messages don't need this granularity.

Checksum (2 bytes, offset 2-3)

The Checksum field contains the 16-bit one's complement of the one's complement sum of the entire ICMP message (header + data). This checksum:

Covers: All ICMP bytes (Type, Code, Checksum, Identifier, Sequence, Data)
Does NOT cover: IP header (which has its own checksum)
Purpose: Detect corruption during transmission
Calculation: Sender sets checksum to 0, computes sum, stores result

Checksum Algorithm Detail

The one's complement checksum algorithm: (1) Treat the data as 16-bit words, (2) Sum all words with end-around carry, (3) Take the one's complement of the final sum. When verifying, computing the checksum over the entire message (including the checksum field) should yield all 1s (0xFFFF) if the message is intact.

Identifier (2 bytes, offset 4-5)

The Identifier field serves a critical role in matching replies to requests. Because multiple ping processes might run simultaneously on the same host, each needs a way to recognize its own replies:

Typical Value: Process ID (PID) of the ping process
Purpose: Demultiplex replies when multiple echo sessions are active
Persistence: Remains constant across all packets in one ping session
Matching Rule: Echo Reply must copy the Identifier from the Echo Request

Sequence Number (2 bytes, offset 6-7)

The Sequence Number field tracks individual packets within a ping session:

Initial Value: Typically starts at 0 or 1
Increment: Increased by 1 for each subsequent Echo Request
Purpose: Detect packet loss, reordering, and duplication
Range: 0 to 65,535 (wraps around in long-running sessions)
Matching Rule: Echo Reply must copy the Sequence Number from the Echo Request

ICMP Echo Header Fields Summary
Field	Size	Offset	Echo Request Value	Echo Reply Behavior
Type	1 byte	0	8	Changed to 0
Code	1 byte	1	0	Copied (stays 0)
Checksum	2 bytes	2-3	Computed	Recomputed (different due to Type change)
Identifier	2 bytes	4-5	Set by sender	Copied exactly
Sequence Number	2 bytes	6-7	Incremented	Copied exactly

The Data Payload: More Than Random Bytes

Following the 8-byte ICMP Echo header comes the data payload—a variable-length field that is echoed back unchanged by the destination. While seemingly simple, the payload serves multiple critical functions in network diagnostics.

Purposes of the Echo Payload

•Timestamp for RTT Calculation: Ping implementations embed a departure timestamp in the payload. When the reply arrives, the sender subtracts the embedded time from the current time to calculate Round-Trip Time (RTT).
•Data Integrity Verification: By echoing the exact bytes sent, we verify not just IP reachability, but data integrity across the network path.
•Packet Size Testing: Different payload sizes test different aspects of the network (fragmentation behavior, buffer handling, MTU compliance).
•Pattern Detection: Known patterns in the payload can help identify bit errors, byte reordering, or truncation by misbehaving equipment.
•Matching Replies to Requests: The payload provides additional context for matching (beyond just Identifier and Sequence).

Standard Payload Sizes

Different environments use varying payload sizes:

Environment	Total ICMP Size	Payload Size	Total IP Packet
Windows ping	40 bytes	32 bytes	60 bytes
Linux/Unix ping	64 bytes	56 bytes	84 bytes
macOS ping	64 bytes	56 bytes	84 bytes
Cisco IOS	100 bytes	72 bytes	100 bytes

Payload Content Conventions

What goes in the 56 bytes of a typical Unix ping payload?

Typical Unix Ping Payload Structure
C
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
/* Standard BSD ping payload structure */
struct ping_payload {
    /* Bytes 0-7: Unix timestamp (struct timeval) */
    uint32_t tv_sec;      // Seconds since epoch
    uint32_t tv_usec;     // Microseconds
    
    /* Bytes 8-55: Pattern data */
    uint8_t pattern[48];  // Typically: 0x08, 0x09, 0x0a... incremental
};
 
/* Example raw payload (56 bytes, hexadecimal):
 * 
 * Timestamp: 65 A7 B6 8F  00 0D 2E 10  (8 bytes: sec + usec)
 * Pattern:   08 09 0A 0B  0C 0D 0E 0F  (remaining bytes)
 *            10 11 12 13  14 15 16 17
 *            18 19 1A 1B  1C 1D 1E 1F
 *            20 21 22 23  24 25 26 27
 *            28 29 2A 2B  2C 2D 2E 2F
 *            30 31 32 33  34 35 36 37
 */

Custom Patterns for Debugging

Network engineers often use custom patterns to diagnose specific issues:

All Zeros (0x00): Test for stuck-at-one bit errors
All Ones (0xFF): Test for stuck-at-zero bit errors
Alternating (0xAA, 0x55): Test for cross-talk between adjacent wires
Walking Ones/Zeros: Systematically test each bit position
Sequential Bytes (0x00, 0x01, 0x02...): Detect byte reordering or truncation

The -p option in Unix ping allows specifying custom patterns:

# Send ping with alternating bit pattern
ping -p aa55 192.168.1.1

# Send ping with all zeros pattern
ping -p 00 192.168.1.1

The Payload Echo Requirement

RFC 792 mandates: 'The data received in the echo message must be returned in the echo reply message.' ANY modification to the payload by intermediate devices or the destination indicates a protocol violation or malicious tampering. This makes Echo Request/Reply valuable for detecting man-in-the-middle attacks that corrupt data.

The Echo Exchange Process: Step by Step

Let's trace the complete lifecycle of an ICMP Echo exchange, from initiation to completion. Understanding this process reveals the elegant simplicity of the Echo protocol and the numerous opportunities for failure that diagnostic tools help identify.

Echo Request/Reply Lifecycle

•Request Initiation: The ping process creates an ICMP Echo Request packet with Type=8, sets the Identifier to its PID, initializes Sequence Number, embeds timestamp in payload, and computes the checksum.
•IP Encapsulation: The operating system wraps the ICMP message in an IP packet with Protocol=1, sets source and destination IP addresses, assigns a TTL value (typically 64 or 128), and passes the packet to the network interface.
•Outbound Transmission: The packet is framed for the local network (e.g., Ethernet), ARP resolution obtains the next-hop MAC address (router or direct destination), and the frame is transmitted on the wire.
•Network Transit: Each intermediate router decrements the TTL, recomputes the IP header checksum, performs routing lookup, and forwards to the next hop. If TTL reaches 0, the router drops the packet and sends ICMP Time Exceeded.
•Destination Reception: The destination's IP layer receives the packet, verifies the IP header checksum, recognizes Protocol=1 (ICMP), and passes the ICMP message to the ICMP handler.
•Echo Processing: The ICMP handler validates the ICMP checksum, recognizes Type=8 (Echo Request), creates an Echo Reply (Type=0) copying the Identifier, Sequence, and payload, and recomputes the ICMP checksum.
•Reply Transmission: The IP layer creates a new IP packet with source/destination reversed, wraps the Echo Reply, assigns TTL, and transmits. The reply packet follows its own (potentially different) network path back.
•Reply Reception: The original sender receives the reply, extracts the timestamp from payload, computes RTT, matches Identifier/Sequence to the pending request, and reports success.

Converting Mermaid diagram...

Potential Failure Points

At each stage of this process, multiple failure modes are possible:

Stage	Potential Failures	Observable Symptom
Request Initiation	Socket creation fails, no network interface	Immediate error message
IP Encapsulation	No route to host	ICMP Destination Unreachable (Network)
Outbound Transmission	ARP failure	Request timeout (no reply)
Network Transit (forward)	Link down, routing loop	TTL Exceeded or Destination Unreachable
Destination Reception	Firewall blocks ICMP	Request timeout
Echo Processing	Host too busy, ICMP rate limited	Delayed or dropped replies
Reply Transmission	Reverse path failure	Request timeout
Network Transit (return)	Asymmetric routing issues	Request timeout or high RTT
Reply Reception	Wrong Identifier	Reply discarded (wrong session)

Asymmetric Routing Complexity

The forward path (request) and return path (reply) may traverse completely different routes. A success only confirms that SOME path exists in both directions—not that the same path works both ways. This is important when diagnosing one-way connectivity issues.

Identifier and Sequence Number: The Matching Mechanism

The Identifier and Sequence Number fields work together to solve a fundamental problem: How does a host with multiple concurrent ping sessions associate incoming replies with the correct request?

This is trickier than it might seem. Consider a server running:

Network monitoring pinging 100 devices every 5 seconds
A user running ping from the command line
An application performing health checks
Load balancer probing backend servers

All of these generate Echo Requests from the same source IP. When Echo Replies arrive, how do we route them to the correct process?

The Identifier Field Solution

The Identifier field acts like a session identifier or process tag:

Unique per ping session: Each instance of ping (each process) uses a different Identifier
Constant within session: All packets from one ping session share the same Identifier
Copied in replies: The destination MUST copy the Identifier into its reply exactly
Filtering criterion: The sender uses (SourceIP, DestIP, Identifier) to match replies

Common Identifier Assignment Strategies:

Identifier Assignment Strategies
Strategy	Value Source	Pros	Cons
Process ID (PID)	getpid()	Unique per process, easy to debug	Predictable, potential security issue
Random 16-bit	rand()	Less predictable	Possible collisions on busy hosts
Hash-based	hash(target IP + time)	Deterministic, low collision	More complex implementation
Sequential	Global counter	Simple	May collide across restarts

The Sequence Number Field Solution

Within a single ping session, the Sequence Number tracks individual packets:

Unique per packet: Each Echo Request in a session gets a different Sequence Number
Usually incremental: Most implementations start at 0 or 1 and increment by 1
16-bit range: 0 to 65,535—adequate for even long-running ping sessions
Diagnostic value: Enables detecting:
- Packet loss: Missing Sequence Numbers in replies
- Duplication: Same Sequence Number received twice
- Reordering: Sequence Numbers arriving out of order
- Correlation: Match RTT to specific request

Example Scenario:

Multi-Session Echo Matching

Text

# Host 192.168.1.10 running three concurrent ping sessions
 
# Session A: Monitoring tool (PID=1234) pinging 10.0.0.1
Session A sends: Type=8, Identifier=1234, Seq=1  → No reply (lost)
Session A sends: Type=8, Identifier=1234, Seq=2  → Reply received
Session A sends: Type=8, Identifier=1234, Seq=3  → Reply received
 
# Session B: User ping (PID=5678) to 10.0.0.1 (same destination!)
Session B sends: Type=8, Identifier=5678, Seq=1  → Reply received
Session B sends: Type=8, Identifier=5678, Seq=2  → Reply received
 
# Session C: Health check (PID=9012) to 10.0.0.2
Session C sends: Type=8, Identifier=9012, Seq=1  → Reply received
 
# Incoming replies from 10.0.0.1:
Type=0, Identifier=5678, Seq=1 → Matched to Session B (PID 5678)
Type=0, Identifier=1234, Seq=3 → Matched to Session A (PID 1234)
Type=0, Identifier=1234, Seq=2 → Matched to Session A (PID 1234)
Type=0, Identifier=5678, Seq=2 → Matched to Session B (PID 5678)
 
# Notice: Session A never received Seq=1 reply → detected as packet loss

Operating System Implementation Detail

On Unix-like systems, raw socket access requires root privileges. When a non-root user runs ping, it typically runs with setuid root or uses socket capabilities. The kernel's ICMP socket implementation handles the matching internally, delivering replies to the correct process based on the Identifier field.

Echo and Network Security Considerations

ICMP Echo Request/Reply, despite its diagnostic utility, has been involved in numerous security incidents over the decades. Understanding these security dimensions is essential for both network defenders and engineers configuring ICMP handling.

Historical Attack Vectors Using Echo:

ICMP Echo Security Risks

•Ping of Death (1996-1997): Oversized ICMP packets (>65,535 bytes) caused buffer overflows and system crashes in vulnerable TCP/IP stacks. Modern systems are immune, but this attack demonstrated how malformed ICMP could weaponize a diagnostic tool.
•Smurf Attack: Sending Echo Request to a broadcast address with a spoofed source IP. All hosts on the network reply to the victim, creating massive amplification. Countermeasure: Routers now typically block directed broadcast.
•ICMP Flood (Ping Flood): High-rate Echo Requests overwhelming target's network bandwidth or CPU. Simple but effective DoS when attacker has more bandwidth than victim.
•Network Reconnaissance: Echo Reply confirms host existence. Ping sweeps map network addressing before targeted attacks. Many organizations block ICMP Echo to prevent reconnaissance.
•Covert Channels: Payload field can encode hidden data. ICMP tunneling tools (like icmpsh, ptunnel) embed data in Echo payload to bypass firewalls that allow ICMP but block other traffic.
•Timing Attacks: RTT measurements can leak information about network topology, host load, or even cryptographic operations (if timing-sensitive operations correlate with ping responses).

Security Best Practices for ICMP Echo

The security community has developed nuanced recommendations that balance security with operational needs:

ICMP Echo Security Recommendations
Context	Recommendation	Rationale
Internet-facing servers	Rate-limit Echo Reply	Prevents flood amplification while allowing diagnostics
Internal networks	Allow Echo Request/Reply	Internal diagnostics outweigh minimal risk
DMZ hosts	Allow from internal, block from external	Maintain visibility without external exposure
Critical infrastructure	Log all Echo activity	Detect reconnaissance before attacks
Border routers	Rate-limit and respond only to own interfaces	Allow traceroute but limit abuse

The 'Block All ICMP' Anti-Pattern

Some organizations block all ICMP traffic as a 'security' measure. This creates operational blindness: Path MTU Discovery breaks (causing mysterious connection failures), troubleshooting becomes nearly impossible, and network problems become harder to diagnose. A nuanced ICMP policy (rate-limiting, filtering specific types) is far preferable to complete blocking.

Summary: Echo Request/Reply Fundamentals

We've covered the complete technical foundation of ICMP Echo messages. Let's consolidate the essential knowledge:

Key Takeaways

•ICMP Echo is the foundation of reachability testing: Type 8 (Request) asks 'Are you there?' and Type 0 (Reply) confirms 'Yes, I am.'
•The 8-byte header contains critical matching information: Identifier links replies to sessions; Sequence Number tracks individual packets.
•Payload serves multiple purposes: Timestamp embedding enables RTT calculation; data echoing verifies integrity; customizable patterns diagnose specific issues.
•Echo exchanges traverse the complete IP path: Success confirms bidirectional connectivity through all intermediate routers and links.
•Security and diagnostics must be balanced: Rate-limiting and selective filtering are preferable to complete ICMP blocking.
•The protocol has remained unchanged since 1981: Echo Request/Reply is one of the most stable and universally implemented network protocols.

What's Next:

With Echo Request/Reply fundamentals mastered, we're ready to explore how these messages are used in practice. The next page examines Ping Operation—how the ping utility orchestrates Echo exchanges, interprets results, and provides the diagnostic information that network engineers rely on every day.

Page Complete

You now understand the fundamental mechanics of ICMP Echo Request and Reply messages—the building blocks upon which ping, traceroute, and countless other diagnostic tools are built. This knowledge will serve as the foundation for understanding the practical tools and techniques covered in the subsequent pages.

1 / 5

Loading learning content...

Computer NetworksPing and Traceroute

Ping and Traceroute: Network Diagnostic Tools

LevelIntermediate

Duration75 mins

TopicPing and Traceroute

1 / 5

Echo Request/Reply: The Foundation of Network Reachability Testing

The First Question in Network Troubleshooting

What You Will Master

ICMP in the Protocol Stack

ICMP: A Network Layer Protocol with a Twist

ICMP's Dual Nature

•Peer of IP: ICMP operates at the same conceptual layer as IP, providing control and error messaging for the network layer
•Encapsulated by IP: ICMP messages are carried as the payload of IP packets, with IP Protocol Number 1
•Required by IP: Every IP implementation MUST include ICMP—it's not optional
•No Port Concept: Unlike TCP/UDP, ICMP doesn't use ports; message types serve as the disambiguation mechanism

ICMP Packet Encapsulation Structure
Layer	Component	Key Fields for Echo
Data Link (L2)	Ethernet Frame	Source/Dest MAC, EtherType (0x0800 for IPv4)
Network (L3)	IP Header	Protocol=1 (ICMP), Source/Dest IP, TTL
Network (L3)	ICMP Header	Type (8 or 0), Code (0), Checksum
Network (L3)	ICMP Echo Data	Identifier, Sequence Number, Payload

Why This Architecture Matters

The encapsulation of ICMP within IP has profound implications for network diagnostics:

Universal Reachability Testing: Because ICMP is mandatory in IP implementations, Echo Request/Reply works with any IP-capable device (unless explicitly blocked)
Router Processing: Routers must process ICMP messages—they can generate them (for errors), forward them, and respond to them (for Echo directed at the router itself)
End-to-End Semantics: ICMP Echo tests the complete IP path from source to destination, traversing all intermediate routers and links
Firewall Visibility: ICMP traffic is distinct from TCP/UDP, allowing firewalls to apply specific policies (which is why some networks block ping)

RFC 792: The Foundation

Echo Request (Type 8) and Echo Reply (Type 0)

ICMP defines numerous message types for different control and error scenarios. Echo Request and Echo Reply are the simplest and most widely used:

Type 8: Echo Request

The Echo Request message is sent by a host to request an echo (response) from another host. The key characteristics are:

Direction: Source → Destination
Purpose: "Are you there? Can you copy back what I send you?"
Expected Response: Echo Reply with identical data
Common Generators: ping utility, monitoring systems, load balancers

Type 0: Echo Reply

The Echo Reply message is the mandatory response to an Echo Request:

Direction: Destination → Source
Purpose: "Yes, I'm here. Here's your data back."
Generation Rule: MUST be generated for every received Echo Request (unless blocked by policy)
Data Integrity: Payload MUST match the original Echo Request exactly

Echo Request Properties

•ICMP Type: 8
•ICMP Code: 0 (always)
•Initiated by: Source host
•Requires: IP connectivity
•Payload: Arbitrary data (for matching)
•Addressing: Unicast or broadcast

Echo Reply Properties

•ICMP Type: 0
•ICMP Code: 0 (always)
•Generated by: Destination host
•Requires: Successful request receipt
•Payload: Copied from request
•Addressing: Unicast only

The Code Field Mystery

Historical Note on Type Numbering

Memorization Aid

ICMP Echo Header Format: Byte-Level Analysis

ICMP Echo Message Format

Text

┌─────────────────────────────────────────────────────────────────────┐
│                    ICMP Echo Request/Reply Format                    │
├─────────────────────────────────────────────────────────────────────┤
│ Byte Offset │  0-1  │  2-3  │  4-5  │  6-7  │  8+              │
├─────────────────────────────────────────────────────────────────────┤
│             │ Type  │ Code  │    Checksum    │                      │
│             │ (1B)  │ (1B)  │     (2B)       │                      │
├─────────────┼───────┴───────┴────────────────┤                      │
│             │     Identifier (2 bytes)       │   Data Payload       │
│             ├────────────────────────────────┤   (Variable length)  │
│             │  Sequence Number (2 bytes)     │                      │
└─────────────┴────────────────────────────────┴──────────────────────┘
 
Minimum ICMP Echo Message: 8 bytes (header only, no payload)
Typical ICMP Echo Message: 64 bytes (8-byte header + 56-byte payload)
Maximum ICMP Echo Message: Limited by IP MTU (typically ~65507 bytes)

Let's examine each field in detail:

Type (1 byte, offset 0)

The Type field identifies the ICMP message type:

8 (0x08): Echo Request
0 (0x00): Echo Reply

This single byte determines whether the message is asking a question or providing an answer.

Code (1 byte, offset 1)

Checksum (2 bytes, offset 2-3)

The Checksum field contains the 16-bit one's complement of the one's complement sum of the entire ICMP message (header + data). This checksum:

Covers: All ICMP bytes (Type, Code, Checksum, Identifier, Sequence, Data)
Does NOT cover: IP header (which has its own checksum)
Purpose: Detect corruption during transmission
Calculation: Sender sets checksum to 0, computes sum, stores result

Checksum Algorithm Detail

Identifier (2 bytes, offset 4-5)

Typical Value: Process ID (PID) of the ping process
Purpose: Demultiplex replies when multiple echo sessions are active
Persistence: Remains constant across all packets in one ping session
Matching Rule: Echo Reply must copy the Identifier from the Echo Request

Sequence Number (2 bytes, offset 6-7)

The Sequence Number field tracks individual packets within a ping session:

Initial Value: Typically starts at 0 or 1
Increment: Increased by 1 for each subsequent Echo Request
Purpose: Detect packet loss, reordering, and duplication
Range: 0 to 65,535 (wraps around in long-running sessions)
Matching Rule: Echo Reply must copy the Sequence Number from the Echo Request

ICMP Echo Header Fields Summary
Field	Size	Offset	Echo Request Value	Echo Reply Behavior
Type	1 byte	0	8	Changed to 0
Code	1 byte	1	0	Copied (stays 0)
Checksum	2 bytes	2-3	Computed	Recomputed (different due to Type change)
Identifier	2 bytes	4-5	Set by sender	Copied exactly
Sequence Number	2 bytes	6-7	Incremented	Copied exactly

The Data Payload: More Than Random Bytes

Purposes of the Echo Payload

•Timestamp for RTT Calculation: Ping implementations embed a departure timestamp in the payload. When the reply arrives, the sender subtracts the embedded time from the current time to calculate Round-Trip Time (RTT).
•Data Integrity Verification: By echoing the exact bytes sent, we verify not just IP reachability, but data integrity across the network path.
•Packet Size Testing: Different payload sizes test different aspects of the network (fragmentation behavior, buffer handling, MTU compliance).
•Pattern Detection: Known patterns in the payload can help identify bit errors, byte reordering, or truncation by misbehaving equipment.
•Matching Replies to Requests: The payload provides additional context for matching (beyond just Identifier and Sequence).

Standard Payload Sizes

Different environments use varying payload sizes:

Environment	Total ICMP Size	Payload Size	Total IP Packet
Windows ping	40 bytes	32 bytes	60 bytes
Linux/Unix ping	64 bytes	56 bytes	84 bytes
macOS ping	64 bytes	56 bytes	84 bytes
Cisco IOS	100 bytes	72 bytes	100 bytes

Payload Content Conventions

What goes in the 56 bytes of a typical Unix ping payload?

Typical Unix Ping Payload Structure
C
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
/* Standard BSD ping payload structure */
struct ping_payload {
    /* Bytes 0-7: Unix timestamp (struct timeval) */
    uint32_t tv_sec;      // Seconds since epoch
    uint32_t tv_usec;     // Microseconds
    
    /* Bytes 8-55: Pattern data */
    uint8_t pattern[48];  // Typically: 0x08, 0x09, 0x0a... incremental
};
 
/* Example raw payload (56 bytes, hexadecimal):
 * 
 * Timestamp: 65 A7 B6 8F  00 0D 2E 10  (8 bytes: sec + usec)
 * Pattern:   08 09 0A 0B  0C 0D 0E 0F  (remaining bytes)
 *            10 11 12 13  14 15 16 17
 *            18 19 1A 1B  1C 1D 1E 1F
 *            20 21 22 23  24 25 26 27
 *            28 29 2A 2B  2C 2D 2E 2F
 *            30 31 32 33  34 35 36 37
 */

Custom Patterns for Debugging

Network engineers often use custom patterns to diagnose specific issues:

All Zeros (0x00): Test for stuck-at-one bit errors
All Ones (0xFF): Test for stuck-at-zero bit errors
Alternating (0xAA, 0x55): Test for cross-talk between adjacent wires
Walking Ones/Zeros: Systematically test each bit position
Sequential Bytes (0x00, 0x01, 0x02...): Detect byte reordering or truncation

The -p option in Unix ping allows specifying custom patterns:

# Send ping with alternating bit pattern
ping -p aa55 192.168.1.1

# Send ping with all zeros pattern
ping -p 00 192.168.1.1

The Payload Echo Requirement

The Echo Exchange Process: Step by Step

Echo Request/Reply Lifecycle

•Request Initiation: The ping process creates an ICMP Echo Request packet with Type=8, sets the Identifier to its PID, initializes Sequence Number, embeds timestamp in payload, and computes the checksum.
•IP Encapsulation: The operating system wraps the ICMP message in an IP packet with Protocol=1, sets source and destination IP addresses, assigns a TTL value (typically 64 or 128), and passes the packet to the network interface.
•Outbound Transmission: The packet is framed for the local network (e.g., Ethernet), ARP resolution obtains the next-hop MAC address (router or direct destination), and the frame is transmitted on the wire.
•Network Transit: Each intermediate router decrements the TTL, recomputes the IP header checksum, performs routing lookup, and forwards to the next hop. If TTL reaches 0, the router drops the packet and sends ICMP Time Exceeded.
•Destination Reception: The destination's IP layer receives the packet, verifies the IP header checksum, recognizes Protocol=1 (ICMP), and passes the ICMP message to the ICMP handler.
•Echo Processing: The ICMP handler validates the ICMP checksum, recognizes Type=8 (Echo Request), creates an Echo Reply (Type=0) copying the Identifier, Sequence, and payload, and recomputes the ICMP checksum.
•Reply Transmission: The IP layer creates a new IP packet with source/destination reversed, wraps the Echo Reply, assigns TTL, and transmits. The reply packet follows its own (potentially different) network path back.
•Reply Reception: The original sender receives the reply, extracts the timestamp from payload, computes RTT, matches Identifier/Sequence to the pending request, and reports success.

Converting Mermaid diagram...

Potential Failure Points

At each stage of this process, multiple failure modes are possible:

Stage	Potential Failures	Observable Symptom
Request Initiation	Socket creation fails, no network interface	Immediate error message
IP Encapsulation	No route to host	ICMP Destination Unreachable (Network)
Outbound Transmission	ARP failure	Request timeout (no reply)
Network Transit (forward)	Link down, routing loop	TTL Exceeded or Destination Unreachable
Destination Reception	Firewall blocks ICMP	Request timeout
Echo Processing	Host too busy, ICMP rate limited	Delayed or dropped replies
Reply Transmission	Reverse path failure	Request timeout
Network Transit (return)	Asymmetric routing issues	Request timeout or high RTT
Reply Reception	Wrong Identifier	Reply discarded (wrong session)

Asymmetric Routing Complexity

Identifier and Sequence Number: The Matching Mechanism

The Identifier and Sequence Number fields work together to solve a fundamental problem: How does a host with multiple concurrent ping sessions associate incoming replies with the correct request?

This is trickier than it might seem. Consider a server running:

Network monitoring pinging 100 devices every 5 seconds
A user running ping from the command line
An application performing health checks
Load balancer probing backend servers

All of these generate Echo Requests from the same source IP. When Echo Replies arrive, how do we route them to the correct process?

The Identifier Field Solution

The Identifier field acts like a session identifier or process tag:

Unique per ping session: Each instance of ping (each process) uses a different Identifier
Constant within session: All packets from one ping session share the same Identifier
Copied in replies: The destination MUST copy the Identifier into its reply exactly
Filtering criterion: The sender uses (SourceIP, DestIP, Identifier) to match replies

Common Identifier Assignment Strategies:

Identifier Assignment Strategies
Strategy	Value Source	Pros	Cons
Process ID (PID)	getpid()	Unique per process, easy to debug	Predictable, potential security issue
Random 16-bit	rand()	Less predictable	Possible collisions on busy hosts
Hash-based	hash(target IP + time)	Deterministic, low collision	More complex implementation
Sequential	Global counter	Simple	May collide across restarts

The Sequence Number Field Solution

Within a single ping session, the Sequence Number tracks individual packets:

Unique per packet: Each Echo Request in a session gets a different Sequence Number
Usually incremental: Most implementations start at 0 or 1 and increment by 1
16-bit range: 0 to 65,535—adequate for even long-running ping sessions
Diagnostic value: Enables detecting:
- Packet loss: Missing Sequence Numbers in replies
- Duplication: Same Sequence Number received twice
- Reordering: Sequence Numbers arriving out of order
- Correlation: Match RTT to specific request

Example Scenario:

Multi-Session Echo Matching

Text

# Host 192.168.1.10 running three concurrent ping sessions
 
# Session A: Monitoring tool (PID=1234) pinging 10.0.0.1
Session A sends: Type=8, Identifier=1234, Seq=1  → No reply (lost)
Session A sends: Type=8, Identifier=1234, Seq=2  → Reply received
Session A sends: Type=8, Identifier=1234, Seq=3  → Reply received
 
# Session B: User ping (PID=5678) to 10.0.0.1 (same destination!)
Session B sends: Type=8, Identifier=5678, Seq=1  → Reply received
Session B sends: Type=8, Identifier=5678, Seq=2  → Reply received
 
# Session C: Health check (PID=9012) to 10.0.0.2
Session C sends: Type=8, Identifier=9012, Seq=1  → Reply received
 
# Incoming replies from 10.0.0.1:
Type=0, Identifier=5678, Seq=1 → Matched to Session B (PID 5678)
Type=0, Identifier=1234, Seq=3 → Matched to Session A (PID 1234)
Type=0, Identifier=1234, Seq=2 → Matched to Session A (PID 1234)
Type=0, Identifier=5678, Seq=2 → Matched to Session B (PID 5678)
 
# Notice: Session A never received Seq=1 reply → detected as packet loss

Operating System Implementation Detail

Echo and Network Security Considerations

Historical Attack Vectors Using Echo:

ICMP Echo Security Risks

•Ping of Death (1996-1997): Oversized ICMP packets (>65,535 bytes) caused buffer overflows and system crashes in vulnerable TCP/IP stacks. Modern systems are immune, but this attack demonstrated how malformed ICMP could weaponize a diagnostic tool.
•Smurf Attack: Sending Echo Request to a broadcast address with a spoofed source IP. All hosts on the network reply to the victim, creating massive amplification. Countermeasure: Routers now typically block directed broadcast.
•ICMP Flood (Ping Flood): High-rate Echo Requests overwhelming target's network bandwidth or CPU. Simple but effective DoS when attacker has more bandwidth than victim.
•Network Reconnaissance: Echo Reply confirms host existence. Ping sweeps map network addressing before targeted attacks. Many organizations block ICMP Echo to prevent reconnaissance.
•Covert Channels: Payload field can encode hidden data. ICMP tunneling tools (like icmpsh, ptunnel) embed data in Echo payload to bypass firewalls that allow ICMP but block other traffic.
•Timing Attacks: RTT measurements can leak information about network topology, host load, or even cryptographic operations (if timing-sensitive operations correlate with ping responses).

Security Best Practices for ICMP Echo

The security community has developed nuanced recommendations that balance security with operational needs:

ICMP Echo Security Recommendations
Context	Recommendation	Rationale
Internet-facing servers	Rate-limit Echo Reply	Prevents flood amplification while allowing diagnostics
Internal networks	Allow Echo Request/Reply	Internal diagnostics outweigh minimal risk
DMZ hosts	Allow from internal, block from external	Maintain visibility without external exposure
Critical infrastructure	Log all Echo activity	Detect reconnaissance before attacks
Border routers	Rate-limit and respond only to own interfaces	Allow traceroute but limit abuse

The 'Block All ICMP' Anti-Pattern

Summary: Echo Request/Reply Fundamentals

We've covered the complete technical foundation of ICMP Echo messages. Let's consolidate the essential knowledge:

Key Takeaways

•ICMP Echo is the foundation of reachability testing: Type 8 (Request) asks 'Are you there?' and Type 0 (Reply) confirms 'Yes, I am.'
•The 8-byte header contains critical matching information: Identifier links replies to sessions; Sequence Number tracks individual packets.
•Payload serves multiple purposes: Timestamp embedding enables RTT calculation; data echoing verifies integrity; customizable patterns diagnose specific issues.
•Echo exchanges traverse the complete IP path: Success confirms bidirectional connectivity through all intermediate routers and links.
•Security and diagnostics must be balanced: Rate-limiting and selective filtering are preferable to complete ICMP blocking.
•The protocol has remained unchanged since 1981: Echo Request/Reply is one of the most stable and universally implemented network protocols.

What's Next:

Page Complete

1 / 5