
Expert Reference Series of White Papers

Why Do Techies
Tell Me to “Ping”
a Website?

1-800-COURSES www.globalknowledge.com
Paul Simoneau, Global Knowledge Senior Instructor and Course Director

Introduction
Great question! Let’s start by dividing the answer into three parts:
• A better understanding of ping
• How to ping
• Learning from pinging a system

A Better Understanding of Ping


Ping is an operating system application that calls up an internal protocol: Internet Control Message Protocol (ICMP).
Instead of being an acronym like so many other applications, ping is a word from naval sonar. You may remember it
from the 1990 movie, The Hunt for Red October, when Sean Connery’s Russian character asks for “one ping only” to
verify the range to the American submarine.

The ping command tells ICMP to send an echo request. By default, that is a relatively small message. It goes out to a
destination to verify that the sender can reach the target device. In normal operation, the system that receives that
request will respond with an echo reply.

Those messages have specific contents for their assigned purpose. There are three fields that ping uses by default.
The first contains an ID number to identify each new ping command issued by the operating system. The second
field carries a sequence number to separately identify which of multiple request/reply combinations is being
processed. The third field is the ICMP checksum to make sure the data sent is the data received.

Both messages will normally have identical data fields. By default, the operating system will set the number of bytes
in the field from 32 bytes to 128 bytes, depending on the system. The ping command also lets the user set the
number of bytes to be echoed, which is called an override. That can be as many as the IP datagram maximum of
65,535 bytes, minus the IP header and ICMP header (or approximately 65,500 bytes).
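
As an added example (not code from the original paper), this Python code builds an echo request and reply with the ID, sequence number, and checksum fields described above, then applies the receiver-side check that discards a reply with the wrong sequence number or a corrupted byte. The ID 0x1234, the sample payload, and the function names are assumptions made for the illustration, and the size limit assumes a 20-byte IPv4 header without options.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0   # ICMP type values
IP_MAX_DATAGRAM = 65535                     # maximum IP datagram size
IP_HEADER_LEN = 20                          # IPv4 header without options
ICMP_HEADER_LEN = 8                         # type, code, checksum, ID, sequence


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd lengths for summing only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request or reply; the checksum covers header and data."""
    if len(payload) > IP_MAX_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN:
        raise ValueError("payload does not fit in a single IP datagram")
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    checksum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, checksum, ident, seq) + payload


def parse_echo(message: bytes) -> dict:
    """Split a message into its fields and verify the checksum."""
    if len(message) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP message")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": msg_type, "code": code, "id": ident, "seq": seq,
        "payload": message[8:],
        # Re-summing a message that carries a correct checksum gives zero.
        "checksum_ok": internet_checksum(message) == 0,
    }


def reply_matches(request: bytes, reply: bytes) -> bool:
    """Accept only an intact echo reply with the same ID, sequence and data."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["checksum_ok"] and rep["type"] == ICMP_ECHO_REPLY
            and (rep["id"], rep["seq"]) == (req["id"], req["seq"])
            and rep["payload"] == req["payload"])


def demo() -> dict:
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes, constructed sample
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, payload)
    good = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, payload)
    stale = build_echo(ICMP_ECHO_REPLY, 0x1234, 7, payload)   # wrong sequence
    damaged = good[:-1] + bytes([good[-1] ^ 0x01])             # one bit flipped
    return {"good": reply_matches(request, good),
            "stale": reply_matches(request, stale),
            "damaged": reply_matches(request, damaged)}


if __name__ == "__main__":
    print(demo())
```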

The ping command lets the user set a flag to send a specific number of pings, or use another flag to tell the
system to ping until interrupted by a Control-C key combination. A separate flag requests a translation from a
target IP address to the host and domain name that matches that numeric address.

Copyright ©2013 Global Knowledge Training LLC. All rights reserved. 2


Since ICMP follows an IP header, all the IP options are available to the ping app. That includes setting certain IP
header field values, such as the flags as noted below. IP options include:
• Security handling
• Loose source routing
• Collect Internet time stamps
• Record route
• Strict source routing

IP fields with matching ping flags include:
• Preventing fragmentation
• Setting the number of routers the message will pass through while it travels to the target system
• Special network handling

How to Ping
While IP and ping are standardized, the commands that each operating system (Windows, Linux, Mac) uses to send
ping with options will be different.

With many people using XP or XP Pro, we will examine those commands first. As a starting point, you can look up
the possible choices by going to the command prompt and typing: ping /?

The result of that will show:


ping [-t] [-a] [-n Count] [-l Size] [-f] [-i TTL] [-v TOS] [-r Count] [-s Count] [{-j HostList | -k HostList}] [-w Timeout]
[TargetName]

• -t: Specifies that ping continue sending echo request messages to the destination until interrupted. To
interrupt and display statistics, press CTRL-BREAK. To interrupt and quit ping, press CTRL-C.
• -a: Specifies that reverse name resolution is performed on the destination IP address. If this is successful,
ping displays the corresponding host name.
• -n Count: Specifies the number of echo request messages sent. The default is four.
• -l Size: Specifies the length, in bytes, of the data field in the echo request messages sent. The default is 32.
The maximum size is 65,527.
• -f: Specifies that echo request messages are sent with the “Don't Fragment” flag in the IP header set to 1.
The echo request message is not to be fragmented by routers in the path to the destination. This
parameter is useful for troubleshooting Path Maximum Transmission Unit (PMTU) problems.
• -i TTL: Specifies the value of the TTL field in the IP header for echo request messages sent. The default is the
default TTL value for the host. For Windows XP hosts, this is typically 128. The maximum TTL is 255.
• -v TOS: Specifies the value of the Type of Service (ToS) field in the IP header for echo request messages
sent. The default is zero. TOS is specified as a decimal value from zero to 255.

• -r Count: Specifies that the record route option in the IP header is used to record the path taken by the
echo request message and corresponding echo reply message. Each hop in the path uses an entry in the
record route option. If possible, specify a count that is equal to or greater than the number of hops
between the source and destination. The count must be a minimum of one and a maximum of nine.
• -s Count: Specifies that the Internet timestamp option in the IP header is used to record the time of arrival
for the echo request message and corresponding echo reply message for each hop. The count must be a
minimum of one and a maximum of four.
• -j HostList: Specifies that the echo request messages use the loose source route option in the IP header with
the set of intermediate destinations specified in HostList. With loose source routing, successive intermediate
destinations can be separated by one or multiple routers. The maximum number of addresses or names in
the host list is 9. The host list is a series of IP addresses (in dotted decimal notation) separated by spaces.
• -k HostList: Specifies that the Echo Request messages use the Strict Source Route option in the IP header
with the set of intermediate destinations specified in HostList. With strict source routing, the next
intermediate destination must be directly reachable (it must be a neighbor on an interface of the router).
The maximum number of addresses or names in the host list is 9. The host list is a series of numeric IP
addresses separated by spaces.
• -w Timeout: Specifies the amount of time, in milliseconds, to wait for the Echo Reply message that
corresponds to a given Echo Request message to be received. If the Echo Reply message is not received
within the time-out, the "Request timed out" error message is displayed. The default time-out is 4000 (4
seconds).
• TargetName: Specifies the destination, which is identified either by IP address or host name.

Windows Vista, Windows 7, and Windows 8 add the following flags to those offered by Windows XP:
• -R: Use routing header to test reverse route also (IPv6-only). Use of this routing header has been deprecated.
Some systems may drop echo requests if they receive a ping with this header.
• -S srcaddr: Source address to use.
• -4: Force use of IPv4.
• -6: Force use of IPv6.

As an example of Windows output, you may see:

ping www.globalknowledge.com

Pinging www.globalknowledge.com [192.168.111.222] with 32 bytes of data:
Reply from 192.168.111.222: bytes=32 time=101ms TTL=124
Reply from 192.168.111.222: bytes=32 time=100ms TTL=124
Reply from 192.168.111.222: bytes=32 time=120ms TTL=124
Reply from 192.168.111.222: bytes=32 time=120ms TTL=124

Ping statistics for 192.168.111.222:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 101ms, Maximum = 120ms, Average = 110ms

On a Linux-based system, the commands are different:

ping -s [-d] [-l] [-L] [-n] [-r] [-R] [-v] [ -i interface_address ] [-I interval] [-t ttl] host [packetsize] [count]

• -d: Set the SO_DEBUG socket option.
• -l: Loose source route. Use this option in the IP header to send the packet to the given host and back again.
Usually specified with the -R option.
• -L: Turn off loopback of multicast packets. Normally, if there are members in the host group on the out-
going interface, a copy of the multicast packets will be delivered to the local machine.
• -n: Show network addresses as numbers. Ping normally displays addresses as host names.
• -r: Bypass the normal routing tables and send directly to a host on an attached network. If the host is not
on a directly-attached network, an error is returned. This option can be used to ping a local host through
an interface that has been dropped by the router daemon.
• -R: Record route. Sets the IP record route option, which will store the route of the packet inside the IP
header. The contents of the record route will only be printed if the -v option is given, and only be set on
return packets if the target host preserves the record route option across echos, or the -l option is given.
• -v: Verbose output. List any ICMP packets, other than ECHO_RESPONSE, that are received.
• -i interface_address: Specify the outgoing interface address to use for multicast packets. The default
interface address for multicast packets is determined from the (unicast) routing tables.
• -I interval: Specify the interval between successive transmissions. The default is one second.
• -t ttl: Specify the IP time to live for unicast and multicast packets. The default time to live for unicast
packets is set with ndd (using the icmp_def_ttl variable). The default time to live for multicast is one hop.
• host: The network host.
• packetsize: The size of the packet to send. Default is 64.
• count: Number of times to send the ping request. Default is to ping until Control-C is pressed.

An example of the command and its response:

ping google.com -c 1

Ping the host google.com once and return to the command line with a response similar to this:

PING google.com (204.228.150.3) 56(84) bytes of data.
64 bytes from www.google.com (204.228.150.3): icmp_seq=1 ttl=63 time=0.267 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms

In OS X, the flags are quite similar to Linux as it is based on BSD Unix. Here is a list of usable flags when pinging
from a Macintosh system. Note the two variations of the command, as the flags -C and -L are mutually exclusive:

ping [-AaCDdfnoQqRrv] [-b boundif] [-c count] [-G sweepmaxsize] [-g sweepminsize] [-h sweepincrsize] [-i wait] [-l
preload] [-M mask | time] [-m ttl] [-P policy] [-p pattern] [-S src_addr] [-s packetsize] [-t timeout] [-W waittime] [-z
tos] host

ping [-AaDdfLnoQqRrv] [-b boundif] [-c count] [-I iface] [-i wait] [-l preload] [-M mask | time] [-m ttl] [-P policy] [-p
pattern] [-S src_addr] [-s packetsize] [-T ttl] [-t timeout] [-W waittime] [-z tos] mcast-group

• -A: Audible. Output a bell (ASCII 0x07) character when no packet is received before the next packet is
transmitted. To cater for round-trip times that are longer than the interval between transmissions, further
missing packets cause a bell only if the maximum number of unreceived packets has increased.
• -a: Audible. Include a bell (ASCII 0x07) character in the output when any packet is received. This option is
ignored if other format options are present.
• -b boundif: Bind the socket to interface boundif for sending.
• -C: Prohibit the socket from using the cellular network interface.
• -c count: Stop after sending (and receiving) count ECHO_RESPONSE packets. If this option is not specified,
ping will operate until interrupted. If this option is specified in conjunction with ping sweeps, each sweep
will consist of count packets.
• -D: Set the Don't Fragment bit.
• -d: Set the SO_DEBUG option on the socket being used.
• -f: Flood ping. Outputs packets as fast as they come back or one hundred times per second, whichever is
more. For every ECHO_REQUEST sent a period “.” is printed, while for every ECHO_REPLY received a
backspace is printed. This provides a rapid display of how many packets are being dropped. Only the super
user may use this option. This can be very hard on a network and should be used with caution.
• -G sweepmaxsize: Specify the maximum size of ICMP payload when sending sweeping pings. This option is
required for ping sweeps.
• -g sweepminsize: Specify the size of ICMP payload to start with when sending sweeping pings. The default
value is 0.
• -h sweepincrsize: Specify the number of bytes to increment the size of ICMP payload after each sweep
when sending sweeping pings. The default value is 1.
• -I iface: Source multicast packets with the given interface address. This flag only applies if the ping
destination is a multicast address.
• -i wait: The wait number of seconds between sending each packet. The default is to wait for one second
between each packet. The wait time may be fractional, but only the super-user may specify values less than
0.1 second. This option is incompatible with the -f option.
• -L: Suppress loopback of multicast packets. This flag only applies if the ping destination is a multicast
address.
• -l preload: If preload is specified, ping sends that many packets as fast as possible before falling into its
normal mode of behavior. Only the superuser may use this option.

• -M mask | time: Use ICMP_MASKREQ or ICMP_TSTAMP instead of ICMP_ECHO. For mask, print the
netmask of the remote machine. Set the net.inet.icmp.maskrepl MIB variable to enable ICMP_MASKREPLY.
For time, print the origination, reception, and transmission timestamps.
• -m ttl: Set the IP Time To Live for outgoing packets. If not specified, the kernel uses the value of the
net.inet.ip.ttl MIB variable.
• -n: Numeric output only. No attempt will be made to lookup symbolic names for host addresses.
• -o: Exit successfully after receiving one reply packet.
• -P policy: The policy specifies IPsec policy for the ping session. For details please refer to ipsec.
• -p pattern: You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for
diagnosing data-dependent problems in a network. For example, “-p ff” will cause the sent packet to be
filled with all ones.
• -Q: Somewhat quiet output. Don't display ICMP error messages that are in response to our query messages.
Originally, the -v flag was required to display such errors, but -v displays all ICMP error messages. On a busy
machine, this output can be overbearing. Without the -Q flag, ping prints out any ICMP error messages
caused by its own ECHO_REQUEST messages.
• -q: Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
• -R: Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route
buffer on returned packets. Note that the IP header is only large enough for nine such routes.
• -r: Bypass the normal routing tables and send directly to a host on an attached network. If the host is not
on a directly attached network, an error is returned. This option can be used to ping a local host through
an interface that has no route through it.
• -S src_addr: Use the following IP address as the source address in outgoing packets. On hosts with more
than one IP address, this option can be used to force the source address to be something other than the IP
address of the interface the probe packet is sent on. If the IP address is not one of this machine's interface
addresses, an error is returned and nothing is sent.
• -s packetsize: Specify the number of data bytes to be sent. The default is 56, which translates into 64 ICMP
data bytes when combined with the 8 bytes of ICMP header data. This option cannot be used with ping
sweeps.
• -T ttl: Set the IP time-to-live value for multicasted packets. This flag only applies if the ping destination is a
multicast address.
• -t timeout: Specify a timeout, in seconds, before ping exits regardless of how many packets have been
received.
• -v: Verbose output. ICMP packets other than ECHO_RESPONSE that are received are listed.
• -W waittime: Time in milliseconds to wait for a reply for each packet sent. If a reply arrives later, the packet
is not printed as replied, but considered as replied when calculating statistics.
• -z tos: Use the specified type of service.

An example of the command and its response: ping -c 4 google.com

Ping the host google.com four times and return to the command line with a response similar to this:

PING google.com (74.125.228.6): 56 data bytes
64 bytes from 74.125.228.6: icmp_seq=0 ttl=55 time=15.996 ms
64 bytes from 74.125.228.6: icmp_seq=1 ttl=55 time=18.554 ms
64 bytes from 74.125.228.6: icmp_seq=2 ttl=55 time=15.605 ms
64 bytes from 74.125.228.6: icmp_seq=3 ttl=55 time=15.622 ms

--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.605/16.444/18.554/1.228 ms

Learning from Pinging a System


When we use ping, it’s best to follow a plan. Consider pinging the local system first and step-by-step move further
away to finally reach a remote server.

ping 127.0.0.1 will make sure your system’s network components work.

ping default gateway IP address will ensure you can reach systems on your local network, including your
router/gateway. To find your network gateway address, use the command route print in Windows, route -n in
Linux, and route -n get default in OS X.

ping by name will verify that the domain name system is working correctly. It will also return the IP address for
that name.

Some popular sites like amazon.com, microsoft.com, slashdot.org, and others that have had Denial of Service (DoS)
attacks in the past often disable ICMP echo requests and responses on their servers or set up other network settings
that stop a ping request from being received or block a response.

When you ping these domain names or their matching IP addresses you'll get a "Request timed out" message or a
"100% packet loss" message (sometimes both). This is normal behavior for these sites and there is nothing that can
be done to get around it.

When you ping, your system calculates round-trip times and packet loss statistics. For example, here is a Windows
summary:

Request timed out.
Reply from 192.168.111.222: bytes=32 time=101ms TTL=124
Reply from 192.168.111.222: bytes=32 time=120ms TTL=124
Reply from 192.168.111.222: bytes=32 time=120ms TTL=124

Ping statistics for 192.168.111.222:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milliseconds:
Minimum = 101ms, Maximum = 120ms, Average = 114ms

“Request timed out” means there was no response that matched the ICMP ID number and sequence number. Resolving
the domain name and processing other needed protocols probably took longer than the default wait time. Notice
that the challenge was resolved and the rest of the pings worked.

“time=101ms” indicates the round trip time for that ping. If the times seem to be large for a known path, it could
be telling us that the network is congested.

“TTL=124” tells us that, to reach the target, the ping had to pass through four routers on its way (128-124 = 4) as
each router subtracts one count from the IP TTL value.
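
The reading described above, as added example code in Python (not from the original paper): it recomputes the loss and round-trip figures from the per-packet lines of Windows ping output and turns the reply TTL into a hop estimate. The list of common initial TTLs (64, 128, 255) and the function names are assumptions; the TTL shown in a reply was set by the target and counted down on the return path, so the estimate is only as good as the guess at the target's starting value.

```python
import re

# Constructed sample: the Windows output quoted above (one timeout, three replies).
SAMPLE = """\
Request timed out.
Reply from 192.168.111.222: bytes=32 time=101ms TTL=124
Reply from 192.168.111.222: bytes=32 time=120ms TTL=124
Reply from 192.168.111.222: bytes=32 time=120ms TTL=124
"""

# Windows prints "time<1ms" for very fast replies, hence [=<].
REPLY_RE = re.compile(
    r"^Reply from (?P<src>\S+): bytes=(?P<size>\d+) "
    r"time[=<](?P<ms>\d+)ms TTL=(?P<ttl>\d+)$")

# Assumption: the replying host started from one of these common default TTLs.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl: int) -> int:
    """Routers crossed, assuming the smallest common initial TTL that fits."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL {observed_ttl} is outside 1..255")
    initial = next(t for t in COMMON_INITIAL_TTLS if observed_ttl <= t)
    return initial - observed_ttl


def summarize(output: str) -> dict:
    """Recompute the statistics block from the per-packet lines."""
    timeouts, rtts, ttls = 0, [], set()
    for line in output.splitlines():
        line = line.strip()
        if line == "Request timed out.":
            timeouts += 1
        elif (m := REPLY_RE.match(line)):
            rtts.append(int(m["ms"]))
            ttls.add(int(m["ttl"]))
    sent = timeouts + len(rtts)
    return {
        "sent": sent, "received": len(rtts), "lost": timeouts,
        "loss_pct": round(100 * timeouts / sent) if sent else None,
        "min_ms": min(rtts, default=None),
        "max_ms": max(rtts, default=None),
        "avg_ms": round(sum(rtts) / len(rtts)) if rtts else None,
        # More than one entry means replies returned over paths of different length.
        "hops_by_ttl": {ttl: estimate_hops(ttl) for ttl in sorted(ttls)},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```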

To test response times on a local network, we may use ping -r 9 (destination) to record the path up to nine routers.
If you think it may be more than nine routers away, use the command tracert (destination) on Windows systems or
traceroute (destination) on Linux or OS X. traceroute uses protocols other than ICMP to accomplish a result very
similar to that of tracert. The tracert command is the equivalent of the following series of commands:

ping -n 3 -i 1 destination
ping -n 3 -i 2 destination
ping -n 3 -i 3 destination
.
.
.
ping -n 3 -i 28 destination
ping -n 3 -i 29 destination
ping -n 3 -i 30 destination

A successful tracert will return a result similar to this example:

tracert 11.1.0.1

Tracing route to 11.1.0.1 over a maximum of 30 hops

1 2 ms 3 ms 2 ms 157.54.48.1
2 75 ms 83 ms 88 ms 11.1.0.67
3 73 ms 79 ms 93 ms 11.1.0.1

Trace complete.

If the times return a series of entries like 8, 9, and 10 (as shown below), it indicates that the organization supporting
those routers has decided to ignore ICMP messages to protect their networks from potential attacks. The others (at
11 and 12) have chosen to support ICMP or have left the default in place.

8 * * *
9 * * *
10 * * *
11 82 ms 83 ms 82 ms 66.208.233.50
12 97 ms 93 ms 91 ms 216.6.87.158

Conclusion
Ping has always been a reference to sonar rather than an acronym, but someone made up the fake acronym Packet
InterNet Groper and spread it around. As Mark Twain wrote, “It ain’t what you don’t know that gets you into
trouble. It’s what you know for sure that just ain’t so.”

We examined the details of the commands and flags, and how those flags vary from one operating system to
another. Although the flags are different, the work being done toward troubleshooting is the same. Of course,
some systems ignore some of those flags or have been hardened to secure and protect the networks they access.

Lastly, we looked at some ways to use ping and the related functions for troubleshooting networks. We showed
default values and how to bypass some of them. We also included what technical people (including knowledgeable
users) can learn from reading the results of pinging a system, which helps them (and us) solve connectivity
challenges.

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge
through training.
IPv6 Foundations: Protocols, Services, and Migration
Understanding Networking Fundamentals
TCP/IP Networking

Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge
training advisor.

About the Author


Paul Simoneau has well over 30 years of experience in working with multiple aspects of computers and data
communications. He is the founder and president of NeuroLink, Ltd.—an international coaching and educational
company specializing in professional development. NeuroLink’s client list includes Cisco, AT&T, Lucent, Citibank,
Quest Communications, Hewlett-Packard, Sprint, Verizon, all branches of the U.S. Armed Forces, and many others.

He is a senior instructor and course director with Global Knowledge, the blended solutions training company. In that
role, he has authored and managed three highly successful courses: Understanding Network Fundamentals, Hands-
On Internetworking with TCP/IP, and Network Management with SNMP. These courses are offered worldwide in
classroom, virtual classroom, and self-directed formats. In support of these and other courses, he actively
participates in Global Knowledge’s e-mentoring programs.

His writing is also recognized outside of Global Knowledge in the “Hands-On TCP/IP” and “SNMP Network
Management” books that are published by McGraw-Hill.

A graduate of the State University of New York at Albany, he also holds a master’s degree from Webster University.
