ICMP, ping & traceroute

intermediate icmp ping traceroute ttl diagnostics

ICMP (Internet Control Message Protocol) is the network’s signalling layer — it’s how routers and hosts send each other diagnostic and error messages. ping and traceroute are two diagnostic tools built on top of it.

In simple language: when something goes wrong with a packet (or we’re just curious about the path), ICMP is how the network tells us about it.

What ICMP Carries

ICMP is a Layer 3 protocol that sits beside IP. Common message types:

Type 0   Echo Reply              (ping reply)
Type 3   Destination Unreachable (sub-codes: net, host, port unreachable)
Type 5   Redirect                (use a different gateway)
Type 8   Echo Request            (ping)
Type 11  Time Exceeded           (TTL expired — used by traceroute)
Type 12  Parameter Problem

ICMP messages don’t have ports — they’re addressed to whole hosts.

ping — Echo Request / Reply

ping sends an ICMP Echo Request (type 8) and waits for an Echo Reply (type 0).

ping -c 4 example.com
# PING example.com (93.184.216.34): 56 data bytes
# 64 bytes from 93.184.216.34: icmp_seq=0 ttl=53 time=82.4 ms
# 64 bytes from 93.184.216.34: icmp_seq=1 ttl=53 time=81.9 ms
# 64 bytes from 93.184.216.34: icmp_seq=2 ttl=53 time=82.1 ms
# 64 bytes from 93.184.216.34: icmp_seq=3 ttl=53 time=83.0 ms

Three useful numbers:

  • time — round-trip time (RTT) in ms.
  • ttl — TTL value left on the reply. Tells us roughly how many hops we’re away (start TTL minus this).
  • packet loss % — at the end of ping’s summary.

What ping Does and Doesn’t Tell Us

It tells us:

  • Is the host reachable?
  • Roughly how fast is the path?
  • Is there packet loss?

It does NOT tell us:

  • Is the actual app (web server, DB) working — only the kernel responds to ICMP.
  • The full path to the host.
  • Whether ICMP is being blocked (a “no reply” might mean the host is up but firewalled).

Many production hosts deliberately drop ICMP. “Ping doesn’t work” ≠ “host is down.”

TTL — How Packets Expire

Every IP packet has a Time To Live field. Each router decrements it by 1. When a router decrements it to 0, that router drops the packet and sends an ICMP Time Exceeded back to the source.

laptop sends packet with TTL=64
hop 1: TTL=63
hop 2: TTL=62
...
hop 64: TTL=0  -> drop, send ICMP Time Exceeded back

TTL exists to prevent packets from looping forever in case of routing bugs.

traceroute — Abusing TTL on Purpose

traceroute (or tracert on Windows) uses TTL as a clever trick:

  1. Send a probe with TTL=1. The first router decrements to 0, drops it, replies with ICMP Time Exceeded. We learn hop 1’s IP.
  2. Send a probe with TTL=2. Reaches hop 2 before expiring. We learn hop 2’s IP.
  3. Repeat with TTL=3, 4, 5… until the probe reaches the destination, which answers the probe itself (Echo Reply or Port Unreachable, depending on the probe type) instead of with Time Exceeded.

traceroute example.com
#  1  192.168.1.1   (home router)        1.1 ms
#  2  10.0.0.1      (ISP first hop)      8.4 ms
#  3  72.x.x.x                           12.0 ms
#  4  *  *  *                            (some hop blocking ICMP)
#  5  93.184.216.34 (example.com)        82.0 ms

traceroute’s Probe Type

What does traceroute send? Depends on the OS:

  • Linux / BSD traceroute — sends UDP probes to incrementing high ports. Replies are ICMP Time Exceeded (mid-hops) or ICMP Port Unreachable (final).
  • Windows tracert — sends ICMP Echo Requests directly.
  • Modern traceroute -T — uses TCP SYN probes (more likely to get through firewalls).
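The TTL trick from the numbered steps and the probe-type differences in the list above, as an added simulation that is not part of the original notes: routers are plain Python objects, no packets leave the machine, and the path (192.168.1.1 and 10.0.0.1 from the sample output, plus constructed documentation-range addresses for the remaining hops) is an assumption.

```python
# Added example: a pure-Python simulation of how traceroute walks a path with
# TTL=1, 2, 3...  Nothing is sent on the wire; hops are plain objects.
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED = 0, 3, 11   # ICMP types from the table


@dataclass
class Hop:
    ip: str
    silent: bool = False   # router that never originates ICMP (rate-limited/filtered)


def forward(path, dest, ttl, probe):
    """Walk one probe along the path; return (replier_ip, icmp_type) or None.

    Each router decrements TTL. The one that drives it to 0 drops the probe and,
    unless silent, answers Time Exceeded. A probe that survives every router is
    answered by the destination itself: Echo Reply for an ICMP Echo probe
    (tracert style), Port Unreachable for a UDP probe to a closed high port.
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return None if hop.silent else (hop.ip, TIME_EXCEEDED)
    return (dest, ECHO_REPLY if probe == "icmp" else DEST_UNREACH)


def traceroute(path, dest, probe="udp", max_hops=30):
    """Probe with increasing TTL, recording who answered each one."""
    result = []
    for ttl in range(1, max_hops + 1):
        reply = forward(path, dest, ttl, probe)
        if reply is None:
            result.append((ttl, "*"))          # silent hop, printed as * * *
            continue
        ip, icmp_type = reply
        result.append((ttl, ip))
        if icmp_type != TIME_EXCEEDED:         # the destination answered: done
            break
    return result


# Constructed sample path: first two hops mirror the notes' sample output,
# the rest use documentation-range addresses (hop 4 stays silent on ICMP).
SAMPLE_PATH = [Hop("192.168.1.1"), Hop("10.0.0.1"),
               Hop("198.51.100.1"), Hop("203.0.113.9", silent=True)]
SAMPLE_DEST = "93.184.216.34"

if __name__ == "__main__":
    for ttl, who in traceroute(SAMPLE_PATH, SAMPLE_DEST):
        print(f"{ttl:2d}  {who}")
```

Switching `probe="icmp"` changes only the final reply type, which is exactly the Linux-vs-Windows difference listed above.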

mtr — traceroute + ping

mtr is a fantastic tool that runs traceroute continuously and shows packet loss per hop. Great for diagnosing flaky paths.

mtr --report --report-cycles 10 example.com

Things That Block ICMP

  • Cloud firewalls (AWS security groups, GCP firewall rules) often disable ICMP by default.
  • Some ISPs rate-limit ICMP from routers, causing weird “lost” middle hops in traceroute.
  • DDoS-protected hosts (Cloudflare, etc.) may drop ICMP entirely.

So when traceroute shows * * * for a hop, it’s usually fine — that router is just silent on ICMP.

ICMPv6

IPv6 has its own ICMP (ICMPv6) which is more important than ICMPv4 — Neighbor Discovery (the IPv6 ARP replacement) and Path MTU Discovery rely on it. Blocking ICMPv6 entirely breaks IPv6 networks.

Common Gotcha

Some people use ping to “test the internet.” If the target host blocks ICMP, ping fails — but TCP/UDP services on that host might be perfectly fine. A more reliable test is curl -I https://1.1.1.1 or nc -vz 8.8.8.8 53.

Interview Tip

Two crisp explanations:

  • ping = ICMP echo request/reply, RTT measurement.
  • traceroute = clever abuse of TTL, sending packets with TTL=1, 2, 3… and reading the ICMP Time Exceeded responses.