Network Troubleshooting: Ping and Traceroute: Essential Tools for Data Communications and Networking

This article explores how ping and traceroute work, their practical applications in diagnosing network issues, their limitations, and how they complement more advanced networking tools.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  9 minute read  

In the realm of network management and troubleshooting, few tools are as ubiquitous and valuable as ping and traceroute. These utilities have stood the test of time, remaining fundamental components in every network administrator’s toolkit despite the rapid evolution of network technologies. This article explores how these seemingly simple tools work, their practical applications in diagnosing network issues, their limitations, and how they complement more advanced networking tools.

Understanding Ping: The Network Echo Test

What is Ping?

Ping (Packet Internet Groper) is a network utility that tests the reachability of a host on an Internet Protocol (IP) network. Developed by Mike Muuss in 1983, ping works by sending Internet Control Message Protocol (ICMP) Echo Request packets to the target host and waiting for an ICMP Echo Reply. The term “ping” was inspired by sonar technology, mimicking the sound that sonar makes when detecting objects.

How Ping Works

At its core, ping operates through a straightforward process:

  1. The sending host creates an ICMP Echo Request packet
  2. This packet is encapsulated in an IP packet and sent to the destination
  3. If the target host is reachable and configured to respond, it returns an ICMP Echo Reply
  4. The sending host receives the reply and calculates the round-trip time (RTT)

Each ping packet contains a timestamp that allows the sending host to calculate how long it took for the packet to make the round trip. Additionally, ping packets include a sequence number and sometimes a payload of data (often alphabetic characters that make patterns easy to recognize in packet captures).

Key Information from Ping

A typical ping command provides several crucial pieces of information:

  • Round-trip time (RTT): The time it takes for a packet to travel from source to destination and back, measured in milliseconds
  • Packet loss: The percentage of packets that did not receive a reply
  • Time To Live (TTL): The number of router hops a packet can traverse before being discarded
  • Statistics summary: Average, minimum, and maximum RTT values

Example output from pinging Google’s DNS server:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=12.883 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12.412 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=11.808 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=11.833 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.808/12.234/12.883/0.454 ms

Common Ping Options

Different operating systems offer various ping command options, but some common ones include:

  • Count (-c): Specify the number of packets to send
  • Interval (-i): Set the time between packets in seconds
  • Timeout (-W): Set the time to wait for a response
  • TTL (-t): Set the Time-To-Live value for outgoing packets
  • Size (-s): Specify the packet size in bytes

For system administrators, customizing these parameters can provide more targeted testing based on specific troubleshooting scenarios.

Traceroute: Mapping the Network Path

What is Traceroute?

While ping tests direct connectivity, traceroute (tracert in Windows) maps the route packets take through a network to reach a destination. Developed by Van Jacobson in 1987, traceroute allows network administrators to visualize each hop in a packet’s journey, identifying where delays or failures occur.

How Traceroute Works

Traceroute operates using a clever technique that exploits the Time-To-Live (TTL) field in IP packets:

  1. The tool sends packets with incrementing TTL values (starting with TTL=1)
  2. When a router receives a packet, it decrements the TTL by 1
  3. If the TTL reaches zero, the router discards the packet and sends an ICMP “Time Exceeded” message back to the source
  4. By incrementing the TTL with each subsequent packet, traceroute discovers each router in the path

The implementation varies slightly by platform:

  • Unix/Linux/macOS: Uses UDP packets by default
  • Windows (tracert): Uses ICMP Echo Request packets
  • Modern implementations: Often offer TCP-based traceroute options

Key Information from Traceroute

A traceroute output typically provides:

  • Hop number: The sequence of routers in the path
  • Router IP address: The IP of each intermediate device
  • Router hostname (when available): DNS name of the device
  • RTT: The time to reach each hop (usually sampled three times)
  • Asterisks (*): Indicate timeouts or non-responsive hops

Example traceroute output to Google’s DNS:

traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  router.home (192.168.1.1)  3.169 ms  1.678 ms  1.451 ms
 2  192.0.2.1 (192.0.2.1)  12.321 ms  11.023 ms  10.887 ms
 3  isp-aggregation-router.net (203.0.113.2)  12.458 ms  11.791 ms  12.134 ms
 4  isp-core-router.net (203.0.113.18)  13.889 ms  14.001 ms  14.233 ms
 5  internet-exchange-point.net (198.51.100.5)  15.333 ms  13.882 ms  14.991 ms
 6  google-peer-router.net (172.217.0.1)  14.521 ms  13.487 ms  13.001 ms
 7  * * *
 8  dns-server.google.com (8.8.8.8)  12.781 ms  11.923 ms  12.532 ms

Common Traceroute Options

Useful traceroute options include:

  • Maximum hops (-m): Limit the number of hops to probe
  • Wait time (-w): Specify how long to wait for a response
  • Packet count (-q): Set how many probes to send per hop
  • Protocol options: Choose between ICMP, UDP, or TCP probing methods

Practical Network Troubleshooting with Ping and Traceroute

Diagnosing Connectivity Issues

When users report inability to access services, ping serves as the first-line diagnostic tool:

  1. Local connectivity: Ping the loopback address (127.0.0.1) to verify the TCP/IP stack is functioning
  2. Local network: Ping the default gateway to check local network connectivity
  3. Internet connectivity: Ping a reliable external host (like 8.8.8.8) to verify internet access
  4. DNS resolution: Ping a domain name to check if DNS resolution works

If any step fails, the problem is isolated to that layer of connectivity.

Identifying Network Bottlenecks

High latency can significantly impact application performance. Using ping with different packet sizes and intervals helps identify performance issues:

  • Baseline latency: Establish normal RTT values for key network paths
  • Packet size testing: Increase packet sizes to detect fragmentation issues
  • Continuous monitoring: Run extended ping tests to detect intermittent problems

For example, if small packets show normal latency but large packets exhibit high latency or loss, this might indicate MTU or fragmentation issues along the path.

Tracing Network Paths

Traceroute provides visibility into routing paths, helping identify:

  • Routing inefficiencies: Detect when traffic takes unexpected paths
  • Failing network segments: Identify specific segments with high latency or packet loss
  • Asymmetric routing: Combined with reverse traceroute to detect when return paths differ from outbound paths

When traceroute shows increasing latency at specific hops, this often points to congestion or hardware limitations at those points in the network.

Finding the “Breaking Point”

When connectivity fails completely, traceroute helps identify the last responsive hop in the path:

  1. The last responding router before timeouts begin may be the problematic device
  2. Multiple consecutive timeouts might indicate a firewall blocking ICMP/UDP traffic
  3. Reaching the destination but seeing service unavailability suggests application-layer issues

Limitations and Challenges

Firewall and Security Considerations

Modern networks often restrict ICMP and UDP traffic for security reasons:

  • ICMP filtering: Many firewalls and routers block ICMP Echo Requests/Replies
  • Rate limiting: Some devices limit ICMP response rates to prevent DoS attacks
  • Path asymmetry: Return packets may take different routes than outbound ones

These security measures can lead to incomplete or misleading results. For example, a host might be reachable but not respond to ping, or traceroute might show timeouts despite functional connectivity.

Interpreting Results Correctly

Several factors can complicate interpretation:

  • Silent hops: Routers configured not to send ICMP Time Exceeded messages
  • Load balancing: Multiple paths between source and destination can cause inconsistent results
  • MPLS networks: May hide internal network structure
  • QoS policies: Traffic prioritization may affect probe packets differently than real traffic

IPv6 Considerations

As networks transition to IPv6, some important differences emerge:

  • IPv6 uses ICMPv6 instead of ICMP
  • Path MTU discovery works differently in IPv6 networks
  • IPv6 addresses make visual interpretation of output more challenging
  • Some routers process IPv4 and IPv6 traffic with different priorities

Advanced Techniques and Extensions

MTR (My Traceroute)

MTR combines the functionality of ping and traceroute into a single, real-time network diagnostic tool:

  • Continuously updates statistics for each hop
  • Shows packet loss at each node
  • Calculates standard deviation of latency
  • Provides longer-term monitoring in a single view

Example MTR output:

                                         My traceroute  [v0.95]
host.local (192.168.1.5) -> 8.8.8.8                       2023-10-20T14:25:01+0000
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                         Packets               Pings
 Host                                  Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. router.home                         0.0%    10    1.5   1.7   1.4   2.0   0.2
 2. 192.0.2.1                           0.0%    10    8.7  10.1   8.7  11.3   0.9
 3. isp-aggregation-router.net          0.0%    10   12.0  12.5  11.1  14.2   1.0
 4. isp-core-router.net                 0.0%    10   13.2  13.7  12.9  14.5   0.5
 5. internet-exchange-point.net         0.0%    10   14.1  14.3  13.8  15.1   0.4
 6. google-peer-router.net              0.0%    10   13.5  13.8  13.0  14.7   0.5
 7. ???                                100.0    10    0.0   0.0   0.0   0.0   0.0
 8. dns-server.google.com               0.0%     9   12.1  12.4  12.0  13.1   0.3

Protocol-Specific Traceroute

Traditional traceroute may not accurately reflect the path taken by specific application traffic. Protocol-specific variants help address this:

  • tcptraceroute: Uses TCP SYN packets, better reflecting real TCP traffic paths
  • Layer 4 traceroute (LFT): Provides advanced options for TCP tracing
  • UDP-based applications: Can use specialized traceroute variants that match application patterns

Scripting and Automation

For system administrators, integrating ping and traceroute into monitoring solutions provides ongoing visibility:

  • Regular ping tests to critical hosts with alert thresholds
  • Scheduled traceroutes to detect routing changes
  • Correlation of network path data with application performance metrics
  • Long-term trend analysis for capacity planning

Integration with Other Network Tools

Packet Capture Analysis

Wireshark or tcpdump can complement ping and traceroute by capturing actual packets:

  • Verify that ICMP packets are leaving the source system
  • Examine responses for unusual flags or content
  • Identify packet fragmentation or other low-level issues

Network Flow Analysis

NetFlow, sFlow, or IPFIX data provides broader context:

  • Verify if other traffic types are successfully traversing the same path
  • Identify congestion patterns affecting specific routes
  • Compare traffic volumes with link capacities along the path

Looking Glass Servers

For troubleshooting internet routing issues, Looking Glass servers allow running traceroute from remote locations:

  • Test connectivity from multiple geographic perspectives
  • Identify if problems are localized to specific regions or providers
  • Verify BGP routing announcements are propagating correctly

Conclusion

Ping and traceroute remain indispensable tools in network troubleshooting despite their age and simplicity. They provide quick, accessible insights into network behavior that help technicians, administrators, and engineers diagnose a wide range of connectivity issues. While modern networks introduce complexities that can make their results less straightforward to interpret, understanding how these tools work and their limitations is essential knowledge for anyone working with networked systems.

When used appropriately and in combination with other diagnostic tools, ping and traceroute continue to serve as the first line of defense against network problems, helping quickly narrow down issues from the vast complexity of modern networks to specific segments, devices, or configurations that require attention.

As networks continue to evolve with technologies like SD-WAN, cloud networking, and containerized applications, these fundamental tools adapt accordingly, with new variants and extensions that maintain their relevance in the network administrator’s toolkit. Mastering these utilities provides a solid foundation for more advanced network troubleshooting and optimization work.


< Network Diagnostic ToolsTroubleshooting Connectivity Issues on Data Communications and Networking >