Uncover How Ping Works: A Deep Dive into ICMP, ARP, and Wireshark Traces
By setting up two PCs, capturing traffic with Wireshark, and analyzing ICMP and ARP packets, this guide explains how the ping command measures latency and timeout, reveals the underlying ICMP protocol structure, and clarifies the role of ARP caching in network diagnostics.
What Ping Checks
Ping primarily examines two indicators: whether a request times out and whether the latency is excessively high. A timeout usually signals a network problem (unless ping is blocked), while high latency also indicates poor network conditions.
How Ping Works
Ping operates using the ICMP protocol rather than TCP or UDP. It sends an ICMP Echo Request and waits for an ICMP Echo Reply, measuring the round‑trip time.
Environment Setup and Packet Capture
Two computers are prepared for the experiment:
A computer – IP: 192.168.2.135, MAC: 98:22:EF:E8:A8:87
B computer – IP: 192.168.2.179, MAC: 90:A4:DE:C2:DF:FE
Wireshark is used to capture traffic on the selected network interface while A pings B.
Wireshark Capture Fields
No – packet number
Time – timestamp
Source – source address
Destination – destination address
Protocol – protocol type
Length – packet length
Info – additional information
Deep Analysis of ICMP
According to RFC 792, ICMP was created to report errors and improve the delivery of IP datagrams. The protocol operates at the network layer and is essential for tools like ping.
The ICMP header is 4 bytes long and contains fields for type, code, checksum, and other data.
ARP Protocol Overview
In a LAN, computers use MAC addresses for communication. ARP (Address Resolution Protocol) maps an IP address to its corresponding MAC address.
Ping Process Breakdown
A computer (192.168.2.135) sends a ping request to B (192.168.2.179).
A broadcasts an ARP request to discover B’s MAC address.
B replies with its MAC address.
With the MAC address known, A sends the actual ICMP Echo Request, and B sends its reply to the source MAC address of that request.
Why an Extra ARP After Ping?
After the four ping exchanges, B issues another ARP request. This is likely done to keep the ARP cache entry from expiring and to ensure the cache remains up to date for future communications.
Verification with a Second Ping
A second ping was performed after the ARP cache was populated. The capture shows no ARP request before the ping, confirming that the cached entry was used.
ICMP Packet Details
Inspecting a ping request shows Type = 8, Code = 0, with a correct checksum, indicating an Echo Request.
The corresponding response (frame 57) has Type = 0, Code = 0, confirming an Echo Reply. The round‑trip time is calculated from the timestamps (e.g., 3379.764 ms − 3376.890 ms = 2.874 ms).
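The checks described above can be reproduced offline. The following is an added example, not code from the original article: it builds an Echo Request and Echo Reply, verifies the checksum the way Wireshark does, and matches the reply to its request. The identifier, sequence number and payload are constructed sample values, and the layout assumes the identifier and sequence number fields that RFC 792 places after the type, code and checksum.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request/Reply: type, code=0, checksum, id, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(message: bytes) -> dict:
    """Decode an ICMP echo message and verify its checksum."""
    if len(message) < 8:
        raise ValueError("truncated ICMP echo message")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    names = {ICMP_ECHO_REQUEST: "Echo Request", ICMP_ECHO_REPLY: "Echo Reply"}
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "name": names.get(icmp_type, "other") if code == 0 else "other",
        # Summing a message that includes a valid checksum yields 0.
        "checksum_ok": internet_checksum(message) == 0,
        "payload": message[8:],
    }

def is_matching_reply(request: dict, reply: dict) -> bool:
    """A reply answers a request when id, sequence and data are echoed back."""
    return (reply["name"] == "Echo Reply" and request["name"] == "Echo Request"
            and reply["checksum_ok"]
            and (reply["id"], reply["seq"], reply["payload"])
            == (request["id"], request["seq"], request["payload"]))

# Constructed sample values (not taken from the article's capture).
REQUEST = build_echo(ICMP_ECHO_REQUEST, ident=0x0001, seq=1, payload=b"abcdefgh")
REPLY = build_echo(ICMP_ECHO_REPLY, ident=0x0001, seq=1, payload=b"abcdefgh")

if __name__ == "__main__":
    req, rep = parse_echo(REQUEST), parse_echo(REPLY)
    print(req["name"], req["checksum_ok"], rep["name"], is_matching_reply(req, rep))
```

A message whose payload was altered in transit fails the checksum test, and a reply with a different sequence number is not accepted as the answer to the request.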
Conclusion
The article walks through a complete ping transaction, showing that ping relies on the ICMP protocol for echo requests/replies and on ARP for MAC address resolution in a LAN. Understanding ICMP structure, ARP caching, and packet timing equips you to explain ping behavior confidently in interviews or troubleshooting scenarios.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
