Unveiling the Ping Command: How ICMP and ARP Work Together
This article walks through the complete ping process, from setting up a Wireshark capture on two PCs to dissecting ICMP and ARP packets, explaining how ping uses ICMP, how ARP resolves MAC addresses, and why ARP caching affects subsequent ping measurements.
Overview
For programmers, the ping command is a familiar tool for checking network status, primarily to detect timeouts and high latency.
Environment Preparation and Capture
2.1 Environment Preparation
1. Capture tool: Wireshark.
2. Two computers are used for ping testing.
IP addresses:
Computer A: 192.168.2.135 MAC: 98:22:EF:E8:A8:87
Computer B: 192.168.2.179 MAC: 90:A4:DE:C2:DF:FE
2.2 Capture Operation
Open Wireshark, select the appropriate network interface, start capturing, and ping from computer A to computer B.
Capture results are shown below:
The Wireshark packet list panel has the following columns:
No. (packet number)
Time (timestamp)
Source (source address)
Destination (destination address)
Protocol (protocol type)
Length (packet length)
Info (additional packet info)
In-depth Analysis
The ping process is captured in packets 54‑132. Ping operates over the ICMP protocol rather than TCP or UDP.
3.1 Background of ICMP
RFC792 explains that ICMP was created to report errors and improve the efficiency of IP datagram delivery.
3.2 ICMP Data Format
The ICMP header is 4 bytes long and contains the type, code, and checksum fields.
A table of type and code meanings is provided for later reference.
3.3 ARP Protocol
In a LAN, ARP (Address Resolution Protocol) maps an IP address to its corresponding MAC address.
3.4 Ping Process Parsing
Detailed packet flow:
1. Computer A (192.168.2.135) initiates a ping request to 192.168.2.179.
2. A broadcasts an ARP request to discover B's MAC address.
3. B replies with its MAC address (90:A4:DE:C2:DF:FE).
4. With the MAC known, the actual ping request and response are exchanged using the MAC addresses.
Flow diagram:
After the four ping exchanges, B sends another ARP request to refresh its ARP cache. This occurs for two reasons: (1) to prevent cache expiration and ensure correct routing, and (2) because ARP consumes time, so caching the result saves time for subsequent pings.
Verification: a second ping is performed after the ARP cache is populated. The ARP cache is displayed with arp -a:
The second capture shows no ARP request before the ping, confirming that the cached ARP entry was used.
ICMP request details: Type=8, Code=0, checksum correct.
ICMP response details: Type=0, Code=0; latency calculated as 3379.764 ms − 3376.890 ms = 2.874 ms.
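The Type=8 / Type=0 fields and the checksum check read off the capture above can be reproduced in code. The following Python is an added example, not part of the original article: it builds and dissects ICMP echo messages and verifies the checksum. The identifier, sequence number and payload are constructed values, and the echo layout (identifier and sequence number following the 4-byte header) is taken from RFC 792.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the ICMP checksum."""
    if len(data) % 2:                      # pad odd-length data with a zero byte
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0), code 0."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)  # checksum field is zero while summing
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(message: bytes) -> dict:
    """Dissect an ICMP echo message into the fields Wireshark displays."""
    if len(message) < 8:
        raise ValueError("truncated ICMP echo message")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        # A valid message sums to zero when the checksum field is included.
        "checksum_ok": inet_checksum(message) == 0,
        "id": ident, "seq": seq, "payload": message[8:],
    }

def is_reply_to(request: dict, reply: dict) -> bool:
    """An echo reply answers a request when id, seq and payload all match."""
    return (request["type"] == 8 and reply["type"] == 0
            and request["code"] == reply["code"] == 0
            and (request["id"], request["seq"], request["payload"])
            == (reply["id"], reply["seq"], reply["payload"]))

def rtt_ms(request_time_ms: float, reply_time_ms: float) -> float:
    """Round-trip time from the two capture timestamps, in milliseconds."""
    return round(reply_time_ms - request_time_ms, 3)

if __name__ == "__main__":
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"   # constructed sample payload
    req = parse_icmp(build_echo(8, ident=1, seq=1, payload=payload))
    rep = parse_icmp(build_echo(0, ident=1, seq=1, payload=payload))
    print(req["type"], req["checksum_ok"], is_reply_to(req, rep))
    print(rtt_ms(3376.890, 3379.764), "ms")         # timestamps from the article
```

A message whose payload or header was altered in transit fails the `checksum_ok` test, which is what Wireshark reports as an incorrect checksum.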
Conclusion
Ping relies on the ICMP protocol, which was designed to improve IP datagram delivery. In a LAN environment, ping also uses ARP to resolve MAC addresses, and ARP caching is refreshed to maintain accuracy.