Ping and ICMP Checks

The ping command is a conversation with the network. You send a question—"Are you there?"—and the network answers in latency, packet loss, and sometimes silence. Learning to interpret these responses is the skill.

The Echo Request and Reply

When you ping a host, your computer sends an ICMP Echo Request packet. If the host is reachable and willing to respond, it sends back an Echo Reply. The time between sending and receiving is the round-trip time (RTT)—commonly called latency or ping time.

This simple exchange reveals several things at once:

Reachability: A reply means every router and switch between you and the target successfully forwarded packets in both directions. The network path works.

Latency: Round-trip time indicates how long packets take to traverse the path. Under 10ms suggests nearby hosts on fast connections. Over 100ms indicates distance or congestion.

Packet Loss: If some requests never get replies, packets are dying somewhere in the network. Even 5% loss can devastate real-time applications.

Stability: Consistent latency suggests a stable path. Wildly variable latency (jitter) indicates congestion, competing traffic, or routing instability.

What Ping Can't Tell You

Ping checks network-layer connectivity. A server might respond to pings while every application on it has crashed. Conversely, many servers respond to HTTP requests but ignore pings entirely—administrators disable ICMP for security reasons.

This distinction shapes monitoring strategy. Ping answers "Can I reach this host on the network?" HTTP and TCP checks answer "Is this service functioning?" Both questions matter, but they're different questions.

Many monitoring systems use ping as a first-level check. If ping fails, there's no point attempting application checks—the host isn't reachable. This saves resources and clarifies troubleshooting.

Reading Latency

Latency tells stories about the network:

Physics constrains the minimum. Light travels about 200 kilometers per millisecond through fiber. Pinging a server 1,000 kilometers away can't produce latency below roughly 10ms round-trip, no matter how fast the equipment. Cross-continental pings typically show 100-300ms on optimal routes.

Each router adds delay. More hops generally mean higher latency, though modern routers add only microseconds.

Congestion creates queues. When links approach capacity, routers buffer packets, adding delay. Latency spikes during business hours often indicate congested links.

Routing changes shift baselines. Latency sometimes jumps to a new value and stays there. This often means traffic now routes through a different, longer path.

Priority affects measurement. Some networks deprioritize ICMP. Ping might show worse latency than your actual application traffic experiences.

Reading Packet Loss

How packets die reveals what's killing them:

Random loss (occasional dropped packets, 1-5%) suggests radio interference on WiFi, bit errors on cables, or oversubscribed links. Some random loss is normal on many networks.

Burst loss (several consecutive packets) indicates momentary outages—a cable unplugged briefly, a router rebooting, a wireless connection dropping and reconnecting.

Steady loss (consistent percentage) means sustained congestion or failing hardware. A damaged cable might successfully transmit 70% of packets while corrupting the rest.

Complete loss means the host is down, firewalls are blocking ICMP, or network connectivity has entirely failed.

When Ping Lies

Many networks restrict ICMP for security reasons, and these restrictions can make ping misleading:

Blocking: Security-conscious administrators configure firewalls to drop ICMP Echo Requests from the Internet. The host is perfectly reachable—it just won't answer ping.

Rate limiting: Some networks allow ICMP but throttle responses to prevent ping flood attacks. Your monitoring sees packet loss that doesn't reflect actual network conditions.

Directional blocking: Networks might allow outbound pings but block inbound. You can't ping in, but internal hosts can ping out.

These restrictions make ping unreliable for monitoring Internet-facing services. HTTP or TCP checks prove more dependable since they test actual service functionality.

Tuning Your Checks

How you ping affects what you measure:

Interval: Short intervals (1-5 seconds) reveal momentary issues—important for VoIP or gaming where brief delays matter. Long intervals (30-60 seconds) reduce overhead when you only care about general reachability.

Sample size: Sending multiple pings per check provides statistics. Ten pings yield minimum, average, maximum latency plus packet loss percentage. This reveals patterns a single ping misses.

Packet size: Small packets (56-64 bytes) test basic connectivity. Large packets (1400+ bytes) approach the MTU of most networks, testing whether the path handles full-size packets. Some equipment handles small packets fine but drops or fragments large ones.

Traceroute: Mapping the Path

Traceroute extends ping to reveal the entire network path.

It sends packets with increasing TTL (Time To Live) values. The first packet has TTL=1 and expires at the first router, which returns an ICMP Time Exceeded message revealing its address. The second packet reaches the second router. Continuing maps the complete path.

This reveals where problems live. If latency suddenly spikes at hop 7, the issue lies between hop 6 and 7. Router names often indicate locations (router-nyc.example.com), showing which cities your packets traverse.

One catch: packets might take different paths in each direction. Traceroute shows only the outbound path. Return traffic might use completely different routers. Your round-trip time is really two different journeys.

Internal vs. External Monitoring

Ping serves different purposes depending on what you're monitoring:

Internal infrastructure: Pinging servers and network equipment monitors your own network. Latency should be low and consistent. Unexpected increases indicate switch, router, or cabling problems.

External services: Pinging external destinations verifies Internet connectivity. If you can't ping well-known hosts, your Internet connection has problems.

Gateway testing: Pinging your router verifies local network connectivity. If the gateway responds but external hosts don't, the problem lies beyond your local network.

Interpreting Responses

Different responses indicate different problems:

Timeout: No response arrived. The host might be down, firewalls might block ICMP, or connectivity failed completely. A timeout isn't silence—it's the network refusing to answer, and that refusal tells you something.

Destination Unreachable: A router along the path knows the destination isn't reachable. Unlike timeout, you received a response—just not from who you asked.

Increasing latency: Gradually rising response times often precede complete failure. A server under excessive load shows increasing latency before becoming unresponsive.

Key Takeaways

Ping asks the network a simple question and interprets the answer. Latency reveals distance, congestion, and routing. Packet loss patterns distinguish interference from congestion from hardware failure. But ping has limits: successful pings prove network connectivity, not service functionality. Many networks block or throttle ICMP, making ping unreliable for public-facing services. Ping excels at monitoring internal infrastructure and diagnosing connectivity problems—just remember it's testing the network path, not the application at the end of it.