Tracing the Internet – Part 1: ICMP, TTL, Ping & Tracert

When your internet connection is slow or a device isn't responding, most people turn to familiar tools like ping, tracert, or ipconfig. These are basic network diagnostic tools available on Windows. Despite their simplicity and command line interfaces, they are powerful tools.

In this post, we’ll take a look at how these basic network tools work, why they are useful, and also explore attacks like Ping of Death, ICMP Flood, and Smurf Attack that exploit the very protocols these tools rely on — ICMP.

Internet Control Message Protocol (ICMP) & Time To Live (TTL)

The Internet Control Message Protocol (ICMP) is one of the protocols that operates at the Network Layer of the OSI model. Its primary use is to verify whether the data transmission process — between two or more devices — is reaching its destination and doing so on time.

If something goes wrong — like a packet can't reach its destination or takes too long — ICMP lets the sender know, so the data can be resent.

ICMP is simply a protocol for communicating information about data, but it does not manage the data itself. That’s why ICMP is the backbone of diagnostic tools like ping and tracert. For example, when you use ping, you're actually sending ICMP Echo Requests to another device.

It plays a crucial role in:

• Error reporting
• Testing reachability
• Measuring response time

One important note: when we say ICMP operates at the network layer, this does not mean ICMP has its own layer within the OSI model. Rather, IP works in conjunction with protocols like ICMP, ARP, and RARP to process incoming or outgoing data.

---

To better understand tools like tracert, we need to look at a key concept: Time to Live (TTL).

Every IP packet includes a TTL value in IPv4 (or Hop Limit in IPv6). This 8-bit field determines how long a packet is allowed to travel through the network before it is discarded.

Each time a packet is passed from one router to the next — a process known as a hop — the TTL is reduced by 1. If the TTL reaches 0 before the packet reaches its destination, the current router discards it and (typically) sends back an ICMP "Time Exceeded" message to the sender.

This mechanism prevents packets from endlessly circulating in routing loops and helps ensure a healthier, more efficient network.

TTL is an 8-bit value, meaning the maximum possible TTL is 255. While it was originally meant to represent seconds, in modern networking, TTL is used as a hop counter — not a time-based value.

Think of TTL like a gas tank for your packet — every router it hits uses a little fuel. Once the tank is empty, the trip is over.

Default TTL/Hop Limit Values by OS

Different operating systems set different default TTL values for outgoing packets. Here are a few examples:

• Linux kernel 2.4 (2001): 255 for TCP, UDP, and ICMP
• Linux kernel 4.10 (2015): 64 for TCP, UDP, and ICMP
• Windows XP (2001): 128 for TCP, UDP, and ICMP
• Windows 10 (2015): 128 for TCP, UDP, and ICMP
• Windows Server 2008: 128 for TCP, UDP, and ICMP
• Windows Server 2019 (2018): 128 for TCP, UDP, and ICMP
• macOS (2001+): 64 for TCP, UDP, and ICMP

Because different systems use different default TTL values, it's sometimes possible to make an educated guess about a device's operating system by analyzing the TTL of a packet it sends — especially if you know approximately how many hops away it is.

The ping Command

At its core, ping is a command-line tool used to test connectivity between your computer and another device — like a server, website, or another machine on your network.

It works by sending ICMP Echo Request packets to the destination and waiting for ICMP Echo Reply packets in return.

What a Successful Ping Tells You

• The device is reachable.
• The network connection is alive (at least at that moment).
• You get a basic idea of latency (delay in milliseconds).

What a Failed Ping Might Mean

• The host is down or unreachable.
• ICMP is being blocked by a firewall.
• There's a DNS resolution issue.
• There’s a routing problem.

Syntax

On Windows, the syntax for the ping command looks like this:

ping <hostname or IP address>

For example, running ping google.com might produce output like this:

Pinging google.com [142.250.190.78] with 32 bytes of data:
Reply from 142.250.190.78: bytes=32 time=20ms TTL=115
Reply from 142.250.190.78: bytes=32 time=21ms TTL=115
Reply from 142.250.190.78: bytes=32 time=19ms TTL=115
Reply from 142.250.190.78: bytes=32 time=20ms TTL=115

Ping statistics for 142.250.190.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 21ms, Average = 20ms

Understanding the Output

• bytes: The size of the packet (usually 32 bytes on Windows)
• time: How long it took to get a response (in milliseconds)
• TTL: Time To Live remaining (helps infer the number of hops)
• Packet Loss: If some pings don't get replies, it's shown here

Keep in mind: a failed ping isn’t always a sign of a down server. Many modern firewalls or servers block ICMP traffic for security reasons. That’s why tools like tracert are useful for deeper analysis.

The tracert Command

While ping tells you if a device is reachable, it doesn't tell you how your data gets there. That’s where tracert (short for trace route) comes in.

According to Microsoft’s own documentation, tracert works by sending ICMP Echo packets to the destination with increasing TTL values. Each router along the way decreases that TTL by 1. When a router receives a packet with TTL = 0, it sends back an ICMP “Time Exceeded” message — which is how tracert learns what that hop was.

• The first packet starts with TTL = 1 and fails at the first hop.
• The second goes out with TTL = 2, reaches the second hop, and fails there.
• This continues until the destination is reached or the max TTL is hit.

Not all routers respond to these expired packets. Some silently drop them (which is why you might see * * * in your trace). By default, tracert performs a DNS lookup on each IP it receives. If you don’t want that (and want faster results), use -d to skip hostname resolution.

On Windows, the syntax for the tracert command looks like this:
tracert <hostname or IP address>

If you use tracert on google.com, it might look like this:

Tracing route to google.com [142.250.190.78]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    11 ms     8 ms    10 ms  10.70.1.1
  3    20 ms    18 ms    19 ms  74.125.50.10
  ...
 10    25 ms    27 ms    26 ms  142.250.190.78

Trace complete.

How to Read the Output

• The number at the start is the hop count — how many routers deep the packet is at that stage.
• The three time values (e.g. 11 ms, 8 ms, 10 ms) are response times for three separate ICMP packets sent to that hop — helping you identify consistent delays or packet loss.
• The IP address at the end is the router or node the packet hit at that hop.

Sometimes a hop might look like this:

  2     *        *        *     Request timed out.

This usually means your packet reached that hop, but the router didn’t send back an ICMP "Time Exceeded" message in response.

Some routers (often enterprise firewalls or ISP routers) are configured to drop ICMP traffic. They still forward your packet to the next hop but ignore TTL-expired ICMP requests and don't reply.

A timeout does not necessarily mean failure. If the trace continues after the timeout, it means that hop didn't respond, but your packet moves on.

However, a subsequent timeout could indicate:
- a firewall blocking all outgoing ICMP replies
- a downed router
- or simply, your destination is unreachable

Part 1 concluded.