Ping Packet Decoded

This tutorial will partially decode an ICMP Echo or "Ping" packet as it appears on an Ethernet network.


Packet Representation On The Network

The following is a HEX dump of a simple ICMP echo or "ping" packet:

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                   wabcdefghi

The ping was initiated with the command:

C:> ping 192.168.1.64

The command sent the ICMP echo request with the default of 32 bytes of data.
The total length of the ping packet is 74 bytes.

The packet can be broken into the following protocol elements:

  1. Ethernet Header
  2. IP Datagram (packet)
    1. IP Header
    2. IP Data

1. Ethernet Header

The network media is Ethernet. This means that the first 14 bytes are the Ethernet Header:

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                   wabcdefghi

The 14 byte Ethernet Header includes three fields:

  • MAC Destination Address (0-5, 6 bytes) - 00-A0-CC-63-08-1B
  • MAC Source Address (6-11, 6 bytes)      - 00-40-95-49-03-5F
  • Ethernet Type Field (12-13, 2 bytes)      - 0x0800 (IP Datagram)

2. IP Datagram (packet)

The remaining 60 bytes (14-73) constitute the IP datagram itself:

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                   wabcdefghi

2.1 IP Header

The IP datagram begins at byte 14, which means that the IP Header also starts at byte 14. The 0x45 value found there is interpreted to mean that the packet is an IPv4 packet and that the IP Header length is five (5) 32-bit words (20 bytes), covering bytes 14-33:

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                   wabcdefghi

Here are decodes of a few key fields:

  • IP Version (14, high nibble)                     - [4] IPv4
  • IP Header Length (14, low nibble)           - [5] Five (5) 32-bit Words
  • Source IP Address (26-29, 4 bytes)          - 192.168.1.32 (C0.A8.01.20)
  • Destination IP Address (30-33, 4 bytes)   - 192.168.1.64 (C0.A8.01.40)

2.2 IP Data

Forty (40) bytes of IP Data follow the IP Header (34-73):

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69                   wabcdefghi

Of course, the IP Data in this case is, in fact, an ICMP Echo Request, including thirty-two (32) bytes of Echo Data (42-73).
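
The decode above can be reproduced in code. The following Python sketch is an added example, not part of the original tutorial: it parses the 74-byte frame from the hex dump with bounds checks at each layer, and goes one step beyond the text by decoding the 8-byte ICMP header (bytes 34-41) and verifying the IP and ICMP checksums. The names FRAME, inet_checksum_ok and decode_ping are chosen for this example.

```python
import struct

# The 74-byte frame from the hex dump on this page, retyped as a byte string.
FRAME = bytes.fromhex(
    "00 A0 CC 63 08 1B 00 40 95 49 03 5F 08 00 45 00 "
    "00 3C 82 47 00 00 20 01 94 C9 C0 A8 01 20 C0 A8 "
    "01 40 08 00 48 5C 01 00 04 00 61 62 63 64 65 66 "
    "67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 "
    "77 61 62 63 64 65 66 67 68 69")

def inet_checksum_ok(data):
    """RFC 1071 check: the one's-complement sum of a block that already
    contains a correct checksum field folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ping(frame):
    """Decode Ethernet + IPv4 + ICMP echo, rejecting inconsistent lengths."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet + IPv4 + ICMP headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("Ethernet type is not 0x0800 (IP datagram)")
    version, ihl = frame[14] >> 4, (frame[14] & 0x0F) * 4  # nibbles of byte 14
    total_len, = struct.unpack("!H", frame[16:18])
    # Trust the header only if its lengths fit inside what was captured.
    if version != 4 or ihl < 20 or total_len < ihl + 8 or 14 + total_len > len(frame):
        raise ValueError("inconsistent IPv4 header lengths")
    if frame[23] != 1:
        raise ValueError("IP protocol field is not 1 (ICMP)")
    ip_hdr = frame[14:14 + ihl]
    icmp = frame[14 + ihl:14 + total_len]  # ignores any Ethernet padding
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    mac = lambda b: "-".join("%02X" % x for x in b)
    return {
        "dst_mac": mac(dst), "src_mac": mac(src),
        "src_ip": ".".join(map(str, ip_hdr[12:16])),
        "dst_ip": ".".join(map(str, ip_hdr[16:20])),
        "ip_header_len": ihl, "ip_total_len": total_len,
        "ip_checksum_ok": inet_checksum_ok(ip_hdr),
        "icmp_type": icmp_type, "icmp_code": code,
        "icmp_id": ident, "icmp_seq": seq,
        "icmp_checksum_ok": inet_checksum_ok(icmp),
        "echo_data": icmp[8:],
    }

if __name__ == "__main__":
    for key, value in decode_ping(FRAME).items():
        print(key, value)
```

ICMP type 8 with code 0 identifies an Echo Request; the identifier and sequence number are read here in network byte order.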