Networking Interview Prep
Diagnostic Tools

Ping

Testing Network Reachability

LinkedIn Hook

You've been staring at a broken connection for 20 minutes. Is the server down? Is it your network? Is it DNS?

Most engineers just refresh the browser and hope.

Senior engineers type three letters: ping

In this lesson you'll learn exactly what ping tells you, how to read every number in its output, and how to use it as the first step in any network diagnostic. It's one of the most common tools you'll be asked about in networking interviews — and most candidates only know half the story.

Read the full lesson → [link]

#Networking #InterviewPrep #SoftwareEngineering

Ping thumbnail

What You'll Learn

  • What ping does under the hood and which protocol it uses
  • How to read every field in a ping output — bytes, icmp_seq, TTL, RTT
  • What TTL values reveal about a target host's operating system
  • How to use ping as a step-by-step diagnostic ladder
  • Why a blocked ping does not mean a server is offline
  • Useful ping flags for Linux, macOS, and Windows
  • What to say in an interview when ping-related questions come up

The Marco Polo Analogy

Imagine you're in a swimming pool with your eyes closed. You shout "Marco!" and wait. If someone shouts back "Polo!", you know two things: they exist, and they're close enough for sound to travel between you. If there's silence, either nobody is there, or something is blocking the sound.

Ping works exactly like this. Your machine shouts "Marco!" — an ICMP Echo Request — and waits for the target to shout back "Polo!" — an ICMP Echo Reply. If a reply arrives, the target is reachable. The time between shout and reply is your round-trip time. If there's silence, something went wrong between you and the target — but critically, silence doesn't always mean nobody is home.

What Ping Actually Does

Ping sends ICMP Echo Request packets to a target host and listens for ICMP Echo Reply packets in return. For each packet that completes the round trip, ping reports the time elapsed. At the end of a ping session, it prints a summary showing how many packets were sent, how many came back, and the min/average/max round-trip times.

This gives you an immediate answer to the most fundamental networking question: can my machine reach that host, and how long does the trip take?

ICMP — The Protocol Behind Ping

Ping does not use TCP or UDP. It uses ICMP — Internet Control Message Protocol.

ICMP is a Layer 3 (Network layer) protocol. Because it operates at the Network layer alongside IP, it has no concept of ports. You cannot say "ping port 80." Ping is purely about reachability at the IP level, not about specific services.

ICMP messages are identified by type and code numbers:

ICMP TypeNameMeaning
8Echo Request"Are you there?" — sent by ping
0Echo Reply"Yes, I'm here." — sent back by the target
3Destination UnreachableA router could not forward the packet
11Time ExceededTTL reached zero before arriving (used by traceroute)

When you run ping, your OS crafts a Type 8 packet, sends it to the target IP, and waits for a Type 0 reply. The payload is a small chunk of data (typically 56 bytes on Linux/macOS, 32 bytes on Windows) — just enough to confirm the reply matched the request.

Basic Usage

# Ping by hostname (tests DNS + network)
ping google.com

# Ping by IP address (tests network only, no DNS)
ping 8.8.8.8

# Ping localhost (tests your own TCP/IP stack, no network needed)
ping localhost
ping 127.0.0.1

# Linux/macOS: send exactly 4 packets then stop
ping -c 4 google.com

# Windows: send exactly 4 packets (Windows default is already 4)
ping -n 4 google.com

# Windows: ping continuously until Ctrl+C
ping -t google.com

Reading Ping Output — Line by Line

Here is a real ping output from a Linux/macOS terminal. Every part of it carries information:

PING google.com (142.250.80.46): 56 data bytes
64 bytes from 142.250.80.46: icmp_seq=0 ttl=118 time=12.4 ms
64 bytes from 142.250.80.46: icmp_seq=1 ttl=118 time=11.8 ms
64 bytes from 142.250.80.46: icmp_seq=2 ttl=118 time=13.1 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 11.8/12.4/13.1/0.54 ms

Header Line

PING google.com (142.250.80.46): 56 data bytes
  • google.com — the hostname you pinged
  • 142.250.80.46 — the IP address DNS resolved it to (confirmation that DNS worked)
  • 56 data bytes — the payload size your machine is sending per packet

Per-Packet Lines

64 bytes from 142.250.80.46: icmp_seq=0 ttl=118 time=12.4 ms
FieldValueWhat It Means
64 bytespacket size56 bytes payload + 8 bytes ICMP header = 64 bytes total
from 142.250.80.46source IPthe machine that replied
icmp_seq=0sequence numberfirst packet (starts at 0). Gaps reveal dropped packets
ttl=118Time To Livehops remaining when the reply arrived (explained below)
time=12.4 msround-trip timemilliseconds from send to receive — your key latency metric

Statistics Block

3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 11.8/12.4/13.1/0.54 ms
FieldValueWhat It Means
3 packets transmittedsenthow many Echo Requests left your machine
3 receivedreceivedhow many Echo Replies came back
0% packet lossloss rate(transmitted - received) / transmitted × 100
time 2003mselapsedwall-clock time for the whole session
rtt min11.8 msfastest single round trip
rtt avg12.4 msmean round-trip time
rtt max13.1 msslowest single round trip
rtt mdev0.54 msmean deviation (standard deviation) — measures jitter

A low mdev (like 0.54 ms here) means a stable, consistent connection. A high mdev means jitter — latency is jumping around, which is bad for real-time applications like video calls or VoIP.

TTL — Time To Live

TTL is a counter stamped on every IP packet. Every router that forwards the packet decrements TTL by 1. When TTL hits zero, the router drops the packet and sends back an ICMP "Time Exceeded" message. This prevents packets from looping forever in the internet.

What TTL Tells You About the Target

Different operating systems use different starting TTL values:

Starting TTLLikely OS
64Linux / macOS / Android
128Windows
255Cisco routers / some Unix / network equipment

When a ping reply arrives with ttl=118, you reason: 128 − 118 = 10 hops traversed → the target is likely a Windows machine (or a server behind a Windows-origin path) about 10 routers away.

When a reply arrives with ttl=54, you reason: 64 − 54 = 10 hops → likely a Linux machine the same 10 hops away.

This lets you fingerprint the remote OS without any specialized tool — just ping. Interviewers love this detail.

TTL in the Example Above

ttl=118

118 is close to 128, not to 64 or 255. So: started at 128 (Windows default), crossed approximately 10 routers. Google's servers run Linux, but network appliances or load balancers in the path may have adjusted this. In practice, you use TTL as a rough signal, not a definitive declaration.

The Ping Diagnostic Ladder

Use ping as a systematic ladder, not a one-shot command. Each rung isolates a different layer of the problem:

STEP 1: ping 127.0.0.1
        Tests your own TCP/IP stack.
        Fail here = your OS networking is broken. No further debugging needed yet.

STEP 2: ping <your router IP>  (e.g., 192.168.1.1)
        Tests your local network (Ethernet/Wi-Fi).
        Fail here = LAN problem. Router offline, cable unplugged, Wi-Fi disconnected.

STEP 3: ping 8.8.8.8  (Google's public DNS, by IP)
        Tests internet connectivity WITHOUT DNS.
        Fail here = ISP or WAN problem. DNS is not the issue.

STEP 4: ping google.com  (by hostname)
        Tests DNS resolution AND internet connectivity.
        Fail here (but step 3 works) = DNS failure only.
        Both work = full connectivity confirmed.

This ladder is the single most useful framework for network triage. Memorize it.

Interpreting Ping Outcomes

Request Timeout / 100% Packet Loss

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss

Possible causes:

  • The host is offline or unreachable
  • A firewall is blocking ICMP (host may still be running — see below)
  • The route to the host is broken

High Latency

time=320.4 ms
time=415.7 ms

For a domestic server, anything above 100–150 ms is elevated; above 200 ms is a problem. Causes: network congestion, suboptimal routing, geographically distant server, or a heavily loaded intermediate router.

Intermittent Packet Loss

64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=12.4 ms
Request timeout for icmp_seq 1
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=13.1 ms
Request timeout for icmp_seq 3

Even 1-2% packet loss is significant — TCP retransmits on every dropped packet, which can halve your effective throughput. Causes: unstable connection (Wi-Fi interference, bad cable), overloaded router dropping excess packets, or QoS policies deprioritizing ICMP.

Works to Router, Fails Beyond

ping 192.168.1.1   --> 100% success
ping 8.8.8.8       --> 100% packet loss

Your local network is fine. The problem is between your router and the internet — almost certainly an ISP issue.

Step 3 Works, Step 4 Fails

ping 8.8.8.8     --> 100% success
ping google.com  --> cannot resolve host

Internet connectivity is fine. DNS resolution is broken. Check your DNS server configuration.

Why Some Servers Block Ping

Many production servers and cloud instances are configured to silently drop ICMP Echo Requests. A firewall rule like DROP icmp --icmp-type echo-request makes the host invisible to ping while it continues serving HTTP, SSH, or any other traffic normally.

Reasons servers block ping:

  • Security through obscurity: reduces network mapping by attackers running mass ping sweeps
  • DDoS prevention: ICMP can be used in amplification and flood attacks
  • Policy: some corporate environments prohibit external ICMP responses

Critical interview point: A server not responding to ping is not evidence that it is down. Always verify with a service-specific tool (curl, telnet, nc) before concluding a host is unreachable.

# Ping fails — but the web server might still be up:
curl -I https://example.com

# Check if a specific TCP port is open:
nc -zv example.com 443

Useful Ping Flags

Linux / macOS

# Send exactly N packets
ping -c 4 google.com

# Set interval between packets (default 1s; 0.2s = flood test, requires root)
ping -i 0.5 google.com

# Set packet payload size in bytes (default 56)
ping -s 1024 google.com

# Set timeout per packet in seconds (Linux)
ping -W 2 google.com

# Combine: 10 packets, 0.5s apart, large payload
ping -c 10 -i 0.5 -s 512 google.com

Windows

# Send exactly N packets (default is 4)
ping -n 10 google.com

# Ping continuously until Ctrl+C
ping -t google.com

# Set packet size in bytes (default 32)
ping -l 1024 google.com

# Set TTL on outgoing packets
ping -i 5 google.com

# Resolve addresses to hostnames
ping -a google.com

Linux vs Windows Default Behavior

BehaviorLinux / macOSWindows
Default packet countInfinite (until Ctrl+C)4 packets
Default payload size56 bytes32 bytes
Stop after N packets-c N-n N
Continuous ping(default)-t
Packet size flag-s N-l N
Per-packet timeout-W N-w N (ms)

Common Mistakes

  • Concluding a server is down because ping fails. Ping uses ICMP, and ICMP can be blocked by firewalls at the host, the cloud provider, or any hop in between. The web server, SSH daemon, or database may be perfectly healthy and serving requests while every ping times out. Always follow up a failed ping with a service-level check before escalating.

  • Not distinguishing between DNS failure and network failure. If you only run ping google.com and it fails, you cannot tell whether the internet is down or DNS is broken. Running ping 8.8.8.8 first isolates the two problems. If the IP ping works and the hostname ping fails, the internet is fine — your DNS resolver is the culprit.

  • Ignoring packet loss percentage. Engineers often dismiss 1-2% packet loss as "basically working." At the TCP level, this is a serious problem. TCP treats every lost segment as a congestion signal and backs off its sending rate. A sustained 1% loss can degrade TCP throughput by 50% or more. Always treat any packet loss as a problem worth investigating.

Interview Questions

Q: What protocol does ping use and what layer is it on?

Ping uses ICMP — Internet Control Message Protocol — which operates at Layer 3 (the Network layer). It is not TCP or UDP and has no concept of ports. Ping specifically uses ICMP Type 8 (Echo Request) sent to the target and ICMP Type 0 (Echo Reply) received in return.

Q: What does TTL mean in ping output and what can you infer from it?

TTL stands for Time To Live. It is a counter on every IP packet that each router decrements by 1 before forwarding. When TTL reaches zero, the router drops the packet and sends back an ICMP Time Exceeded message — this prevents infinite routing loops. In ping output, the TTL value shown is what remained when the reply arrived at your machine. By knowing the common starting TTL values (64 for Linux/macOS, 128 for Windows, 255 for network equipment), you can estimate the target OS and the approximate hop count. For example, ttl=118 suggests the packet started at 128 (Windows) and crossed roughly 10 routers.

Q: If ping to 8.8.8.8 works but ping to google.com fails, what is the likely cause?

DNS resolution is failing. The fact that ping 8.8.8.8 succeeds proves internet connectivity is intact — packets can reach Google's infrastructure. The fact that ping google.com fails means your machine cannot resolve the hostname to an IP address. The DNS resolver (configured in /etc/resolv.conf on Linux or network adapter settings on Windows) is either unreachable, returning an error, or misconfigured.

Q: Why might a server be running but not respond to ping?

The server's firewall (or a network firewall upstream) may be configured to drop ICMP Echo Request packets. This is a common security posture — it prevents network mapping and reduces attack surface. The server continues to handle TCP connections (HTTP, SSH, etc.) normally. A lack of ping response is never sufficient evidence that a server is down; always verify with a protocol-specific check like curl, nc, or an application-level health endpoint.

Quick Reference — Cheat Sheet

Ping Diagnostic Decision Tree

                    START: Something is broken
                              |
                    +---------+---------+
                    |                   |
            ping 127.0.0.1         FAILS?
                    |                   |
               Succeeds             TCP/IP stack broken
                    |               Reinstall network drivers
                    |
            ping <router IP>   (e.g., 192.168.1.1)
                    |
               Succeeds?
            /           \
          NO              YES
          |                |
      LAN broken       ping 8.8.8.8
      (cable/Wi-Fi)        |
                       Succeeds?
                      /         \
                    NO            YES
                    |              |
                ISP/WAN       ping google.com
                problem            |
                               Succeeds?
                              /         \
                            NO            YES
                            |              |
                       DNS broken      Full connectivity
                       Check resolver  Problem is elsewhere

Common Ping Outputs and Their Meaning

OutputMeaningNext Step
0% packet loss, time ~10msFull connectivity, low latencyNormal — no action needed
0% packet loss, time ~200ms+Reachable but high latencyCheck routing, server load, geographic distance
1-5% packet lossUnstable connectionCheck Wi-Fi signal, cables, router health
>10% packet lossSeverely degraded pathLikely hardware, ISP, or congested router
100% packet lossUnreachable OR ICMP blockedTry service-level check; use ping ladder
Request timeoutNo reply within timeout windowSame as 100% loss
Unknown hostDNS resolution failedCheck DNS config, try ping 8.8.8.8
Network unreachableNo route to hostCheck default gateway, routing table
TTL expired in transitTTL set too lowPacket died before reaching target

Useful Ping Flags — Side by Side

PurposeLinux / macOSWindows
Limit packet countping -c 4 hostping -n 4 host
Ping continuously(default)ping -t host
Set payload sizeping -s 512 hostping -l 512 host
Set packet intervalping -i 0.5 host
Set per-packet timeoutping -W 2 hostping -w 2000 host (ms)
Set outgoing TTLping -m 10 hostping -i 10 host
Resolve to hostnamesping -a host

ICMP Type Quick Reference

Type  8  →  Echo Request   (ping sends this)
Type  0  →  Echo Reply     (target sends this back)
Type  3  →  Destination Unreachable
Type 11  →  Time Exceeded  (TTL expired — used by traceroute)

Previous: Lesson 6.4 → Next: Lesson 7.2 →

This is Lesson 7.1 of the Networking Interview Prep Course — 8 chapters, 32 lessons.

DNS in Practice

Setup, Debugging & Developer Tools

Traceroute

Mapping the Path Across the Internet

On this page

LinkedIn HookWhat You'll LearnThe Marco Polo AnalogyWhat Ping Actually DoesICMP — The Protocol Behind PingBasic UsageReading Ping Output — Line by LineHeader LinePer-Packet LinesStatistics BlockTTL — Time To LiveWhat TTL Tells You About the TargetTTL in the Example AboveThe Ping Diagnostic LadderInterpreting Ping OutcomesRequest Timeout / 100% Packet LossHigh LatencyIntermittent Packet LossWorks to Router, Fails BeyondStep 3 Works, Step 4 FailsWhy Some Servers Block PingUseful Ping FlagsLinux / macOSWindowsLinux vs Windows Default BehaviorCommon MistakesInterview QuestionsQuick Reference — Cheat SheetPing Diagnostic Decision TreeCommon Ping Outputs and Their MeaningUseful Ping Flags — Side by SideICMP Type Quick Reference