cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1440
Views
10
Helpful
9
Replies
Pietro955
Beginner

ICMP packet curiosity

Hi guys... I have a question: why when we ping for the first time a pc which is located in another subnet the first packet will be always be lost?

9 REPLIES 9
omz
VIP Collaborator VIP Collaborator
VIP Collaborator

Hi 

The first packet is lost when the PC doesn't have mac address of the gateway or local PC .. 

PC sends ARP to resolve the IP address to MAC address .. once it learns the MAC address .. it can send the packet. If you ping again .. the first packet is not lost.

Oleg Volkov
Contributor

Because Your PC do not know hardware addres of the target.
PC need to resolve IP to MAC and then send ICMP packet with properly MAC address. It is case for L2 secment.
L3 same but ARP resolved by router. After router get ARP response, it can send ICMP packet to target PC
Also You can try to clear arp table and test it.
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Yes but how the pc sends the ARP request? I though the ARP request won't go through the router since and ARP request is a broadcast message...

Pc do not send ARP , pc send icmp packet to router, destination Mac - is Mac of the router and destination IP is IP of the target pc in other L2 segment. Router receive this packet, check self ARP table , and if this IP/MAC not in cache - send ARP .
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
omz
VIP Collaborator VIP Collaborator
VIP Collaborator

ARP doesnt go beyond router .. anything beyond router .. ARP will be for the default gateway i.e. router 

Screenshot 2020-05-22 at 20.21.12.png

 

ARP still needs to be resolved and that takes time.

 

Byte Solutions, Managed Computer Services
https://www.bytesolutions.com 561.338.9696
omz
VIP Collaborator VIP Collaborator
VIP Collaborator

I will share my understanding .. see if that helps :)

Ping is an application layer process.

Think about how the TCP/IP stack will be built .. going down the layers .. lets start from Layer 4 .. the Transport layer is skipped in Ping. Ping uses raw sockets; hence no ports are associated with ping. At Layer 3, Source and Destination IP addresses are filled with the Source of sending and Destination of the destination address in your ping.

 

1. The Ping process starts the next ping request.
2. The Ping process creates an ICMP Echo Request message and sends it to the lower process.
3. The source IP address is not specified. The device sets it to the port's IP address.
4. When the destination IP address is in the same subnet. The device sets the next-hop to destination.

4. When the destination IP address is not in the same subnet and is not the broadcast address.

It checks for the default gateway.
5. The default gateway is not set. The device drops the packet.
5. The default gateway is set. The device sets the next-hop to the default gateway.

 

How does the PC know if the destination address is in the same subnet? This is where Subnet Mask comes in.

The PC will do logical AND operation on the IP address and Subnet Mask.

 

192 . 168 . 1 . 1 <<< Source
255 . 255 . 255 . 0
11000000 10101000 00000001 00000001
11111111 11111111 11111111 00000000
11000000 10101000 00000001 00000001

192 . 168 . 1 . 2 <<< Destination
255 . 255 . 255 . 0 11000000 10101000 00000001 00000010 11111111 11111111 11111111 00000000 11000000 10101000 00000001 00000010 192 . 168 . 1 . 10 <<< Destination
255 . 255 . 255 . 0 11000000 10101000 00000001 00001010 11111111 11111111 11111111 00000000 11000000 10101000 00000001 00001010 192 . 168 . 10 . 2 <<< Destination on a different subnet
255 . 255 . 255 . 0 11000000 10101000 00001010 00000010 11111111 11111111 11111111 00000000 11000000 10101000 00001010 00000010

For the destination IPs (192.168.1.2 and 192.168.1.10) on the same subnet .. the AND operation result will be the same .. so PC knows its same subnet. For destination IP on a different subnet (192.168.10.2) the AND operation will be different. So it knows the destination is not local.

Hope this helps.

 

It would check for routes to the destination, not specifically the default gateway.

Byte Solutions, Managed Computer Services
https://www.bytesolutions.com 561.338.9696

I have several comments about this discussion:

- The original poster states that "the first packet will be always be lost?". My experience is that this is a generalization and a bit of an exaggeration. The first packet is sometimes lost. But sometimes all ping requests are successful.

- Fundamentally this is due to need to arp, as several responses have stated. But we need to be careful about where that arp might take place. Perhaps the PC originating the ping needs to arp for its default gateway. In this case the first ping packet will be lost. But perhaps the PC already has the mac address of the gateway. In that case the PC sends the ping request to its default gateway. The default gateway forwards the ping request to the router where the destination is locally connected. Perhaps that remote router needs to arp for the destination address. In that case the first ping packet is lost.

- It is true that in an ideal world the PC originating the ping would not arp for the destination when the destination is remote. But sometimes we are not in ideal worlds, and sometimes the PC originating the ping might arp for the remote destination. In that case whether there is a response to the arp request for the remote destination depends on whether proxy arp is enabled or not. If proxy arp is enabled (and if the local router has a valid route to the destination address) then the local router would respond to the arp request, and in the response would give its own mac address as the destination mac.

 

HTH

Rick
Content for Community-Ad