ICMP, Ping, and Traceroute: How the Network Diagnostic Toolkit Works

Ping and traceroute are the two most-used network tools. The ICMP protocol underneath, what each test actually proves, and how to interpret the output.

You can’t reach a service. Is the host down? Is the network broken? Is the destination filtering you? The first commands you reach for are ping and traceroute. Both run on top of ICMP (Internet Control Message Protocol) — the internet’s diagnostic plumbing.

This post explains ICMP, how ping and traceroute use it, what the results actually tell you, and the limitations that catch out new and experienced engineers alike.

What ICMP Is

ICMP is a control protocol that rides on top of IP, alongside TCP and UDP. Unlike TCP/UDP, ICMP isn’t for application data — it’s for network-level messaging: error reports, diagnostics, and operational signaling.

Common ICMP message types:

IPv4 (ICMPv4)

  • Type 0 — Echo Reply (response to ping)
  • Type 3 — Destination Unreachable (with codes for “no route,” “filtered,” “fragmentation needed,” etc.)
  • Type 8 — Echo Request (ping)
  • Type 11 — Time Exceeded (used by traceroute)
  • Type 12 — Parameter Problem

IPv6 (ICMPv6)

  • Type 1 — Destination Unreachable
  • Type 2 — Packet Too Big (replaces IPv4’s “Fragmentation Needed”)
  • Type 3 — Time Exceeded
  • Type 128 — Echo Request
  • Type 129 — Echo Reply

ICMPv6 also handles Neighbor Discovery (replacing ARP) and Multicast Listener Discovery.

How Ping Works

Ping sends an ICMP Echo Request and waits for an ICMP Echo Reply:

Your host → Echo Request → target

Your host ← Echo Reply ←  target

The output shows round-trip time and the TTL of the reply:

$ ping example.com
PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: icmp_seq=0 ttl=56 time=12.3 ms
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=13.1 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=12.8 ms

What ping proves

  • Reachability — Your packets can reach the target and the replies can return.
  • Latency — Round-trip time gives a sense of network distance.
  • Packet loss — Missing replies suggest network issues.

What ping doesn’t prove

  • Service health. A host can respond to ping while its application is down.
  • One-way latency. Ping measures round-trip; if asymmetric routes have different latencies, you can’t tell.
  • No reply ≠ host is down. Many hosts filter ICMP. Cloud security groups often block it by default.

In 2026, “ping doesn’t work” is increasingly common as cloud services disable ICMP for security or noise reasons. Use nc -zv host port or curl -I for service-level checks.

How Traceroute Works

Traceroute is cleverer than it looks. It exploits the TTL field in IP headers.

TTL refresher

Every IP packet has a TTL (Time To Live) field. Each router that forwards the packet decrements TTL by 1. If TTL reaches 0, the router drops the packet and sends back an ICMP Time Exceeded message.

The traceroute trick

Send a packet with TTL=1. The first router decrements it to 0 and replies with Time Exceeded. You now know the first hop.

Send a packet with TTL=2. The first router decrements to 1 (passes); the second router decrements to 0 (replies). You now know the second hop.

Continue increasing TTL until the destination itself replies (with an Echo Reply or, if you used UDP/TCP, a different response).
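To attribute each reply to the probe that caused it, an ICMP-mode traceroute reads the probe's identifier and sequence number back out of the reply. The sketch below is an added example, not code from any traceroute implementation: it builds an Echo Request and classifies replies from bytes. The function names, the identifier/sequence values and the 192.0.2.10 source address are assumptions, and the packets are constructed, not captured.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_message(mtype: int, code: int, rest: bytes) -> bytes:
    """Serialize an ICMPv4 message and fill in its checksum."""
    csum = inet_checksum(struct.pack("!BBH", mtype, code, 0) + rest)
    return struct.pack("!BBH", mtype, code, csum) + rest

def classify_reply(icmp: bytes):
    """Map an ICMPv4 reply to (kind, ident, seq) of the echo probe it answers."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated message or bad ICMP checksum")
    mtype = icmp[0]
    if mtype == 0:                       # Echo Reply: id/seq in its own header
        return ("destination", *struct.unpack("!HH", icmp[4:8]))
    if mtype in (3, 11):                 # errors quote original IP header + 8 bytes
        quoted = icmp[8:]
        if len(quoted) < 20:
            raise ValueError("error message quotes no IP header")
        ihl = (quoted[0] & 0x0F) * 4     # quoted header may carry IP options
        inner = quoted[ihl:ihl + 8]
        if quoted[9] != 1 or len(inner) < 8 or inner[0] != 8:
            raise ValueError("quoted packet is not an ICMP echo probe")
        kind = "hop" if mtype == 11 else "unreachable"
        return (kind, *struct.unpack("!HH", inner[4:8]))
    raise ValueError(f"unhandled ICMP type {mtype}")

# --- constructed sample data (not a real capture) ---
IDENT, SEQ = 0x1234, 3
PROBE = icmp_message(8, 0, struct.pack("!HH", IDENT, SEQ) + b"probe")
# IPv4 header a router would quote: TTL 1, protocol 1 (ICMP),
# 192.0.2.10 -> 93.184.216.34; header checksum left 0, the parser ignores it
QUOTED_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(PROBE), 0, 0, 1, 1, 0,
                        bytes([192, 0, 2, 10]), bytes([93, 184, 216, 34]))
TIME_EXCEEDED = icmp_message(11, 0, b"\x00" * 4 + QUOTED_IP + PROBE[:8])
ECHO_REPLY = icmp_message(0, 0, PROBE[4:])

if __name__ == "__main__":
    print(classify_reply(TIME_EXCEEDED))   # intermediate hop
    print(classify_reply(ECHO_REPLY))      # destination reached
```

Matching on the quoted identifier and sequence number is also what lets a tool discard ICMP errors that belong to some other flow on the same host.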

Sample output

$ traceroute example.com
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)        1.234 ms
 2  10.0.0.1 (10.0.0.1)               5.678 ms
 3  isp-router-1 (203.0.113.1)        12.345 ms
 4  isp-router-2 (203.0.113.5)        15.678 ms
 5  * * *
 6  upstream-1.tier1.example.net      45.123 ms
 7  example.com (93.184.216.34)       50.234 ms

Each line is one hop. The * * * indicates no reply (likely a firewall filtering ICMP at that hop). Traceroute typically sends 3 probes per TTL, so real output shows three timing values per line (the sample above shows only one per hop).

What Traceroute Proves and Doesn’t

What it proves

  • Path discovery. You see the routers between you and the target.
  • Per-hop latency. Where latency increases dramatically gives clues about bottlenecks.
  • Where packets stop. If the trace stops at hop 7, hop 7 is the boundary of reachability.

What it doesn’t prove

  • The return path is the same. Routes are often asymmetric. Traceroute shows the forward path only.
  • Lost packets indicate the hop is down. Routers prioritize forwarding over ICMP generation; “Time Exceeded” can be deprioritized. Hops that look broken may just be rate-limiting ICMP responses.
  • The path is stable. Each probe is an independent packet that might take a different path.

Variants of Traceroute

UDP traceroute (default on Unix)

Sends UDP packets to high port numbers. The target sends ICMP Port Unreachable when the final hop is reached.

ICMP traceroute (default on Windows tracert)

Sends ICMP Echo Requests. Works through some firewalls that block UDP.

TCP traceroute (tcptraceroute, mtr -T)

Sends TCP SYN packets to a specific port (usually 80 or 443). Often works through firewalls that block UDP and ICMP because they let HTTP/HTTPS through.

For modern debugging where ICMP is filtered, TCP traceroute is often the only one that reaches the destination.

MTR: Combining Ping and Traceroute

mtr (My Traceroute) is the modern Swiss army knife: a continuous traceroute that also calculates per-hop loss and latency statistics.

                              Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.1.1                0.0%    50    1.2   1.3   0.9   3.4   0.4
 2. 10.0.0.1                   0.0%    50    5.6   5.5   5.1   8.2   0.6
 3. isp-router-1               0.0%    50   12.3  12.1  11.8  15.4   0.8
 4. isp-router-2              20.0%    50   15.5  15.3  14.9  18.2   0.7
 5. ???                       100.0%   50    0.0   0.0   0.0   0.0   0.0
 6. upstream-tier1            18.0%    50   45.1  45.2  44.7  48.3   0.9
 7. example.com                0.0%    50   50.2  50.4  49.8  53.5   0.8

Notice: 100% loss at hop 5 is normal — that hop is probably filtering ICMP. The 18-20% loss at hops 4 and 6 might indicate rate-limiting (still benign) or a real issue. Look at the destination: if the final hop has 0% loss, the path is healthy from your end despite the intermediate “loss.”

Common Misinterpretations

“Hop X has loss” — usually wrong

Routers rate-limit ICMP responses. A 30% loss to one hop doesn’t mean 30% packet loss on that hop’s forwarding — it means 30% of ICMP responses were dropped or never generated. If the destination shows 0% loss, the path is fine.
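The rule from the MTR section and the paragraph above (intermediate loss only matters if it persists to the destination) can be applied mechanically to a report. This is an added example, not part of mtr: the verdict labels, the 1% threshold and the second report are assumptions made for the illustration, while the first report is the article's own sample.

```python
import re

# One hop row, e.g. " 4. isp-router-2  20.0%  50 ..."; an optional "|--" is accepted
ROW = re.compile(r"^\s*(\d+)\.(?:\|--)?\s+(\S+)\s+([\d.]+)%")

def parse_report(text):
    """Return [(hop, host, loss_percent), ...] from mtr-style report text."""
    return [(int(m[1]), m[2], float(m[3]))
            for m in map(ROW.match, text.splitlines()) if m]

def interpret(hops, threshold=1.0):
    """Label every hop. Packets dropped while being forwarded are missing at
    all later hops too, so the lowest loss at or after a hop bounds its real loss."""
    verdicts = {}
    for i, (hop, _host, loss) in enumerate(hops):
        carried = min(l for _, _, l in hops[i:])
        if loss < threshold:
            verdicts[hop] = "ok"
        elif carried >= 100.0:
            verdicts[hop] = "silent-from-here"    # down or filtered: test with TCP
        elif carried >= threshold:
            verdicts[hop] = "real-loss"           # persists to the destination
        elif loss >= 100.0:
            verdicts[hop] = "no-icmp-replies"     # hop forwards but never answers
        else:
            verdicts[hop] = "icmp-rate-limited"   # later hops see less loss
    return verdicts

# The article's mtr sample.
ARTICLE_REPORT = """\
                              Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.1.1                0.0%    50    1.2   1.3   0.9   3.4   0.4
 2. 10.0.0.1                   0.0%    50    5.6   5.5   5.1   8.2   0.6
 3. isp-router-1               0.0%    50   12.3  12.1  11.8  15.4   0.8
 4. isp-router-2              20.0%    50   15.5  15.3  14.9  18.2   0.7
 5. ???                       100.0%   50    0.0   0.0   0.0   0.0   0.0
 6. upstream-tier1            18.0%    50   45.1  45.2  44.7  48.3   0.9
 7. example.com                0.0%    50   50.2  50.4  49.8  53.5   0.8
"""
# Constructed counter-example: loss starts at hop 3 and persists to the end.
DEGRADED_REPORT = """\
 1. 192.168.1.1                0.0%    50
 2. 10.0.0.1                   0.0%    50
 3. isp-router-1              10.0%    50
 4. example.com               11.0%    50
"""

if __name__ == "__main__":
    print(interpret(parse_report(ARTICLE_REPORT)), interpret(parse_report(DEGRADED_REPORT)))
```

A "silent-from-here" verdict cannot distinguish a dead path from a destination that filters ICMP; confirm it with a TCP-level check.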

“Ping shows 5ms latency, so the network is fast”

Ping measures ICMP round-trip. TCP latency for actual traffic might differ. For an HTTPS request, you add DNS lookup, TCP handshake, TLS handshake — easily 100-300ms even if ping is 5ms.

“Traceroute shows 30 hops”

Modern internet paths often have 15-20 hops. 30 hops to a nearby destination suggests something weird (a satellite link, a VPN, a misconfigured BGP path). See BGP routing.

“Different traceroutes show different paths”

Normal. Each TCP/UDP probe can be hashed differently for load balancing. The path is per-probe, not stable.

ICMP Filtering Implications

Many networks filter ICMP for various reasons:

  • DDoS reflection prevention. Limit ICMP flood vectors.
  • Information disclosure. Hide network topology.
  • Default-deny security policy. Just block everything not explicitly needed.

The unintended consequences:

  • Path MTU Discovery breaks. Routers send ICMP “Fragmentation Needed” to indicate MTU. Filtering breaks this. See MTU and MSS.
  • Ping doesn’t work for diagnostics.
  • Traceroute is incomplete.

Best practice: allow specific ICMP types (Echo, Time Exceeded, Fragmentation Needed) even in restrictive networks. Blocking all ICMP causes more problems than it solves.

Practical Patterns

Quick reachability check

ping -c 4 host.example.com

Latency baseline

ping -c 100 host.example.com | tail -3
# Gives min/avg/max/stddev

Path investigation

mtr --report --report-cycles 50 host.example.com

Application-port check (works through ICMP filters)

nc -zv host.example.com 443
# Or
curl -I https://host.example.com

IPv6 versions

ping6 host.example.com  # or ping -6 host.example.com
traceroute6 host.example.com  # or traceroute -6 host.example.com

TL;DR

  • ICMP carries network-level signaling: errors, diagnostics, operational messages.
  • Ping = ICMP Echo Request/Reply. Proves reachability and round-trip latency.
  • Traceroute exploits TTL to discover hops on the path.
  • Routers rate-limit ICMP — “loss” on intermediate hops is usually benign if the destination is fine.
  • ICMP filtering breaks ping, traceroute, and Path MTU Discovery. Allow at least essential types.
  • TCP traceroute works through firewalls that block ICMP.
  • mtr combines ping and traceroute with continuous statistics.
  • Ping doesn’t prove service health — only network reachability.

These tools are 30+ years old and still essential. Understanding what they actually measure (and don’t measure) is one of the differences between guessing at network problems and diagnosing them. For related transport-layer topics, see TCP vs UDP; for the BGP layer that determines the paths traceroute reveals, BGP routing.
