Sunday, July 18, 2010

♦ Ping packet decode

The ping command on Windows 7 sends ICMP packets; each frame in this capture is 74 bytes long. We use ping to check the health of a connection across a local or public network, and it is a useful first tool for troubleshooting a network problem.
Note: The example below was tested on Windows 7 (Microsoft Windows Version 6.1.7600).
Directory of c:\windows\system32
   07/14/2009  08:14 AM            15,360 PING.EXE
               1 File(s)         15,360 bytes
               0 Dir(s)  294,020,849,664 bytes free
An advantage of this version is that it can force IPv4 with the [-4] option or IPv6 with [-6].

c:\windows> ping 192.168.0.6

Pinging 192.168.0.6 with 32 bytes of data:
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0m

Ethernet Header (14 bytes)
IP Datagram (60 bytes)
IP Header (20 bytes)
IP data (40 bytes)
Fig.1 ICMP structure


1. Ethernet header (14 bytes)


0000 00 1b 11 ea 5c b4 00 12 3f b1 15 a5 08 00 45 00 ....\...?.....E.
0010 00 3c 41 d6 00 00 80 01 00 00 c0 a8 00 08 c0 a8 .<A.............
0020 00 06 00 00 40 5c 02 00 13 00 61 62 63 64 65 66 ....@\....abcdef
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
0040 77 61 62 63 64 65 66 67 68 69 wabcdefghi
  • MAC Destination Address (0-5, 6 bytes) - 00-1b-11-ea-5c-b4
  • MAC Source Address (6-11, 6 bytes)      - 00-12-3f-b1-15-a5
  • Ethernet Type Field (12-13, 2 bytes)        - 0x0800 (IP Datagram)


2. IP Header (20 bytes)
0000 00 1b 11 ea 5c b4 00 12 3f b1 15 a5 08 00 45 00 ....\...?.....E.
0010 00 3c 41 d6 00 00 80 01 00 00 c0 a8 00 08 c0 a8 .<A.............
0020 00 06 00 00 40 5c 02 00 13 00 61 62 63 64 65 66 ....@\....abcdef
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
0040 77 61 62 63 64 65 66 67 68 69 wabcdefghi
  • IP Version (14, high nibble) - IPv4
  • IP Header Length (14, low nibble) - Five (5) 32-bit Words
  • Source IP Address (26-29, 4 bytes) - 192.168.0.8 (c0-a8-00-08)
  • Destination IP Address (30-33, 4 bytes) - 192.168.0.6 (c0-a8-00-06)


3. IP Data (40 bytes) - Internet Control Message Protocol (ICMP)
0000 00 1b 11 ea 5c b4 00 12 3f b1 15 a5 08 00 45 00 ....\...?.....E.
0010 00 3c 41 d6 00 00 80 01 00 00 c0 a8 00 08 c0 a8 .<A.............
0020 00 06 00 00 40 5c 02 00 13 00 61 62 63 64 65 66 ....@\....abcdef
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
0040 77 61 62 63 64 65 66 67 68 69 wabcdefghi
  • 00  Type: 0 (Echo (ping) reply)
  • 00  Code: 0 ()
  • 40 5c  Checksum: 0x405c [correct]
  • 02 00  Identifier: 0x0200
  • 13 00  Sequence number: 4864 (0x1300)
  • Data (32 bytes) Data: 6162636465666768696A6B6C6D6E6F707172737475767761...
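
The field offsets from sections 1 to 3, applied in code to the frame from the hex dump. This is an added example, not part of the original post; the names `decode` and `inet_checksum` are chosen here. It also recomputes the ICMP checksum that the decode above marks as [correct].

```python
import socket
import struct

# The 74-byte frame from the page's hex dump (offset and ASCII columns dropped).
FRAME = bytes.fromhex(
    "001b11ea5cb400123fb115a508004500"
    "003c41d6000080010000c0a80008c0a8"
    "00060000405c02001300616263646566"
    "6768696a6b6c6d6e6f70717273747576"
    "77616263646566676869"
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + ICMP echo fields; names are this example's own."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("too short for Ethernet + IPv4 + ICMP headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("EtherType is not IPv4")
    ver_ihl, total_len, ttl, proto, sip, dip = struct.unpack("!BxH4xBB2x4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4  # header length is counted in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1:
        raise ValueError("not an IPv4 datagram carrying ICMP")
    icmp = frame[14 + ihl:14 + total_len]  # trust Total Length, not the frame size
    if len(icmp) < 8:
        raise ValueError("truncated ICMP message")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst_mac": dst.hex("-"), "src_mac": src.hex("-"),
        "src_ip": socket.inet_ntoa(sip), "dst_ip": socket.inet_ntoa(dip),
        "ttl": ttl, "ip_total_len": total_len,
        "type": typ, "code": code, "checksum": csum, "id": ident, "seq": seq,
        "data": icmp[8:],
        # Summing the message with its checksum field included yields 0 when valid.
        "checksum_ok": inet_checksum(icmp) == 0,
    }

if __name__ == "__main__":
    for name, value in decode(FRAME).items():
        print(f"{name:13} {value}")
```

The IPv4 header checksum bytes (offsets 24-25) are 00 00 in this capture, so the example verifies only the ICMP checksum.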


Reference: this is another good example that we referred to.
