Traveling Through a Network: Basic Understanding of Network Traffic

    Ping and traceroute are tools that a forensic examiner will use many times over the years. Microsoft Windows and Apple Mac OS both have the capability of "pinging" devices: Microsoft provides PowerShell and Command Prompt, whereas Apple provides Terminal. For this article, Mac OS Terminal was used.

    Data is broken down into smaller pieces called packets when transmitted over the internet. As an analogy, if someone has a letter to send to another person and cuts it into small squares, each square would be sent one at a time and then reassembled by the recipient.

    The technical explanation is that first there is packet creation, where the "letter" is cut up by the sender. Routing follows, in which the best way to get the letter to the recipient is determined. Transmission is the physical act of the data or "letter" traveling through the routers and switches. Then comes reassembly, where the pieces are placed back together to make the data or "letter" readable by the recipient.

    Consider pinging two different locations: Australia.gov.au and Icehousehotel.ie. The paths to each of these differ because they go through routers, or hops, that are in physically different locations. The further apart they are geographically, the more hops they have to take. The ping command sends out an echo request and measures the replies; this measurement can indicate packet loss. Traceroute sends out packets of data and reports the path they take.

    Pinging a device or host tests whether the device is reachable. For example, if you are on a company network and a user is complaining of internet connectivity issues, you can use the ping command to determine whether it has a connection and, if so, what the latency is. A traceroute is used to determine where packets are dropped or delayed, which makes it a good way to test routers. If either of them times out, it could be due to high network traffic or a lack of connectivity to the host. Firewalls can also block traffic, which would cause both a ping and a traceroute command to fail.
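As an added example that is not part of the original article, the following Python script pulls the two facts described above out of saved ping and traceroute output: packet loss and latency from ping, and the hops where traceroute received no reply. The outputs it parses are constructed samples in macOS Terminal format with placeholder documentation addresses and made-up timings, not real measurements of any host; the PING_OUTPUT and TRACEROUTE_OUTPUT strings and the parse_ping, parse_traceroute and timed_out_hops functions are all assumptions of this example.

```python
"""Extract packet loss, latency and unanswered hops from macOS-style ping and
traceroute output.

Added example, not code from the original article. Both outputs below are
CONSTRUCTED with placeholder addresses and made-up timings.
"""
import re

# Constructed ping output in the format macOS Terminal prints (placeholder values).
PING_OUTPUT = """\
PING example-host.invalid (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: icmp_seq=0 ttl=52 time=241.873 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=52 time=239.502 ms
Request timeout for icmp_seq 2
64 bytes from 203.0.113.10: icmp_seq=3 ttl=52 time=240.118 ms

--- example-host.invalid ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 239.502/240.498/241.873/0.996 ms
"""

# Constructed traceroute output (placeholder hops); hop 4 never answered,
# which is how a router that drops or filters the probes shows up.
TRACEROUTE_OUTPUT = """\
traceroute to example-host.invalid (203.0.113.10), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  2.113 ms  1.870 ms  1.902 ms
 2  10.0.0.1 (10.0.0.1)  9.411 ms  8.950 ms  9.102 ms
 3  198.51.100.7 (198.51.100.7)  25.301 ms  24.880 ms  25.117 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  241.002 ms  240.551 ms  240.873 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")
LOSS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, ([\d.]+)% packet loss")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_ping(output):
    """Summarise a ping run: replies, timed-out sequence numbers, loss and latency."""
    times = [float(m.group(2)) for m in REPLY_RE.finditer(output)]
    timeouts = [int(m.group(1)) for m in TIMEOUT_RE.finditer(output)]
    loss = LOSS_RE.search(output)
    return {
        "replies": len(times),
        "timed_out_seqs": timeouts,
        "sent": int(loss.group(1)) if loss else None,
        "received": int(loss.group(2)) if loss else None,
        "loss_pct": float(loss.group(3)) if loss else None,
        "min_ms": min(times) if times else None,
        "max_ms": max(times) if times else None,
        "avg_ms": round(sum(times) / len(times), 3) if times else None,
    }


def parse_traceroute(output):
    """Return one dict per hop; a hop whose probes all came back '*' timed out."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:  # the "traceroute to ..." header is not a hop line
            continue
        hop_no, rest = int(m.group(1)), m.group(2)
        tokens = rest.split()
        if all(tok == "*" for tok in tokens):
            hops.append({"hop": hop_no, "host": None, "rtts": [], "timed_out": True})
        else:
            hops.append({"hop": hop_no, "host": tokens[0],
                         "rtts": [float(r) for r in RTT_RE.findall(rest)],
                         "timed_out": False})
    return hops


def timed_out_hops(hops):
    """Hop numbers where no probe was answered: where to look for drops or a filter."""
    return [h["hop"] for h in hops if h["timed_out"]]


if __name__ == "__main__":
    print(parse_ping(PING_OUTPUT))
    hops = parse_traceroute(TRACEROUTE_OUTPUT)
    for hop in hops:
        print(hop)
    print("unanswered hops:", timed_out_hops(hops))
```

On the constructed sample, parse_ping reports one lost probe (sequence 2) and 25% loss with replies between roughly 239 and 242 ms, and timed_out_hops flags hop 4. A single silent hop in the middle of an otherwise complete trace usually means that router simply does not answer probes; when a firewall drops the traffic entirely, as the paragraph above describes, the ping shows 100% loss and every hop after the filter reads `* * *`.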


Samples of ping and traceroute.