The ICMPv6 Header in a Trace File

After reading through all that dry information, you deserve something different. The following screenshot (Figure 4-8) shows what a ping looks like in the trace file and provides details of many of the fields we have discussed so far.

Figure 4-8. Echo Request in a trace file

The two frames in this trace file were captured when my Windows 2000 host issued a ping command to a Linux host. Note that the source address of the second frame, the Echo Reply, is the same as the destination address in the first frame, the Echo Request. The IPv6 header provides more information. The Version field indicates that this is an IPv6 packet. The Next Header field has the value 58, which is the value for ICMPv6. We can also see the source and destination IP addresses. The prefix fe80: indicates that these two addresses are link-local addresses.

Note the first three fields of the ICMPv6 header. They are the fields that are common to every ICMPv6 message: the Type, Code, and Checksum fields. The Type field contains the value 128, which is the value for an Echo Request. The Identifier and Sequence Number fields are unique to the Echo Request and Echo Reply messages. The Identifier is not used in this case and the sender has set the sequence to 38. It has to be identical in the matching reply that is shown in the following screenshot. The Data field contains arbitrary data that doesn’t need to make sense to anyone.

Oh, I almost forgot: I promised to show vendor-stack-related data in the Echo Request message. What you see here, the alphabet up to the letter w, is what Microsoft uses. Whenever you see this in a trace file, it is a Microsoft stack sending the request. Figure 4-9 shows the Echo Reply in detail.

Figure 4-9. Echo Reply in a trace file

Again, the IPv6 header shows a value of 6 for the IP version and a Next Header value of 58 for ICMPv6. The destination address of the previous frame is now the source address, and the previous source address is now the destination address. The Type field in the ICMPv6 header shows a value of 129, which is the value for an Echo Reply. The Identifier and Sequence Number fields, as well as the Data field, match the ones in the Echo Request.
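The checks walked through for the two frames can be scripted. The following Python sketch is an added example, not part of the original text: it parses an IPv6 packet carrying an ICMPv6 echo message, verifies the checksum, flags the Microsoft-style payload, and confirms that a reply matches its request. The sample addresses, the identifier value 0, and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

ICMPV6, ECHO_REQUEST, ECHO_REPLY = 58, 128, 129
MS_PAYLOAD = b"abcdefghijklmnopqrstuvw"  # alphabet up to 'w', per the text

def checksum(src, dst, icmp):
    """One's-complement sum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(src, dst, msg_type, ident, seq, payload):
    """Build an IPv6 packet carrying an echo message (used for sample input)."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    icmp = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(s, d, icmp)) + icmp[4:]
    return struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 128) + s + d + icmp

def parse_echo(packet):
    """Return the fields discussed above, or None if not an ICMPv6 echo message."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != ICMPV6:
        return None
    src, dst, icmp = packet[8:24], packet[24:40], packet[40:]
    msg_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if msg_type not in (ECHO_REQUEST, ECHO_REPLY):
        return None
    return {
        "type": msg_type, "id": ident, "seq": seq, "data": icmp[8:],
        "src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
        "checksum_ok": checksum(src, dst, icmp) == 0,
        "ms_payload": icmp[8:].startswith(MS_PAYLOAD),
    }

def reply_matches(req, rep):
    """A reply mirrors the addresses and echoes identifier, sequence and data."""
    return (req["type"] == ECHO_REQUEST and rep["type"] == ECHO_REPLY
            and (rep["src"], rep["dst"]) == (req["dst"], req["src"])
            and all(rep[k] == req[k] for k in ("id", "seq", "data")))

# Constructed sample frames: addresses are made up, identifier 0 is an assumption,
# sequence 38 follows the capture described in the text.
DATA = MS_PAYLOAD + b"abcdefghi"
REQ = build_echo("fe80::1", "fe80::2", ECHO_REQUEST, 0, 38, DATA)
REP = build_echo("fe80::2", "fe80::1", ECHO_REPLY, 0, 38, DATA)
```

A reply whose identifier, sequence number or data differs from the request, or a frame whose checksum does not verify, is worth a closer look when reviewing a capture.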
