Windows Network Monitoring: Continuous Ping Logging with Timestamps

Network outages kill production systems silently. Your application is unreachable, but nobody knows when it started or whether the network ever recovered. A single ping command to a text file is where most Windows engineers begin troubleshooting—but that quick fix compounds into months of half-measures: appending to the same log file with no timestamps, running multiple ping processes that collide, parsing dates as strings, escalating alerts manually when a site goes down. The real cost: when your SCADA system loses contact with a sensor node 300 miles away, you spend six hours tracing through time-zone-mismatched logs, counting dropped packets by hand, and manually calling the remote site to reboot the gateway. What’s at stake: without structured, timestamped, continuously logged ping data and a clear escalation path to proper monitoring tools, you’ll conflate network flakiness with application bugs and miss the single-point-of-failure gateways that quietly lose 0.1% of traffic every eight hours.

---

TL;DR

• Start with batch scripting: ping -t > c:\logs\ping.txt is 30 seconds to deploy but unstructured, loses timestamps, and collapses under concurrent runs. Good enough for five-minute troubleshooting, not for production.
• Upgrade to PowerShell: A 15-line script with Get-Date, timestamps, and CSV output gives you structured data, millisecond-precision latency, and jitter detection. Pair with Task Scheduler for continuous 24/7 logging.
• Add alerting and escalation: Email or webhook notifications when packet loss exceeds a threshold (e.g., >5% over 5 minutes) trigger runbooks before users complain. Store alerts in a central log.
• Measure jitter and baseline drift: Raw ping response times hide pathology. Calculate median, standard deviation, and percentiles (p50, p95, p99). When p99 latency jumps from 15 ms to 200 ms, something is degrading.
• Know when to escalate to enterprise tools: Once you’re monitoring 10+ sites or need historical trends, packet captures, or route tracing, move to PRTG, Zabbix, or Prometheus with blackbox_exporter. Ping is a symptom detector, not a replacement for telemetry.
• Understand ICMP fundamentals: Ping uses ICMP Echo Request/Reply, subject to rate-limiting, firewall rules, and routed latency. TTL (Time-To-Live) and timeout windows reveal where packets are getting lost. One-off pings lie; continuous logging tells the story.

---

Terminology primer

Before diving into scripts and tools, ground these load-bearing terms in plain language:

ICMP (Internet Control Message Protocol): A network-layer protocol (Layer 3) used for diagnostics and error reporting. Ping uses ICMP Echo Request and Echo Reply. Unlike TCP or UDP, ICMP has no ports—it’s identified by protocol number 1 in the IP header. Firewalls and cloud providers often rate-limit or block ICMP entirely, making ping unreliable in some environments (hence the need for fallback alerting on application-layer metrics).

RTT (Round-Trip Time): The time from when a ping Echo Request leaves your host until the Echo Reply returns. Measured in milliseconds. RTT is the most visible symptom of network degradation: typical LAN RTT is 1–5 ms, typical cross-continent RTT is 100–300 ms. When RTT spikes from 50 ms to 500 ms, the network is congested or a route has changed.

Packet Loss: The percentage of sent Echo Requests that never receive a Reply. Typical LAN: <0.1% (one drop per 1,000 packets). WAN: 0.5–2%. Satellite or wireless: 5–10%. Anything over 5% is a red flag. Loss >20% means the link is functionally broken.

Jitter: The variance in RTT across successive pings. If five consecutive pings have RTTs of 50 ms, 50 ms, 51 ms, 49 ms, 50 ms, jitter is low (~1 ms standard deviation). If they are 50 ms, 150 ms, 75 ms, 200 ms, 60 ms, jitter is high (~60 ms std dev), indicating congestion or route instability. High jitter breaks VoIP and real-time control loops (critical in manufacturing).

TTL (Time-To-Live): A hop counter in the IP header. Each router decrements TTL by 1; if TTL reaches 0, the packet is dropped and an ICMP Time Exceeded message is sent back. Default TTL on Windows is 64. Windows tracert uses increasing TTL to map the route to a destination. If a ping succeeds but tracert stops at a particular hop, that hop is a filtering or rate-limiting point.

Sustained Monitoring vs. One-Off Pings: A single ping host tells you if the host is reachable right now. It’s useless for diagnosis: the network might be fine 99% of the time and broken 1% of the time, and you caught it in the 1%. Sustained monitoring (continuous pinging over hours or days) builds a statistical picture: median RTT, percentile tails, drop rate, and drift. This is where root cause emerges.

Store-and-Forward: When the network is broken and you can’t send alerts to a remote system, a local agent buffers (stores) the alert. When the network recovers, it sends (forwards) all buffered alerts. Critical for monitoring systems that monitor the network itself (chicken-and-egg problem: if the network is down, you can’t tell anyone).

---

The 30,000-foot view: Why ping monitoring exists

Network operations teams rely on ping for one reason: it is the simplest possible end-to-end connectivity test. It requires no application knowledge, no credentials, no protocol decoding. If you can ping a host, you know:
– The host is powered on and responding to IP traffic.
– The network path from you to the host (and back) has minimal loss.
– Latency is measurable and repeatable.

If you cannot ping a host (or ping is slow), you’ve isolated the problem to the network layer before wasting time debugging the application. That simplicity is also ping’s weakness: it tells you about connectivity, not availability. A host might be pingable but its database might be frozen. A path might have low packet loss but sky-high jitter. Ping is a symptom detector, not a diagnosis tool. It answers: “Is the network alive?” Not: “Is the system healthy?”

Here’s the monitoring stack from the simplest (one-off commands) to most robust (enterprise platforms):

What you’re seeing: The diagram shows five tiers:

• Tier 1: One-Off Ping (Manual): Run ping -c 4 8.8.8.8 once. Get four replies or timeouts. Done. Used when troubleshooting a specific complaint or testing a new site. Not suitable for production monitoring—it gives you a snapshot, not a trend.
• Tier 2: Basic Batch Script (Unstructured Logs): ping -t > c:\logs\ping.txt running in an always-on Terminal window. Captures every reply and timeout, but no timestamps, no parsing, no alerting. Hard to analyze.
• Tier 3: PowerShell Script with Logging (CSV, Timestamps, Alerting): A scheduled task that pings every 10 seconds, logs to CSV with millisecond timestamps, calculates loss and jitter, and emails alerts when thresholds are crossed. This is where production Windows monitoring starts.
• Tier 4: Local Agent + Central Log Aggregation: A Windows service (e.g., Telegraf, custom C# app) that pings multiple targets and ships results to a central logging system (Elasticsearch, Splunk, or even a SQL Server). Enables cross-site dashboards and correlation.
• Tier 5: Enterprise Monitoring Platform: PRTG, Zabbix, Prometheus with blackbox_exporter, or Elastic’s cloud-based offerings. These platforms abstract away the logging and alerting infrastructure and add packet captures, route analysis (traceroute), and historical trend analysis.

Why the escalation path? Ping starts simple for a reason: a script that runs on a single Windows machine and logs to a file costs nothing. But as your infrastructure grows (10+ sites, 24/7 uptime SLA, multi-team ownership), the operational burden climbs:

• One site, one log file: You check the file manually when a site is slow.
• Five sites, five log files on different machines: Which machine should I log into to check? Someone will forget.
• Ten sites, Windows servers in three time zones: Parsing logs becomes impossible without a central system.

At that inflection point (10 sites or five nines SLA), Tier 4 or Tier 5 becomes cheaper than the human labor of manual investigation.

---

Layer 1: The fundamentals—ICMP and why ping works

Ping works because ICMP Echo Request and Echo Reply are low-level network primitives. They don’t require application-layer protocols, don’t depend on DNS resolution beyond the initial lookup, and are processed by the network stack even if the OS is under load.

The ICMP Echo Request/Reply cycle:

A ping to 8.8.8.8 triggers this:

1. Your host sends an ICMP Echo Request packet (type 8) containing a sequence number and a timestamp. Payload is usually 32 bytes of arbitrary data (e.g., ‘a’ repeated). Total packet size: 56 bytes of ICMP + 8 bytes IP header = 64 bytes.
2. The packet is routed through the network, passing through zero or more intermediate routers. Each router reads the destination IP and forwards to the next hop. The TTL (Time-To-Live) field is decremented by each router.
3. When the packet reaches 8.8.8.8, the host’s network stack recognizes the Echo Request and immediately generates an ICMP Echo Reply (type 0), copying the sequence number and timestamp from the request into the reply.
4. The reply packet is routed back to your host (using the reverse path or another path, depending on routing).
5. Your host’s network stack recognizes the Echo Reply and compares the timestamp to the current time, calculating RTT.

The entire cycle is handled by the network stack, not the application. This is why ping works even if the OS is thrashing with disk I/O or the CPU is pegged at 100%—the network stack is a separate kernel component with dedicated hardware (NIC, interrupts, DMA).

Why ICMP can be unreliable:

• Rate-limiting: Many networks rate-limit ICMP to prevent ping floods (a form of DoS attack). If you send more than 100 ICMP packets per second, some intermediate router might drop the excess silently. You’ll see packet loss, but the network is actually fine—just throttled.
• Firewall rules: Cloud providers (AWS, Azure, GCP) often block inbound ICMP entirely or allow it only from specific IP ranges. You might be unable to ping a machine you own because the cloud firewall is blocking it.
• Different priority than data traffic: Some routers prioritize regular TCP/UDP traffic over ICMP. A link that loses 1% of ICMP might lose 0% of TCP. This is rare but happens on congested commodity routers.
• Asymmetric paths: The forward path (your host to target) might be different from the reverse path (target back to you). One direction could be congested; you’d see high latency but symmetrical packet counts. One direction might be unreachable; you’d see 100% loss.

How to detect these issues:

Use tracert (Windows) or traceroute (Unix) to map the route and identify which hop is slow or dropping packets:

C:\> tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    10 ms  10.0.0.1
  3    45 ms    46 ms    44 ms  203.0.113.5
  4    50 ms    51 ms    50 ms  203.0.113.9
  5   120 ms   121 ms   119 ms  8.8.4.1
  6   119 ms   120 ms   118 ms  8.8.8.8

Trace complete.

Each line is a hop. Latency jumps from hop 2 (11 ms) to hop 3 (45 ms), indicating that link is slow. No * (timeout) means all hops replied. If a hop shows * * *, it’s either not responding to traceroute or actively filtering ICMP (still reachable, just not traceable). That’s the hop to investigate.

---

Layer 2: Batch scripting—the unstructured approach

The fastest way to start continuous ping logging is a batch script. It’s also the messiest.

The script:

Create C:\scripts\ping-monitor.bat:

@echo off
setlocal enabledelayedexpansion

REM Continuous ping to a target, append to a file
REM Usage: ping-monitor.bat TARGET

set TARGET=%1
if "%TARGET%"=="" (
    echo Usage: ping-monitor.bat TARGET
    exit /b 1
)

set LOGFILE=C:\logs\ping-%TARGET%.txt
set COUNTER=0

echo Ping monitoring started at %date% %time% >> %LOGFILE%

:loop
set /a COUNTER+=1
ping -n 1 %TARGET% >> %LOGFILE% 2>&1
timeout /t 10 /nobreak

if %COUNTER% lss 2147483647 goto loop

What this does:

• Pings TARGET once every 10 seconds (the timeout /t 10 command).
• Appends every output line to C:\logs\ping-%TARGET%.txt.
• Runs indefinitely in a loop.

To start it, run in a background window:

start /min cmd /c C:\scripts\ping-monitor.bat 192.168.1.100

Or add it to Startup folder: C:\Users\YOUR_USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ping-monitor.bat.

The problems:

1. No timestamps on individual pings: The log file contains raw ping output. When did that packet drop happen? You can guess by counting lines, but it’s not precise. If you stop the script for 30 minutes and restart, you don’t know which time period is missing.

2. Collision with concurrent runs: If you accidentally run ping-monitor.bat 192.168.1.100 twice, both processes write to the same file simultaneously. Windows file locking will serialize the writes, but the order is undefined and lines might be interleaved.

3. No parsing or alerting: To find the packet loss rate, you count lines and grep for “lost”. To email an alert, you’d need to wrap this in another script that parses the log, calculates statistics, and sends email. That’s another point of failure.

4. Unbounded log file growth: The script appends forever. After 30 days of continuous pinging (one ping every 10 seconds = 8,640 pings/day), the log file is 100+ MB. Rotating logs requires a separate cleanup job.

5. No jitter calculation: The script logs raw ping output. To calculate jitter, you’d need to parse every line, extract RTT, and compute standard deviation. Doable but tedious.

When to use this approach:

• Quick 5–30 minute troubleshooting session (“I think the network was down between 2 PM and 3 PM; let me capture that window”).
• One-off investigation at a single site.
• Any scenario where you don’t have PowerShell or the ability to run scheduled tasks.

When not to use:

• Production 24/7 monitoring.
• Any scenario with more than one or two monitored hosts.
• When you need alerting or jitter detection.

---

Layer 3: PowerShell with structured logging—timestamps, CSV, and alerting

This is where you begin professional monitoring. A PowerShell script gives you millisecond-precision timestamps, structured CSV output, jitter calculation, and the ability to trigger alerts.

The script:

Create C:\scripts\ping-monitor.ps1:

param(
    [string]$Target = "8.8.8.8",
    [string]$LogDir = "C:\logs",
    [int]$IntervalSeconds = 10,
    [int]$PacketLossThreshold = 5,      # Alert if loss > 5% over a 5-minute window
    [string]$AlertEmail = "ops@company.local",
    [bool]$SendAlerts = $false
)

# Ensure log directory exists
if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

$LogFile = Join-Path $LogDir "ping-$Target.csv"
$StatsFile = Join-Path $LogDir "ping-$Target-stats.txt"

# Initialize CSV with header if file doesn't exist
if (-not (Test-Path $LogFile)) {
    "Timestamp,SequenceNumber,RTT_ms,Status,PacketSize,TTL" | Out-File $LogFile -Encoding UTF8
}

$sequence = 0
$windowSize = 30  # Sample 30 pings = 5 minutes at 10-sec intervals
$rttBuffer = @()  # Rolling buffer for jitter calculation
$packetLossBuffer = @()  # Track loss per window

while ($true) {
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss.fff"
    $sequence++

    try {
        $ping = New-Object System.Net.NetworkInformation.Ping
        $result = $ping.Send($Target, timeout: 5000)

        if ($result.Status -eq "Success") {
            $rtt = $result.RoundtripTime
            $status = "Success"
            $rttBuffer += $rtt
            $packetLossBuffer += 0

            # Trim buffers to window size
            if ($rttBuffer.Count -gt $windowSize) {
                $rttBuffer = $rttBuffer[-$windowSize..-1]
                $packetLossBuffer = $packetLossBuffer[-$windowSize..-1]
            }
        } else {
            $rtt = 0
            $status = "Timeout"
            $packetLossBuffer += 1

            if ($rttBuffer.Count -gt $windowSize) {
                $rttBuffer = $rttBuffer[-($windowSize - 1)..-1]
                $packetLossBuffer = $packetLossBuffer[-$windowSize..-1]
            }
        }

        # Log to CSV
        "$timestamp,$sequence,$rtt,$status,32,64" | Out-File $LogFile -Append -Encoding UTF8

        # Calculate rolling statistics
        if ($rttBuffer.Count -gt 0) {
            $avgRtt = ($rttBuffer | Measure-Object -Average).Average
            $medianRtt = ($rttBuffer | Sort-Object)[($rttBuffer.Count - 1) / 2]
            $stdDev = [Math]::Sqrt(($rttBuffer | ForEach-Object { [Math]::Pow($_ - $avgRtt, 2) } | Measure-Object -Sum).Sum / $rttBuffer.Count)

            $lossPercent = ($packetLossBuffer | Measure-Object -Sum).Sum / $packetLossBuffer.Count * 100

            # Write stats to file (overwrite)
            $stats = @"
Timestamp: $timestamp
Target: $Target
Sequence: $sequence
Window: $($rttBuffer.Count) samples

RTT Statistics (last $($rttBuffer.Count) pings):
  Min: $([Math]::Round(($rttBuffer | Measure-Object -Minimum).Minimum, 2)) ms
  Max: $([Math]::Round(($rttBuffer | Measure-Object -Maximum).Maximum, 2)) ms
  Avg: $([Math]::Round($avgRtt, 2)) ms
  Median: $([Math]::Round($medianRtt, 2)) ms
  Std Dev (Jitter): $([Math]::Round($stdDev, 2)) ms

Loss: $([Math]::Round($lossPercent, 2))%

"@
            $stats | Out-File $StatsFile -Encoding UTF8

            # Alert on packet loss threshold
            if ($lossPercent -gt $PacketLossThreshold -and $SendAlerts) {
                $alertMsg = "ALERT: $Target loss at $lossPercent% (threshold: $PacketLossThreshold%)"
                Write-Host $alertMsg -ForegroundColor Red

                # Log alert to file
                "[ALERT] $timestamp - $alertMsg" | Out-File (Join-Path $LogDir "alerts.txt") -Append -Encoding UTF8

                # Email alert (requires SMTP configuration)
                # Send-MailMessage -To $AlertEmail -From "monitoring@company.local" -Subject $alertMsg -SmtpServer "smtp.company.local" | Out-Null
            }
        }

    } catch {
        Write-Host "Error pinging $Target : $_" -ForegroundColor Red
        "ERROR,$sequence,0,Exception: $_" | Out-File $LogFile -Append -Encoding UTF8
    }

    Start-Sleep -Seconds $IntervalSeconds
}

How to run it:

Option 1: Run manually in PowerShell console:

cd C:\scripts
.\ping-monitor.ps1 -Target "192.168.1.100" -SendAlerts $true

Option 2: Run as a scheduled task (persistent, survives logoff):

# Create a scheduled task
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\scripts\ping-monitor.ps1 -Target 192.168.1.100"
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
$task = New-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -Description "Continuous ping monitoring"
Register-ScheduledTask -TaskName "Ping-Monitor-192.168.1.100" -InputObject $task

What this script does:

1. Timestamps with millisecond precision: Every ping is logged with yyyy-MM-dd HH:mm:ss.fff. You can pinpoint exactly when a packet drop occurred.

2. Structured CSV output: Each row is Timestamp,Sequence,RTT_ms,Status,PacketSize,TTL. Easy to import into Excel, parse with scripts, or feed to a log aggregation system.

3. Jitter calculation: The script maintains a rolling 5-minute window (30 pings at 10-second intervals) and calculates min, max, average, median, and standard deviation. This reveals network degradation: when standard deviation jumps from 2 ms to 50 ms, something is wrong.

4. Packet loss tracking: The script counts timeouts in the rolling window and calculates loss percentage. When loss exceeds the threshold, it logs an alert and (optionally) sends email.

5. Rolling statistics file: ping-192.168.1.100-stats.txt is updated every 10 seconds with the latest statistics. You can tail this file or dashboard it without parsing the CSV.

6. No unbounded log growth: The CSV is append-only, but you can rotate it daily (separate script, see next section). Or consume it with a log aggregation agent and delete after ingest.

Example output:

Timestamp,SequenceNumber,RTT_ms,Status,PacketSize,TTL
2026-04-17 14:30:00.123,1,34,Success,32,64
2026-04-17 14:30:10.456,2,33,Success,32,64
2026-04-17 14:30:20.789,3,0,Timeout,32,64
2026-04-17 14:30:30.012,4,35,Success,32,64
...

Timestamp: 2026-04-17 14:30:30.012
Target: 192.168.1.100
Sequence: 4
Window: 4 samples

RTT Statistics (last 4 pings):
  Min: 33.0 ms
  Max: 35.0 ms
  Avg: 34.25 ms
  Median: 34.0 ms
  Std Dev (Jitter): 0.82 ms

Loss: 25.0%

When to use this approach:

• Production monitoring on 1–20 sites.
• When you need structured, parseable data and jitter detection.
• When you want email or webhook alerts without deploying a full monitoring platform.
• Windows environments where PowerShell is available (Windows Server 2008 R2+, Windows 7+).

When to graduate to enterprise tools:

• More than 20 monitored sites (operational burden of managing individual scripts becomes untenable).
• Need for historical dashboards (“Show me packet loss trends over the last month”).
• Multi-team ownership (need RBAC, audit logs, change tracking).
• Integration with incident management (PagerDuty, Slack, ServiceNow).

---

Layer 4: Log rotation, alerting, and escalation

A CSV that grows forever becomes a liability. Here’s how to rotate logs and escalate alerts.

Log rotation script (C:\scripts\rotate-logs.ps1):

param(
    [string]$LogDir = "C:\logs",
    [int]$MaxAgedays = 7
)

Get-ChildItem $LogDir -Filter "ping-*.csv" | ForEach-Object {
    $age = (Get-Date) - $_.LastWriteTime
    if ($age.Days -gt $MaxAgedays) {
        Compress-Archive -Path $_.FullName -DestinationPath "$($_.DirectoryName)\archive\$($_.BaseName)-$(Get-Date $_.LastWriteTime -Format 'yyyyMMdd').zip" -CompressionLevel Optimal
        Remove-Item $_.FullName
    }
}

Schedule this to run daily at 1 AM using Task Scheduler:

$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File C:\scripts\rotate-logs.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 1:00AM
$task = New-ScheduledTask -Action $action -Trigger $trigger
Register-ScheduledTask -TaskName "Rotate-Ping-Logs" -InputObject $task

Webhook alerting (instead of email, for integration with Slack or PagerDuty):

Modify the PowerShell script to send JSON webhook:

if ($lossPercent -gt $PacketLossThreshold -and $SendAlerts) {
    $webhook = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
    $payload = @{
        "text" = "ALERT: Ping loss on $Target at $([Math]::Round($lossPercent, 2))% (threshold: $PacketLossThreshold%)"
        "attachments" = @(
            @{
                "color" = "danger"
                "fields" = @(
                    @{ "title" = "Target"; "value" = $Target; "short" = $true }
                    @{ "title" = "Loss %"; "value" = $lossPercent; "short" = $true }
                    @{ "title" = "Avg RTT"; "value" = "$([Math]::Round($avgRtt, 2)) ms"; "short" = $true }
                    @{ "title" = "Jitter"; "value" = "$([Math]::Round($stdDev, 2)) ms"; "short" = $true }
                )
            }
        )
    } | ConvertTo-Json

    Invoke-RestMethod -Uri $webhook -Method Post -ContentType 'application/json' -Body $payload
}

Alert deduplication (prevent spam):

Keep a state file to track when alerts were last sent:

$alertStateFile = Join-Path $LogDir "alert-state.json"

$shouldAlert = $false
if (Test-Path $alertStateFile) {
    $state = Get-Content $alertStateFile | ConvertFrom-Json
    $lastAlertTime = [DateTime]$state.lastAlertTime
    $minutesSinceAlert = ((Get-Date) - $lastAlertTime).TotalMinutes

    if ($minutesSinceAlert -gt 60) {  # Alert every 60 minutes max
        $shouldAlert = $true
    }
} else {
    $shouldAlert = $true
}

if ($shouldAlert -and $lossPercent -gt $PacketLossThreshold) {
    # Send alert...
    @{ "lastAlertTime" = (Get-Date).ToString() } | ConvertTo-Json | Out-File $alertStateFile
}

---

Layer 5: Advanced jitter and baseline detection

Packet loss is a hard signal: either the packet arrived or it didn’t. Jitter is subtle: 50 ms one second, 55 ms the next, 100 ms the next. Users notice jitter more than absolute latency (a 100 ms baseline to a WAN site is acceptable; 100 ms with 80 ms jitter is not—VoIP breaks, remote desktop becomes unusable).

Enhanced statistics—percentiles and rolling baseline:

function Get-PercentileRTT {
    param([array]$rttSamples, [double]$percentile)

    $sorted = $rttSamples | Sort-Object
    $index = [Math]::Ceiling(($percentile / 100) * $sorted.Count) - 1
    return $sorted[$index]
}

# In the main loop:
$p50 = Get-PercentileRTT $rttBuffer 50
$p95 = Get-PercentileRTT $rttBuffer 95
$p99 = Get-PercentileRTT $rttBuffer 99

# Detect baseline drift
$baselineFile = Join-Path $LogDir "ping-$Target-baseline.json"
if (Test-Path $baselineFile) {
    $baseline = Get-Content $baselineFile | ConvertFrom-Json
    $rttDrift = $avgRtt - $baseline.avgRtt

    if ([Math]::Abs($rttDrift) -gt 50) {  # More than 50 ms change
        Write-Host "BASELINE DRIFT: RTT shifted from $($baseline.avgRtt) ms to $avgRtt ms" -ForegroundColor Yellow
    }
} else {
    @{
        "avgRtt" = $avgRtt
        "captureDate" = (Get-Date).ToString()
    } | ConvertTo-Json | Out-File $baselineFile
}

Alert on jitter, not just loss:

if ($stdDev -gt 30 -and $SendAlerts) {  # High jitter threshold
    $jitterAlert = "JITTER ALERT: $Target jitter at $([Math]::Round($stdDev, 2)) ms (Std Dev)"
    # ... send alert...
}

What jitter values mean:

• <5 ms: Excellent, stable link.
• 5–20 ms: Good, typical for congested LAN or moderate WAN.
• 20–50 ms: Fair, some congestion or route instability.
• >50 ms: Poor, link is flaky. Investigate routing, congestion, or hardware failure.

---

Layer 6: Understanding ICMP internals and TTL

For deeper troubleshooting, understand the ICMP packet structure and TTL behavior.

ICMP Echo Request packet (simplified):

IP Header:
  Source IP: 192.168.1.100 (your host)
  Dest IP: 8.8.8.8
  TTL: 64 (decremented at each hop)
  Protocol: 1 (ICMP)

ICMP Header:
  Type: 8 (Echo Request)
  Code: 0
  Checksum: computed over ICMP payload
  Sequence: 1 (which ping in the sequence?)
  Identifier: 1234 (process ID, to match reply to request)

Payload:
  Timestamp: 1713178800000 (milliseconds since epoch)
  Data: 32 bytes of padding (e.g., 'a' repeated)

Why TTL matters:

When a ping times out, TTL is often the culprit. Each router decrements TTL; if TTL hits 0, the packet is dropped and an ICMP Time Exceeded message is sent back. Typical scenarios:

1. Traceroute to a host 15 hops away, you send TTL=1: Router 1 receives it, decrements TTL to 0, drops it, sends ICMP Time Exceeded. You see * 1 ms * on line 1 of tracert output. You incrementally increase TTL to map the route.

2. Default TTL=64, but path is 100 hops (rare): Last hop sees TTL=0, packet is dropped. You get 100% loss. This almost never happens on the public internet (most AS hops are <30).

3. Asymmetric path with different TTL budgets: Forward path uses 10 hops (TTL goes from 64 to 54), reply path uses 20 hops (TTL goes from 64 to 44). Both reply and request succeed, so you see 0% loss. But reverse path is congested, so reply latency is high. You’d see high RTT with 0% loss—unusual and a sign to investigate routing.

Debugging with explicit TTL:

On Windows, you can’t set TTL for ping directly, but you can with tracert:

C:\> tracert -h 20 8.8.8.8   REM Max hops = 20

Or use Test-NetConnection in PowerShell:

Test-NetConnection -ComputerName 8.8.8.8 -TraceRoute | Format-Table

---

Layer 7: Integrating with enterprise tools

Once your infrastructure reaches a certain scale (10+ sites, multi-team operations), managing individual PowerShell scripts becomes untenable. Time to move to enterprise monitoring.

PRTG Network Monitor (Windows-native, uses SNMP and HTTP):

PRTG is widely deployed in Windows shops. It has:
– Pre-built ping sensor (ICMP uptime check).
– Packet loss, RTT, and jitter graphs.
– Threshold-based alerting to email, Slack, PagerDuty.
– Multi-site dashboard, automatic failover sensor selection (if primary is down, check secondary).

Basic PRTG ping sensor setup:

1. Install PRTG on a central server (or cloud-hosted).
2. Add sensor: “ICMP Ping” to a device.
3. Configure threshold: Alert if loss >5% or RTT >200 ms.
4. Alert action: Email, webhook, or PagerDuty.

Prometheus with blackbox_exporter (cloud-native, highly flexible):

If you’re already using Prometheus/Grafana:

1. Deploy blackbox_exporter on a probe host (or multiple probes for redundancy).
2. Configure Prometheus scrape job:
   “`yaml
   – job_name: ‘blackbox’
   metrics_path: /probe
   params:
   module: [icmp]
   static_configs:
   • targets:
     • 8.8.8.8
     • 192.168.1.100
       relabel_configs:
   • source_labels: [address]
     target_label: __param_target
   • source_labels: [__param_target]
     target_label: instance
   • target_label: address
     replacement: 127.0.0.1:9115
     “`
3. Metrics exported: probe_success, probe_duration_seconds, probe_icmp_duration_ms.
4. Alert with Prometheus rules:
   yaml
- alert: HighPacketLoss
expr: (1 - probe_success{job="blackbox"}) > 0.05
for: 5m

Zabbix (enterprise favorite, supports auto-discovery):

Zabbix can auto-discover hosts and create ping monitors:

1. Create host group, host, and application.
2. Add item: “ICMP ping” (type: Simple Check).
3. Dependent items for jitter and loss rate.
4. Triggers: Alert if loss >5% or p99 latency >300 ms.
5. Action: Webhook to incident management.

Comparison:

Tool	Windows Native?	Ease of Setup	Jitter Calculation	Pricing
PowerShell (Layer 3)	Yes	30 minutes	Manual script	Free
PRTG	Yes	1 hour	Built-in	$1600–$5000/year
Prometheus + Blackbox	No (Linux)	2 hours	Via scrape interval	Free
Zabbix	Yes (agent-based)	2 hours	Via dependent items	Free

---

Real-world scenario: Diagnosing a flaky WAN link

A manufacturing site has a fiber link from the main plant (192.168.1.100) to a remote facility (203.0.113.50). Users report the remote site is “slow and intermittently unreachable.”

Step 1: One-off ping (5 minutes)

C:\> ping 203.0.113.50
Pinging 203.0.113.50 with 32 bytes of data:
Reply from 203.0.113.50: bytes=32 time=85ms TTL=64
Reply from 203.0.113.50: bytes=32 time=87ms TTL=64
Request timed out.
Reply from 203.0.113.50: bytes=32 time=300ms TTL=64
Reply from 203.0.113.50: bytes=32 time=88ms TTL=64

Ping statistics for 203.0.113.50:
    Packets: Sent = 5, Received = 4, Lost = 1 (20%)
    Approximate round trip times in milli-seconds:
    Minimum = 85ms, Maximum = 300ms, Average = 190ms

Diagnosis: 20% loss, 300 ms spike. Indicates link is marginal but not entirely broken.

Step 2: Continuous monitoring (1 hour with PowerShell)

Deploy the PowerShell script above with 10-second intervals. After 1 hour (360 pings), the rolling statistics show:

RTT Statistics (last 30 pings):
  Min: 82 ms
  Max: 312 ms
  Avg: 110 ms
  Median: 92 ms
  Std Dev (Jitter): 65 ms

Loss: 12%

Diagnosis: Jitter is extremely high (65 ms std dev). This indicates the link is experiencing intermittent congestion or packet reordering. The route might have a congested intermediate hop or a flaky router.

Step 3: Traceroute to pinpoint the hop

C:\> tracert 203.0.113.50
...
  5   84 ms    86 ms    85 ms  203.0.113.1   [local ISP gateway]
  6  200 ms   250 ms   195 ms  203.0.113.2   [ISP backbone router]
  7   90 ms    88 ms    91 ms  203.0.113.5   [destination ISP gateway]
  8   89 ms    90 ms    88 ms  203.0.113.50

Hop 6 (203.0.113.2) shows high variance (200–250 ms), while all other hops are stable (85–91 ms). This is the culprit: an ISP backbone router that’s either congested or flaky.

Step 4: Contact ISP and escalate

Call the ISP and provide:
– Timestamp of outages.
– Ping statistics (loss %, jitter).
– Traceroute showing the problematic hop.

ISP investigates that specific router and finds the issue: a faulty optics module causing packet drops and reordering. They replace it; latency drops to 88 ms with 0% loss and <2 ms jitter.

What the one-off ping couldn’t tell you: Timing, trend, jitter magnitude, and which hop was responsible. Continuous monitoring with statistics revealed all three.

---

Diagram: Monitoring stack and escalation

This diagram shows the decision tree: start with batch scripts, graduate to PowerShell with logging when you need alerts and jitter, and move to enterprise tools when you manage 10+ sites.

---

Diagram: ICMP packet and TTL lifecycle

Shows how ICMP Echo Request travels through routers, TTL is decremented, and reply is sent back. Illustrates why trace route takes increasing TTLs to map the route.

---

Diagram: PowerShell logging architecture

Shows the data flow: ping → PowerShell process → CSV file + stats file + alerts + optional webhook to Slack/PagerDuty.

---

Diagram: Jitter and packet loss metrics over time

Shows a 24-hour trend: normal operation (low jitter), degradation over 6 hours (jitter spike, loss climbs to 5%), recovery after infrastructure team intervention.

---

Common pitfalls and how to avoid them

Pitfall 1: Assuming ICMP behavior is the same everywhere

ICMP is often rate-limited or blocked by firewalls. A host might be unreachable via ping but fully operational. Always correlate ping results with application-layer health checks (DNS queries, HTTP probes, TCP port connectivity).

Mitigation: Deploy both ICMP ping and TCP connectivity checks. Alert only if both fail.

Pitfall 2: Setting alert thresholds without baseline data

If you alert on RTT >100 ms without knowing the baseline, you’ll false-alarm for links that are naturally slow (e.g., satellite, transcontinental). You’ll also miss degradation from a 80 ms baseline to 150 ms if you set the threshold at 200 ms.

Mitigation: Run monitoring for 24–48 hours to establish a baseline (min, max, average, p95). Set alert thresholds at 1.5–2x the baseline or based on business SLA (e.g., “remote desktop must have <100 ms latency”).

Pitfall 3: Not correlating ping with application behavior

A link with 0.5% packet loss and stable RTT might still cause application timeouts if the lost packets happen to be TCP SYN or TLS handshake packets. Ping loss and application error rates are not always correlated.

Mitigation: Dashboard ping metrics alongside application metrics (API response times, error rates, database query latency). When both degrade simultaneously, the network is the problem. When only one degrades, investigate the application.

Pitfall 4: Log file explosion and no rotation

After one month, a 10-second ping interval generates 259,200 log entries. A single CSV row is ~80 bytes; the file is 20 MB. After one year, 240 MB. Storage and parsing become slow.

Mitigation: Rotate logs daily or weekly, compress old logs, and use a log aggregation system (Splunk, ELK) to ingest and archive.

Pitfall 5: Running PowerShell scripts without Task Scheduler

If a script runs in a console window and you close the laptop or VPN disconnects, the script stops. Users won’t know that monitoring was stopped for 3 hours.

Mitigation: Always register scheduled tasks to run at startup. Monitor the scheduled task’s status (use Task Scheduler History). Alert if the task fails.

---

Conclusion: When to move from ping to enterprise monitoring

Ping is the simplest tool for the simplest question: “Is this host reachable?” Use it liberally for that. But understand its limitations:

• Ping measures network-layer connectivity; it doesn’t measure application health.
• Ping can be blocked, rate-limited, or asymmetric; always correlate with other checks.
• A single ping is a snapshot; continuous monitoring with jitter and percentile analysis is diagnosis.
• Manual log parsing is error-prone; structured CSV output and rolling statistics are non-negotiable.
• Email alerts are unreliable and don’t scale beyond 5–10 monitored sites.

The progression is:

1. One-off pings: Quick troubleshooting.
2. Batch scripts with unstructured logs: Marginally better, but limited.
3. PowerShell with CSV, timestamps, and jitter: Professional monitoring, small scale (1–20 sites).
4. Local agent + log aggregation: Medium scale (20–100 sites), cross-site correlation.
5. Enterprise platform (PRTG, Zabbix, Prometheus): Large scale, multi-team, incident management integration.

By the time you’re managing 10+ sites with 24/7 availability requirements, the cost of enterprise tooling is cheaper than the human labor of investigating manual logs. But start with PowerShell; it’s fast, free, and 90% of the functionality you need. Graduate to enterprise tools only when the manual overhead becomes unbearable.