In this post we discuss the Internet Control Message Protocol (ICMP), one of the core protocols of the TCP/IP suite [Wikipedia] [RFC 792]. Many common networking utilities are based on ICMP, including tracert and ping.
ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes. ICMP errors are always reported to the original source IP address of the originating datagram. The protocol is implemented by both hosts and routers, albeit in different ways.
A version of ICMP for IPv6 exists: ICMPv6. The scope of this article is limited to ICMP for IPv4 (ICMPv4).
Each ICMP message is encapsulated directly within a single IP datagram, and thus, like UDP, ICMP is unreliable. The structure of ICMP packets is displayed below:
The Type and Code fields are the first two fields in the header of the ICMP packet. Together these fields designate the meaning of the packet.
The most common combinations of Type and Code are displayed below.
|Type||Code||Name
|0||0||Echo Reply
Response to an ICMP Echo Request.
|3||1||Destination Host Unreachable
Sent by an IP router when a route to the destination IP address cannot be found.
|3||3||Destination Port Unreachable
Sent by the destination IP node when the Destination Port in the UDP header cannot be matched with a process using that port.
|4||0||Source Quench
This message requests the sender to decrease the traffic rate of messages to a router or host. This message may be generated if the router or host does not have sufficient buffer space to process the request, or may occur if the router or host's buffer is approaching its limit.
|8||0||Echo Request
Troubleshooting message used to check IP connectivity to a desired host. The ping utility sends ICMP Echo Request messages.
|11||0||Time-to-live equals 0 during transit
This message is generated by a router to inform the source of a discarded datagram, due to the Time-to-live field reaching zero. A time exceeded message may also be sent by a host if it fails to reassemble a fragmented datagram within its time limit.
|13||0||Timestamp
Used for time synchronization.
|14||0||Timestamp Reply
Consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp.
As can be seen in the table, an ICMP message can either be an error message or a query message. Query messages are two-way: when an ICMP request is received by a device, an ICMP reply message is sent back. In contrast, when an ICMP error message is received by a device, it may not generate a new error message in response to this message (because this might create an endless loop of messages).
The Code and Type fields are followed by a 16-bit Checksum, which helps ensure the integrity of the ICMP packet.
The contents of the next group of 32 bits (4 bytes) differ depending on the type/code combination. The image below shows all the possible variations, and for more details you should check out the surprisingly readable RFC.
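To make the header layout, the checksum and the type-dependent 4-byte field concrete, here is an added Python example (not code from the original post). It computes the 16-bit RFC 1071 checksum over the whole message, packs an Echo Request whose 4-byte field carries an identifier and sequence number, packs a Destination Unreachable / Port Unreachable error whose body quotes the offending IP header plus the first 8 bytes of its payload, and applies the error-versus-query rule from the table: a query gets the matching reply type, an error must not be answered with another error. The UDP datagram, addresses and ports are constructed sample data; nothing is sent on the wire.

```python
import struct
import ipaddress

# ICMPv4 message types used below (values from RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_TIMESTAMP = 13
ICMP_TIMESTAMP_REPLY = 14

# Error messages quote the offending IP header + 8 bytes of its payload and
# are never answered with another ICMP error (that could loop forever).
ERROR_TYPES = {ICMP_DEST_UNREACHABLE, ICMP_SOURCE_QUENCH, ICMP_TIME_EXCEEDED}
# Query messages and the reply type a host answers them with.
QUERY_REPLIES = {ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY, ICMP_TIMESTAMP: ICMP_TIMESTAMP_REPLY}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement
    sum of all 16-bit words of the ICMP message (checksum field zeroed)."""
    if len(data) % 2:          # pad odd-length data with a zero byte
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type 8 / Code 0: the 4-byte 'rest of header' holds identifier + sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)   # checksum field is zero while summing
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def build_port_unreachable(original_datagram: bytes) -> bytes:
    """Type 3 / Code 3: the 4-byte field is unused, the body quotes the IP
    header and first 8 bytes of the datagram that could not be delivered."""
    quoted = original_datagram[:20 + 8]      # assumes a 20-byte IP header (IHL = 5)
    header = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, 3, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, 3, csum, 0) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Decode type/code, verify the 16-bit checksum and interpret the
    type-dependent 4-byte field and the body."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if icmp_checksum(packet) != 0:          # a valid message sums to zero
        raise ValueError("ICMP checksum mismatch")
    msg_type, code = packet[0], packet[1]
    msg = {"type": msg_type, "code": code, "is_error": msg_type in ERROR_TYPES}
    if msg_type in ERROR_TYPES:
        if len(packet) < 8 + 20:
            raise ValueError("error message lacks the quoted IP header")
        ihl = (packet[8] & 0x0F) * 4         # length of the quoted IP header
        ip_hdr = packet[8:8 + ihl]
        msg["orig_proto"] = ip_hdr[9]
        msg["orig_src"] = str(ipaddress.IPv4Address(ip_hdr[12:16]))
        msg["orig_dst"] = str(ipaddress.IPv4Address(ip_hdr[16:20]))
        l4 = packet[8 + ihl:8 + ihl + 8]     # first 8 bytes of the original transport header
        if msg["orig_proto"] == 17 and len(l4) >= 4:   # UDP: source port, destination port
            msg["orig_sport"], msg["orig_dport"] = struct.unpack("!HH", l4[:4])
    elif msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY, ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY):
        msg["identifier"], msg["sequence"] = struct.unpack("!HH", packet[4:8])
        msg["payload"] = packet[8:]
    return msg


def reply_type_for(packet: bytes):
    """Reply type a host sends back for a query; None for an error message."""
    return QUERY_REPLIES.get(parse_icmp(packet)["type"])


# Constructed sample: UDP datagram 10.0.0.1 -> 10.0.0.2, port 40000 -> 33434
# (IP header checksum left at zero; this example never validates it).
SAMPLE_IP_HEADER = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) \
    + ipaddress.IPv4Address("10.0.0.1").packed + ipaddress.IPv4Address("10.0.0.2").packed
SAMPLE_UDP_HEADER = struct.pack("!HHHH", 40000, 33434, 8, 0)
SAMPLE_DATAGRAM = SAMPLE_IP_HEADER + SAMPLE_UDP_HEADER

if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, b"hello")
    print(parse_icmp(req), "reply with type", reply_type_for(req))
    err = build_port_unreachable(SAMPLE_DATAGRAM)
    print(parse_icmp(err), "reply with type", reply_type_for(err))
```

Verification uses the usual trick: summing the received message with its checksum field left in place yields zero when the message is intact, so a corrupted byte anywhere in the header or body is rejected before the type-specific fields are trusted. A real receiver would additionally check that the enclosing IP datagram has protocol number 1 and that the quoted header inside an error message matches a datagram it actually sent.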
Although RFC 1122 prescribes that any host must accept an echo-request and issue an echo-reply in return, this has been characterized as a security risk. As a result, many modern operating systems do not respond to echo-request messages. The following quote from Wikipedia elaborates on this:
The usefulness of ping in assisting the diagnosis of Internet connectivity issues was impaired starting in 2003, when a number of Internet service providers began filtering out ICMP Type 8 (ICMP Echo Request) messages at their network boundaries. This was partly due to the increasing use of ping for target reconnaissance, for example by Internet worms such as Welchia that flood the Internet with ping requests in order to locate new computers to infect. Not only did the availability of ping responses leak information to an attacker, it added to the overall load on networks, causing problems for routers across the Internet.