Understanding ICMP Packets with Examples

Updated: Aug 2

Internet Control Message Protocol (ICMP), described in RFC 792 and part of the TCP/IP protocol stack, is an error reporting and control-based protocol used between network devices.


ICMP messages are encapsulated into IP datagrams, which are then encapsulated into an Ethernet frame.



What is ICMP?

Internet Control Message Protocol (ICMP) is the utility protocol of TCP/IP, responsible for providing information regarding the availability of devices, services, or routes on a TCP/IP network. Most network-troubleshooting techniques and tools center around common ICMP message types.


The primary purpose of an ICMP ping is to test communication between devices. Data is sent from one host to another as a request, and the receiving host should send that data back as a reply.




ICMP Packet Structure ICMP header

ICMP is part of IP, and it relies on IP to transmit its messages. ICMP contains a relatively small header that changes depending on its purpose. The ICMP header contains the following fields:


  • Type   The type or classification of the ICMP message, based on the RFC specification

  • Code   The subclassification of the ICMP message, based on the RFC specification

  • Checksum   Used to ensure that the contents of the ICMP header and data are intact upon arrival

  • Variable   A portion that varies depending on the Type and Code fields




ICMP Types and Codes

The ICMP protocol has a field called type, which indicates what type the ICMP packet is. If the type field is 8, then the packet is an ICMP echo (ping) request, while if the type field is 0, then the packet is an ICMP echo (ping) reply.


That type of field is a one-byte field at the very beginning of the ICMP protocol header.


We might consider the ICMP Type field the packet’s classification and the Code field its subclass. For example, a Type field value of 3 indicates “destination unreachable.”


While this information alone might not be enough to troubleshoot a problem, if that packet were also to specify a Code field value of 3, indicating “port unreachable,” We could conclude that there is an issue with the port with which we are attempting to communicate.




Capture ICMP packets with Tcpdump Command

In IPV4, we can use this tcpdump command to filter all ICMP packets. We use eth0 network interface in all our examples. Please change it based on the environment.


# tcpdump -i eth0 icmp

To filter ICMP echo-requests, we can use this tcpdump command.


# tcpdump -i eth0 "icmp[0] == 8"

These are the packets we get captured with tcpdump command.


14:37:14.555295 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 0, length 6414:37:15.557948 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 1, length 6414:37:16.562905 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 2, length 64



Related:

Exploring ICMP Protocol with Examples

Understanding Ping Command and ICMP with Examples

Exploring ICMP Port Number with Example

Capture ICMP Packets With Tcpdump

186 views
屏幕快照 2021-08-08 下午5.16.32.png