Internet Control Message Protocol (ICMP) is a network layer protocol that serves the purpose of error reporting and network path diagnostic functions.
The Ping and Traceroute utility tools leverage ICMP messages for fault detection and isolation.
ICMP messages are sent using a basic IP header. The protocol field in IP header will be set to ICMP followed by the ICMP payload.
How does ICMP work?
ICMP is not a transport protocol that sends data between systems.
ICMP is not used regularly in end-user applications. It is used by network administrators to troubleshoot internet connections in diagnostic utilities including ping and traceroute.
ICMP is not associated with any transport layer protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
It is a connectionless protocol, meaning a device does not need to open a connection with the target device before sending a message.
ICMP Packet Structure
ICMP is part of IP, and it relies on IP to transmit its messages. ICMP contains a relatively small header that changes depending on its purpose. The ICMP header contains the following fields:
Type The type or classification of the ICMP message, based on the RFC specification
Code The subclassification of the ICMP message, based on the RFC specification
Checksum Used to ensure that the contents of the ICMP header and data are intact upon arrival
Variable A portion that varies depending on the Type and Code fields
The first 8 bits are the message types. The type provides a brief explanation of what the message is for so the receiving network device knows why it is getting the message and how to treat it.
For example, a Type 8 Echo is a query a host sends to see if a potential destination system is available. Upon receiving an Echo message, the receiving device might send back an Echo Reply (Type 0), indicating it is available.
Common ICMP Types
Some common message types include the following:
Type 0 -- Echo reply
Type 3 -- Destination unreachable
Type 8 -- Echo
Type 5 -- Redirect
Internet Assigned Numbers Authority (IANA) provides a list of all message types ICMP packets use.
Generate ICMP Packet with Ping Command
We can use ping command to test the network connectivity and the speed of data relay.
It's one of the few instances where a user can interact directly with ICMP, which typically only functions to allow networked computers to communicate with one another automatically.
Let's send an ICMP packet with ping command like below.
$ ping google.com PING google.com (220.127.116.11): 56 data bytes 64 bytes from 18.104.22.168: icmp_seq=0 ttl=111 time=49.412 ms
Capture ICMP Packet with Tcpdump Command
At the same time, we can capture packets with the following tcpdump command.
# tcpdump -i utun1 -vvvv icmp -A -X -c 1 and dst google.com
Next, we can copy this packet to this online packet analysis tool to decode.
45 00 00 54 89 82 00 00 40 01 BB 95 0A 4F 65 5B AC D9 19 0E 08 00 EC FC C9 50 00 00 60 2B 97 D8 00 08 5E A3 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
Analysis of ICMP Packets
From the below chart, we can see that there are two protocols in this packet (IPv4 and ICMP).
For this packet, the type is 8 and code 0. It is an ICMP Echo request.
The length is 64 bytes.
From the ICMP part, there is no port number.