Internet Control Message Protocol (ICMP) is a network layer protocol that serves the purpose of error reporting and network path diagnostic functions.
ICMP messages are sent using a basic IP header. The protocol field in the IP header is set to ICMP, followed by the ICMP payload.
Table of Contents
- How does ICMP work?
- ICMP Packet Structure
- ICMP Type
- Common ICMP Types
- Send ICMP Packet with Ping Command
- Capture ICMP Packet with Tcpdump Command
- Analysis of ICMP Packets
How does ICMP work?
ICMP is not a transport protocol that sends data between systems.
- ICMP is not used regularly in end-user applications. It is used by network administrators to troubleshoot internet connections in diagnostic utilities including ping and traceroute.
- ICMP is not associated with any transport layer protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
- It is a connectionless protocol, meaning a device does not need to open a connection with the target device before sending a message.
ICMP Packet Structure
ICMP is part of IP, and it relies on IP to transmit its messages. ICMP contains a relatively small header that changes depending on its purpose. The ICMP header contains the following fields:
- Type: The type or classification of the ICMP message, based on the RFC specification
- Code: The subclassification of the ICMP message, based on the RFC specification
- Checksum: Used to ensure that the contents of the ICMP header and data are intact upon arrival
- Variable: A portion that varies depending on the Type and Code fields
Let’s see an example of an ICMP packet.
00 0c 29 f8 1c 7c 00 0c 29 23 c1 05 08 00 45 00
00 3c 02 04 00 00 80 01 6a 2e c0 a8 01 01 c0 a8
01 02 08 00 28 b6 7c 01 00 00 00 00 09 00 00 00
00 00 00 00 00 10 11 12 13 14 15 16 17 18 19 1a
1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a
2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37
This is a hexadecimal dump of the packet, as captured on the wire.
In this example, the packet contains the following fields:
- Ethernet header: The first 14 bytes represent the Ethernet header. The source MAC address is 00 0c 29 f8 1c 7c, and the destination MAC address is 00 0c 29 23 c1 05.
- IP header: The next 20 bytes represent the IP header. The source IP address is 192.168.1.1, and the destination IP address is 192.168.1.2.
- ICMP header: The next 8 bytes represent the ICMP header. The type is 8 (echo request), the code is 0, and the checksum is 28 b6.
- Payload: The rest of the packet contains the payload, which can vary depending on the specific ICMP message being sent. In this example, the payload is 00 00 00 00 00 00 00 00 00 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37, which represents some arbitrary data.
The first 8 bits of the ICMP header are the message type. The type provides a brief explanation of what the message is for, so the receiving network device knows why it is getting the message and how to treat it.
For example, a Type 8 Echo is a query a host sends to see if a potential destination system is available. Upon receiving an Echo message, the receiving device might send back an Echo Reply (Type 0), indicating it is available.
Some common message types include the following:
- Type 0 — Echo reply
- Type 3 — Destination unreachable
- Type 8 — Echo
- Type 5 — Redirect
Internet Assigned Numbers Authority (IANA) provides a list of all message types ICMP packets use.
ICMP type and code
ICMP messages are identified by a type and a code field. The type field specifies the general category of the message, and the code field provides more detailed information about the message. The combination of the type and code fields is used to uniquely identify each ICMP message.
Here are some common ICMP message types and codes:
- Echo Request (Type 8, Code 0) – Used by the ping command to test if a host is reachable.
- Echo Reply (Type 0, Code 0) – Sent by a host to respond to an Echo Request message.
- Destination Unreachable (Type 3) – Sent by a router or host to indicate that a destination is unreachable. The code field provides more specific information about the reason for the unreachable condition.
- Time Exceeded (Type 11) – Sent by a router to indicate that a packet has been discarded because its TTL (Time To Live) value has reached zero.
- Redirect (Type 5) – Sent by a router to inform a host that a better next-hop address is available for the destination.
There are many other types of ICMP messages with various codes, but these are some of the most common ones.
Generate ICMP Packet with Ping Command
We can use the ping command to test network connectivity and how quickly data is relayed.
It’s one of the few instances where a user interacts directly with ICMP, which otherwise functions automatically to let networked computers communicate with one another.
Let’s send an ICMP packet with the ping command as below.
$ ping google.com
PING google.com (220.127.116.11): 56 data bytes
64 bytes from 18.104.22.168: icmp_seq=0 ttl=111 time=49.412 ms
Capture ICMP Packet with Tcpdump Command
At the same time, we can capture the packet with the following tcpdump command (options first, then the capture filter; dst google.com keeps only the outbound echo request).
# tcpdump -i utun1 -vvvv -A -X -c 1 icmp and dst google.com
Next, we can paste the captured packet bytes into an online packet analysis tool to decode them.
45 00 00 54 89 82 00 00 40 01 BB 95 0A 4F 65 5B AC D9 19 0E 08 00 EC FC C9 50 00 00 60 2B 97 D8 00 08 5E A3 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
Analysis of ICMP Packets
From the decoder output, we can see that there are two protocols in this packet (IPv4 and ICMP).
For this packet, the type is 8 and the code is 0: it is an ICMP Echo Request.
The ICMP message length is 64 bytes.
Because ICMP sits directly on IP rather than on TCP or UDP, the ICMP part has no port number.
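The decoding the page does by hand (IP header, then ICMP type, code, checksum, identifier and sequence) can be reproduced in code. The following parser is an added example, not part of the original article; it uses a constructed copy of the tcpdump hex dump shown above and also verifies both the IPv4 and the ICMP checksums, which is the check a defender wants before trusting a decoded packet.

```python
import struct
from ipaddress import IPv4Address

# Constructed copy of the tcpdump hex dump shown on the page (one outbound echo request).
PAGE_DUMP = (
    "45 00 00 54 89 82 00 00 40 01 BB 95 0A 4F 65 5B AC D9 19 0E "
    "08 00 EC FC C9 50 00 00 60 2B 97 D8 00 08 5E A3 "
    "08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B "
    "1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F "
    "30 31 32 33 34 35 36 37"
)

# Type numbers covered in the text; IANA keeps the full registry.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over an intact header it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_packet(hexdump: str) -> dict:
    """Decode an IPv4/ICMP packet given as a hex dump without Ethernet header."""
    pkt = bytes.fromhex(hexdump)
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:                      # IP protocol 1 = ICMP
        raise ValueError("IP protocol %d is not ICMP" % pkt[9])
    if ihl < 20 or len(pkt) < total_len or total_len < ihl + 8:
        raise ValueError("truncated or malformed packet")
    icmp = pkt[ihl:total_len]            # ICMP header + data, trailer excluded
    typ, code, _chk, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "ttl": pkt[8],
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "type": typ, "code": code,
        "name": ICMP_TYPES.get(typ, "Other (see IANA registry)"),
        "identifier": ident, "sequence": seq,
        "icmp_length": len(icmp),
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }
```

Run parse_icmp_packet(PAGE_DUMP) to get the same values the decoder shows: type 8, code 0, a 64-byte ICMP message and both checksums intact; altering any payload byte flips icmp_checksum_ok to False.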