ICMP (Internet Control Message Protocol)
ICMP (Internet Control Message Protocol) is a network protocol used for diagnostics and
network management. A good example is the “ping” utility which uses an ICMP request and
ICMP reply message. When a certain host or port is unreachable, ICMP might send an error
message to the source. Another example of an application that uses ICMP is traceroute.
ICMP messages are encapsulated in IP packets so most people would say that it’s a layer 4
protocol like UDP or TCP. However, since ICMP is a vital part of the IP protocol it is typically
considered a layer 3 protocol.
The header that ICMP uses is really simple. Here's what it looks like:
Type: The first byte specifies the type of ICMP message. For example, type 8 is used for an
ICMP echo request and type 0 is used for an ICMP echo reply. Type 3 is used for destination
unreachable messages.
Code: The second byte, the code, specifies more precisely what kind of message it is. For example,
the destination unreachable message has 16 different codes. Code 0 means that the
destination network was unreachable, while code 1 means that the destination host was
unreachable.
Checksum: The third field is 2 bytes that hold a checksum, used to check whether the ICMP
header is corrupt or not. What the remaining part of the header looks like depends on the
ICMP message type that we are using.
To show you some examples of ICMP in action, let’s look at some popular ICMP messages
in Wireshark.
Wireshark Captures
ICMP Echo request and reply
Let’s start with a simple example, a ping. I will use two routers for this:
CRYPTO NETWORKING
Let’s send a ping from R1:
R1#ping [Link]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to [Link], timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/21/64 ms
Here’s what it looks like:
The message above is the ICMP echo request; you can see it uses type 8 and code 0.
When R2 receives it, it will reply:
The ICMP echo reply is a type 0 and code 0 message.
Destination Unreachable
Traceroute
Traceroute also uses ICMP messages. To demonstrate this, we will use three routers:
Let’s see what a traceroute from R1 to R3 looks like:
R1#traceroute [Link] probe 1
Type escape sequence to abort.
Tracing the route to [Link]
1 [Link] 52 msec
2 [Link] 60 msec
By default, Cisco IOS sends multiple probes per hop. For this demonstration, I only need one
probe. Here's the first packet that R1 sends:
Cisco IOS uses UDP packets with a TTL value of 1 and destination port 33434. The TTL and
destination port increase with every hop. Once R2 receives this packet, it will reply like
this:
Here’s where ICMP comes into play. R2 will send an ICMP type 11 (time to live exceeded)
message to R1. Once R1 receives this, it will send its second probe:
Above, you can see that the TTL is now 2 and the destination port number has increased to
33435. Once R3 receives this packet, it will reply like this:
R3 will reply with a type 3 destination unreachable message. Take a close look at the type
and code. The type tells us the destination is unreachable, which on its own could mean that
the remote host or network is unreachable.
However, the code is 3, which means port unreachable. R3 uses this code because
nothing is listening on UDP port 33435. Because R3 itself replies to R1 with this code, R1
now knows that R3 ([Link]) is reachable; it's just not listening on UDP port 33435.
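As an added example (not part of the original lesson), here is a small Python decoder for the header described above: it reads type, code and checksum, verifies the RFC 1071 checksum, and applies the traceroute logic from the captures (type 11 means an intermediate hop, type 3 code 3 means the destination itself answered). The sample messages are constructed to match the R1/R2/R3 exchange, and names such as traceroute_verdict are the example's own.

```python
import struct

# Type and code names for the ICMP messages this lesson walks through (IANA assignments).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable", 3: "port unreachable"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                        # an odd-length message is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble type | code | checksum | 4 'rest of header' bytes | payload, with the checksum filled in."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload   # checksum field zeroed while summing
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode the first three header fields and verify the checksum over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message is shorter than the 8-byte header")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    code_name = UNREACH_CODES.get(code, "code %d" % code) if icmp_type == 3 else "code %d" % code
    return {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
            "code": code, "code_name": code_name, "checksum": csum,
            "checksum_ok": icmp_checksum(msg) == 0}   # a correct checksum sums the whole message to zero

def traceroute_verdict(msg: bytes) -> str:
    """What the traceroute sender (R1) concludes from the ICMP reply to one UDP probe."""
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "corrupt"
    if info["type"] == 11:                     # a router in the path decremented the TTL to 0
        return "intermediate hop"
    if info["type"] == 3 and info["code"] == 3:
        return "destination reached"           # the host answered; nothing listens on the probed port
    if info["type"] == 3:
        return "unreachable: " + info["code_name"]
    return "other: " + info["type_name"]

# Constructed sample messages modelled on the captures above (not taken from the page).
ECHO_REQUEST = build_icmp(8, 0, rest=struct.pack("!HH", 1, 1), payload=b"\xab\xcd" * 36)
TIME_EXCEEDED = build_icmp(11, 0)              # R2's answer to the TTL=1 probe
PORT_UNREACH = build_icmp(3, 3)                # R3's answer to the TTL=2 probe

if __name__ == "__main__":
    print([traceroute_verdict(m) for m in (ECHO_REQUEST, TIME_EXCEEDED, PORT_UNREACH)])
```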