ICMP (Internet Control Message Protocol)

ICMP (Internet Control Message Protocol) is a network protocol used for diagnostics and network management. A good example is the “ping” utility which uses an ICMP request and ICMP reply message. When a certain host of port is unreachable, ICMP might send an error message to the source. Another example of an application that uses ICMP is traceroute.

ICMP messages are encapsulated in IP packets so most people would say that it’s a layer 4 protocol like UDP or TCP. However, since ICMP is a vital part of the IP protocol it is typically considered a layer 3 protocol.

The header that ICMP uses is really simple, here’s what it looks like:

ICMP Header

The first byte specifies the type of ICMP message. For example, type 8 is used for an ICMP request and type 0 is used for an ICMP reply. We use type 3 for destination unreachable messages.

The second byte called code specifies what kind of ICMP message it is. For example, the destination unreachable message has 16 different codes. When you see code 0 it means that the destination network was unreachable while code 1 means that the destination host was unreachable.

The third field are 2 bytes that are used for the checksum to see if the ICMP header is corrupt or not. What the remaining part of the header looks like depends on the ICMP message type that we are using.

If you are interested, here is a full list with all ICMP codes and types.

To show you some examples of ICMP in action, let’s look at some popular ICMP messages in Wireshark.

Wireshark Captures

ICMP Echo request and reply

Let’s start with a simple example, a ping. I will use two routers for this:

R1 R2 FastEthernet

Let’s send a ping from R1:

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/21/64 ms

Here’s what it looks like:

Wireshark Capture Echo Request

The message above is the ICMP request, you can see it uses type 8 and code 0 for this. When R2 receives it will reply:

Wireshark capture ICMP echo reply

The ICMP echo reply is a type 0 and code 0 message.

Destination Unreachable

Another nice example to look at is the destination unreachable message. We can test this by adding an access-list on R2 that denies ICMP messages:

R2(config)#ip access-list extended NO_ICMP 
R2(config-ext-nacl)#deny icmp any host 192.168.12.2
R2(config-ext-nacl)#permit ip any any

R2(config)#interface FastEthernet 0/0
R2(config-if)#ip access-group NO_ICMP in

Now let’s try that ping from R1 again:

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

The ping fails and you can see the U (unreachable) messages on R1. Here’s the ICMP message that R2 sends:

Wireshark Capture ICMP Administratively Filtered

The ICMP destination unreachable message is a type 3 and it’s using code 13 because this packet was “administratively filtered” (acces-list).

Traceroute

Traceroute also uses ICMP messages, to demonstrate this we will use three routers:

R1 R2 R3

Let’s see what a traceroute from R1 to R3 looks like:

R1#traceroute 192.168.23.3 probe 1

Type escape sequence to abort.
Tracing the route to 192.168.23.3

  1 192.168.12.2 52 msec
  2 192.168.23.3 60 msec

Cisco IOS by default will send multiple probes. For this demonstration I only need one probe. Here’s the first packet that R1 sends:

Wireshark Capture Traceroute UDP Probe

Cisco IOS uses UDP packets with a TTL value of 1 and destination port 33434. The TTL and destination port will increase for every hop. Once R2 receives this packet it will reply like this:

Wireshark Capture Traceroute ICMP TTL Exceeded

Here’s where ICMP comes into play. R2 will send an ICMP type 11 (time to live exceeded) message to R1. Once R1 receives this, it will send its second probe:

Wireshark capture traceroute UDP Probe TTL Two

Above you can see that the TTL is now 2 and the destination port number has increased to 33435.  Once R3 receives this packet it will reply like this:

Wireshark Capture Traceroute ICMP Destination Unreachable

R3 will reply with a type 3 destination unreachable message. Take a close look at the code, it indicates that the port is unreachable. This is because nothing is listening on UDP port 33435. At least R1 now knows that 192.168.23.3 is reachable.

Conclusion

You have now seen what the ICMP is used for, what the header looks like and what some of the most popular messages look like. If you have any questions, feel free to leave a comment in our forum!

Tags: ,


Forum Replies

  1. Hello Hussein!

    ICMP is a Layer 3 protocol. It actually never reaches Layer 4. So Wireshark doesn’t display any Layer 4 encapsulation because there is none.

    The encapsulation process starts at Layer 3, where source and destination IP addresses are assigned as usual, and gets encapsulated to layer 2 (where Ethernet, MAC addresses and PPP live to name a few) and then it is placed on the medium. Deencapsuation occurs at the destination up to layer three where the source and destination IP addresses are read. The ICMP protocol adds a header AFTER the IP header w

    ... Continue reading in our forum

  2. Hello Hussein.

    You are correct when you say that you cannot skip an OSI layer when communicating on the network. However, we can BEGIN our communication at layer 3 and go down to layer 1. In this case we are not skipping layers 4-7. Let me express this in an example:

    When you start an FTP file transfer from your computer, you are BEGINNING your communication at the Application layer, or layer 7. As you go down the OSI stack, you cannot skip layer 2 for example. MAC addresses must be placed in the L2 header and appropriate header information must be include

    ... Continue reading in our forum

  3. Hello again Rosna

    In traceroute, a probe is the number of ICMP echo requests sent to each individual hop. So if a traceroute has 7 hops to the destination, the Cisco device will send three probes, or three ICMP echo requests to each of the 7 hops for a total of 21 ICMP echo requests. If you select one probe, a single ICMP request will be sent to each hop. You won’t actually see a difference in the traceroute output.

    ... Continue reading in our forum

  4. Hello Eliu

    Your observation is well taken, and thank you for pointing that out. I should have been clearer in my explanation. You will notice that there is no UDP information in any of the captures that have to do with the ping command while you will see the UDP line as well added to that for any of the captures that have to do with traceroute. Ping does not include layer 4 however, traceroute incorporates layer four, specifically UDP in order to achieve its functionality.

    The default implementation of traceroute sends a sequence of UDP packets, with destina

    ... Continue reading in our forum

  5. Excelent! Thanks a lot!

47 more replies! Ask a question or join the discussion by visiting our Community Forum