Examining ICMP Packets
04/04/2001
In the past few articles, we examined the frames that were captured by the tcpdump utility during a brief telnet session. We've had a chance to look at IP headers, TCP headers, and ARP packets and had left off at the ICMP packets. Before we take a look at these packets, let's do a brief overview of the ICMP protocol.
ICMP stands for the Internet Control Message Protocol, and it was designed to send control messages between routers and hosts. For example, an ICMP packet may be sent when a router is experiencing congestion or when a destination host is unavailable.
An ICMP packet has a slightly different structure than we've seen before. An ICMP header follows the IP header in an IP packet, but it is not considered to be a Layer 4 header like TCP or UDP. Instead, ICMP is considered to be an integral part of IP; in fact, every vendor's implementation of IP is required to include ICMP.
Here is a picture of the fields an ICMP header adds to an IP packet:
| 8 | 16 | 32 bits |
| Type | Code | Checksum |
| Identifier | | Sequence number |
| Data | | |
You'll note that an ICMP header is composed of six fields. Interestingly, the Data field does not contain the actual ICMP "message." Instead, the Type and the Code fields contain numeric values, and each numeric value represents a specific ICMP message. Every ICMP packet must have a Type value, but only some ICMP types have an associated non-zero Code value.
RFC 1700 contains the possible values for each ICMP type and code; I've summarized these into the following table:
| Type | Name | Code(s) |
| 0 | Echo reply | 0 - none |
| 1 | Unassigned | |
| 2 | Unassigned | |
| 3 | Destination unreachable | 0 - Net unreachable |
| | | 1 - Host unreachable |
| | | 2 - Protocol unreachable |
| | | 3 - Port unreachable |
| | | 4 - Fragmentation needed and DF bit set |
| | | 5 - Source route failed |
| | | 6 - Destination network unknown |
| | | 7 - Destination host unknown |
| | | 8 - Source host isolated |
| | | 9 - Communication with destination network is administratively prohibited |
| | | 10 - Communication with destination host is administratively prohibited |
| | | 11 - Destination network unreachable for TOS |
| | | 12 - Destination host unreachable for TOS |
| 4 | Source quench | 0 - none |
| 5 | Redirect | 0 - Redirect datagram for the network |
| | | 1 - Redirect datagram for the host |
| | | 2 - Redirect datagram for the TOS and network |
| | | 3 - Redirect datagram for the TOS and host |
| 6 | Alternate host address | 0 - Alternate address for host |
| 7 | Unassigned | |
| 8 | Echo | 0 - None |
| 9 | Router advertisement | 0 - None |
| 10 | Router selection | 0 - None |
| 11 | Time Exceeded | 0 - Time to live exceeded in transit |
| | | 1 - Fragment reassembly time exceeded |
| 12 | Parameter problem | 0 - Pointer indicates the error |
| | | 1 - Missing a required option |
| | | 2 - Bad length |
| 13 | Timestamp | 0 - None |
| 14 | Timestamp reply | 0 - None |
| 15 | Information request | 0 - None |
| 16 | Information reply | 0 - None |
| 17 | Address mask request | 0 - None |
| 18 | Address mask reply | 0 - None |
| 19 | Reserved (for security) | |
| 20-29 | Reserved (for robustness experiment) | |
| 30 | Traceroute | |
| 31 | Datagram conversion error | |
| 32 | Mobile host redirect | |
| 33 | IPv6 where-are-you | |
| 34 | IPv6 I-am-here | |
| 35 | Mobile registration request | |
| 36 | Mobile registration reply | |
| 37-255 | Reserved | |
You'll note that the ICMP types that do have associated codes use the Code field to further explain the message value in the Type field. For example, ICMP Type 3 represents "destination unreachable." There can be many reasons why a destination is unreachable; accordingly, every ICMP Type 3 packet will also use one of the codes to explain why the destination was unreachable.
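To see the header layout and the Type/Code lookup working together, here is an added example (not code from the original article) that decodes the bytes following the IP header and verifies the Checksum field. The function names, the `ICMP_TYPES` dictionary (a subset of the table above) and the sample packets are assumptions constructed for this illustration.

```python
import struct

# Subset of the RFC 1700 table above: type -> (name, {code: meaning})
ICMP_TYPES = {
    0: ("Echo reply", {}),
    3: ("Destination unreachable", {
        0: "Net unreachable", 1: "Host unreachable",
        2: "Protocol unreachable", 3: "Port unreachable",
        4: "Fragmentation needed and DF bit set"}),
    8: ("Echo", {}),
    11: ("Time Exceeded", {
        0: "Time to live exceeded in transit",
        1: "Fragment reassembly time exceeded"}),
}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest, data=b""):
    """Build a constructed ICMP message with a valid checksum."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP message that follows the IP header."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum = struct.unpack("!BBH", packet[:4])
    name, codes = ICMP_TYPES.get(icmp_type, ("unlisted type", {}))
    meaning = codes.get(code, "none" if code == 0 else "unlisted code")
    result = {"type": icmp_type, "code": code, "name": name,
              "meaning": meaning,
              # a message summed together with its checksum field yields 0
              "checksum_ok": inet_checksum(packet) == 0}
    if icmp_type in (0, 8):      # echo: bytes 4-7 are Identifier and Sequence
        result["id"], result["seq"] = struct.unpack("!HH", packet[4:8])
    return result

if __name__ == "__main__":
    # Constructed samples: an echo request and a port-unreachable error
    echo = build_icmp(8, 0, b"\x12\x34\x00\x01", b"abcdefgh")
    unreach = build_icmp(3, 3, b"\x00" * 4, b"\x45\x00")
    print(parse_icmp(echo), parse_icmp(unreach), sep="\n")
```
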