ICMP: Internet Control Message Protocol

ICMP (Internet Control Message Protocol) is a supporting protocol in the IP suite used for error reporting, diagnostics, and network troubleshooting. While not used for data transfer, ICMP is essential for network operations and is the foundation of common tools like ping and traceroute. This comprehensive guide explains ICMP, its messages, and practical applications.

What is ICMP?

ICMP is a network layer protocol (Layer 3) that operates alongside IP to provide error reporting and diagnostic capabilities. It's defined in RFC 792 (ICMPv4) and RFC 4443 (ICMPv6).

Purpose and Characteristics

Primary functions:

Error reporting
Network diagnostics
Path discovery
Reachability testing

Key characteristics:

Protocol number: 1 (in IP header)
Layer: Network layer (Layer 3)
Encapsulation: Carried in IP packets
Connectionless: No session establishment
Best-effort: No delivery guarantee

ICMP vs TCP/UDP:

ICMP: Control and diagnostics
TCP/UDP: Data transport

ICMP: Part of IP layer
TCP/UDP: Transport layer

ICMP: No ports
TCP/UDP: Port-based

ICMP Message Structure

Packet Format

Basic structure:

┌─────────┬─────────┬──────────────┬─────────────┐
│  Type   │  Code   │   Checksum   │   Variable  │
│ (8 bits)│ (8 bits)│  (16 bits)   │  (varies)   │
├─────────┴─────────┴──────────────┴─────────────┤
│                      Data                      │
└────────────────────────────────────────────────┘

Fields:

Type: Message type (error or informational)
Code: Subtype/specific condition
Checksum: Error detection
Variable: Type-specific data
Data: Original IP header + first 8 bytes of data (for errors)

IP Encapsulation

ICMP in IP packet:

┌──────────────────┐
│   IP Header      │
│  Protocol: 1     │ ← Indicates ICMP
├──────────────────┤
│   ICMP Header    │
│  Type, Code, etc │
├──────────────────┤
│   ICMP Data      │
└──────────────────┘

ICMP Message Types

Error Messages

Destination Unreachable (Type 3):

Codes:
0: Network unreachable
1: Host unreachable
2: Protocol unreachable
3: Port unreachable
4: Fragmentation needed but DF set
5: Source route failed
6: Destination network unknown
7: Destination host unknown
9: Network administratively prohibited
10: Host administratively prohibited
13: Communication administratively prohibited

Use cases:

Router can't forward packet
Host not responding
Service not available
Firewall blocking

Example:

ping 192.168.1.100
If host down: "Destination Host Unreachable"
If network unreachable: "Destination Network Unreachable"
If a UDP port is closed: "Port Unreachable" (sent in response to UDP datagrams, not to ping)

Time Exceeded (Type 11):

Codes:
0: TTL expired in transit
1: Fragment reassembly time exceeded

Use cases:

Routing loops
Traceroute functionality
Packet took too long

Example:

Packet TTL reaches 0
Router discards packet
Router sends Time Exceeded to source
Traceroute uses this mechanism

Parameter Problem (Type 12):

Codes:
0: Pointer indicates error
1: Missing required option
2: Bad length

Use cases:

Malformed IP header
Invalid options
Protocol errors

Source Quench (Type 4) - Deprecated:

Code: 0
Purpose: Congestion control
Status: No longer used
Replaced by: TCP congestion control

Redirect (Type 5):

Codes:
0: Redirect for network
1: Redirect for host
2: Redirect for TOS and network
3: Redirect for TOS and host

Use cases:

Better route available
Optimize routing
Local network only

Example:

Host sends packet to default gateway
Gateway knows better route
Gateway forwards packet
Gateway sends Redirect to host
Host updates routing table

Informational Messages

Echo Request (Type 8) and Echo Reply (Type 0):

Request:
  Type: 8
  Code: 0
  Identifier: Process ID
  Sequence: Increments per request
  Data: Optional payload

Reply:
  Type: 0
  Code: 0
  Same identifier and sequence
  Same data echoed back

Use cases:

Ping utility
Reachability testing
Latency measurement
Network diagnostics

Example:

ping 8.8.8.8
# Sends Echo Request (Type 8)
# Receives Echo Reply (Type 0)
# Measures round-trip time

Timestamp Request (Type 13) and Reply (Type 14):

Purpose: Time synchronization
Fields: Originate, receive, transmit timestamps
Use: Clock synchronization (rarely used now)
Replaced by: NTP

Information Request/Reply (Type 15/16) - Obsolete:

Purpose: Network address discovery
Status: Obsolete
Replaced by: DHCP, BOOTP

Address Mask Request (Type 17) and Reply (Type 18):

Purpose: Subnet mask discovery
Use: Diskless workstations
Status: Rarely used
Replaced by: DHCP

Router Advertisement (Type 9) and Solicitation (Type 10):

Purpose: Router discovery
Use: Find default gateway
Status: Rarely used in IPv4
Common in: IPv6 (different types)

ICMP in Practice

Ping

How ping works:

1. Send ICMP Echo Request (Type 8)
2. Destination receives request
3. Destination sends Echo Reply (Type 0)
4. Source receives reply
5. Calculate round-trip time (RTT)
6. Repeat

Ping command:

# Basic ping
ping google.com

# Specific count
ping -c 4 8.8.8.8

# Interval
ping -i 0.5 8.8.8.8

# Packet size
ping -s 1000 8.8.8.8

# Flood ping (requires root)
ping -f 8.8.8.8

Ping output:

PING google.com (142.250.185.46): 56 data bytes
64 bytes from 142.250.185.46: icmp_seq=0 ttl=117 time=12.3 ms
64 bytes from 142.250.185.46: icmp_seq=1 ttl=117 time=11.8 ms
64 bytes from 142.250.185.46: icmp_seq=2 ttl=117 time=12.1 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.8/12.1/12.3/0.2 ms

Interpreting results:

icmp_seq: Sequence number
ttl: Time to Live (hops remaining)
time: Round-trip time in milliseconds

Good: Low time, no loss
Bad: High time, packet loss
Unreachable: Destination/network unreachable

Traceroute

How traceroute works:

1. Send packet with TTL=1
2. First router decrements TTL to 0
3. Router sends Time Exceeded (Type 11)
4. Source records first hop
5. Send packet with TTL=2
6. Second router sends Time Exceeded
7. Continue until destination reached
8. Destination sends Echo Reply or Port Unreachable

Traceroute variations:

Linux (traceroute):

traceroute google.com
# Uses UDP packets
# Destination Port Unreachable indicates arrival

Windows (tracert):

tracert google.com
# Uses ICMP Echo Request
# Echo Reply indicates arrival

Modern traceroute:

# ICMP-based (Echo Request probes, like tracert)
traceroute -I google.com

# TCP-based (useful where UDP or ICMP probes are filtered but TCP/80 is allowed)
traceroute -T -p 80 google.com

# UDP-based (default)
traceroute google.com

Traceroute output:

traceroute to google.com (142.250.185.46), 30 hops max
 1  192.168.1.1 (192.168.1.1)  1.234 ms  1.123 ms  1.089 ms
 2  10.0.0.1 (10.0.0.1)  5.678 ms  5.432 ms  5.321 ms
 3  203.0.113.1 (203.0.113.1)  12.345 ms  12.234 ms  12.123 ms
 4  * * *
 5  142.250.185.46 (142.250.185.46)  15.678 ms  15.567 ms  15.456 ms

Interpreting results:

Each line: One hop (router)
Three times: Three probe packets
* * *: No response (firewall/timeout)
Hostname: Reverse DNS if available

Path MTU Discovery

Purpose: Find maximum packet size without fragmentation

Process:

1. Send packet with DF (Don't Fragment) flag set
2. If too large, router sends ICMP Type 3, Code 4
   "Fragmentation Needed but DF Set"
3. Message includes next-hop MTU
4. Sender reduces packet size
5. Repeat until successful

ICMP message:

Type: 3 (Destination Unreachable)
Code: 4 (Fragmentation needed but DF set)
Next-hop MTU: Included in message
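The traceroute and Path MTU Discovery mechanisms above both depend on the receiver decoding an ICMP error and the original IP header plus first 8 bytes quoted inside it. This added example (not code from the article) does that decoding: it recovers the original source, destination, protocol and ports, extracts the next-hop MTU from a Type 3 Code 4 message, and matches a Time Exceeded message to a UDP traceroute probe by its destination port. The builder functions and sample addresses are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# Added example, not from the original article: decode ICMP error messages
# (Destination Unreachable, Type 3; Time Exceeded, Type 11) and recover the
# original datagram quoted in the body, as PMTUD and traceroute must do to
# attribute the error to the packet that caused it. Sample values are constructed.

DEST_UNREACH, TIME_EXCEEDED, FRAG_NEEDED = 3, 11, 4

def parse_icmp_error(msg: bytes) -> dict:
    """Type | Code | Checksum | 4-byte field | original IP header | first 8 bytes of L4."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error: need header, inner IP header and 8 bytes")
    msg_type, code, _csum, field = struct.unpack("!BBHI", msg[:8])
    if msg_type not in (DEST_UNREACH, TIME_EXCEEDED):
        raise ValueError("not an ICMP error type handled here: %d" % msg_type)
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4                    # inner IP header length in bytes
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("inner IP header truncated")
    proto = inner[9]
    info = {"type": msg_type, "code": code, "orig_proto": proto,
            "orig_src": str(IPv4Address(inner[12:16])),
            "orig_dst": str(IPv4Address(inner[16:20]))}
    if proto in (6, 17):                           # TCP/UDP: ports are the first 4 L4 bytes
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    if msg_type == DEST_UNREACH and code == FRAG_NEEDED:
        info["next_hop_mtu"] = field & 0xFFFF      # low 16 bits of the 4-byte field (RFC 1191)
    return info

def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set (checksum zero), used as the quoted original."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_icmp_error(msg_type: int, code: int, field: int, inner_ip: bytes, l4_first8: bytes) -> bytes:
    """Construct an error message for offline tests (checksum left zero, never sent)."""
    return struct.pack("!BBHI", msg_type, code, 0, field) + inner_ip + l4_first8

def traceroute_probe_matches(err: dict, probe_dport: int) -> bool:
    """UDP traceroute ties a Time Exceeded reply to its probe by the original destination port."""
    return (err["type"] == TIME_EXCEEDED and err.get("orig_proto") == 17
            and err.get("orig_dport") == probe_dport)
```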

Benefits:

Avoid fragmentation
Optimize performance
Prevent packet loss
Efficient transmission

ICMP Security Considerations

Security Risks

ICMP flood (Ping flood):

Attack: Overwhelming target with Echo Requests
Impact: Resource exhaustion, DoS
Mitigation: Rate limiting, filtering

Smurf attack:

Attack: Spoofed Echo Request to broadcast
Impact: Amplification DDoS
Mitigation: Disable directed broadcast

ICMP tunneling:

Attack: Data exfiltration via ICMP
Impact: Bypass firewalls
Detection: Deep packet inspection

Reconnaissance:

Attack: Network mapping via ping sweeps
Impact: Information disclosure
Mitigation: Selective ICMP filtering

ICMP Filtering

Common approaches:

Allow necessary ICMP:

Echo Request/Reply (ping)
Destination Unreachable
Time Exceeded (traceroute)
Fragmentation Needed

Block problematic ICMP:

Redirect (security risk)
Timestamp (information disclosure)
Address Mask (information disclosure)
Source Quench (obsolete)

Firewall rules (iptables):

# Rate-limited ping: iptables uses the first matching rule, so the limit must
# come before any unconditional ACCEPT, and excess requests need an explicit DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow traceroute and PMTUD (destination-unreachable includes fragmentation-needed)
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Block redirect
iptables -A INPUT -p icmp --icmp-type redirect -j DROP

Cisco ACL:

! Allow ping
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply

! Allow traceroute
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable

! Deny redirect (explicit for clarity; the implicit deny at the end of the ACL
! also drops every ICMP type not permitted above)
access-list 100 deny icmp any any redirect

Best Practices

1. Allow necessary ICMP:

Echo Request/Reply (diagnostics)
Destination Unreachable (path discovery)
Time Exceeded (traceroute)
Fragmentation Needed (PMTUD)

2. Rate limit ICMP:

Prevent flood attacks
Limit per source
Reasonable thresholds

3. Log suspicious ICMP:

Unusual types
High volume
External sources
Pattern analysis

4. Monitor ICMP traffic:

Baseline normal traffic
Detect anomalies
Alert on spikes
Investigate patterns
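A small detector for the "log suspicious ICMP" and "monitor ICMP traffic" practices above, added here as an example and not taken from the article. It runs over constructed tcpdump-style ICMP lines and flags the patterns the security section names: oversized Echo payloads (a tunneling indicator), bursts of Echo Requests from one source (flood), and information-disclosure types such as timestamp and address mask requests. The thresholds and the sample lines are assumptions; tune them against a measured baseline.

```python
import re
from collections import Counter

# Added example, not from the original article: flag the ICMP patterns the
# article lists as suspicious in tcpdump-style capture lines. Sample lines
# and thresholds are constructed assumptions.

LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<desc>.+?), length (?P<len>\d+)$")

MAX_ECHO_LEN = 128      # default ping is 64 bytes; large payloads suggest tunneling
MAX_PER_SOURCE = 20     # Echo Requests from one source within the analysed lines
RECON_TYPES = ("time stamp", "address mask", "information request")

SAMPLE = [   # constructed lines in tcpdump's ICMP print style
    "12:00:00.000100 IP 10.0.0.5 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64",
    "12:00:00.012300 IP 8.8.8.8 > 10.0.0.5: ICMP echo reply, id 4242, seq 1, length 64",
    "12:00:01.000200 IP 10.0.0.9 > 203.0.113.5: ICMP echo request, id 7, seq 1, length 1400",
    "12:00:02.000300 IP 198.51.100.4 > 10.0.0.1: ICMP time stamp query id 1 seq 0, length 20",
] + ["12:00:03.%06d IP 10.0.0.77 > 10.0.0.1: ICMP echo request, id 9, seq %d, length 64"
     % (i, i) for i in range(25)]

def parse_line(line: str):
    """Return the captured fields as a dict, or None for lines that are not ICMP."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Return (rule, source, detail) findings for the suspicious patterns above."""
    findings, echo_per_src = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        desc, length = rec["desc"], int(rec["len"])
        if desc.startswith("echo request"):
            echo_per_src[rec["src"]] += 1
            if length > MAX_ECHO_LEN:
                findings.append(("oversized_echo", rec["src"], "length %d" % length))
        if any(desc.startswith(t) for t in RECON_TYPES):
            findings.append(("recon_type", rec["src"], desc))
    for src, n in echo_per_src.items():      # volume check after the pass completes
        if n > MAX_PER_SOURCE:
            findings.append(("echo_flood", src, "%d requests" % n))
    return findings
```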

ICMPv6

Differences from ICMPv4

Protocol number: 58 (vs 1 for ICMPv4)

Additional functions:

Neighbor Discovery (replaces ARP)
Router Discovery
Address autoconfiguration
Duplicate address detection

New message types:

Neighbor Solicitation (Type 135)
Neighbor Advertisement (Type 136)
Router Solicitation (Type 133)
Router Advertisement (Type 134)
Redirect (Type 137)

ICMPv6 Neighbor Discovery

Replaces ARP:

IPv4: Uses ARP (a separate protocol) for MAC resolution
IPv6: Uses ICMPv6 Neighbor Discovery

More secure
Integrated into IPv6
Multicast-based

Process:

1. Send Neighbor Solicitation (Type 135)
2. Receive Neighbor Advertisement (Type 136)
3. Cache MAC address
4. Communicate

ICMPv6 Security

SEND (Secure Neighbor Discovery):

Cryptographic protection
Prevents spoofing
Certificate-based
Rarely deployed

Filtering considerations:

ICMPv6 more critical than ICMPv4
Required for IPv6 operation
Blocking breaks IPv6
Careful filtering needed

Troubleshooting with ICMP

Common Scenarios

Host unreachable:

Symptom: "Destination Host Unreachable"
Causes:
- Host down
- Network disconnected
- Firewall blocking
- Routing issue

Troubleshooting:
1. Verify host is up
2. Check network connectivity
3. Verify routing
4. Check firewall rules

Network unreachable:

Symptom: "Destination Network Unreachable"
Causes:
- No route to network
- Routing misconfiguration
- Network down

Troubleshooting:
1. Check routing table
2. Verify network exists
3. Check upstream routers
4. Verify connectivity

TTL exceeded:

Symptom: "Time to Live exceeded"
Causes:
- Routing loop
- TTL too small
- Very long path

Troubleshooting:
1. Traceroute to identify loop
2. Check routing configuration
3. Verify routing protocols
4. Increase TTL if needed

Fragmentation needed:

Symptom: "Fragmentation needed but DF set"
Causes:
- MTU mismatch
- Path MTU too small
- DF flag set

Troubleshooting:
1. Check interface MTU
2. Adjust packet size
3. Verify PMTUD
4. Check for MTU black holes

Diagnostic Tools

ping:

# Basic connectivity
ping 8.8.8.8

# Continuous
ping -t 8.8.8.8  # Windows
ping 8.8.8.8     # Linux (Ctrl+C to stop)

# Specific count
ping -n 10 8.8.8.8  # Windows
ping -c 10 8.8.8.8  # Linux

traceroute/tracert:

# Trace path
traceroute google.com  # Linux
tracert google.com     # Windows

# ICMP-based
traceroute -I google.com

# TCP-based
traceroute -T -p 443 google.com

tcpdump/Wireshark:

# Capture ICMP
tcpdump -i eth0 icmp

# Specific type
tcpdump -i eth0 'icmp[icmptype] == 8'  # Echo Request
tcpdump -i eth0 'icmp[icmptype] == 0'  # Echo Reply

# Wireshark filter
icmp
icmp.type == 8

hping3:

# Custom ICMP
hping3 --icmp 8.8.8.8

# Flood (testing)
hping3 --icmp --flood 8.8.8.8

ICMP Best Practices

Network Design

1. Allow essential ICMP:

Echo Request/Reply
Destination Unreachable
Time Exceeded
Fragmentation Needed

2. Implement rate limiting:

Prevent abuse
Reasonable limits
Per-source tracking

3. Log and monitor:

Unusual ICMP traffic
High volume
Attack patterns
Baseline deviations

Security

1. Filter at boundaries:

External to internal
Internal to external
DMZ zones

2. Use stateful filtering:

Allow replies to requests
Block unsolicited
Track sessions

3. Disable unnecessary types:

Timestamp
Address Mask
Information Request/Reply
Source Quench

Operations

1. Document ICMP policies:

Allowed types
Rate limits
Filtering rules
Exceptions

2. Test regularly:

Verify connectivity
Check diagnostics work
Validate filtering
Update as needed

3. Educate users:

Proper use of ping
Understanding traceroute
Security implications
Reporting issues

Conclusion

ICMP is an essential protocol for network diagnostics, error reporting, and troubleshooting. While often overlooked, ICMP enables critical tools like ping and traceroute and provides vital feedback about network conditions. Understanding ICMP helps network administrators diagnose issues, optimize performance, and maintain secure networks.


Key takeaways:

ICMP provides error reporting and diagnostics
Type field indicates message category
Echo Request/Reply powers ping
Time Exceeded enables traceroute
Destination Unreachable reports delivery failures
Essential for Path MTU Discovery
Security risks require careful filtering
Allow necessary types, rate limit
ICMPv6 more critical than ICMPv4
Fundamental for network troubleshooting

ICMP's role in network operations makes it indispensable despite security concerns. Proper configuration balances diagnostic capabilities with security requirements, enabling effective network management and troubleshooting.
