An ICMP Reference

June 28, 2014

The Internet Control Message Protocol (RFC 792) was designed to provide network connectivity information to administrators and applications. The protocol is broken up into two classifications: types and codes. Types are the overall categories, and codes are the individual messages within a type.

Some types don’t have any codes beneath them and receive the default "no-code" value of zero (0). An example is Type 8 (a ping packet), which is usually written as Type 8, Code 0. Also notice the color-coded pairings within the types; they indicate a relationship between the two members of the pair, e.g. an echo request solicits an echo reply, and a timestamp request solicits a timestamp reply.

    hermes root # tcpdump -nnvXSs 1514 -c1 icmp
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
    23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
    0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
    0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."..50'..%..D
    0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
    0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
    0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
    0x0050:  3435 3637                                4567

The Most Common Types

For a complete list see IANA.

  • Type  0 : Echo Reply
  • Type  3 : Destination Unreachable
  • Type  5 : Redirect
  • Type  8 : Echo Request
  • Type 11 : Time Exceeded
  • Type 13 : Timestamp Request
  • Type 14 : Timestamp Reply
  • Type 17 : Address Mask Request
  • Type 18 : Address Mask Reply
  • Type 30 : Traceroute

Some Key Points About ICMP

  • ICMP Doesn’t Have Ports

You can’t actually ping a port. Or, more accurately, "pinging a port" is a misnomer. When someone speaks of "pinging a port" they are actually referring to using a layer 4 protocol (such as TCP or UDP) to see if a port is open. So if someone "pings" port 80 on a box, that usually means sending a TCP SYN to port 80 on that system to see if it responds.

The misnomer exists because "pinging something" is now synonymous in the IT world with checking to see if it’s alive in a general sense. So if you’re checking to see if a port is listening, it’s natural to refer to that act as "pinging" the port. Just remember that the original, real ping uses ICMP, which doesn’t use ports at all.

  • ICMP Works At Layer Three (3)

While ICMP sits "on top of", i.e. is embedded in, IP, ICMP is not a layer 4 protocol. It’s still considered to be at layer 3 rather than one layer higher.

  • Traceroute Uses ICMP Type 11, Code 0 (TTL Exceeded) To Do Its Work

Windows (tracert) and Unix/Linux (traceroute) use different protocols by default to do traceroutes: Windows uses ICMP (echo requests), while Unix/Linux uses UDP. The key point, however, is that the embedded protocol doesn’t matter. Traceroute works because of the TTL value in the IP portion of the packet, not the ICMP, TCP, or UDP parts: each router along the path decrements the TTL, and the router that decrements it to zero discards the packet and sends back a Type 11, Code 0 message. This is why it doesn’t matter what "upper level" protocol is used.

    hermes root # tcpdump -nnvXSs 1514 -c1 icmp and dst hermes
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
    16:07:53.016435 IP (tos 0xc0, ttl 255, id 27812, offset 0, flags [none], length: 56) 72.21.34.41 > 72.21.35.45: icmp 36: time exceeded in-transit
    0x0000:  45c0 0038 6ca4 0000 ff01 79e3 4815 2229  E..8l.....y.H.")
    0x0010:  4815 222a 0b00 f4ff 0000 0000 4500 001c  H."........E...
    0x0020:  6c53 0000 0001 ccdd 4815 222a 480e cf63  lS......H."H..c
    0x0030:  0800 10a2 e75d 0000                      .....]..

This TTL Exceeded packet shows the Type 11 (0b) and Code 0 (00) in the first two bytes of the ICMP header, which starts at offset 0x14, immediately after the 20-byte IP header.
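Reading the two dumps above by hand is the whole point of this page, so here is an added Python example (mine, not code from the original post) that parses both of them: it decodes the 20-byte IP header, verifies the IP and ICMP checksums, pulls the type and code from the first two bytes of the ICMP header, and for the Time Exceeded message decodes the quoted original IP header and the first 8 bytes of its payload, which is what lets a traceroute match the error back to the probe it sent regardless of whether that probe was ICMP, UDP or TCP. The byte values are transcribed from the page's tcpdump -X output; the function names and the ICMP_TYPES table are my own.

```python
# Added example: parse the echo request and Time Exceeded dumps from the page.
import struct
from ipaddress import IPv4Address

# The common types listed on the page, keyed by ICMP type number.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
    8: "Echo Request", 11: "Time Exceeded", 13: "Timestamp Request",
    14: "Timestamp Reply", 17: "Address Mask Request",
    18: "Address Mask Reply", 30: "Traceroute",
}

# Raw bytes transcribed from the two tcpdump -X dumps on the page.
ECHO_REQUEST_HEX = """
4520 0054 882b 0000 3001 7cf5 45fe d52b
4815 222a 0800 3530 272a 0000 25ff d744
ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
"""
TIME_EXCEEDED_HEX = """
45c0 0038 6ca4 0000 ff01 79e3 4815 2229
4815 222a 0b00 f4ff 0000 0000 4500 001c
6c53 0000 0001 ccdd 4815 222a 480e cf63
0800 10a2 e75d 0000
"""


def hex_to_bytes(dump: str) -> bytes:
    """Turn the space/newline separated hex column of a tcpdump -X dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IP header and ICMP.
    Run over data that already contains a correct checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; 'payload' is whatever it encapsulates (ICMP here)."""
    (ver_ihl, tos, length, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "tos": tos, "length": length, "id": ident,
        "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:length],
    }


def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; type and code are its first two bytes."""
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "Other"),
            "checksum_ok": inet_checksum(msg) == 0}
    if icmp_type in (0, 8):
        # Echo request/reply: the rest of the header is identifier + sequence.
        info["id"], info["seq"] = struct.unpack("!HH", rest)
    elif icmp_type in (3, 5, 11):
        # Error messages quote the offending IP header plus the first 8 bytes
        # of its payload; that is how a traceroute matches replies to probes.
        inner = parse_ipv4(msg[8:])
        quoted = inner["payload"][:8]
        info["inner"] = {"src": inner["src"], "dst": inner["dst"],
                         "ttl": inner["ttl"], "proto": inner["proto"]}
        if inner["proto"] == 1 and len(quoted) >= 8:      # ICMP probe (tracert, ping)
            t, c, _, ident, seq = struct.unpack("!BBHHH", quoted)
            info["inner"].update(type=t, code=c, id=ident, seq=seq)
        elif inner["proto"] in (6, 17) and len(quoted) >= 4:  # TCP/UDP probe (traceroute)
            sport, dport = struct.unpack("!HH", quoted[:4])
            info["inner"].update(sport=sport, dport=dport)
    return info


def describe(dump: str) -> dict:
    """Parse one dump as IP, then as the ICMP message it carries (protocol 1)."""
    ip = parse_ipv4(hex_to_bytes(dump))
    icmp = parse_icmp(ip["payload"]) if ip["proto"] == 1 else None
    return {"ip": ip, "icmp": icmp}


if __name__ == "__main__":
    for label, dump in (("echo request", ECHO_REQUEST_HEX),
                        ("time exceeded", TIME_EXCEEDED_HEX)):
        d = describe(dump)
        print(label, d["ip"]["src"], "->", d["ip"]["dst"], "ttl", d["ip"]["ttl"],
              "| ICMP type", d["icmp"]["type"], "code", d["icmp"]["code"],
              d["icmp"]["name"], "checksum_ok", d["icmp"]["checksum_ok"],
              "| inner", d["icmp"].get("inner"))
```

Both checksums in both dumps verify, which is a quick way to confirm a transcribed capture is intact. The Time Exceeded message decodes to a quoted echo request (type 8) from 72.21.34.42 whose TTL had been decremented to 0, i.e. an ICMP-based probe, and the same code path would report source and destination ports if the quoted header had carried UDP or TCP instead.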

Fun with ICMP

If you’re ever interviewing someone for a networking-oriented position, consider the following trick question:

If they are interviewing for a position that requires they know their protocols and they give it any real thought, consider another candidate.

Thank you for reading...