
Working of ICMP

This pdf file is downloaded for free from Google. From link, this is not my own work. just because Scribd asks for it.

Uploaded by

Kaustubh Ghaisas
Copyright
© Attribution Non-Commercial (BY-NC)

Internet Control Message Protocol (ICMP), RFC 792

Prof. Lin Weiguo Copyleft 2009~2013, College of Computing, CUC


Oct. 2013

Overview
The IP (Internet Protocol) relies on several other protocols to perform necessary control and routing functions:

- Control functions (ICMP)
- Multicast signaling (IGMP)
- Setting up routing tables (RIP, OSPF, BGP, PIM, ...)

[Figure: protocol groups. Routing: RIP, OSPF, BGP, PIM. Control: ICMP, IGMP.]

Advanced Windows Network Programming

10/30/13

Purpose of ICMP
The Internet Control Message Protocol (ICMP) is a helper protocol that supports IP with facilities for:

- Error reporting
- Simple queries

Layering view
- From a layering point of view, ICMP is a separate protocol that sits above IP and uses IP to transport messages.
- In practice, ICMP is an integral part of IP and all IP modules must support the ICMP protocol.
- ICMP datagrams are encapsulated within IP datagrams and processed by IP in the same way as TCP and UDP datagrams.

[Figure: protocol stack with Transport (TCP/UDP) and ICMP both sitting on top of IP]

Message Encapsulation
ICMP messages are encapsulated as IP datagrams:

    +-----------+---------------------------+
    | IP header | ICMP message (IP payload) |
    +-----------+---------------------------+

Protocol field:

    ICMP: 00000001
    IGMP: 00000010
    TCP:  00000110
    UDP:  00010001

ICMP message format


    bit #  0         7 8        15 16       23 24       31
          +-----------+-----------+-----------------------+
          |   type    |   code    |       checksum        |
          +-----------+-----------+-----------------------+
          |     additional information or 0x00000000      |
          +-----------------------------------------------+

4-byte header:

- Type (1 byte): type of ICMP message
- Code (1 byte): subtype of ICMP message
- Checksum (2 bytes): similar to the IP header checksum. The checksum is calculated over the entire ICMP message.

If there is no additional data, there are 4 bytes set to zero, so each ICMP message is at least 8 bytes long.

Types of ICMP Messages

Two general types of ICMP messages:

- Information messages, where a sender sends a query to another machine (either host or gateway) and expects an answer. For example, a host might want to know if a gateway is alive.
- Error indication messages, where the IP software on a host or gateway has encountered a problem processing an IP datagram. For example, it may be unable to route a datagram to its destination, or it may have had to drop a frame.

ICMP messages type/code


    Type  Code  Description
    0     0     echo reply (ping)
    3     0     dest network unreachable
    3     1     dest host unreachable
    3     2     dest protocol unreachable
    3     3     dest port unreachable
    3     6     dest network unknown
    3     7     dest host unknown
    4     0     source quench (congestion control - not used)
    8     0     echo request (ping)
    9     0     route advertisement
    10    0     router discovery
    11    0     TTL expired
    12    0     bad IP header

ICMP Query message


[Figure: a host sends an ICMP Request to a host or router, which returns an ICMP Reply]

ICMP query:

- Request sent by host to a router or host
- Reply sent back to querying host

Example of ICMP Queries


    Type/Code  Description
    8/0        Echo Request
    0/0        Echo Reply
    13/0       Timestamp Request
    14/0       Timestamp Reply
    10/0       Router Solicitation
    9/0        Router Advertisement

The ping command uses Echo Request/Echo Reply.

Purpose of Req/Reply
- The ICMP echo request and echo reply messages are useful for network debugging.
- If machine A sends an echo request message to machine B, machine B is required to respond with an ICMP echo reply.
- Most systems supply an application program that sends and receives ICMP echo messages.
- In UNIX, the program ping allows a user to check whether a machine is reachable and functioning.
- Because ICMP messages are handled just like other IP datagrams, ICMP echo messages test the reachability of any host. Also, because ICMP is an integral part of IP, all hosts and gateways must implement ICMP.

Ping: Echo Request and Reply


- Format
  - ping ip address (or ping <cr> for extended ping with Cisco IOS)
  - ping 172.30.1.25
- Each ping is translated into an ICMP Echo Request
- The pinged host responds with an ICMP Echo Reply
- Pings are handled directly by the kernel

[Figure: a host or router sends an ICMP Echo Request to a host or router, which answers with an ICMP Echo Reply]

Ping Frame Format


Frame layout:

    Ethernet Header (Layer 2): Ethernet Destination Address (MAC) | Ethernet Source Address (MAC) | Frame Type
    IP Header (Layer 3):       Source IP Add. | Dest. IP Add. | Protocol field: 1
    ICMP Message (Layer 3):    Type 8 or 0 | Code 0 | Checksum | ID | Seq. Num. | Data
    Ether. Tr.:                FCS

ICMP echo message:

    bit #  0         7 8        15 16       23 24       31
          +-----------+-----------+-----------------------+
          |   type    |   code    |       checksum        |
          +-----------+-----------+-----------------------+
          |          ID           |       Seq. Num.       |
          +-----------------------+-----------------------+
          |                 Optional Data                 |
          +-----------------------------------------------+

- Uses ICMP message within an IP Packet, Protocol field = 1
- Both are layer 3 protocols. (ICMP is considered as a network layer protocol.)
- Does not use TCP or UDP, but may be acted upon by the receiver using TCP or UDP.
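The echo message layout and the checksum rule from the "ICMP message format" slide, worked through as an added example (not part of the original slides): it builds an Echo Request, verifies the checksum over the entire message, and forms the matching Echo Reply. The function names and the sample ID, sequence number and payload are constructed for illustration.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0   # type values from the page's tables


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum over the whole ICMP message (RFC 1071)."""
    if len(data) % 2:                # pad odd-length messages with one zero byte
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type, code 0, checksum, ID, sequence number, optional data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)  # checksum field is 0 while summing
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Validate length and checksum, then split the 4-byte header from the rest."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if internet_checksum(message) != 0:   # a valid message sums to 0 with its checksum included
        raise ValueError("bad ICMP checksum")
    msg_type, code, csum = struct.unpack("!BBH", message[:4])
    return {"type": msg_type, "code": code, "checksum": csum, "rest": message[4:]}


def reply_for(request: bytes) -> bytes:
    """What the pinged host sends back: same ID, sequence number and data, type 0."""
    fields = parse_icmp(request)
    if (fields["type"], fields["code"]) != (ICMP_ECHO_REQUEST, 0):
        raise ValueError("not an echo request")
    ident, seq = struct.unpack("!HH", fields["rest"][:4])
    return build_echo(ICMP_ECHO_REPLY, ident, seq, fields["rest"][4:])


if __name__ == "__main__":
    # Constructed sample: ID 0x1234, sequence number 1, odd-length payload
    req = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"abc")
    print(parse_icmp(req))
    print(parse_icmp(reply_for(req)))
```

A receiver that skips the checksum or length check will accept truncated or corrupted messages, which is why `parse_icmp` rejects both before looking at the type.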

[Figure: ICMP Echo (Ping) Request Message]

[Figure: ICMP Echo (Ping) Reply Message]

Ping Q&A
Q: Are pings forwarded by routers?
A: Yes! This is why you can ping devices all over the Internet.

Q: Do all devices forward or respond to pings?
A: No, this is up to the network administrator of the device. Devices, including routers, can be configured not to reply to pings (ICMP echo requests). This is why you may not always be able to ping a device. Also, routers can be configured not to forward pings destined for other devices.

Timestamp Messages
ICMP timestamp messages are used to estimate the transmission delays between machines and to synchronize clocks:

- Including both the receive and transmit timestamp allows the sending host to determine the fraction of time spent transmitting vs. processing the request.
- By averaging the measurements of several messages, the sender can estimate the offset between its local clock and that on the remote machine.
- Note: it is quite feasible to synchronize the clocks of all machines on a LAN to within several milliseconds of each other.

Example of a Query: ICMP Timestamp


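- A system (host or router) asks another system for the current time.
- Time is measured in milliseconds after midnight UTC (Universal Coordinated Time) of the current day.
- Sender sends a request, receiver responds with reply.

[Figure: the Sender sends a Timestamp Request to the Receiver, which answers with a Timestamp Reply]

Message layout:

    +-------------------+-----------+---------------------+
    | Type (= 17 or 18) | Code (=0) |      Checksum       |
    +-------------------+-----------+---------------------+
    |          identifier           |   sequence number   |
    +-------------------------------+---------------------+
    |               32-bit sender timestamp               |
    +-----------------------------------------------------+
    |              32-bit receive timestamp               |
    +-----------------------------------------------------+
    |              32-bit transmit timestamp              |
    +-----------------------------------------------------+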

ICMP Error message

- ICMP error messages report error conditions
- Typically sent when a datagram is discarded
- Error message is often passed from ICMP to the application program

ICMP Error message


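    +-----------+-------------+-----------+--------------------+
    | IP header | ICMP header | IP header | 8 bytes of payload |
    +-----------+-------------+-----------+--------------------+
                |<------------- ICMP Message ----------------->|
                              |<- from IP datagram that ------>|
                                  triggered the error

ICMP header:

    +--------+--------+-------------------+
    |  type  |  code  |     checksum      |
    +--------+--------+-------------------+
    |         Unused (0x00000000)         |
    +-------------------------------------+

ICMP error messages include the complete IP header and the first 8 bytes of the payload (typically: UDP, TCP).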

Frequent ICMP Error message


Type 3, Code 0-15: Destination unreachable
    Notification that an IP datagram could not be forwarded and was dropped. The code field contains an explanation.

Type 5, Code 0-3: Redirect
    Informs about an alternative route for the datagram and should result in a routing table update. The code field explains the reason for the route change.

Type 11, Code 0, 1: Time exceeded
    Sent when the TTL field has reached zero (Code 0) or when there is a timeout for the reassembly of segments (Code 1).

Type 12, Code 0, 1: Parameter problem
    Sent when the IP header is invalid (Code 0) or when an IP header option is missing (Code 1).

Some subtypes of the Destination Unreachable


Code 0: Network Unreachable
    Reason for sending: No routing table entry is available for the destination network.

Code 1: Host Unreachable
    Reason for sending: Destination host should be directly reachable, but does not respond to ARP Requests.

Code 2: Protocol Unreachable
    Reason for sending: The protocol in the protocol field of the IP header is not supported at the destination.

Code 3: Port Unreachable
    Reason for sending: The transport protocol at the destination host cannot pass the datagram to an application.

Code 4: Fragmentation Needed and DF Bit Set
    Reason for sending: IP datagram must be fragmented, but the DF bit in the IP header is set.

Code 13: Communication Administratively Prohibited
    Reason for sending: Generated if a router cannot forward a packet due to administrative filtering.

[Figure: ICMP TTL Exceeded Message]

[Figure: ICMP Dest Unreachable (Filtered)]

Example: ICMP Port Unreachable


RFC 792:

    If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source host.

Scenario:

[Figure: the Client requests a service at port 80; no process is waiting at port 80 on the Server, which answers with Port Unreachable (Type=3, Code=3)]

[Figure: UDP Datagram on Linux]

[Figure: ICMP Port Unreachable Error Message]
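Added example, not from the original slides: parsing the quoted IP header and first 8 payload bytes that an ICMP error carries, so a receiver can tie a Port Unreachable back to a datagram it actually sent and discard errors that quote traffic it never sent. The addresses, source port 40000 and helper names are constructed, and the sample's checksum fields are left at zero.

```python
import socket
import struct

TRANSPORTS_WITH_PORTS = (6, 17)   # TCP, UDP: the first 4 quoted payload bytes are the ports


def sample_port_unreachable() -> bytes:
    """Constructed sample: a UDP datagram to port 80 answered with Type 3, Code 3."""
    udp = struct.pack("!HHHH", 40000, 80, 8 + 4, 0) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("192.168.10.2"))
    # type, code, checksum (0 in this sample), unused, then IP header + first 8 bytes
    return struct.pack("!BBHI", 3, 3, 0, 0) + (ip + udp)[:20 + 8]


def parse_icmp_error(icmp: bytes) -> dict:
    """Split an ICMP error into type/code and the fields of the datagram it quotes."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to hold a quoted IP header plus 8 payload bytes")
    quoted = icmp[8:]                          # skip type, code, checksum, unused
    ihl = (quoted[0] & 0x0F) * 4               # the quoted IP header may carry options
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("malformed quoted IP header")
    proto = quoted[9]
    sport = dport = None
    if proto in TRANSPORTS_WITH_PORTS:
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"type": icmp[0], "code": icmp[1], "proto": proto,
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20]),
            "sport": sport, "dport": dport}


def matches_sent_flow(err: dict, sent_flows: set) -> bool:
    """Accept the error only if it quotes a datagram this host really sent."""
    key = (err["proto"], err["src"], err["sport"], err["dst"], err["dport"])
    return key in sent_flows


if __name__ == "__main__":
    sent = {(17, "10.0.0.1", 40000, "192.168.10.2", 80)}   # flows the client has open
    err = parse_icmp_error(sample_port_unreachable())
    print(err, "matches a sent flow:", matches_sent_flow(err, sent))
```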

Traceroute
- Trace (traceroute, tracert, tracepath) is used to trace the probable path a packet takes between source and destination.
- Probable, because IP is a connectionless protocol, and different packets may take different paths between the same source and destination networks, although this is not usually the case.
- Trace will show the path the packet takes to the destination, but the return path may be different.
  - This is more likely the case in the Internet, and less likely within your own autonomous system.
- Uses ICMP message within an IP Packet (on Windows)
- Uses UDP in the transport layer (on Unix/Linux/Cisco IOS).

Example (on Windows)

    HostA> TraceRT ip_address
    HostA> TraceRT 192.168.10.2

[Figure: Host A (.1) - 10.0.0.0/8 - (.2) RTB (.1) - 172.16.0.0/16 - (.2) RTC (.1) - 192.168.10.0/24 - (.2) Host D]

How it works - Fooling the routers & host!

- Traceroute uses ping (echo requests)
- Traceroute sets the TTL (Time To Live) field in the IP Header, initially to 1

[Figure: Host A sends a packet with DA = 192.168.10.2, TTL = 1 toward RTB]

Frame sent by Host A:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 1
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

[Figure: Host A sends DA = 192.168.10.2, TTL = 1; RTB returns ICMP Time Exceeded, SA = 10.0.0.2]

Frame returned by RTB:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.2 | Dest. IP Add. 10.0.0.1 | Protocol field 1
    ICMP Message - Time Exceeded: Type 11 | Code 0 | Chk sum | 0 0 | Data
    DataLink Tr.: FCS

RTB - TTL:

- When a router receives an IP Packet, it decrements the TTL by 1.
- If the TTL is 0, it will not forward the IP Packet, and sends back to the source an ICMP time exceeded message,
  - using the packet's IP header and the first 8 bytes of its ICMP header as Data.
- ICMP Message: Type = 11, Code = 0

TraceRT output -1
HostA, Sending Host

- The traceroute program of the sending host (Host A) will use the source IP address of this ICMP Time Exceeded packet to display at the first hop.

    HostA> tracert 192.168.10.2
    Type escape sequence to abort.
    Tracing the route to 192.168.10.2
     1 10.0.0.2 4 msec 4 msec 4 msec

[Figure: after the ICMP Time Exceeded from SA = 10.0.0.2, Host A sends DA = 192.168.10.2, TTL = 2]

Frame sent by Host A:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 2
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

HostA

- The traceroute program increments the TTL by 1 (now 2) and resends the ICMP Echo Request packet.

[Figure: Host A sends DA = 192.168.10.2, TTL = 2; RTC returns ICMP Time Exceeded, SA = 172.16.0.2]

RTB

- This time RTB decrements the TTL by 1 and it is NOT 0. (It is 1.)
- So it looks up the destination IP address in its routing table and forwards it on to the next router.

RTC

- RTC however decrements the TTL by 1 and it is 0.
- RTC notices the TTL is 0 and sends the ICMP Time Exceeded message back to the source.
- RTC's IP header includes its own IP address (source IP) and the sending host's IP address (destination IP address of RTA).
- The sending host, RTA, will use the source IP address of this ICMP Time Exceeded message to display at the second hop.

[Figure: Host A sends DA = 192.168.10.2, TTL = 2; RTC returns ICMP Time Exceeded, SA = 172.16.0.2]

HostA to RTB:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 2
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

RTB to RTC:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 1
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

Returned ICMP Time Exceeded frame:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 172.16.0.2 | Dest. IP Add. 10.0.0.1 | Protocol field 1
    ICMP Message - Time Exceeded: Type 11 | Code 0 | Chk sum | 0 0 | Data
    DataLink Tr.: FCS

TraceRT output -2
The sending host, Host A:

- The traceroute program uses this information (Source IP Address) and displays the second hop.

    HostA> tracert 192.168.10.2
    Type escape sequence to abort.
    Tracing the route to 192.168.10.2
     1 10.0.0.2 4 msec 4 msec 4 msec
     2 172.16.0.2 20 msec 16 msec 16 msec

[Figure: after the ICMP Time Exceeded from SA = 172.16.0.2, Host A sends DA = 192.168.10.2, TTL = 3]

Frame sent by Host A:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 3
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

The sending host, HostA:

- The traceroute program increments the TTL by 1 (now 3) and resends the packet.

[Figure: Host A sends DA = 192.168.10.2, TTL = 3, which is forwarded by RTB and RTC to Host D]

HostA to RTB:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 3
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

RTB to RTC:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 2
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

RTC to HostD:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 1 | TTL 1
    ICMP Message - Echo Request (trace): Type 8 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

HostD -> HostA

[Figure: Host D answers the ICMP Echo Request (DA = 192.168.10.2, TTL = 3) with an ICMP Echo Reply, SA = 192.168.10.2]

Frame returned by Host D:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 192.168.10.2 | Dest. IP Add. 10.0.0.1 | Protocol field 1
    ICMP Message - Echo Reply: Type 0 | Code 0 | Chk sum | ID | Seq. Num | Data
    DataLink Tr.: FCS

Tracing to HostD
RTB

- This time RTB decrements the TTL by 1 and it is NOT 0. (It is 2.)
- So it looks up the destination IP address in its routing table and forwards it on to the next router.

RTC

- This time RTC decrements the TTL by 1 and it is NOT 0. (It is 1.)
- So it looks up the destination IP address in its routing table and forwards it on to the next router.

HostD

- HostD however decrements the TTL by 1 and it is 0.
- However, HostD notices that the Destination IP Address of 192.168.10.2 is its own interface.
- Since it does not need to forward the packet, the TTL of 0 has no effect.
- HostD sends the ICMP Echo Reply message to HostA.

TraceRT output -3
Sending host, HostA

- HostA receives the ICMP Echo Reply message.
- The traceroute program uses this information (Source IP Address) and displays the third hop.
- The traceroute program also recognizes this ICMP Echo Reply as meaning this is the destination it was tracing (it knows this is the final hop and does not send any more echo requests).
- HostA, the sending host, now displays the third hop.

    HostA> tracert 192.168.10.2
    Type escape sequence to abort.
    Tracing the route to 192.168.10.2
     1 10.0.0.2 4 msec 4 msec 4 msec
     2 172.16.0.2 20 msec 16 msec 16 msec
     3 192.168.10.2 16 msec 16 msec 16 msec

UDP tracing on Linux/Cisco IOS


[Figure: RTA (.1) - 10.0.0.0/8 - (.2) RTB (.1) - 172.16.0.0/16 - (.2) RTC (.1) - 192.168.10.0/24 - (.2) RTD]

Probes and replies shown in the figure:

1. DA = 192.168.10.2, TTL = 1 -> ICMP Time Exceeded, SA = 10.0.0.2
2. DA = 192.168.10.2, TTL = 2 -> ICMP Time Exceeded, SA = 172.16.0.2
3. UDP, Port=35000, DA = 192.168.10.2, TTL = 3 -> ICMP Port Unreachable, SA = 192.168.10.2

ICMP Port Unreachable on RTD


UDP probe arriving at RTD:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 10.0.0.1 | Dest. IP Add. 192.168.10.2 | Protocol field 0x11 | TTL 1
    UDP (Layer 4): DestPort 35,000
    DataLink Tr.: FCS

Frame returned by RTD:

    Data Link Header (Layer 2): Data Link Destination Address | Data Link Source Address
    IP Header (Layer 3): Source IP Add. 192.168.10.2 | Dest. IP Add. 10.0.0.1 | Protocol field 1
    ICMP Message - Port Unreachable: Type 3 | Code 3 | Chk sum | 0 0 | Data
    DataLink Tr.: FCS

RTD

- RTD sends the packet to the UDP process.
- UDP examines the unrecognizable port number of 35,000 and sends back an ICMP Port Unreachable message to the sender, RTA, using Type 3 and Code 3.

[Figure: TraceRoute]
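The TTL walk described in the traceroute slides, as an added example that is not from the original slides: a small offline model of the Host A - RTB - RTC - Host D path covering both the ICMP (Windows) and UDP (Unix/Linux/Cisco IOS) probe styles, plus a hop configured to stay silent as in the Ping Q&A. The Node class, the silent flag and the function names are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (type, code) pairs taken from the page's tables
TIME_EXCEEDED, PORT_UNREACH, ECHO_REPLY = (11, 0), (3, 3), (0, 0)


@dataclass
class Node:
    name: str
    addr: str              # address of the interface facing the sender
    silent: bool = False   # model knob: device configured not to send ICMP


# Path from the page's diagram: Host A -> RTB -> RTC -> Host D
PATH = [Node("RTB", "10.0.0.2"), Node("RTC", "172.16.0.2"), Node("HostD", "192.168.10.2")]

Reply = Optional[Tuple[Tuple[int, int], str]]


def send_probe(path: List[Node], dest: str, ttl: int, mode: str) -> Reply:
    """Walk one probe along the path; return ((type, code), source address) or None."""
    for node in path:
        if node.addr == dest:                  # delivered: nothing left to forward
            if node.silent:
                return None
            return (ECHO_REPLY if mode == "icmp" else PORT_UNREACH), node.addr
        ttl -= 1                               # a router decrements before forwarding
        if ttl == 0:                           # drop and report Time Exceeded
            return None if node.silent else (TIME_EXCEEDED, node.addr)
    return None                                # destination is not on this path


def trace(path: List[Node], dest: str, mode: str = "icmp", max_ttl: int = 30) -> List[str]:
    """mode 'icmp' sends Echo Requests; mode 'udp' sends UDP to an unused port."""
    hops = []
    for ttl in range(1, max_ttl + 1):          # TTL starts at 1 and grows by 1 per round
        reply = send_probe(path, dest, ttl, mode)
        if reply is None:
            hops.append("*")                   # timeout: the hop is filtered or silent
            continue
        kind, src = reply
        hops.append(src)                       # hop = source address of the ICMP reply
        if kind in (ECHO_REPLY, PORT_UNREACH): # the destination answered, stop probing
            break
    return hops


if __name__ == "__main__":
    print(trace(PATH, "192.168.10.2", "icmp"))
    print(trace(PATH, "192.168.10.2", "udp"))
```

A silent router shows up as a `*` while later hops still answer, which is why a gap in traceroute output does not by itself mean the path is broken.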

References
- RFC 792 - Internet Control Message Protocol
- RFC 1393 - Traceroute Using an IP Option
- Internet Control Message Protocol (ICMP) Parameters: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml
- RFC 1574 - Essential Tools for the OSI Internet
- http://en.wikipedia.org/wiki/Traceroute
- http://www.cs.virginia.edu/~itlab/book/
- CISCO: Understanding the Ping and Traceroute Commands: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml