ICMP, what is it for?
I sometimes write about networking-related topics as a means to teach myself, and then when I forget I can search our own site for a refresher course. In this case it is ICMP, one of the four core protocols, the other three being TCP, IP and UDP. Currently we are trying to hunt down a network issue affecting RDP sessions, and that is prompting us to brush up on our understanding of protocols.
Here is a depiction of the OSI reference model:
Application Layer    protocols like HTTP, SMTP, FTP
Presentation Layer   protocols like JPEG, MPEG
Session Layer        protocols like NFS, SQL, RPC
Transport Layer      protocols like TCP and UDP
Network Layer        protocols like IP and ICMP
Data Link Layer      protocols like HDLC and PPP
Physical Layer       no protocols at this layer
ICMP therefore sits at the Network Layer alongside IP; in fact every ICMP message is carried inside an IP datagram, with IP protocol number 1. Ping, which sends an ICMP Echo Request to find out whether a host at a given IP address is reachable, is the most familiar use of ICMP. I will install Wireshark today on one of the servers, capture a packet, look at how it is dissected and write about it as a way to become more familiar with what a sniffer might tell us.
ICMP Basics
Internet Control Message Protocol (ICMP), defined in RFC 792, is the error-reporting and diagnostic mechanism of IP and is a required part of any IP implementation. Understanding ICMP, and knowing what can generate a specific type of ICMP message, is useful in diagnosing network problems.
ICMP messages are sent by routers, other intermediary devices and hosts to report errors or convey control information to other routers, intermediary devices and hosts. One rule keeps this from snowballing: an ICMP error message is never generated in response to another ICMP error message, nor for a broadcast or multicast datagram, nor for any fragment other than the first (RFC 1122).
Every ICMP message starts with the same three fields: TYPE, CODE and CHECKSUM. The one-byte TYPE field identifies the kind of message, the one-byte CODE field gives further information about that TYPE, and the two-byte CHECKSUM lets the receiver check the integrity of the message. The checksum is the 16-bit one's complement of the one's-complement sum of the whole ICMP message, computed with the checksum field set to zero, so a receiver that runs the same sum over the message as received gets zero when it is intact. The remaining four bytes of the eight-byte header depend on the type: an identifier and sequence number for Echo, a gateway address for Redirect, a pointer for Parameter Problem, and so on.
The TYPES defined are:
TYPE  Description
----  -----------
 0    Echo Reply
 3    Destination Unreachable
 4    Source Quench
 5    Redirect Message
 8    Echo Request
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request
14    Timestamp Reply
15    Information Request (No Longer Used)
16    Information Reply (No Longer Used)
17    Address Mask Request
18    Address Mask Reply
Echo Request & Echo Reply
This is the ICMP pair most often used to test IP connectivity, commonly known as PING. An Echo Request has a Type field of 8 and a Code field of 0; an Echo Reply has a Type field of 0 and a Code field of 0. The four bytes after the checksum hold an identifier and a sequence number, and the reply carries back the identifier, sequence number and payload from the request so the sender can match each reply to the request that caused it and measure the round-trip time.
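The header layout and the Echo Request/Reply exchange described above, as an added example in Python (this is not code from the original post): it builds an Echo Request, derives the Echo Reply a host would send, and parses both, verifying the RFC 1071 checksum the way a receiver does. The identifier 0x1234, sequence number 1 and the payload are constructed values.

```python
import struct

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words.

    An odd trailing byte is padded with a zero byte. Run over a complete message
    whose checksum field is already filled in, the result is 0 when it is intact.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Build an Echo Request (type 8) or Echo Reply (type 0); the code is always 0."""
    if msg_type not in (ECHO_REQUEST, ECHO_REPLY):
        raise ValueError("Echo messages are type 8 or type 0")
    # The checksum is computed over the message with the checksum field zeroed.
    unchecked = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence) + payload
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBHHH", msg_type, 0, csum, identifier, sequence) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split the 8-byte ICMP header (Echo layout) and report whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    msg_type, code, csum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": msg_type,
        "code": code,
        "checksum": csum,
        "checksum_ok": icmp_checksum(packet) == 0,
        "identifier": identifier,
        "sequence": sequence,
        "payload": packet[8:],
    }


def make_echo_reply(request: bytes) -> bytes:
    """What a host does with a valid Echo Request: same id, sequence and payload, type 0."""
    req = parse_icmp(request)
    if req["type"] != ECHO_REQUEST or req["code"] != 0:
        raise ValueError("not an Echo Request")
    if not req["checksum_ok"]:
        raise ValueError("checksum mismatch: discard the message")
    return build_echo(ECHO_REPLY, req["identifier"], req["sequence"], req["payload"])


if __name__ == "__main__":
    # Constructed values: identifier 0x1234, sequence 1, an 8-byte payload.
    request = build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    print("request :", request.hex(), parse_icmp(request))
    reply = make_echo_reply(request)
    print("reply   :", reply.hex(), parse_icmp(reply))
    damaged = bytearray(request)
    damaged[-1] ^= 0xFF  # flip a payload byte; the checksum no longer verifies
    print("damaged checksum_ok:", parse_icmp(bytes(damaged))["checksum_ok"])
```

Putting these bytes on the wire needs a raw socket (socket.SOCK_RAW with socket.IPPROTO_ICMP), which normally requires root, so the example stops at the bytes; what it produces is exactly the ICMP layer Wireshark shows under the IP header of a ping.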
Destination Unreachable
When a datagram cannot be delivered, the router or host that discards it generates a Destination Unreachable, Type 3, ICMP addressed to the datagram's source. The message quotes the IP header and at least the first 8 bytes of the discarded datagram, which is what lets the receiver work out which connection the error is about. Type 3 ICMPs can have a Code value of 0 to 15:
Code  Description
----  -----------
 0    Network Unreachable
 1    Host Unreachable
 2    Protocol Unreachable
 3    Port Unreachable
 4    Fragmentation needed and DF (Don't Fragment) set
 5    Source route failed
 6    Destination Network unknown
 7    Destination Host unknown
 8    Source Host isolated
 9    Communication with Destination Network Administratively Prohibited
10    Communication with Destination Host Administratively Prohibited
11    Network Unreachable for Type Of Service
12    Host Unreachable for Type Of Service
13    Communication Administratively Prohibited by Filtering
14    Host Precedence Violation
15    Precedence Cutoff in Effect
Two of these matter more than the rest in practice. Code 3 (Port Unreachable) is how the absence of a UDP service is reported, and is what UDP-based traceroute waits for from the final hop. Code 4 is the backbone of Path MTU Discovery: it tells the sender that a datagram with DF set was too large for the next link, and since RFC 1191 the message also carries the next-hop MTU in the last two bytes of the header. A firewall that drops Type 3 Code 4 produces the classic PMTUD black hole, where a TCP connection completes its handshake and then stalls as soon as full-size segments are sent. Codes 9, 10 and 13 are the signature of a filter configured to reject rather than silently drop.
Source Quench
An ICMP Source Quench message has a Type field of 4 and Code 0. Source Quench messages were sent when a destination, or a router on the path, could not process traffic as fast as the source was sending it; the message told the source to cut back its sending rate, and messages kept coming until the source was sending at an acceptable speed. Source Quench has since been deprecated (RFC 6633): routers must not generate it and hosts must ignore it, because TCP congestion control does the job better and a spoofed Source Quench is an easy way to slow down someone else's connection.
Redirect Message
A router generates an ICMP Redirect Message when a host sends it a datagram that should have gone to a different router on the same local network, typically because the host's routing table points everything at one default gateway. The router forwards the datagram anyway and tells the host, via the Redirect, which gateway to use next time; the gateway address occupies the four bytes after the checksum. Redirect Message ICMPs are Type 5 and are further defined by the following Code field values:
Code  Description
----  -----------
 0    Redirect datagrams for the Network
 1    Redirect datagrams for the Host
 2    Redirect datagrams for the Type of Service and Network
 3    Redirect datagrams for the Type of Service and Host
Because a Redirect rewrites a host's routing table, it is a convenient tool for an attacker on the same LAN to pull traffic through their own machine. Hosts should only accept a Redirect that comes from their current first-hop gateway (RFC 1122), and hardened hosts often ignore them altogether, for example with net.ipv4.conf.all.accept_redirects = 0 on Linux; a well-designed network rarely needs routers to send them.
Time Exceeded
If a router or host discards a packet because a timer ran out, it generates a Time Exceeded, Type 11, ICMP. The Code value is either 0 or 1. Code 0 (time to live exceeded in transit) is generated by a router when a datagram's TTL reaches zero and the datagram is discarded; this is the message traceroute deliberately provokes, one hop at a time, to map a path. Code 1 (fragment reassembly time exceeded) is generated by the destination host when it has been holding fragments of a datagram and the rest do not arrive before its reassembly timer expires.
Parameter Problem
When an intermediary device or host discards a datagram because it cannot process the header, a Parameter Problem, Type 12, ICMP is generated. Common causes are corrupt header information or missing options. If the Code value is 0, the Pointer field (the first of the four remaining header bytes) holds the offset of the octet in the discarded datagram's header where the error was detected. Code 1 means a required option is missing, and Code 2 (added in RFC 1812) means the header length or total length was bad.
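An added example, not from the original post, covering the four error messages above (Destination Unreachable, Redirect, Time Exceeded and Parameter Problem) in Python: it decodes the type-specific bytes of the header (next-hop MTU, gateway address, pointer) and the quoted original datagram, so that an error can be tied back to the flow it refers to. The sample messages are constructed, not captured, their checksum field is left at zero, and the addresses are documentation ranges; the decoder assumes the checksum has already been verified.

```python
import socket
import struct

# Names from the tables on this page for the types this decoder handles.
TYPE_NAMES = {3: "Destination Unreachable", 5: "Redirect Message", 11: "Time Exceeded", 12: "Parameter Problem"}
UNREACHABLE_CODES = {
    0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable", 3: "Port Unreachable",
    4: "Fragmentation needed and DF set", 9: "Network Administratively Prohibited",
    10: "Host Administratively Prohibited", 13: "Communication Administratively Prohibited",
}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_icmp_error(packet: bytes) -> dict:
    """Decode an ICMP error message and the original datagram it quotes.

    Assumes the checksum was verified beforehand. The quoted datagram is the
    original IP header plus at least 8 bytes of its payload, which is enough to
    recover the transport ports of the affected flow.
    """
    if len(packet) < 8 + 20:
        raise ValueError("too short for an ICMP header plus a quoted IPv4 header")
    msg_type, code, _csum, rest = struct.unpack("!BBH4s", packet[:8])
    info = {"type": msg_type, "code": code, "type_name": TYPE_NAMES.get(msg_type, "type %d" % msg_type)}
    # Bytes 4-7 of the header mean different things depending on the type.
    if msg_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "code %d" % code)
        if code == 4:  # RFC 1191: the low 16 bits carry the next-hop MTU
            info["next_hop_mtu"] = struct.unpack("!HH", rest)[1]
    elif msg_type == 5:  # the router the host should have used
        info["gateway"] = socket.inet_ntoa(rest)
    elif msg_type == 12 and code == 0:  # offset of the bad octet in the quoted header
        info["pointer"] = rest[0]

    quoted = packet[8:]
    if quoted[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < ihl + 8:
        raise ValueError("need the original IP header plus 8 bytes of its payload")
    proto = quoted[9]
    info["orig_src"] = socket.inet_ntoa(quoted[12:16])
    info["orig_dst"] = socket.inet_ntoa(quoted[16:20])
    info["orig_proto"] = PROTO_NAMES.get(proto, str(proto))
    if proto in (6, 17):  # TCP and UDP both begin with source port, destination port
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info


def describe(info: dict) -> str:
    """One line in the style of a sniffer's summary column."""
    flow = "%s %s -> %s" % (info["orig_proto"], info["orig_src"], info["orig_dst"])
    if "orig_dport" in info:
        flow += " port %d" % info["orig_dport"]
    extra = ""
    for key in ("next_hop_mtu", "gateway", "pointer"):
        if key in info:
            extra = " (%s=%s)" % (key, info[key])
    return "%s/%s%s about %s" % (info["type_name"], info.get("code_name", info["code"]), extra, flow)


# --- Constructed sample messages (not captured traffic); checksum field left at 0 ---
def _ipv4_header(src: str, dst: str, proto: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _icmp_error(msg_type: int, code: int, rest: bytes, quoted: bytes) -> bytes:
    return struct.pack("!BBH4s", msg_type, code, 0, rest) + quoted


SAMPLES = {
    # A router could not forward a DF-set segment of an RDP session; the link MTU there is 1400.
    "frag_needed": _icmp_error(3, 4, struct.pack("!HH", 0, 1400),
                               _ipv4_header("192.0.2.10", "198.51.100.5", 6) + struct.pack("!HHI", 51234, 3389, 1)),
    # Nothing listening on UDP/53 at the destination.
    "port_unreach": _icmp_error(3, 3, bytes(4),
                                _ipv4_header("192.0.2.10", "198.51.100.53", 17) + struct.pack("!HHHH", 40000, 53, 20, 0)),
    # The default gateway says 192.0.2.1 is the better first hop for that host.
    "redirect": _icmp_error(5, 1, socket.inet_aton("192.0.2.1"),
                            _ipv4_header("192.0.2.10", "203.0.113.7", 6) + struct.pack("!HHI", 51235, 443, 1)),
    # A traceroute UDP probe whose TTL ran out at an intermediate router.
    "ttl_exceeded": _icmp_error(11, 0, bytes(4),
                                _ipv4_header("192.0.2.10", "203.0.113.7", 17) + struct.pack("!HHHH", 33434, 33435, 40, 0)),
    # Pointer 9: the protocol field of the quoted header was the problem.
    "param_problem": _icmp_error(12, 0, bytes([9, 0, 0, 0]),
                                 _ipv4_header("192.0.2.10", "203.0.113.7", 99) + bytes(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-13s %s" % (name, describe(decode_icmp_error(pkt))))
```

The quoted datagram is also what makes these messages checkable: before a host acts on an unreachable, a redirect or a new path MTU, it can compare the quoted addresses, ports and (for TCP) sequence number against its own connection table and ignore anything that does not match, which is the defence RFC 5927 recommends against spoofed ICMP errors aimed at TCP connections.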
Timestamp Request & Timestamp Reply
Timestamp Request (Type 13) and Timestamp Reply (Type 14) are a rudimentary method for synchronizing the time maintained on different devices. Each message carries three 32-bit timestamps, originate, receive and transmit, in milliseconds since midnight UT. The method is crude and unreliable compared with NTP, so it is little used for its purpose. Today a host that answers Timestamp Requests mostly reveals that it is up and what its clock says, which is why port scanners offer them as an alternative host-discovery probe (nmap's -PP) and many firewalls drop them.
Information Request & Information Reply
These ICMP types were originally designed to allow a booting host to discover its IP address. This method is obsolete and no longer used. The common methods for IP address discovery are BOOTP (Bootstrap Protocol) and DHCP (Dynamic Host Configuration Protocol). BOOTP is defined by RFC 951, with clarifications and extensions in RFC 1542, and DHCP by RFC 2131, which replaced the earlier RFC 1541.
Address Mask Request & Address Mask Reply
A booting computer uses the Address Mask Request, ICMP Type 17, to determine the subnet mask in use on the local network. A router, or a computer configured to act as an authoritative address-mask agent, replies with a Type 18 Address Mask Reply. RFC 1122 says a host must not answer unless it is such an agent, and in practice the mask comes from DHCP today; like Timestamp, these messages survive mainly as a host-discovery probe (nmap's -PM) and are usually filtered.
