Understanding the ICMP Protocol (Part 1)

by Don Parker [Published on 18 Aug. 2005 / Last Updated on 18 Aug. 2005]

Can you imagine a world where there are no traffic lights, stop signs, and other ways to control daily life? Well, just imagine what the Internet would be like then without the ICMP protocol. It would quickly become an unwieldy mess without it. In this article we will explore just what the ICMP protocol is, and how it works.

If you would like to read the next article in this series then please check out Understanding the ICMP Protocol (Part 2).

Just what is ICMP, and what does it stand for? Well, first off, ICMP stands for Internet Control Message Protocol. What does it do? You may be surprised after reading this article, at just how much ICMP actually does for us. Call it the unheralded hero of the four core protocols. The four core protocols being IP, TCP, UDP, and ICMP. If you think about it, all of these protocols, in actuality, are the work horses of the computer-to-computer communications world.

What exactly are you going to cover?

That is a good question. In this article on ICMP we will define just where ICMP resides in the OSI reference model, and go over various packet types containing the ICMP protocol. Lastly, the various error conditions being communicated by this protocol will be explained so as to expand upon them. You may have come to the conclusion by now that the more you learn about computer protocols, the more you will be able to understand just how a computer communicates. Much like any field of study it helps to first achieve a critical mass of knowledge. Once this critical mass has been achieved a great many other concepts become clearer, and therefore understood at the theoretical level. Hopefully once you have finished reading the series of articles that I have written about the TCP/IP core protocols you will have attained just that; a critical mass of knowledge.

Let's get on with it then!

Using the OSI reference model once again as our template to bring some order to this mass of knowledge, just where does ICMP fit in? Well many consider it to be part of the network layer where IP resides. Though that being said some ICMP error conditions may be acted upon at the Transport layer i.e.: TCP and UDP. In case you have never seen the OSI reference model included below is a slimmed down version of it.

Application Layer     Protocols like HTTP, SMTP, FTP
Presentation Layer    Protocols like JPEG, MPEG
Session Layer         Protocols like NFS, SQL, RPC
Transport Layer       Protocols like TCP, and UDP
Network Layer         Protocols like IP and ICMP
Data Link Layer       Protocols like HDLC and PPP
Physical Layer        No protocols at this layer

Now ICMP error messages are themselves actually encapsulated in an IP datagram. It is a rather funky looking packet actually, and tends to be confusing to those just starting to learn about ICMP. Fear not though, for we will cover various types of ICMP error messages at the packet level. The first four bytes of an ICMP error message always have the same format. What follows though can vary as it is dependent upon the error condition being reported. That being said the ICMP echo request, echo reply packet is different as it relates to the header itself. The ping packet as ICMP echo request/echo are also known as, have a header size of eight bytes vice four. This is because other specific information is required. More on that ICMP quirk to follow later on. On that note let’s see the layout of the first four bytes that remain the same.

1 byte   1 byte   2 bytes
_____________________
| Type  | Code  |Checksum |
--------------------------------           

So we can see that there are four bytes in an ICMP error message that remain constant. If you check the TCP/IP and tcpdump flyer that I recommended you download, you will see a representation like the one above. Please remember that it is found under “Additional Resources” at the bottom of the page.

Behold, the ICMP packet!

00:00:09.696930 192.168.1.100 > 192.168.1.200: icmp: echo request (ttl 126, id 6655, len 60)
0x0000      4500 003c 19ff 0000 7e01 1ce8 c0a8 0164  E..<....~.......
0x0010      c0a8 01c8 0800 d9c3 0300 7889 3031 3233  ..........x.0123
0x0020      3435 3637 3839 6162 6364 6566 6768 696a  456789abcdefghij
0x0030      6b6c 6d6e 6f70 7172 7374 7576            klmnopqrstuv

What we have above us is probably one of the best known types of ICMP packet. Care to take a guess as to what this type is? This ICMP packet is the much talked about “ping” packet. What is the “echo request” used for though? Well primarily the ping packet is used to confirm if an IP address is assigned or not i.e.: is there a computer at a specific IP address? If there is then a reply will be issued by that IP address, and if not then an ICMP error message will be generated and returned. This is one of the few instances where an ICMP packet will elicit an ICMP error message in return. Normally an ICMP error message will not in turn generate another one. Would be a bit of an endless loop wouldn’t it, if that could happen. The exception to this rule is the above seen ICMP echo request packet.

Well what does the response to an ICMP echo request look like though? Not only that, but how does the computer who sent the originating ICMP echo request know that the incoming ICMP response is for its initial echo request? That is a very good question actually. Let’s look at the packet below to get an answer then!

00:00:09.697192 192.168.1.100 > 192.168.1.200: icmp: echo reply (ttl 255, id 6655, len 60)
0x0000      4500 003c 19ff 0000 ff01 9be7 c0a8 01c8  E..<............
0x0010      c0a8 0164 0000 e1c3 0300 7889 3031 3233  ..........x.0123
0x0020      3435 3637 3839 6162 6364 6566 6768 696a  456789abcdefghij
0x0030      6b6c 6d6e 6f70 7172 7374 7576            klmnopqrstuv

Let’s quickly recap what the metrics seen above are. From the first line on the left we have our timestamp as noted by the receiving computer. Then the source address, and source port. This is followed by the destination address and destination port. The actual ICMP message as noted in ASCII. Then we have the ttl value, the ID number assigned to the ICMP error message, and overall packet length.

So, let’s now look at the ICMP packet header, and go through the values. They are underlined as seen in the packet directly above.

0000

The first two bytes seen above relate to the type and code field in the ICMP packet header. If you go to the bottom of the TCP/IP cheat sheet that I recommended you download you will see a section for PING (Echo/Echo Reply). The 00 then means that this is a Echo Reply, and the following byte of 00 breaks out to the code value. The code value of 00 then is as it should be 00. The other hex values are what is being sent in the ASCII payload ie: x.0123456 and so on as seen in the ASCII. That will wrap up this article, and in the last part we will cover other types of ICMP error messages at the packet level, and explain what they actually mean. Till then!

If you would like to read the next article in this series then please check out Understanding the ICMP Protocol (Part 2).

See Also

Featured Links