BSD DevCenter


FreeBSD Basics

Examining ICMP Packets


In the past few articles, we examined the frames captured by the tcpdump utility during a brief telnet session. We've had a chance to look at IP headers, TCP headers, and ARP packets, and left off at the ICMP packets. Before we take a look at those packets, let's do a brief overview of the ICMP protocol.

ICMP stands for the Internet Control Message Protocol, and it was designed to send control messages between routers and hosts. For example, an ICMP packet may be sent when a router is experiencing congestion or when a destination host is unavailable.

An ICMP packet has a slightly different structure than we've seen before. An ICMP header follows the IP header in an IP packet (the IP header's Protocol field is 1 for ICMP), but it is not considered to be a Layer 4 header like TCP or UDP. Instead, ICMP is considered to be an integral part of IP; in fact, RFC 792 requires every implementation of IP to include ICMP.

Here is a picture of the fields an ICMP header adds to an IP packet (bit offsets across the top):

     0        8        16                 32 bits
    +--------+--------+------------------+
    |  Type  |  Code  |     Checksum     |
    +--------+--------+------------------+
    |   Identifier    | Sequence number  |
    +--------+--------+------------------+
    |              Data ...              |
    +------------------------------------+

You'll note that an ICMP header is composed of six fields: Type, Code, Checksum, Identifier, Sequence number, and Data. Interestingly, the Data field does not contain the actual ICMP "message." Instead, the Type and the Code fields contain numeric values, and each numeric value represents a specific ICMP message. Every ICMP packet must have a Type value, but only some ICMP types have an associated non-zero Code value. Two caveats worth knowing when reading captures: the Identifier and Sequence number fields only appear in query messages such as echo and timestamp (error messages reuse that 32-bit word for other purposes, for example the gateway address in a redirect), and in error messages the Data field carries the IP header plus the first 8 bytes of the datagram that triggered the error, which is how the receiving host matches the error to a particular connection. The Checksum covers the whole ICMP message, header and data.

RFC 1700 contains the possible values for each ICMP type and code (RFC 1700 has since been replaced by the online IANA registry, which lists the same types along with later additions and deprecations); I've summarized these into the following table:

Type   Name                                  Code(s)
0      Echo reply                            0 - none
1      Unassigned
2      Unassigned
3      Destination unreachable               0 - Net unreachable
                                             1 - Host unreachable
                                             2 - Protocol unreachable
                                             3 - Port unreachable
                                             4 - Fragmentation needed and DF bit set
                                             5 - Source route failed
                                             6 - Destination network unknown
                                             7 - Destination host unknown
                                             8 - Source host isolated
                                             9 - Communication with destination network is administratively prohibited
                                             10 - Communication with destination host is administratively prohibited
                                             11 - Destination network unreachable for TOS
                                             12 - Destination host unreachable for TOS
4      Source quench                         0 - none
5      Redirect                              0 - Redirect datagram for the network
                                             1 - Redirect datagram for the host
                                             2 - Redirect datagram for the TOS and network
                                             3 - Redirect datagram for the TOS and host
6      Alternate host address                0 - Alternate address for host
7      Unassigned
8      Echo                                  0 - none
9      Router advertisement                  0 - none
10     Router selection (router solicitation in RFC 1256)   0 - none
11     Time exceeded                         0 - Time to live exceeded in transit
                                             1 - Fragment reassembly time exceeded
12     Parameter problem                     0 - Pointer indicates the error
                                             1 - Missing a required option
                                             2 - Bad length
13     Timestamp                             0 - none
14     Timestamp reply                       0 - none
15     Information request                   0 - none
16     Information reply                     0 - none
17     Address mask request                  0 - none
18     Address mask reply                    0 - none
19     Reserved (for security)
20-29  Reserved (for robustness experiment)
30     Traceroute
31     Datagram conversion error
32     Mobile host redirect
33     IPv6 where-are-you
34     IPv6 I-am-here
35     Mobile registration request
36     Mobile registration reply
37-255 Reserved

You'll note that the ICMP types that do have associated codes use the Code field to further explain the message value in the Type field. For example, ICMP Type 3 represents "destination unreachable." There can be many reasons why a destination is unreachable; accordingly, every ICMP Type 3 packet will also use one of the codes to explain why the destination was unreachable.
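As an added example (not code from the original article), here is a small Python decoder that walks the header layout and the type/code table above. It verifies the RFC 1071 checksum, names the type and code, pulls Identifier and Sequence number out of query messages, and for error messages extracts the quoted IP header so the error can be matched to the datagram that caused it. The packet bytes it parses are constructed by hand for the demonstration, not captured traffic, and the table inside it covers only the types and codes listed above.

```python
"""Decode raw ICMP messages: type/code names, checksum check, quoted datagram."""
import struct

# Type names from the RFC 1700 table; codes listed only for the types that
# define more than code 0.
ICMP_TYPE_NAMES = {
    0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
    5: "Redirect", 6: "Alternate host address", 8: "Echo",
    9: "Router advertisement", 10: "Router selection", 11: "Time exceeded",
    12: "Parameter problem", 13: "Timestamp", 14: "Timestamp reply",
    15: "Information request", 16: "Information reply",
    17: "Address mask request", 18: "Address mask reply",
}
ICMP_CODE_NAMES = {
    3: ["Net unreachable", "Host unreachable", "Protocol unreachable",
        "Port unreachable", "Fragmentation needed and DF bit set",
        "Source route failed", "Destination network unknown",
        "Destination host unknown", "Source host isolated",
        "Communication with destination network is administratively prohibited",
        "Communication with destination host is administratively prohibited",
        "Destination network unreachable for TOS",
        "Destination host unreachable for TOS"],
    5: ["Redirect datagram for the network", "Redirect datagram for the host",
        "Redirect datagram for the TOS and network",
        "Redirect datagram for the TOS and host"],
    11: ["Time to live exceeded in transit", "Fragment reassembly time exceeded"],
    12: ["Pointer indicates the error", "Missing a required option", "Bad length"],
}
ERROR_TYPES = {3, 4, 5, 11, 12}           # Data = quoted IP header + 8 bytes
QUERY_TYPES = {0, 8, 13, 14, 15, 16, 17, 18}  # word 2 = Identifier / Sequence


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, word2: bytes, data: bytes = b"") -> bytes:
    """Assemble a message; the checksum is computed with its own field zeroed."""
    body = struct.pack("!BBH4s", icmp_type, code, 0, word2) + data
    return struct.pack("!BBH4s", icmp_type, code, internet_checksum(body), word2) + data


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte header, name the type/code, and verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, word2 = struct.unpack("!BBH4s", msg[:8])
    codes = ICMP_CODE_NAMES.get(icmp_type, ["none"])
    data = msg[8:]
    out = {
        "type": icmp_type,
        "type_name": ICMP_TYPE_NAMES.get(icmp_type, "Unassigned or reserved"),
        "code": code,
        "code_name": codes[code] if code < len(codes) else "unknown code",
        # With a correct checksum the complemented sum over the whole message is 0
        "checksum_ok": internet_checksum(msg) == 0,
        "data": data,
    }
    if icmp_type in QUERY_TYPES:
        out["identifier"], out["sequence"] = struct.unpack("!HH", word2)
    elif icmp_type == 5:
        out["gateway"] = ".".join(str(b) for b in word2)
    elif icmp_type == 12:
        out["pointer"] = word2[0]
    if icmp_type in ERROR_TYPES and len(data) >= 20:
        ihl = (data[0] & 0x0F) * 4  # header length of the quoted IP datagram
        out["original"] = {
            "protocol": data[9],
            "src": ".".join(str(b) for b in data[12:16]),
            "dst": ".".join(str(b) for b in data[16:20]),
            "transport": data[ihl:ihl + 8],  # first 8 bytes: TCP/UDP ports live here
        }
    return out


# Constructed sample messages (hand-built for this example, not captured)
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")

# Port unreachable quoting a UDP datagram 192.0.2.1:33434 -> 192.0.2.2:33435
_quoted_ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0,
                    192, 0, 2, 1, 192, 0, 2, 2])
_quoted_udp = struct.pack("!HHHH", 33434, 33435, 8, 0)
PORT_UNREACHABLE = build_icmp(3, 3, b"\x00" * 4, _quoted_ip + _quoted_udp)

# The echo request with one payload bit flipped: the checksum no longer verifies
CORRUPTED = ECHO_REQUEST[:-1] + bytes([ECHO_REQUEST[-1] ^ 0x01])

if __name__ == "__main__":
    for label, pkt in [("echo", ECHO_REQUEST), ("unreachable", PORT_UNREACHABLE),
                       ("corrupted", CORRUPTED)]:
        print(label, parse_icmp(pkt))
```

The `original` dictionary is the part a host should check before it acts on an error message: the quoted source, destination, protocol and port numbers must correspond to a socket the host actually has open, otherwise a forged Destination unreachable or Redirect that happens to pass the checksum would be accepted blindly.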
