IP Network - ICMP

 

 

 

ICMP stands for Internet Control Message Protocol. Many people treat ICMP as the same thing as 'Ping', but 'Ping' is only one of the ICMP functions. ICMP features (types) can be categorized as follows.

  • Query
  • Error Report
  • Redirection

Even though ICMP is one of the simplest protocols in the IP world, fully understanding it is a huge task and requires a lot of experience as well. I would like you to use this page as a cheatsheet for your task. This is just the beginning, and the topics will (hopefully -:)) get extended gradually.

 

 

 

ICMP Segment Structure

 

 

Bits       0 - 7                8 - 15
2 Bytes    Type (ICMP Type)     Code
2 Bytes    Checksum
2 Bytes    Rest of Header
2 Bytes    (This field varies depending on Type and Code)

 

 

ICMP Message - Type and Code

 

The following are the ICMP messages, which are determined by the Type field and the Code field. In real applications, it is important to understand what each of these messages means. You will not understand them clearly unless you experience all of these cases yourself and try to get the practical meaning. So it would take years to understand all of these in a practical sense. Be patient.

 

I will try to explain these messages in a practical manner and with some examples so that you can take this page as a quick reference for troubleshooting. However, this task will take a long time, and I will add them one by one as I get some real examples.

 

Type                                  Code  Description
0 Echo Reply                          0     Echo reply (used to ping)
1 and 2 Reserved
3 Destination Unreachable             0     Destination network unreachable
                                      1     Destination host unreachable
                                      2     Destination protocol unreachable
                                      3     Destination port unreachable
                                      4     Fragmentation required, and DF flag set
                                      5     Source route failed
                                      6     Destination network unknown
                                      7     Destination host unknown
                                      8     Source host isolated
                                      9     Network administratively prohibited
                                      10    Host administratively prohibited
                                      11    Network unreachable for TOS
                                      12    Host unreachable for TOS
                                      13    Communication administratively prohibited
                                      14    Host Precedence Violation
                                      15    Precedence cutoff in effect
4 Source Quench                       0     Source quench (congestion control)
5 Redirect Message                    0     Redirect Datagram for the Network
                                      1     Redirect Datagram for the Host
                                      2     Redirect Datagram for the TOS & network
                                      3     Redirect Datagram for the TOS & host
6 Alternate Host Address
7 Reserved
8 Echo Request                        0     Echo request (used to ping)
9 Router Advertisement                0     Router Advertisement
10 Router Solicitation                0     Router discovery/selection/solicitation
11 Time Exceeded                      0     TTL expired in transit
                                      1     Fragment reassembly time exceeded
12 Parameter Problem: Bad IP header   0     Pointer indicates the error
                                      1     Missing a required option
                                      2     Bad length
13 Timestamp                          0     Timestamp
14 Timestamp Reply                    0     Timestamp reply
15 Information Request                0     Information Request
16 Information Reply                  0     Information Reply
17 Address Mask Request               0     Address Mask Request
18 Address Mask Reply                 0     Address Mask Reply
19 Reserved for security
20 through 29 Reserved for robustness experiment
30 Traceroute                         0     Information Request
31 Datagram Conversion Error
32 Mobile Host Redirect
33 Where-Are-You (originally meant for IPv6)
34 Here-I-Am (originally meant for IPv6)
35 Mobile Registration Request
36 Mobile Registration Reply
37 Domain Name Request
38 Domain Name Reply
39 SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40 Photuris, Security failures
41 ICMP for experimental mobility protocols
42 through 255 Reserved

 

 

Ping

 

The description of normal ping operation will be posted later.

 

When does ping give you 'Request timed out'?

: This means that the ping command (query) did not get any feedback from anywhere. What would be the cause of this case?

 

The following are several cases we can easily think of, but there may be other causes as well.

    i) External Firewall : The ping request was dropped by an external firewall between the source and destination, so the message didn't reach the destination.

    ii) Internal Firewall on destination : These days most PCs have their own firewall. If the firewall is configured not to allow ping queries, it would drop the ping query message and the ICMP message would not reach the destination.

    iii) No physical connection between source and destination : It is also possible that a physical connection between the source and destination does not exist. For example, the LAN cable is pulled out.

 

Does a successful ping in one direction guarantee ping in the opposite direction?

 

When you ping from A to B and you get a ping reply from B, does this mean that ping from B to A will always work?

The answer is "Not Always". There can be some cases where ping works only in one direction. The typical case is where a firewall allows a PC to do only ping requests, but does not allow ping replies.

 

 

Destination Unreachable

 

For a good RFC-based summary of Destination Unreachable, refer to this page: ICMP type 3, Destination unreachable message. Also see this blog: ICMP - Destination Unreachable Message Analysis

 

1 Host Unreachable

 

This error happens when the packet reached a host router but the host router failed to discover the destination host. The remote router then sends this message.

 

Case 1 : Before an IP packet is sent to the next hop, the sender performs ARP (if the next hop is not in the ARP list). If ARP fails, the sender may send back this message.

 

 

3 Port Unreachable

 

This message may be sent by a host on which the specified port is not active or has some other issue with the port. It means the packet was delivered at least to the host (but failed to reach the specific application/port).

 

Case 1 : The destination port specified in the UDP or TCP header was invalid.

 

Troubleshoot tip 1 : If possible, try 'netstat' on the destination to see whether the destination port is active when you have this problem.

 

Troubleshoot tip 2 : To figure out which packet is causing this error, find the packet that contains the data in the DATA field of the ICMP error packet.

    Internet Control Message Protocol
        Type: 3 (Destination unreachable)
        Code: 3 (Port unreachable)
        Checksum: 0x811b [correct]
        Internet Protocol, Src: 80.167.113.76 (80.167.113.76), Dst: 192.168.1.2 (192.168.1.2)
            Version: 4
            Header length: 20 bytes
            ...
        User Datagram Protocol, Src Port: 61846 (61846), Dst Port: 25660 (25660)
            Source port: 61846 (61846)
            Destination port: 25660 (25660)
            Length: 111
            ...
        Data (103 bytes)
            Data: 64313a6164323a696432303abe916abba14b8cb8a7167ce0... <-- find the packet containing this
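
The 8-byte header layout and Troubleshoot tip 2, as an added example (not code from the original page): a parser that splits Type, Code, Checksum and Rest of Header, verifies the checksum, and decodes the IP header and ports quoted inside the error so the offending packet can be located by source, destination and ports. The sample message is constructed from the addresses and ports in the capture above, and all function names are hypothetical.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_quoted(q: bytes):
    """Decode the IPv4 header and ports quoted inside an ICMP error message."""
    if len(q) < 20 or q[0] >> 4 != 4:
        return None
    ihl = (q[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20 or len(q) < ihl:
        return None
    flow = {"src": socket.inet_ntoa(q[12:16]), "dst": socket.inet_ntoa(q[16:20]),
            "proto": q[9]}
    if q[9] in (6, 17) and len(q) >= ihl + 4:    # TCP/UDP: ports come first
        flow["sport"], flow["dport"] = struct.unpack("!HH", q[ihl:ihl + 4])
    return flow

def parse_icmp(msg: bytes) -> dict:
    """Split Type / Code / Checksum / Rest of Header and verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": icmp_type, "code": code, "rest": rest,
            "checksum_ok": inet_checksum(msg) == 0}   # valid message sums to zero
    if icmp_type in (3, 4, 5, 11, 12):           # error types quote the original packet
        info["original"] = parse_quoted(msg[8:])
    return info

def build_sample() -> bytes:
    """Constructed Type 3 / Code 3 message (IP header checksum left as 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 131, 0, 0, 64, 17, 0,
                     socket.inet_aton("80.167.113.76"), socket.inet_aton("192.168.1.2"))
    udp = struct.pack("!HHHH", 61846, 25660, 111, 0)
    body = ip + udp
    csum = inet_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + body)
    return struct.pack("!BBHI", 3, 3, csum, 0) + body

if __name__ == "__main__":
    print(parse_icmp(build_sample()))
```

The quoted header is supplied by whoever sent the ICMP error, so match the decoded source, destination and ports against a packet you actually sent before acting on the message.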

 

Example 1 >

 

 

 

 

 

13 Communication administratively prohibited

: The official description from RFC 1812 is as follows

 

13 = Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering

 

This is the code value for an administrative denial, which indicates that a router is filtering a port and is not permitting traffic to pass. The packet is typically seen when traffic is refused passage through a router or a firewall.

 

e.g. 1 > When a firewall or a router is blocking TCP port 53, the error indicates the reason for the failing Domain Name System (DNS) queries.

e.g. 2 > When a firewall or a router is blocking User Datagram Protocol (UDP) port 53, the error indicates the reason for the failing Domain Name System (DNS) queries.

 

Refer to Microsoft Support : Internet Control Message Protocol "Destination Unreachable" (Code = 0x0D) Packets for more details.