ICMP Protocol Analysis: Understanding Messages and Ping

Overview


ICMP is a point-to-point control protocol that operates at the IP layer. It carries error reports and other critical notifications, which keeps network operations running smoothly. ICMP messages are typically generated by the IP layer itself or by higher-layer protocols such as UDP, and they are encapsulated inside IP datagrams. Because IP is inherently unreliable, with no error control and no guaranteed delivery, ICMP supplements it by providing the error reporting and diagnostics that IP lacks.


The structure of ICMP:


ICMP sits directly above the IP layer and carries no port or socket information;

Type: an 8-bit type field indicating the ICMP message type;

Code: an 8-bit code field selecting a function within the given type. If a type has only one function, the code field is set to 0;

Checksum: a 16-bit checksum covering the ICMP portion of the packet (header and data);

Data: the contents depend on the type and code.

Take the ping message as an example:

The data of a ping message is a string of bytes chosen by the source end, and the other party's reply must carry back exactly the same bytes.

Categories of ICMP messages


ICMP messages generally fall into two kinds: two-way (bidirectional) messages and one-way (unidirectional) messages.

Bidirectional messages, such as the commonly used ping message, are used to test the reachability of a network. The initiator is the source device, and the responder is the destination device or a router along the data path.

One-way messages are usually error reports (for example Destination Unreachable, type 3) or Redirect messages (type 5). Since a one-way message exists to notify the source host of an error, the initiator is the router that the data packet passed through.

ICMP messages can be roughly divided into two categories: error messages and query messages. The main message types are shown in the following table:

Type  Content                        Query  Error  One-way/two-way
0     Echo reply                     yes    -      bidirectional
3     Destination unreachable        -      yes    unidirectional
4     Source quench                  -      yes    unidirectional
5     Redirect                       -      yes    unidirectional
8     Echo request                   yes    -      bidirectional
9     Router advertisement           yes    -      bidirectional
10    Router solicitation (request)  yes    -      bidirectional
11    Time exceeded                  -      yes    unidirectional
17    Address mask request           yes    -      bidirectional
18    Address mask reply             yes    -      bidirectional

Error messages are unidirectional, and query messages are bidirectional.

ICMP error messages


The following is an analysis of the types of ICMP error messages:

ICMP Destination Unreachable message: when an IP router cannot deliver an IP datagram to its destination address, it returns a Destination Unreachable message to the sending host; the code field states the specific reason the destination could not be reached.

ICMP Redirect message: if a router finds that the sending host is using a suboptimal path, it returns an ICMP Redirect message to that host. The message carries the better next hop together with the header of the original datagram. This happens when the router holds better routing information than the host; the router uses the redirect to hand the sending host a more appropriate route.

ICMP Time Exceeded message: every IP datagram carries a TTL (Time To Live) field whose value is decremented by 1 at each router it passes through. When the value reaches 0 the datagram is discarded, and the router that discarded it sends an ICMP Time Exceeded message to the sending host to report that the packet was dropped.

Source Quench message: when a TCP/IP host sends data to another host faster than a router or link can carry it, the router sends an ICMP Source Quench message asking the sender to slow down.


ICMP query messages


ICMP Echo message: used between communicating hosts or routers to determine whether a sent data packet successfully reaches the other end. A host sends an Echo Request message to the other host and receives an Echo Reply message back.

ICMP Address Mask message: used when a host or router wants to learn its subnet mask. It sends an ICMP Address Mask Request to a host or router and obtains the subnet mask from the ICMP Address Mask Reply.

ICMP Timestamp message: a host sends an ICMP Timestamp Request to a host or router and obtains time information from the ICMP Timestamp Reply.

Ping Command Analysis


The ping command uses the bidirectional query messages of the ICMP protocol (Echo Request and Echo Reply) to test whether communication between two points is working. The caller sends a series of test packets, each carrying an identifier and a sequence number, and the tested party returns matching packets with the same identifier and sequence number.

Note that the BE and LE values Wireshark shows for the identifier and sequence number are the big-endian and little-endian readings of the same 16-bit field; they are two interpretations of one piece of data, not two separate fields.

The Request message is shown above:

The Reply message is shown below:

Similarly, in the next Request message the identifier stays the same and the sequence number increases.
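As an added example (not code from the original article), the following Python builds an Echo Request with the four fields described above, computes the RFC 1071 checksum over the ICMP portion, decodes a message the way Wireshark's Identifier (BE)/(LE) columns do, and checks that a reply carries back the request's identifier, sequence number and data bytes. All sample values are constructed.

```python
import struct

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, folded
    to 16 bits, then complemented. Computed over the whole ICMP message with the
    checksum field set to zero."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Assemble an Echo Request (type 8) or Echo Reply (type 0): type, code 0,
    checksum, 16-bit identifier, 16-bit sequence number, then the payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, identifier, sequence) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the common 4-byte ICMP header and, for echo messages, read the
    identifier/sequence pair both ways, as Wireshark's (BE) and (LE) columns do."""
    if len(packet) < 4:
        raise ValueError("truncated ICMP header")
    msg_type, code, csum = struct.unpack("!BBH", packet[:4])
    # A valid message checksums to zero when the stored checksum is included.
    info = {"type": msg_type, "code": code, "checksum": csum,
            "checksum_ok": icmp_checksum(packet) == 0}
    if msg_type in (ECHO_REQUEST, ECHO_REPLY) and len(packet) >= 8:
        info["identifier_be"], info["sequence_be"] = struct.unpack("!HH", packet[4:8])
        info["identifier_le"], info["sequence_le"] = struct.unpack("<HH", packet[4:8])
        info["data"] = packet[8:]
    return info


def reply_matches(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request when it is type 0 with a valid checksum and
    echoes the same identifier, sequence number and payload bytes."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ECHO_REQUEST and rep["type"] == ECHO_REPLY
            and rep["checksum_ok"]
            and rep.get("identifier_be") == req.get("identifier_be")
            and rep.get("sequence_be") == req.get("sequence_be")
            and rep.get("data") == req.get("data"))


if __name__ == "__main__":
    # Constructed sample: identifier 0x0100 (BE 256, LE 1) and sequence 1,
    # with the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" payload Windows ping uses.
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"
    request = build_echo(ECHO_REQUEST, 0x0100, 1, payload)
    reply = build_echo(ECHO_REPLY, 0x0100, 1, payload)
    print(parse_icmp(request))
    print("reply matches request:", reply_matches(request, reply))
```

The identifier 0x0100 is a useful test value: read big-endian it is 256, read little-endian it is 1, which is exactly the pair of numbers Wireshark prints side by side for one field.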

Ping scenarios:


No outbound route

As shown in the figure above, when there is no matching routing table entry and no outgoing interface is available, transmission fails.

Time exceeded


This is generally a TTL exceeded message. When a network node receives a packet with TTL=1 that it would have to forward, it sends a TTL exceeded message back to the source IP. If the destination is an intranet IP, the cause is usually a routing loop.

Below, a host with IP 192.168.205.201/24 and gateway 192.168.205.1 pings 192.168.211.2.

The capture is shown in the following figure:

Tracert results:

The trace shows that the port of the corresponding VLAN on the Layer 3 switch is down, so the directly connected route has disappeared. The packet bounces back and forth between the Layer 3 switch 192.168.212.2 and the router 192.168.212.1 until the router receives it with TTL=1.

tracert Command


Tracert first sends an echo request packet with a TTL of 1. Each router that receives the packet decrements the TTL by 1; once a router decrements it to 0, that router sends an "ICMP Time Exceeded" message back to the source computer. From that message the source learns which router was reached and how long the round trip took. The next packet is sent with the TTL incremented by 1, and the test continues until the target responds or the TTL reaches its maximum value, thereby determining the route. The route is built from the "ICMP Time Exceeded" messages sent back by the intermediate routers. Some routers silently discard TTL-expired packets without sending any message; those hops cannot be seen by tracert, which displays a "Request timed out" line for them.

The request is sent three times with the same TTL value. If the destination has not replied, the TTL is increased by 1 and the requests continue until the destination responds.

The process is as follows:

An echo request is sent with the gateway's MAC address as the destination MAC, destination IP 117.23.6.86 and TTL 1. Each TTL value is sent 3 times.

A one-way ICMP message, TTL exceeded, is received from the router.
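To make the tracert loop concrete, here is an added Python simulation (not the tool's own code and not from the article) of the TTL mechanics: a list of routers decrements the TTL in turn, the router that takes it to zero answers with Time Exceeded unless it is marked silent, and the probe loop raises the TTL one step at a time with three probes per step. It also replays the routing-loop case from the ping section, bouncing a TTL-128 packet between 192.168.212.2 and 192.168.212.1. The hop addresses other than those two and the destination 117.23.6.86 are constructed.

```python
from dataclasses import dataclass


@dataclass
class Router:
    ip: str
    silent: bool = False   # discards TTL-expired packets without sending Time Exceeded


def forward(path, destination, ttl):
    """Walk one packet along `path`. Each router decrements the TTL; the router
    that takes it to zero discards the packet and, unless it is silent, reports
    ('time_exceeded', router_ip). A packet that survives every hop reaches the
    destination, which answers ('echo_reply', destination)."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return ("silent", router.ip) if router.silent else ("time_exceeded", router.ip)
    return ("echo_reply", destination)


def ping(path, destination, ttl=128):
    """One echo request with the Windows default TTL of 128."""
    return forward(path, destination, ttl)


def tracert(path, destination, max_ttl=30, probes=3):
    """Probe with TTL 1, 2, 3, ... sending `probes` packets per TTL. Returns
    (ttl, hop) rows; a silent hop shows as '*', where tracert prints
    'Request timed out'. Stops once the destination itself replies."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [forward(path, destination, ttl) for _ in range(probes)]
        kind, who = replies[-1]          # the simulation is deterministic, so all probes agree
        rows.append((ttl, "*" if kind == "silent" else who))
        if kind == "echo_reply":
            break
    return rows


# Constructed path: three routers, the middle one silent; destination from the text.
PATH = [Router("10.0.0.1"), Router("10.0.1.1", silent=True), Router("10.0.2.1")]
DESTINATION = "117.23.6.86"

# Routing loop from the ping section: the Layer 3 switch and the router hand the
# packet back and forth, so it never leaves this pair until its TTL expires.
LOOP = [Router("192.168.212.2"), Router("192.168.212.1")] * 64

if __name__ == "__main__":
    for ttl, hop in tracert(PATH, DESTINATION):
        print(f"{ttl:>3}  {hop}")
    print("looped ping:", ping(LOOP, DESTINATION))
```

Running it prints one row per TTL, with the silent router shown as "*", and then the looped ping, whose Time Exceeded comes from 192.168.212.1 because a TTL of 128 expires on the router's turn, matching the capture described above.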

pathping command

Similar to tracert, it sends a ping request message, but only once per TTL. After receiving a TTL exceeded message it increases the TTL by 1 and sends again. When there is no response and no TTL exceeded message is received, it stops sending ping requests and uses the highest TTL value that produced a reply to test the several router IPs it recorded along the way.

UDP port unreachable message



When a UDP port is not open, an ICMP port unreachable message (Destination Unreachable, type 3, code 3) is returned.


Test environment: an IAD registers SIP users with the PC; the default port is 5060. The IAD's IP is 18.250.153,

The PC's IP address is 18.250.0.145

IAD configuration interface:

The process is:

The ports on the PC are displayed as follows:

The UDP port is not open, so the ICMP layer returns a port unreachable message.
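An added example, not from the article, showing what a port unreachable message actually carries. An ICMP error message quotes the IP header and the first 8 bytes of the datagram that caused it, which is exactly enough to read the UDP port pair; that is how the sender ties the error back to its own packet, and how a tool such as pathping or traceroute knows which probe expired. The Python below constructs an IPv4+UDP datagram to the PC at 18.250.0.145 on port 5060, wraps it in a type 3 / code 3 message, and parses it back. The source address 192.0.2.10 is constructed, and the checksums are left unverified here.

```python
import socket
import struct

DEST_UNREACHABLE = 3       # ICMP type 3
PORT_UNREACHABLE = 3       # code 3 of type 3
TIME_EXCEEDED = 11         # ICMP type 11
PROTO_UDP = 17


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 + UDP datagram standing in for the 'offending' packet.
    Header checksums are left at zero; they are not needed for this parse."""
    udp_len = 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 20 + udp_len,   # version/IHL, TOS, total length
                            0x1234, 0,               # identification, flags/fragment offset
                            64, PROTO_UDP, 0,        # TTL, protocol, header checksum
                            socket.inet_aton(src), socket.inet_aton(dst))
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_header + udp_header + payload


def build_icmp_error(msg_type: int, code: int, original: bytes) -> bytes:
    """ICMP error layout: type, code, checksum, 4 unused bytes, then the original
    IP header plus the first 8 bytes of its payload (enough for the UDP ports).
    The checksum is left at zero here."""
    ihl = (original[0] & 0x0F) * 4
    return struct.pack("!BBHI", msg_type, code, 0, 0) + original[:ihl + 8]


def parse_icmp_error(packet: bytes) -> dict:
    """Recover what the error is about: the quoted datagram's addresses, TTL,
    protocol and, for UDP, the port pair."""
    if len(packet) < 8 + 20:
        raise ValueError("too short to carry an embedded IP header")
    msg_type, code = packet[0], packet[1]
    inner = packet[8:]
    ihl = (inner[0] & 0x0F) * 4
    info = {
        "type": msg_type, "code": code,
        "inner_ttl": inner[8], "inner_proto": inner[9],
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
    }
    if info["inner_proto"] == PROTO_UDP and len(inner) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def describe(info: dict) -> str:
    """One-line reading of the error, as a ping/traceroute-style tool would print it."""
    if info["type"] == DEST_UNREACHABLE and info["code"] == PORT_UNREACHABLE:
        return f"UDP port {info.get('dst_port')} on {info['inner_dst']} is closed (port unreachable)"
    if info["type"] == TIME_EXCEEDED:
        return f"TTL expired in transit for packet to {info['inner_dst']}"
    return f"ICMP type {info['type']} code {info['code']}"


if __name__ == "__main__":
    # Constructed: a SIP REGISTER attempt from 192.0.2.10 to the PC 18.250.0.145 on UDP 5060.
    original = build_ipv4_udp("192.0.2.10", "18.250.0.145", 40000, 5060, b"REGISTER")
    error = build_icmp_error(DEST_UNREACHABLE, PORT_UNREACHABLE, original)
    print(describe(parse_icmp_error(error)))
```

The same parser reads a Time Exceeded message, since type 11 quotes the expired datagram in the same way; only the type and code differ.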

ICMP routing redirection simulation

ICMP redirect messages are a type of ICMP control message. When a router detects that a host is using a non-optimal route, it sends an ICMP redirect message to the host, asking it to change its route; the router also forwards the original data packet on to its destination.

ICMP redirection usually occurs in two situations:

1) When a router receives data on an interface and must forward it out of the same interface;

2) When the router receives data on an interface destined for a remote network and finds that the source IP address is on the same network segment as the next hop.

A's MAC address is 44:37:e6:8c:94:27, B's MAC address is 44:37:e6:8e:cf:77

The MAC address of the router is 70:ba:ef:e3:5e:12

After B starts pinging A, the process is as shown in Figure 123 above: the router sends an ICMP redirect message to B. The captured packets are shown in the figure below:

Process analysis:

B’s routing table is as follows:

A’s routing table:

When B pings A, it first looks up the directly connected entry in B's routing table: it ANDs A's address with the mask 255.255.255.224 from that entry, getting 192.168.206.145, which matches nothing in B's directly connected routes. So it takes the default route and sends the packet to the MAC address of the gateway IP 192.168.206.1.

The gateway checks its routing table and concludes that B should send directly to A, so it notifies the sender B with a redirect message.

The router also checks its own routing table, finds that the destination is on its own directly connected route, and forwards the packet as well. After A receives it, it checks its own routing table, finds a match in its directly connected entry, and sends a reply.
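An added Python model of the decisions above, not code from the article: the host's lookup that falls through to the default route, and the router's forwarding check that triggers a redirect when both conditions listed earlier hold (the packet must leave through the interface it arrived on, and the source sits on the same segment as the next hop). Only the gateway 192.168.206.1 and the /27 mask (255.255.255.224) come from the text; the other addresses and the interface names are constructed.

```python
import ipaddress

# Host B: a /27 directly connected route plus a default route via the gateway.
HOST_B_TABLE = [
    {"network": "192.168.206.128/27", "gateway": None, "iface": "eth0"},    # directly connected
    {"network": "0.0.0.0/0", "gateway": "192.168.206.1", "iface": "eth0"},  # default route
]

# Router: its LAN interface covers the whole /24, so both B and A are directly connected.
ROUTER_IFACES = {
    "eth0": ipaddress.ip_network("192.168.206.0/24"),
    "eth1": ipaddress.ip_network("203.0.113.0/30"),
}
ROUTER_TABLE = [
    {"network": "192.168.206.0/24", "gateway": None, "iface": "eth0"},
    {"network": "203.0.113.0/30", "gateway": None, "iface": "eth1"},
    {"network": "0.0.0.0/0", "gateway": "203.0.113.1", "iface": "eth1"},
]


def lookup(table, dst):
    """Longest-prefix match: an entry matches when ANDing the destination with its
    mask gives the entry's network; the most specific match wins, and 0.0.0.0/0
    only matches when nothing else does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net = ipaddress.ip_network(entry["network"])
        if dst in net and (best is None
                           or net.prefixlen > ipaddress.ip_network(best["network"]).prefixlen):
            best = entry
    return best


def host_next_hop(table, dst):
    """Where a host sends the frame: the destination itself on a directly
    connected route, otherwise the gateway of the matching entry."""
    route = lookup(table, dst)
    if route is None:
        return None
    return route["gateway"] or dst


def router_forward(table, ifaces, in_iface, src, dst):
    """Router decision for a packet received on `in_iface`. The packet is always
    forwarded; a redirect is generated in addition when it goes back out of the
    same interface and the source is on the next hop's segment."""
    route = lookup(table, dst)
    if route is None:
        return {"action": "unreachable"}
    next_hop = route["gateway"] or dst
    out_iface = route["iface"]
    decision = {"action": "forward", "out_iface": out_iface, "next_hop": next_hop}
    if out_iface == in_iface and ipaddress.ip_address(src) in ifaces[out_iface]:
        decision["action"] = "forward_and_redirect"
        decision["redirect_to"] = next_hop      # the better next hop told to the sender
    return decision


if __name__ == "__main__":
    b, a = "192.168.206.130", "192.168.206.200"   # constructed host addresses
    print("B sends the ping to:", host_next_hop(HOST_B_TABLE, a))
    print("router decision:", router_forward(ROUTER_TABLE, ROUTER_IFACES, "eth0", b, a))
```

B's table sends the packet for A to 192.168.206.1 because A falls outside B's /27; the router then forwards it out the same interface and redirects B to A's own address. Because a forged redirect can steer a host's traffic the same way, hosts are commonly configured to ignore redirects (on Linux, net.ipv4.conf.all.accept_redirects=0), which is worth checking when reproducing this scenario.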

When a TCP port is not open, no ICMP message is sent; a RST segment is returned directly.

As shown in the figure below: the PC 18.250.0.145 runs an HTTP server and another terminal, 18.250.0.31, connects to it. After the SYN is sent, a RST comes back and the handshake is aborted.

The display filter is ip.addr==18.250.0.31 || icmp. No ICMP message is seen in this case.

Check whether port 8080 is open: