ICMP is an error-reporting protocol that network devices use to diagnose problems with data delivery. It is also used by popular diagnostic utilities such as ping and traceroute.
Each ICMP message has a header that contains parameters that help network devices identify the type and code of the error or query.
Type 1: Unreachable
The Internet control message protocol is one of the primary protocols within the IP suite and supports network diagnostics, status queries, and other essential functions. While ICMP is encapsulated in IP packets, it is considered a lower-layer protocol than the upper-layer transport protocols like Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
The ICMP header contains a type and code field that specify a specific message type and provides additional context. The data portion of an ICMP packet is variable in size and contains the information that pertains to the type specified by the type and code fields.
For example, suppose a router receives a data packet that exceeds its maximum data size limit. In that case, it will send a destination unreachable ICMP message to the source device to inform them of this issue. Other ICMP messages include time-exceeded errors and query messages that provide information from intermediate devices to the source device, such as route calculation. The command-line utility ping and the traceroute tool use these ICMP error and query messages to obtain helpful information about network connectivity.
Type 2: Packet Too Big
As data travels through multiple routers and devices in an IP network, there are times when a packet is too big to fit into the system. When that happens, the router or device discards the data and sends an ICMP error message back to the source.
The ICMP header includes a checksum for error detection, followed by a variable-length field that points to the byte value in the original data that caused the ICMP error message. The last section of the ICMP header contains the IP header of the original datagram.
ICMP types can also be used for network management and administration, including ping and traceroute. These command-line utilities use ICMP echo-request and echo-reply messages to determine network availability and latency between devices.
However, ICMP can also be exploited for malicious attacks such as ping floods or smurf attacks. These attacks use ICMP to create covert channels for attackers to communicate secretly with compromised hosts in the target network. ICMP can also monitor an organization’s cloud environment for misconfigurations that can open a door for attackers to gain access.
Type 3: Destination Unreachable
The ICMP message type 3 is a destination unreachable error. It occurs when the user device or its gateways cannot find a route to the destination network or host. Network or firewall configurations or administrative actions can cause it.
You can use Wireshark to capture the ICMP packet in our test network to understand what is happening. It will show us the ICMP header, code, and destination address.
It can help us troubleshoot the problem. As we can see in the image below, the ICMP header contains an 8-bit one’s complement sum of the 16-bit data portion. The ICMP message type also indicates the purpose of the ICMP packet. The message code provides further information on the type of ICMP message. Different ICMP messages have different codes, ranging from the ICMP destination unreachable message to time stamp request and reply messages. The ICMP protocol operates at the Internet layer of the OSI model. Other protocol layers transport the data, such as TCP (Transmission Control Protocol). ICMP communicates status information between the Internet layer and the upper layers.
Type 4: Maximum Packet Size
ICMP provides error-reporting functionality between devices connected to the internet, and it’s also used in diagnostic utilities such as ping and traceroute. However, ICMP can also perform malicious attacks such as Smurf attacks and the notorious “ping of death.”
Each ICMP message type has a specific code, an 8-bit value that determines what kind of information the ICMP message contains. This information is then accompanied by an ICMP checksum, ensuring the correct message type.
Besides error reporting, ICMP can be used for other purposes, such as router advertisement and path MTU discovery. It helps avoid IP fragmentation by determining the maximum transmission unit size on network devices that connect the source and destination to prevent packets from being too large to send.
While attackers can use ICMP to exploit networks, it should be considered carefully when implementing supplementary layers of protection against these threats. A thorough assessment of each network device is required to determine which ICMP message types should be disabled and which remain enabled for optimum network performance.
Type 5: MTU Discovery
The four-byte ICMP header includes an 8-bit “type” field that defines the message type and an 8-bit code field. Message types indicate what kind of notification the packet is, and the code tells additional information. The ICMP checksum is a 16-bit check that ensures the correctness of the notification.
ICMP can be used for diagnostic purposes to test devices on a network. The command-line utility ping relies on ICMP echo requests and echo reply messages to determine the availability of devices. The utility also uses ICMP to display the routing path between two Internet devices, using the IP packets’ Time to Live (TTL) field.
Unlike TCP and UDP, which operate at the transport layer, ICMP operates at the Internet Layer of the OSI model. ICMP can’t be carried inside data-carrying packets but rather exists at a higher level of the operating structure of switches. It is often abused in attacks like the ping of death and Smurf attack, which use large or fragmented ICMP packets to degrade network performance. ICMP also supports router functionality, such as the advertisement (type 9) and solicitation (type 10) messages that enable routers to advertise their routes to other devices on the local network.
