What is ICMP?
ICMP (Internet Control Message Protocol) is a network protocol in the TCP/IP suite. It is used mostly for testing, checking network connectivity, network diagnostics, and keepalive for routers. It is implemented in all operating systems (Windows, MacOS, Linux). A common use of ICMP is to send a "ping" to a device and wait for a response back. A response means that the device is "alive" and on the network. A timeout indicates that the device could be offline or the ping message is getting lost somewhere along the way.
Networking Background
Let's start with some networking background. The well-known OSI (Open Systems Interconnection) model is shown below and can be used to identify the different technology layers required to handle a network communication between devices. This represents, at least theoretically, the whole network stack. The network stack would be implemented by every networking device — basically every computer, phone, IoT device, etc. that wants to get on the network. Each layer transparently communicates with the corresponding layer on the other device. Data from the sender device "flows" down through all the layers to layer 1, is transferred to the receiver device, and then "flows" back up to the corresponding layer.
Each layer is briefly described next.
- The Physical layer indicates how bits are actually transferred. Examples are Ethernet and Wi-Fi.
- The Data Link layer indicates how data is transferred between two devices which are directly connected to each other. Examples are MAC (Media Access Control) and ARP (Address Resolution Protocol).
- The Network layer indicates how data is routed from point A to point B, where A and B are not directly connected (direct connections are handled by the Data Link layer). Examples of protocols in this layer are IP (Internet Protocol) and ICMP.
- The Transport layer provides reliability, flow control, congestion control, and quality of service. Two widely-used protocols are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
- The Session layer establishes or terminates a connection between two devices.
- The Presentation layer indicates how data should be encoded or decoded at the next layer, which is the Application layer.
- The Application layer is where the actual applications run by users or the operating system live. Examples are DNS (Domain Name System), email, web, etc.
Unfortunately, the OSI model is not used much in practice: although it is widely cited, the TCP/IP model is what is widely implemented. The first four layers are the same. The Session, Presentation, and Application layers in the OSI model are merged into one layer known as the Application or Data layer in the TCP/IP model.
ICMP is implemented at the network layer. This means that most users or applications do not have to deal with ICMP. ICMP is thus used for network diagnostics and by network routers to talk to each other.
Format
Every ICMP message begins with a four-byte (32-bit) header, so a message is at least four bytes long. The first 8 bits of the header indicate the Type, the next 8 bits the Code, and the remaining 16 bits are the Checksum.
The Type of the message can be 0 for "Echo Reply", 3 for "Destination Unreachable", 8 for "Echo Request", 9 for "Router Advertisement", 11 for "Time Exceeded", and 30 for "Traceroute", among many other types. In a standard ping request, type 8 will be used by the device that is attempting to connect and type 0 is used by the device that is responding to the ping request.
Each Type usually has only one code, which is 0. However, the type number 3, "Destination Unreachable", can have 15 codes such as 0 for "network unreachable", 1 for "host unreachable", 6 for "network unknown", and so on.
The rest of the ICMP message is data which can vary based on the Type and Code. It can also be blank, e.g. for an "Echo Request" or "Echo Reply".
A full list of ICMP types and codes can be found on Wikipedia.
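To make the header layout concrete, here is an added example (not code from the original article) that builds and parses ICMP messages with the Type/Code/Checksum layout described above. The checksum is the ones'-complement Internet checksum (RFC 1071) that ICMP uses; the type and code names are the ones listed on this page, and the identifier/sequence fields of Echo messages follow RFC 792. The helper names are this example's own.

```python
import struct

# Type numbers named on the page (RFC 792 values).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              9: "Router Advertisement", 11: "Time Exceeded", 30: "Traceroute"}
# Codes for type 3 ("Destination Unreachable") named on the page.
UNREACHABLE_CODES = {0: "network unreachable", 1: "host unreachable", 6: "network unknown"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit big-endian words, as used by ICMP."""
    if len(data) % 2:            # odd length: pad with a zero byte for the sum
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message: 1-byte Type, 1-byte Code, 2-byte Checksum, then payload.
    The checksum is computed over the whole message with the checksum field zeroed."""
    header = struct.pack("!BBH", icmp_type, code, 0)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + payload


def build_echo_request(identifier: int, sequence: int, data: bytes = b"") -> bytes:
    """Echo Request (type 8, code 0). The identifier and sequence number occupy the
    four bytes after the header (RFC 792); any data follows them."""
    return build_icmp(8, 0, struct.pack("!HH", identifier, sequence) + data)


def parse_icmp(msg: bytes) -> dict:
    """Parse the 4-byte header, verify the checksum, and name the type and code."""
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than the 4-byte header")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    # Summing a correct message, checksum field included, folds to 0xFFFF,
    # so the complemented result is 0 exactly when the message is intact.
    result = {"type": icmp_type, "code": code, "checksum": csum,
              "checksum_ok": internet_checksum(msg) == 0,
              "type_name": ICMP_TYPES.get(icmp_type, "other"), "payload": msg[4:]}
    if icmp_type == 3:
        result["code_name"] = UNREACHABLE_CODES.get(code, "other")
    if icmp_type in (0, 8) and len(msg) >= 8:
        result["identifier"], result["sequence"] = struct.unpack("!HH", msg[4:8])
    return result


if __name__ == "__main__":
    msg = build_echo_request(0x1234, 1, b"hello")
    print(msg.hex())                     # constructed Echo Request, shown as hex
    print(parse_icmp(msg))
    bad = msg[:-1] + b"!"                # corrupt the last byte: checksum_ok becomes False
    print(parse_icmp(bad)["checksum_ok"])
```

The checksum check is worth keeping in any parser of captured ICMP traffic: a message whose checksum does not verify was either damaged in transit or crafted carelessly, and either way should not be trusted for diagnostics.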
Uses
ICMP is widely used by routers for route advertisements and for keep-alive messages. If a router doesn't respond to a keep-alive message, it is assumed to be dead and new routes need to be advertised.
ICMP is also used to test networks and diagnose network problems. As a user, the two most common uses of ICMP would be ping and traceroute.
A ping message will usually solicit an echo response. This can be used to test if a network interface is up. The RTT (Round Trip Time) can also be calculated based on when the ping was sent and when the response was received. This can be used to measure the latency between two devices.
Traceroutes allow for tracing the route from the sender to the receiver, recording every hop and its IP address along the way. Traceroutes can be used to determine the path a message would take and diagnose any issues. For example, a message from Chicago to San Francisco going through Iceland would be unusual.
The way a traceroute works is that it first sends an ICMP packet with a TTL (time-to-live) of 1 hop. The first router decrements the TTL to 0, discards the packet, and sends back an ICMP "Time Exceeded" message (type 11); the source address of that reply identifies the first hop. Traceroute then sends an ICMP packet with a TTL of 2, which expires at the router two hops away, and so on. This process continues until the destination itself is reached and answers with an "Echo Reply".
Some firewalls block ICMP, thus pings and traceroute will fail even if the network interface is reachable.
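The TTL mechanism is easier to see in a small model. The following is an added example (not code from the original article) that simulates a chain of routers and a destination, sends probes with increasing TTL exactly as described above, and records which device answered and with which ICMP type. It also models the case from the paragraph above where a hop is firewalled and never answers, which real traceroute prints as "*". The addresses, per-hop delays and the `Node` type are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Node:
    address: str          # constructed sample address (documentation ranges)
    latency_ms: float     # constructed one-way delay added by this hop
    replies: bool = True  # False: drops the probe silently (firewall, rate limiting)


def send_probe(path, destination, ttl):
    """Model one probe with a given TTL. Each router decrements the TTL; the router
    that decrements it to zero discards the probe and sends Time Exceeded (type 11)
    from its own address. Only a probe that survives every router reaches the
    destination, which answers with Echo Reply (type 0).
    Returns (responder_address, icmp_type, rtt_ms) or None when nobody answers."""
    elapsed = 0.0
    for router in path:
        elapsed += router.latency_ms
        ttl -= 1
        if ttl == 0:
            return (router.address, 11, 2 * elapsed) if router.replies else None
    elapsed += destination.latency_ms
    return (destination.address, 0, 2 * elapsed) if destination.replies else None


def traceroute(path, destination, max_hops=30):
    """Increase the TTL from 1 until an Echo Reply arrives or max_hops is exhausted.
    Each entry is (ttl, responder, icmp_type, rtt_ms); a silent hop is ("*", None, None)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(path, destination, ttl)
        if answer is None:
            hops.append((ttl, "*", None, None))   # shown as "*" by real traceroute
            continue
        hops.append((ttl,) + answer)
        if answer[1] == 0:                        # Echo Reply: destination reached
            break
    return hops


# Constructed path: three routers, the second of which never answers ICMP.
SAMPLE_PATH = [Node("192.0.2.1", 0.5),
               Node("198.51.100.1", 3.0, replies=False),
               Node("203.0.113.1", 10.0)]
SAMPLE_DEST = Node("203.0.113.50", 5.0)

if __name__ == "__main__":
    for ttl, who, kind, rtt in traceroute(SAMPLE_PATH, SAMPLE_DEST):
        detail = "*" if kind is None else f"ICMP type {kind}  {rtt:.1f} ms"
        print(f"{ttl:2d}  {who:15s}  {detail}")
```

Two practical caveats follow from the model. A hop that does not answer still forwards traffic, so a "*" line does not mean the path is broken; only a destination that never answers (try the sample with `SAMPLE_DEST.replies = False`) leaves every remaining probe unanswered. And the page describes ICMP probes, which is what Windows `tracert` sends; the Linux `traceroute` command sends UDP probes by default, although the Time Exceeded replies that reveal each hop are still ICMP.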
Since ICMP messages can contain data which are variable in size, two other rarer uses of ICMP are described next.
The ping of death is a Denial of Service attack that relies on sending oversized ICMP packets to a server.
ICMP tunnels have also been set up where data is transferred using ICMP instead of at the Application layer. Intrusion Detection Systems or other network monitoring systems might not pay close attention to ICMP since it's mostly used for network diagnostics.
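Because monitoring tends to ignore ICMP, a simple baseline check on Echo Request traffic is a useful defensive complement to the point above. The following is an added example (not code from the original article) that summarizes constructed ICMP records per source host and flags the traits that distinguish tunnelled data from ordinary pings: payloads larger than a normal ping carries, a high request rate, and payload sizes that vary from packet to packet (a plain ping repeats the same size). The sample records, the thresholds and the function names are all constructed for this example; real deployments would take the records from a packet capture or flow logs and tune the thresholds to their own baseline.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample records: (seconds, src, dst, icmp_type, payload_len).
# 10.0.0.5 pings a resolver normally; 10.0.0.9 sends a burst of echoes with
# varying, oversized payloads, which is what tunnelled data looks like.
SAMPLE_RECORDS = [
    (0.0, "10.0.0.5", "8.8.8.8", 8, 56), (1.0, "10.0.0.5", "8.8.8.8", 8, 56),
    (2.0, "10.0.0.5", "8.8.8.8", 8, 56), (3.0, "10.0.0.5", "8.8.8.8", 8, 56),
    (0.5, "8.8.8.8", "10.0.0.5", 0, 56),   # an Echo Reply; ignored by the summary
] + [(0.1 * i, "10.0.0.9", "203.0.113.7", 8, 200 + (i * 37) % 900) for i in range(60)]

# Thresholds are assumptions for this example; tune them to the site's baseline.
MAX_NORMAL_PAYLOAD = 64     # Linux ping sends 56 data bytes by default, Windows 32
MAX_RATE_PER_MIN = 100      # far above any interactive use of ping
MIN_SIZE_SPREAD = 16.0      # standard deviation of payload size; pings are constant


def summarize_echo_requests(records):
    """Per-source statistics over Echo Request (type 8) records only."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type, plen in records:
        if icmp_type == 8:
            by_src[src].append((ts, plen))
    summary = {}
    for src, items in by_src.items():
        times = [t for t, _ in items]
        sizes = [p for _, p in items]
        span = max(times) - min(times)
        # A single packet has no span; treat it as one packet per minute.
        rate = len(items) / (span / 60) if span > 0 else float(len(items))
        summary[src] = {"count": len(items), "rate_per_min": rate,
                        "max_payload": max(sizes), "size_spread": pstdev(sizes)}
    return summary


def flag_tunnel_candidates(records):
    """Return {source: [reasons]} for sources whose echo traffic exceeds a threshold."""
    flags = {}
    for src, s in summarize_echo_requests(records).items():
        reasons = []
        if s["max_payload"] > MAX_NORMAL_PAYLOAD:
            reasons.append("oversized payload")
        if s["rate_per_min"] > MAX_RATE_PER_MIN:
            reasons.append("high echo rate")
        if s["size_spread"] > MIN_SIZE_SPREAD:
            reasons.append("variable payload size")
        if reasons:
            flags[src] = reasons
    return flags


if __name__ == "__main__":
    for src, stats in summarize_echo_requests(SAMPLE_RECORDS).items():
        print(src, stats)
    print(flag_tunnel_candidates(SAMPLE_RECORDS))
```

None of the three signals is conclusive on its own (a large `ping -s` or a monitoring system that pings aggressively will trip one of them), so the function reports every reason rather than a single verdict, leaving the analyst to weigh them against what is normal on that network.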
V6
ICMPv6 is the ICMP implementation for IPv6. ICMPv6 is actually closely integrated with IPv6. It can be used for NDP (Neighbor Discovery Protocol) which is the replacement for ARP (Address Resolution Protocol) to find other nodes/routers on the network.
How-To
A few common uses of ICMP will be shown next.
Open up a Terminal window and type the following command.
ping 8.8.8.8
After executing that command, you will see output similar to the screenshot below. If you are using Linux, the command will keep pinging 8.8.8.8, which is Google's DNS server, continuously. To stop, hold down the Ctrl key and press the letter c — Ctrl+C. This will terminate the ping process.
In the example shown, three ICMP requests/pings are sent and three responses are received. Each response took about 2 milliseconds.
Here is another ping usage, with the following options:
- -4 means use ICMPv4 or IPv4.
- -c means how many pings to send. In this case, we are sending five.
- -i means the interval time between pings. In this case, wait 1.5 seconds before sending the next ping.
After all pings have been sent, a summary result is also shown, showing the number of pings sent, number lost, the total time, and the average RTT.
To perform a traceroute, type the following command.
traceroute 8.8.8.8
It might take a few seconds but you should then see output similar to the screenshot below. Note that IP addresses are blurred for privacy reasons.
It can be seen that it took 10 hops to reach the destination IP address. The time at each hop is also given. As previously mentioned, some devices will not respond to ICMP, so you might see "*" for no response.
Published by DECT