ICMP protocol is needed for troubleshooting.
For an TCP/IP stack here is what ICMP request looks like in a frame:
Even though ICMP belongs itself to the network layer.
If there is some problem during any requst (HTTP, FTP or any other request on any other layer), ICMP error response might be sent. Its type can help in troubleshooting.
Message Types
Each message type will have a different header.
0/8 Echo Reply and Echo
This message can be triggered with a ping
command. It this case of type 0 (Echo reply) identifier will match that of the corresponding Echo’s message (request). It’s the only message type that is not seen in the normal traffic flow unless it’s a ping
command. Here is the header:
I’ve ping
ed firewall.cx
and here is the result, that can help mathcing this theoretical information to the real life example:
First, DNS name must be resolved from firewall.cx
to 162.254.144.167
. Then, the requests sent. On Windows 4 packets are sent by default, on UNIX systems they just keep being sent until you stop it maually (^C
).
Variable data in my case (macOS ping
) is the following sequence of bytes:
0030 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 0060 36 37
which is mostly garbage and ASCII chars from !
to number 7
. I don’t know what would that be for another machine.
3 Destination unreachable
Here is the header structure specific for this message type:
Code | Meaning |
---|---|
0 | ð Network unreachable. Gateway doesn’t know, how to get to the network in question. May be something is wrong with the IP tables? |
1 | ð Host unreachable. Remote gateway doesn’t know where the host is. |
2 | ð Protocol unreachable. |
3 | ð Port unreachable. Service listening on this port might be down. Port closed by client. |
4 | ð Fragmentation needed. However, DF is set. |
5 | ð Source route failed. |
6 | Network unknown. |
7 | Host unknown. |
8 | ??? |
9 | Network admin prohibited. |
10 | Host admin prohibited. |
11 | ??? |
12 | ??? |
13 | Communication admin prohibited. Filtered by firewall. |
ð - can be received from a gateway.
ð - can be received from a host.
Internet header 32 bits + 62 bit of data. It means that the header that in the request (for troubleshooting).
It may be received, for example, if a DNS service is unavailable and DNS queries fail. When DNS fail, a Windows machine might fall back to NetBIOS.
4 Source Quench Message
Generated only by the gateway or destination host when it can’t keep up with the traffic. There are several reasons for this message to appear:
- Gateway or host doesn’t have enough buffer to queue the datagram.
- Datagrams arrive to fast.
- The PC approaches its capacity limit.
Internet header 32 bits + 62 bit of data. It means that the header that in the request (for troubleshooting).
5 Redirect
Imagine you have a problem. For example, you’ve broken your PC and there is none who could help. However, your spouse or a friend knows someone and calls him or her. The person on the phone âïļ wants to speak directly to you since you are close and it’s your PC anyway. That’s roughly how it looks like in this situation.
The header is slightly different from Type 4 and 3, but not drastically. Gateways to talk to is specified instead of unused 32 bits in the cases above.
11 Time Exceeded Message
For gateways and routers (code 0) and hosts (code 1).
As you might remember, TTL field (see the screeshot from ping
command) means time to live. But does that mean? To avoid any loops when two are just saying something over and over again in an endless loop, this field was intriduced. Originally it’s set to some value (64 in the above case). Each hop (when the message is redirected by a host or gateway) this field is decremented by 1. So, there can be at most 64 hosts between the sender and the receiver. If there are more and TTL is out, message is discarded and ICMP Type 11 Code 0 is sent. This is usually a case for routers and gateways.
Fragmented flag of IP header. If a host is reassembling datagrams and misses parts, it sends this message in return and discard what’s already assembled and an ICMP message Type 11 Code 1 is sent in return.