Understanding ICMP types is an essential step in troubleshooting network issues. ICMP is stationed at the network layer of the TCP/IP protocol stack and is used by popular services such as traceroute and ping.
ICMP packets include a type field that tells you what kind of notification the packet is. There is also a code field that provides further information about the packet.
Type 1: Destination Unreachable
ICMP is the Internet Control Message Protocol, closely tied to the Internet Protocol (IP). ICMP runs at Layer 4, although many argue it doesn’t have its own level in the OSI model since its messages are carried within IP packets.
For example, a data packet might be too large for a router to handle; in that case, the router discards the packet and sends an ICMP message back to the device that sent it. ICMP also underpins the ping utility, which tests connectivity and measures network performance.
An ICMP message contains a Type field and an 8-bit Code field. The Type field defines the message type; the Code field identifies what went wrong with the message. Learning ICMP types and codes is essential. ICMP relays information about data that did not arrive or arrived in the wrong order. It is similar to the communication between a carpenter building a house and the home improvement store, which provides studs, floorboards, roof materials, and insulation.
Type 2: Destination Access Denied
The most common use of ICMP is error reporting between network devices. For example, if a router detects that it is receiving data packets too fast, it can send a source quench message to the source of those packets, asking it to slow down.
Another good use of ICMP is to help make routing more efficient. Suppose a router knows that a host on one of its local networks is having trouble communicating through its gateway. In that case, it can send a redirect message to the host, telling it to use a different router to reach its destination. Unlike TCP, which transfers data over connection-oriented processes, ICMP is stationed at the Internet Layer and does not open a handshake with the device receiving the message. Instead, ICMP uses a variable-length header to encapsulate its information, with an 8-bit type field and an 8-bit code field.
Type 3: Destination Unreachable
ICMP error messages come in different forms, and the first 8 bits of an ICMP packet header tell you what type of message it is. ICMP parameters act like shipping labels for IP packets so that network tools and protocols can understand the errors they are seeing and how to respond.
As the name suggests, ICMP Destination Unreachable messages are returned to the sender when the destination host cannot be reached. This can happen for many reasons, such as the receiver being down, a wrong destination address, or a router not knowing how to reach the destination network.
The Destination Unreachable error message is an ICMP packet that begins with type 3, followed by one of 16 unique codes. One such code is code 3, meaning the host is not listening on the particular port that was addressed.
Type 4: Time-To-Live Exceeded
The Internet Control Message Protocol exists at the Internet Layer, so its messages travel as separate packets rather than inside the data-carrying IP packets they report on. It performs several essential functions, including router advertisement and path MTU discovery.
Unlike TCP and UDP, which require devices to establish connections with each other before sending messages, ICMP is connectionless. It lets a device send error information or updates to another device without first establishing a connection.
Type 5: Time-To-Live Invalid
The ICMP header contains two fields that determine the type of control message sent: a Type field and a Code field. Each of these fields is eight bits wide. The ICMP data portion can also contain a pointer to the location in the original IP packet where the problem occurred.
Because ICMP sits at the Internet Layer, it can report errors between any two devices connected through the Internet. ICMP is also useful as a diagnostic tool and can even be used to evaluate network performance.
ICMP can be used in many ways to gather information about a network, such as through Echo Requests, Timestamp Requests, and Address Mask Requests. This information can then be used to determine live hosts, map the network’s topology, fingerprint operating systems, and identify ACLs. ICMP can also be abused in attacks that flood network equipment with oversized ICMP packets.
Type 6: Time-To-Live Invalid
One of the most common diagnostic tools in a network is ping, which sends an ICMP echo request to a device and waits for an ICMP echo reply. This can help identify problems with a link or network equipment. It can also be used to trace the path of a packet across a network.
An internet datagram has a time-to-live value set when it is sent, and the value is decremented at each hop along the route. If the time-to-live value reaches zero before the datagram reaches its destination, the datagram is discarded and the router that dropped it reports this back to the sender with an ICMP Time Exceeded message.
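As an added example (not code from the original article), here is a small Python decoder for the header layout described above: it verifies the checksum, reads the 8-bit type and code, decodes Destination Unreachable code 3 (port unreachable), pulls the identifier and sequence number from a ping's Echo Request, and for error messages such as Time Exceeded recovers the quoted original IP header and destination port. The sample messages, addresses and port numbers are constructed for the demonstration.

```python
import struct

# Type numbers as assigned in RFC 792 (these differ from the section headings above).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp Request"}
# Code meanings for type 3; code 3 is the "nothing listening on that port" case.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set"}

def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071); returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble a message with a correct checksum; `rest` is the 4 bytes after the checksum."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message with the IP header already stripped off."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code = msg[0], msg[1]
    out = {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "unknown"), "code": code}
    if icmp_type == 3:
        out["reason"] = UNREACH_CODES.get(code, "code %d" % code)
    if icmp_type in (0, 8):  # ping: identifier and sequence number follow the checksum
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
    if icmp_type in (3, 4, 5, 11, 12) and len(msg) >= 28:  # error messages quote the original packet
        if icmp_type == 12:  # Parameter Problem: byte 4 points into the quoted IP header
            out["pointer"] = msg[4]
        ihl = (msg[8] & 0x0F) * 4  # length of the quoted original IP header
        out["orig_proto"] = msg[8 + 9]
        out["orig_src"] = ".".join(str(b) for b in msg[20:24])
        out["orig_dst"] = ".".join(str(b) for b in msg[24:28])
        if out["orig_proto"] in (6, 17) and len(msg) >= 8 + ihl + 4:  # TCP/UDP destination port
            out["orig_dport"] = struct.unpack("!H", msg[8 + ihl + 2:8 + ihl + 4])[0]
    return out

# Constructed samples: "port unreachable" for a UDP probe 192.0.2.1 -> 198.51.100.7:33434, and a ping.
ORIG_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0x4000, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
ORIG_UDP = struct.pack("!HHHH", 40000, 33434, 16, 0)
SAMPLE_UNREACH = build_icmp(3, 3, b"\x00" * 4, ORIG_IP + ORIG_UDP)
SAMPLE_ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1A2B, 7), b"ping")
```

Calling `parse_icmp(SAMPLE_UNREACH)` yields the type, code, reason and the quoted source, destination and port, which is exactly what a traceroute or ping implementation reads to interpret the reply.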
ICMP has become a favorite attack target for malicious actors looking to compromise networks and devices.