ICMP Explained and Packet Format
What is ICMP (Internet Control Message Protocol)
ICMP is an IP protocol used to verify network connectivity between endpoints or network layer 3 capable nodes.
ICMP is part of the Internet protocol suite as defined in RFC 792. ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP operations. ICMP errors are directed to the source IP address of the originating packet.
The related ping utility is implemented using the ICMP echo request and echo reply messages.
ICMP uses the basic support of IP as if it were a higher-level protocol, however, ICMP is actually an integral part of IP. Although ICMP messages are contained within standard IP packets, ICMP messages are usually processed as a special case, distinguished from normal IP processing.
In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application responsible for transmitting the IP packet that prompted the ICMP message to be sent.
ICMP is a network-layer protocol. There is no TCP or UDP port number associated with ICMP packets as these numbers are associated with the transport layer above.
ICMP Header format
The ICMP packet is encapsulated in an IPv4 packet. The packet consists of header and data (payload) sections, the Header is 8 Bytes in length, the fields of the ICMP Header are detailed below:
The ICMP header starts after the IPv4 header and is identified by IP protocol number ‘1’. All ICMP packets have an 8-byte header and variable-sized data section. The first 4 bytes of the header have a fixed format, while the last 4 bytes depend on the type/code of that ICMP packet.
1 for IPv4 and 3 for IPv6
ICMP Header codes:
ICMP Data Section
ICMP error messages contain a data section that includes a copy of the entire IPv4 header of the sent packet, plus at least the first eight bytes of data from the IPv4 packet that caused the error message.
The length of ICMP error messages should not exceed 576 bytes. This data is used by the host to match the message to the appropriate process. If a higher-level protocol uses port numbers, they are assumed to be in the first eight bytes of the original datagram’s data.
ICMP Datagram Analysis in Wireshark
When a ping command is sent to the host, the datagram is encapsulating the Ethernet header, IP header, ICMP header, and payload too. The minimum size of an IPv4 header is 20 bytes and the maximum size is 60 bytes.
ICMP Packet Format
The default size of payload data in ping in windows is 32 bytes. Let’s add 20 bytes of IP header in it and 8 bytes of ICMP header. 32+20+8, it comes out to be 60 bytes.
But, when we analyze ping in Wireshark, the size of the frame written in the log is 74 bytes. This is because while pinging, we would need the destination and source MAC address as well, which is available in the Ethernet header.
So, 14 + 20 + 8 + 32 = 74 bytes.
So, ping sends an encapsulated IP packet which is a combination of:
Ethernet header (14 bytes) + IP header(20 bytes) + ICMP header(8 bytes) + ICMP payload (32 bytes)