Protocol cluster: ICMP analysis

Introduction

ICMP is short for Internet Control Message Protocol. It is mainly used to debug problems in the network communication environment.

For example, when an IP packet cannot be delivered to its destination address, or when a gateway does not have enough buffer space to forward a packet.

It is worth mentioning that ICMP belongs to the network layer, not the transport layer. That is to say, it sits at the same layer as IP, not at the layer of TCP/UDP.

Message format

ICMP messages are carried inside IP datagrams: the data placed above the IP header is the ICMP message, and the formats of the individual messages are introduced one by one below.
IP Header Format
Because ICMP is carried in an ordinary IP header, we only refer to the header briefly here; each field is described in detail in Protocol stack: IPv4 Detailed.

Several fields that need special attention, and their values:

  1. Version: 4
  2. Type of Service: 0
  3. Protocol: ICMP = 1

Next, let's take a look at common examples of ICMP messages

Destination Unreachable Message

Destination Unreachable Message Format
The meaning and value of each field:

  1. Type:3
  2. Code:
    0 = net unreachable
    1 = host unreachable
    2 = protocol unreachable
    3 = port unreachable
    4 = fragmentation needed and DF set
    5 = source route failed
  3. Checksum: the 16-bit checksum of the ICMP message
  4. Internet Header + 64 bits of Data Datagram: This field stores the IP header and the first 64 bits of data of the original datagram (in the example below, the ICMP request we sent), so that this ICMP message can be matched to the request it refers to.

description

  1. When the gateway infers from its routing table that the network address is unreachable, the gateway may return this ICMP message.
  2. The destination received the IP packet, but could not deliver it to the corresponding port (the port may not be open). The destination may return this ICMP message.
  3. When the packet must be fragmented to reach the destination, but the packet has the Don't Fragment flag set, the gateway may return this ICMP message.

Examples

I used the ping 192.168.1.44 command on my machine to obtain a Destination Unreachable message. Let's analyze it:
[Capture: Destination Unreachable message]

  1. First look at the IP header at the top. The value of the Protocol field is 1, indicating that this packet carries an ICMP message. The destination address and the source address are the same, indicating that the address 192.168.1.44 could not be resolved from my local routing table.
  2. Next comes the ICMP message itself, carried as the Data field of the IP packet.
  3. The Type of the ICMP message is 3, which is exactly Destination Unreachable Message.
  4. The Code is 1, indicating that the host is unreachable.
  5. The Internet Header + 64 bits of Data Datagram field contains the IP packet of the ICMP request we sent. From the source and destination addresses of that IP packet I can see that it was sent from my local host 192.168.1.35 to the host 192.168.1.44 that I pinged. We will not analyze this ICMP request now; it is analyzed later.

Time Exceeded Message

Its packet format is the same as the Destination Unreachable Message, so I won't go into details here.

The meaning and value of each field:

  1. Type:11
  2. Code:
    0 = time to live exceeded in transit
    1 = fragment reassembly time exceeded

description

  1. The IP protocol stipulates that when the Time To Live field decreases to 0 while a packet is in transit, the packet must be discarded. The gateway that dropped the packet may then send this ICMP message to the source host to notify it that the packet was dropped.
  2. When the destination receives a fragmented packet but, because some fragments were lost, cannot complete reassembly within the specified time, the packet is discarded. The destination then sends this ICMP message to inform the source that the packet was dropped.

Examples

The author used the ping -i 2 baidu.com command to capture this type of ICMP packet. Here we omit the part that repeats the previous section and paste only the relevant information of the ICMP packet.
[Capture: Time Exceeded message]

  1. Note that the value of the Time to live field in the quoted IP header is 1, not 0. My guess is that the intermediate node processing the packet found that it was not the packet's destination, and since the time to live was already 1, decrementing it by 1 after processing left a time to live of 0, so that node sent us a Time Exceeded message.
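To make the two error messages above concrete, here is an added decoder for Destination Unreachable (type 3) and Time Exceeded (type 11) messages. It is example code written for this article, not code from the original post: it checks the ICMP checksum, maps the Code to the meanings listed above, and then pulls the original source, destination, protocol and TTL out of the quoted "Internet Header + 64 bits of Data", which is exactly what lets a receiver match the error to the ping that caused it. The sample packets are constructed inline (the function and variable names are this example's own) and reuse the article's addresses, 192.168.1.35 pinging 192.168.1.44.

```python
"""Decode ICMP error messages (Destination Unreachable, type 3, and Time Exceeded,
type 11) and recover the original datagram quoted after the 8-byte ICMP header.
Added example for this article; the sample packets are constructed inline and use
the addresses from the text (192.168.1.35 pinging 192.168.1.44)."""
import socket
import struct

# Code meanings as listed in the article (RFC 792).
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set", 5: "source route failed",
}
TIME_EXCEEDED_CODES = {0: "time to live exceeded in transit", 1: "fragment reassembly time exceeded"}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); used by both IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_error(msg: bytes) -> dict:
    """Parse a type 3 / type 11 ICMP message. Raises ValueError if malformed."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP error message too short to carry IP header + 64 bits")
    if inet_checksum(msg) != 0:          # a correct message sums to zero, checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    tables = {3: UNREACHABLE_CODES, 11: TIME_EXCEEDED_CODES}
    if icmp_type not in tables:
        raise ValueError("not a Destination Unreachable / Time Exceeded message")
    meaning = tables[icmp_type].get(code, "unknown code %d" % code)

    # Bytes 4-7 of the ICMP header are unused; the quoted datagram starts at offset 8.
    inner = msg[8:]
    ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _hsum, src, dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not a complete IPv4 header plus 64 bits")
    data64 = inner[ihl:ihl + 8]          # the "64 bits of Data" following the IP header

    result = {"type": icmp_type, "code": code, "meaning": meaning, "orig_ttl": ttl,
              "orig_proto": proto, "orig_src": socket.inet_ntoa(src), "orig_dst": socket.inet_ntoa(dst)}
    # Eight bytes of payload are enough to identify the flow for the common protocols.
    if proto == 1:                       # ICMP: type, code, checksum, identifier, sequence
        t, c, _, ident, seq = struct.unpack("!BBHHH", data64)
        result["orig_icmp"] = {"type": t, "code": c, "id": ident, "seq": seq}
    elif proto in (6, 17):               # TCP / UDP: source and destination ports come first
        result["orig_ports"] = struct.unpack("!HH", data64[:4])
    return result


def build_sample_error(icmp_type: int, code: int, src: str, dst: str,
                       proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct an ICMP error quoting an IPv4 datagram src -> dst with the given payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # fill IP header checksum
    quoted = hdr + payload[:8]           # senders quote only the first 64 bits of data
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]    # fill ICMP checksum


# Constructed samples: the article's ping (an Echo Request, id 0x0001, seq 1; its own
# checksum is left zero since only the header bytes matter here) answered with
# "host unreachable", and the same request expiring in transit with TTL 1.
ECHO_REQUEST_HEADER = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1)
SAMPLE_HOST_UNREACHABLE = build_sample_error(3, 1, "192.168.1.35", "192.168.1.44", 1, ECHO_REQUEST_HEADER)
SAMPLE_TTL_EXCEEDED = build_sample_error(11, 0, "192.168.1.35", "192.168.1.44", 1, ECHO_REQUEST_HEADER, ttl=1)

if __name__ == "__main__":
    for sample in (SAMPLE_HOST_UNREACHABLE, SAMPLE_TTL_EXCEEDED):
        print(parse_icmp_error(sample))
```

The checksum test rejects messages that have been corrupted or truncated in transit, and the quoted header is validated before it is trusted; a real receiver would additionally compare the quoted source address and identifier against the requests it actually sent before acting on the error.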

Parameter Problem Message

[Figure: Parameter Problem Message format]
The meaning and value of each field:

  1. Type:12
  2. Code:
    0 = pointer indicates the error
  3. Pointer: When code == 0, this field indicates the location of the byte in error.

description

When the gateway or the target host cannot correctly process the packet according to its IP header, it discards the packet and sends this ICMP message.

A likely cause of this problem is incorrect use of IP options.

Source Quench Message

Its packet format is the same as the Destination Unreachable Message, so I won't go into details here.

The meaning and value of each field:

  1. Type:4
  2. Code: 0

description

When the gateway or the target host does not have enough buffer space to process a packet, it discards the packet and sends this ICMP message.

Redirect Message

[Figure: Redirect Message format]
The meaning and value of each field:

  1. Type:5
  2. Code:
    0 = Redirect datagrams for the Network
    1 = Redirect datagrams for the Host
    2 = Redirect datagrams for the Type of Service and Network
    3 = Redirect datagrams for the Type of Service and Host
  3. Gateway Internet Address: This field indicates that all packets sent to the current destination host should be sent to the gateway specified by Gateway Internet Address

description

This ICMP message is sent in the following situation:
suppose gateway G1 receives a packet from a host or gateway on a network attached to it. G1 checks its routing table and finds that the packet should be forwarded to gateway G2, which then forwards it onward until it reaches host X. If G2 and the source address of the packet are on the same network, G1 sends this ICMP message to suggest that the source host send all subsequent packets destined for X directly to G2. In this way the route is shortest and data is delivered faster.

Echo or Echo Reply Message

[Figure: Echo / Echo Reply Message format]
The meaning and value of each field:

  1. Type:
    8 = Echo Message
    0 = Echo Reply Message
  2. Code: 0
  3. Identifier and sequence number: When code = 0, the Identifier and sequence number are used to match an Echo Message with its Echo Reply Message

description

As we saw earlier, when we receive an ICMP message in response to a ping, it carries the corresponding Echo Message.

Examples

The following shows the structure of an Echo Message, followed by the corresponding Echo Reply Message.
[Capture: Echo Message]
[Capture: Echo Reply Message]
Worth noting: the Identifier and sequence number fields in the Echo Message and the Echo Reply Message are the same. This is how we know that the two packets correspond to each other.

And the fact that we received the Echo Reply Message proves that our link to the destination host is working.
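The matching rule just described, carried out in code: an added example written for this article (not the original post's code, and not a real ping implementation) that builds Echo Requests with an Identifier and an incrementing Sequence Number, verifies the checksum of incoming messages, and accepts an Echo Reply only when its Identifier, Sequence Number and payload match a request that is still outstanding. The reply is constructed inline by a stand-in for the destination host; the class and function names are this example's own.

```python
"""Build ICMP Echo Requests and match Echo Replies to them by Identifier and
Sequence Number, the way ping does. Added example for this article; the reply is
constructed inline rather than received from a real host."""
import struct
from typing import Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 or 0, Code 0, then Identifier, Sequence Number and payload; checksum filled last."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = inet_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload


def parse_echo(msg: bytes) -> dict:
    """Decode an Echo / Echo Reply; raises ValueError on bad checksum or wrong type."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("truncated message or bad checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an Echo message with code 0")
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": msg[8:]}


class PingSession:
    """Tracks outstanding requests so a reply can be paired with the request it answers.
    A real implementation would also record send times to compute the round-trip time."""

    def __init__(self, ident: int):
        self.ident = ident          # typically the process id, so concurrent pings stay apart
        self.next_seq = 1
        self.pending = {}           # seq -> payload we sent

    def send(self, payload: bytes = b"") -> bytes:
        seq = self.next_seq
        self.next_seq = (seq + 1) & 0xFFFF
        self.pending[seq] = payload
        return build_echo(ECHO_REQUEST, self.ident, seq, payload)

    def receive(self, msg: bytes) -> Optional[int]:
        """Return the sequence number answered, or None if the message is not our reply."""
        reply = parse_echo(msg)
        if reply["type"] != ECHO_REPLY or reply["id"] != self.ident:
            return None             # someone else's ping, or an Echo Request aimed at us
        payload = self.pending.pop(reply["seq"], None)
        if payload is None or payload != reply["payload"]:
            return None             # unknown or duplicate sequence, or the data was altered
        return reply["seq"]


def simulate_echo_reply(request: bytes) -> bytes:
    """Constructed stand-in for the destination host: echo id, seq and data back as type 0."""
    req = parse_echo(request)
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["payload"])


if __name__ == "__main__":
    session = PingSession(ident=0x1234)
    request = session.send(b"abcdefgh")
    print("matched seq", session.receive(simulate_echo_reply(request)))
```

Popping the sequence number on the first match means a duplicated or replayed reply is ignored rather than counted twice, and comparing the echoed payload catches replies whose data was changed on the way back.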

Timestamp or Timestamp Reply Message

[Figure: Timestamp / Timestamp Reply Message format]
The meaning and value of each field:

  1. Type:
    13 = Timestamp Message
    14 = Timestamp Reply Message
  2. Code: 0
  3. Identifier and sequence number: same as in the Echo Message and Echo Reply Message.
  4. Originate Timestamp: The time at which the sender last touched the message before sending it
  5. Receive Timestamp: The time at which the receiver first touched the message on receipt
  6. Transmit Timestamp: The time at which the receiver last touched the message before sending the reply

Information Request or Information Reply Message

[Figure: Information Request / Information Reply Message format]

The meaning and value of each field:

  1. Type:
    15 = Information Request Message
    16 = Information Reply Message
  2. Code: 0
  3. Identifier and sequence number: same as in the Echo Message and Echo Reply Message.

description

The destination address field is left unfilled when this message is sent, and the receiver fills in its own address information in the reply message.

This message can be used to discover the host address information of the current network.

END!

Origin blog.csdn.net/zhaoruixiang1111/article/details/104872177