ICMP protocol in practice
Recently I have wanted to study the TCP/IP protocol suite systematically. In the past I read books and technical documents; this time I am going to practice hands-on. In my experience learning 3GPP LTE and other protocols, if you want to learn a protocol, especially a data-plane protocol, you have to analyze the actual format of the protocol data on the wire; that is the quickest way to grasp its essence.
Let's start with a simple one: ICMP, whose echo messages are the familiar Ping packets.
ICMP is the control companion of IP and has two main functions:
- error notification;
- information query.
In terms of encapsulation, ICMP sits on top of IP: an ICMP message is carried as the payload of an IP datagram, with the IP header's Protocol field set to 1.
The specific protocol format is:
The first 20 bytes are the IP header (20 bytes when there are no options; the IHL field gives the real header length), whose Protocol field, with value 1, marks the datagram as ICMP. The remainder is the ICMP message. Its header begins with three fields: Type (1 byte), Code (1 byte) and Checksum (2 bytes), the checksum covering the whole ICMP message; what follows depends on the message type. Error notification and information query are distinguished by the combination of the Type and Code fields.
The combinations are listed in the table below (an x marks whether the message is a query or an error):

| Type | Code | Description | Query | Error |
|------|------|-------------|-------|-------|
| 0 | 0 | Echo Reply (Ping response) | x | |
| 3 | 0 | Network Unreachable | | x |
| 3 | 1 | Host Unreachable | | x |
| 3 | 2 | Protocol Unreachable | | x |
| 3 | 3 | Port Unreachable | | x |
| 3 | 4 | Fragmentation needed but DF bit set | | x |
| 3 | 5 | Source route failed | | x |
| 3 | 6 | Destination network unknown | | x |
| 3 | 7 | Destination host unknown | | x |
| 3 | 8 | Source host isolated (obsolete) | | x |
| 3 | 9 | Destination network administratively prohibited | | x |
| 3 | 10 | Destination host administratively prohibited | | x |
| 3 | 11 | Network unreachable for TOS | | x |
| 3 | 12 | Host unreachable for TOS | | x |
| 3 | 13 | Communication administratively prohibited by filtering | | x |
| 3 | 14 | Host precedence violation | | x |
| 3 | 15 | Precedence cutoff in effect | | x |
| 4 | 0 | Source quench (basic flow control) | | x |
| 5 | 0 | Redirect for network | | x |
| 5 | 1 | Redirect for host | | x |
| 5 | 2 | Redirect for TOS and network | | x |
| 5 | 3 | Redirect for TOS and host | | x |
| 8 | 0 | Echo Request (Ping request) | x | |
| 9 | 0 | Router advertisement | x | |
| 10 | 0 | Router solicitation | x | |
| 11 | 0 | TTL equals 0 during transit | | x |
| 11 | 1 | TTL equals 0 during reassembly | | x |
| 12 | 0 | IP header bad (catch-all error) | | x |
| 12 | 1 | Required option missing | | x |
| 13 | 0 | Timestamp request (obsolete) | x | |
| 14 | 0 | Timestamp reply (obsolete) | x | |
| 15 | 0 | Information request (obsolete) | x | |
| 16 | 0 | Information reply (obsolete) | x | |
| 17 | 0 | Address mask request | x | |
| 18 | 0 | Address mask reply | x | |
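To make the layout above concrete, here is an added example in Python (not code from the original post) that decodes an IPv4 datagram carrying ICMP, verifies the IP header checksum and the ICMP checksum, and classifies the message from an excerpt of the (Type, Code) table. The two sample packets are constructed by hand: the identifier, sequence number and port numbers are made up, and the addresses are the two from the capture discussed below.

```python
import struct

ICMP_PROTO = 1  # value of the IPv4 Protocol field for ICMP

# (Type, Code) -> (description, kind); an excerpt of the table above.
ICMP_TYPES = {
    (0, 0): ("Echo Reply", "query"),
    (3, 0): ("Network Unreachable", "error"),
    (3, 1): ("Host Unreachable", "error"),
    (3, 3): ("Port Unreachable", "error"),
    (3, 4): ("Fragmentation needed but DF bit set", "error"),
    (3, 13): ("Communication administratively prohibited by filtering", "error"),
    (5, 1): ("Redirect for host", "error"),
    (8, 0): ("Echo Request", "query"),
    (11, 0): ("TTL equals 0 during transit", "error"),
    (12, 0): ("IP header bad", "error"),
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Split an IPv4 datagram into its header fields and the ICMP message it carries."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # options make the header longer than 20 bytes
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IHL / total length")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if proto != ICMP_PROTO:
        raise ValueError("protocol %d is not ICMP" % proto)
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(icmp) != 0:  # the checksum covers the whole ICMP message
        raise ValueError("ICMP checksum mismatch")
    typ, code, _, rest = struct.unpack("!BBHI", icmp[:8])
    desc, kind = ICMP_TYPES.get((typ, code), ("Unknown", "unknown"))
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "type": typ, "code": code, "description": desc, "kind": kind}
    if typ in (0, 8):
        # Echo: the 4 "rest of header" bytes are Identifier and Sequence Number.
        info["id"], info["seq"], info["data"] = rest >> 16, rest & 0xFFFF, icmp[8:]
    elif kind == "error":
        # Error messages quote the offending datagram's IP header plus its first
        # 8 bytes, which lets the sender map the error back to a socket or flow.
        info["quoted"] = icmp[8:]
    return info


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = ICMP_PROTO, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp(typ: int, code: int, rest: int, data: bytes) -> bytes:
    """ICMP message with the checksum filled in (the checksum field is bytes 2..3)."""
    msg = struct.pack("!BBHI", typ, code, 0, rest) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


# Constructed sample 1: echo request from my host to the Baidu address used below
# (identifier 0x1c2b, sequence 1 and the 8-byte payload are made up).
ECHO_REQ = build_ipv4("192.168.2.127", "36.152.44.95",
                      build_icmp(8, 0, (0x1C2B << 16) | 1, b"abcdefgh"))
# Constructed sample 2: Port Unreachable quoting the IP header + 8 bytes of a UDP probe.
UDP_PROBE = build_ipv4("192.168.2.127", "36.152.44.95",
                       struct.pack("!HHHH", 40000, 33434, 8, 0), proto=17)
PORT_UNREACH = build_ipv4("36.152.44.95", "192.168.2.127", build_icmp(3, 3, 0, UDP_PROBE[:28]))

if __name__ == "__main__":
    for pkt in (ECHO_REQ, PORT_UNREACH):
        print(parse_ipv4_icmp(pkt))
```

The parser refuses anything whose checksums do not verify, so a byte flipped anywhere in the ICMP message is reported rather than silently decoded; the quoted header in the Port Unreachable sample is what a traceroute or UDP scanner reads back to learn which probe provoked the error.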
Below we use the Wireshark capture tool to capture and analyze the ICMP packets exchanged during a ping. First we choose the ping destination, Baidu's server, and find its address by running "ping www.baidu.com" in a terminal. The Baidu server's address is "36.152.44.95", so in Wireshark we set the display filter "ip.dst==36.152.44.95 or ip.src==36.152.44.95".
Then we run ping in the terminal; the captured packets are as follows:
My computer's address is 192.168.2.127.
Let's first analyze the first packet above. Its Type is 8 and its Code is 0; from the table above, this is an echo request.
Next the second packet: its Type is 0 and its Code is 0, which the table identifies as an echo reply. It is the reply to the previous ping request; the two are paired by the Identifier and Sequence Number fields that follow the checksum, which Wireshark shows as the ID and sequence numbers.
Looking further at the data field of the ping packets, the data in the request and in the reply is identical. The protocol requires this: the payload is arbitrary data chosen by the sender, and the replying host must return it unchanged. In practice the ping tool fills it with a send timestamp and a fixed byte pattern, but nothing in the protocol constrains its contents, which is why the echo data field is the classic carrier for ICMP tunneling and worth inspecting in a capture rather than skipping over.
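The request/reply pairing and the echoed data field described above, as an added example in Python (not code from the original post): it builds an Echo Request the way ping does, derives the Echo Reply a compliant host sends back, pairs the two by Identifier and Sequence Number, and checks that the payload came back intact. The payloads are constructed; the default fill patterns (an 8-byte timestamp followed by 0x10, 0x11, ... for Linux iputils ping, the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" for Windows ping) are what I see in captures and are used here only as a heuristic, not a specification.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def echo_message(typ: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo (type 8) or echo reply (type 0): type, code 0, checksum, id, seq, data."""
    msg = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def echo_request(ident: int, seq: int, data: bytes) -> bytes:
    return echo_message(8, ident, seq, data)


def echo_reply_for(request: bytes) -> bytes:
    """What the replying host does (RFC 792): same id, seq and data, type 0, checksum recomputed."""
    typ, code, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    if (typ, code) != (8, 0):
        raise ValueError("not an Echo Request")
    return echo_message(0, ident, seq, request[8:])


def match_echo(request: bytes, reply: bytes) -> dict:
    """Pair a reply with a request the way ping does, then check the echoed payload."""
    rtyp, _, _, rid, rseq = struct.unpack("!BBHHH", request[:8])
    ptyp, _, _, pid, pseq = struct.unpack("!BBHHH", reply[:8])
    return {
        "types_ok": (rtyp, ptyp) == (8, 0),
        "checksum_ok": inet_checksum(reply) == 0,
        "same_flow": (rid, rseq) == (pid, pseq),  # id ~ ping process, seq ~ nth probe
        "data_intact": request[8:] == reply[8:],
        "payload_len": len(reply) - 8,
    }


# Default fill patterns as seen in captures (heuristic, assumption; not from the RFC).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_default_payload(data: bytes) -> bool:
    """True if the data field looks like a stock ping fill rather than arbitrary content."""
    if data == WINDOWS_PAYLOAD:
        return True
    if len(data) > 8:  # Linux: 8-byte timestamp, then 0x10, 0x11, ... (wrapping at 0xFF)
        pattern = bytes((0x10 + i) & 0xFF for i in range(len(data) - 8))
        return data[8:] == pattern
    return False


# Constructed payloads: a Linux-style 56-byte default (made-up timestamp words), and a
# tunnel-style payload that rides in the same field because the protocol leaves it free.
LINUX_PAYLOAD = struct.pack("!II", 0x5F3E1A2B, 0x000C3F10) + bytes(range(0x10, 0x10 + 48))
TUNNEL_PAYLOAD = b"exfil:host=web01;user=root"

if __name__ == "__main__":
    req = echo_request(0x1C2B, 1, LINUX_PAYLOAD)
    print(match_echo(req, echo_reply_for(req)))
    for p in (LINUX_PAYLOAD, TUNNEL_PAYLOAD):
        print(looks_like_default_payload(p), p[:16])
```

The payload check is the practitioner's reason for looking at the data field at all: a reply whose data differs from its request, or a request whose data is neither of the stock fills, is exactly what a tunnel or a tampered path looks like in a capture.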