"Author's homepage": Shibie Sanri wyx
"About the author": CSDN top100, Alibaba Cloud blog expert, Huawei Cloud Sharing expert, high-quality creator in the field of network security
"Recommended column": Friends who are interested in network security can follow the column "Network Security Beginner to Master"
Analysis purpose: Analyze the data format, message type and function of the ICMP protocol.
Operating system: Windows 10 Enterprise Edition
Packet capture tool: Wireshark 4.0.8
Step 1: Capture ICMP packets
The ping command is built on ICMP: every ping sends an ICMP echo request and waits for the matching echo reply, so running ping is the simplest way to observe the "work flow" of ICMP.
1) After Wireshark "turns on packet capture" , ping our gateway to trigger the ICMP protocol.
- Execute command in cmd:
ping 192.168.2.1 -n 1
2) Filter icmp in Wireshark’s “Display Filter”
- Two packets were captured: the top is the ICMP "request packet" and the bottom is the ICMP "response packet" .
- Because I only pinged once, I only captured a pair of packets, which is more convenient for analysis.
3) Find the ICMP packet
- From top to bottom, the packet details pane lists the protocols in this packet by layer: Frame (physical layer), Ethernet II (data link layer), Internet Protocol Version 4 (network layer) and Internet Control Message Protocol. Note that ICMP is carried inside an IP packet but is itself part of the network layer; it is not an application-layer protocol.
- The bottom entry, Internet Control Message Protocol, is the ICMP protocol we are looking for: its initials spell ICMP. Wireshark lists the other protocols by their full names in the same way.
Step 2: Analyze message type
The ICMP protocol uses two fields, Type and Code , to represent the "message type" . The receiver performs corresponding operations based on the message type to achieve the "control" effect.
Therefore, here we first look at the two fields Type and Code .
1) Let’s look at the first package first, focusing on the fields in my circle:
- The Type field indicates the type of message, and request indicates that this is a "request" message.
- The Code field indicates the code of the message.
- Type=8, Code=0, indicating that this is an echo request (Ping request)
2) Look at the second package again, focusing on the fields in my circle
- The Type field indicates the type of message, and reply indicates that this is a "reply" message.
- The Code field indicates the code of the message.
- Type=0, Code=0, indicating that this is an echo reply (Ping reply)
Step 3: Analyze the datagram format
Next, let’s take a look at the ICMP message data format. In addition to the Type and Code just mentioned, there are other fields.
1) "Checksum" is the Checksum field. It is computed over the whole ICMP message (header and data) and is used to verify that the message arrived intact.
- Wireshark recalculates the checksum and shows Checksum Status = Good when it matches the value in the packet, meaning the message was not corrupted in transit.
2) The ICMP reply shows a "Response time" in square brackets. This is not a field carried in the packet: Wireshark computes it as the difference between the capture timestamps of the reply and the request it matched. The round-trip time printed by the ping command is measured the same way on the host, so the two values are normally very close.
3) How many "bytes" are sent can be seen in the Data field (Windows ping sends 32 bytes of data by default).
4) The four lines marked BE and LE are actually two 16-bit fields, Identifier and Sequence Number, each shown twice: once read as big-endian (BE, the network byte order) and once as little-endian (LE), because some ping implementations write these fields in host byte order. They tie a reply to its request.
- The reply echoes the request's Identifier and Sequence Number unchanged, so in the request and the reply these values are the same and identify this particular request. For example, if I send you a request numbered 1 and you reply with 1, I know the reply belongs to my request; if you reply with 2, I know it is a reply to a different request, not to mine. The Identifier is typically fixed per ping process and the Sequence Number increases with each packet sent.
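The following script is an added example, not code from the original article: it builds an ICMP echo request and reply from constructed sample bytes (modelled on a Windows ping, which uses a 32-byte data payload and Identifier 1), decodes the header fields the way Wireshark's packet details pane lists them (Type, Code, Checksum, Identifier and Sequence Number in both byte orders, Data), recalculates the RFC 1071 checksum, matches the reply to its request by Identifier and Sequence Number, and computes a "Response time" from two constructed capture timestamps. The field names and the Identifier/Sequence values are assumptions chosen for illustration.

```python
"""Added example: decode ICMP echo request/reply fields as Wireshark
presents them, verify the checksum and match reply to request.
Not code from the original article; sample values are constructed."""
import struct

# Names Wireshark shows for the two message types discussed on the page.
ICMP_TYPE_NAMES = {
    0: "Echo (ping) reply",
    8: "Echo (ping) request",
}

# Default 32-byte payload sent by Windows ping (Data (32 bytes) in Wireshark).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of
    all 16-bit big-endian words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, identifier: int, sequence: int,
               payload: bytes = WINDOWS_PING_PAYLOAD) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0) with code 0.
    The checksum covers the whole message with the checksum field zeroed."""
    if icmp_type not in (0, 8):
        raise ValueError("echo messages are type 8 (request) or 0 (reply)")
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header plus data into the fields Wireshark lists."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident_be, seq_be = struct.unpack("!BBHHH", msg[:8])
    # Wireshark prints Identifier and Sequence Number a second time read as
    # little-endian, since some ping implementations write them in host order.
    ident_le, seq_le = struct.unpack("<HH", msg[4:8])
    # Recompute over the message with the checksum field zeroed and compare.
    expected = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:])
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPE_NAMES.get(icmp_type, "other"),
        "code": code,
        "checksum": csum,
        "checksum_ok": csum == expected,
        "identifier_be": ident_be, "identifier_le": ident_le,
        "sequence_be": seq_be, "sequence_le": seq_le,
        "data": msg[8:],
    }


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request when it is type 0 answering the request's
    type 8 and echoes the same Identifier and Sequence Number. Both sides are
    compared in the same byte order, so the BE/LE display does not matter here."""
    q, r = parse_icmp(request), parse_icmp(reply)
    return (q["type"], r["type"]) == (8, 0) and \
        (q["identifier_be"], q["sequence_be"]) == (r["identifier_be"], r["sequence_be"])


def response_time_ms(request_ts: float, reply_ts: float) -> float:
    """Wireshark's [Response time] is not a packet field: it is the difference
    between the capture timestamps of the matched reply and request."""
    return round((reply_ts - request_ts) * 1000, 3)


if __name__ == "__main__":
    # Constructed sample: Identifier 1 and Sequence Number 21, as a Windows
    # ping might send after twenty earlier echo requests.
    req = build_echo(8, identifier=1, sequence=21)
    rep = build_echo(0, identifier=1, sequence=21)
    for name, m in (("request", req), ("reply", rep)):
        f = parse_icmp(m)
        print(f"{name}: Type={f['type']} ({f['type_name']}) Code={f['code']} "
              f"Checksum=0x{f['checksum']:04x} [{'Good' if f['checksum_ok'] else 'Bad'}] "
              f"Identifier (BE)={f['identifier_be']} (LE)={f['identifier_le']} "
              f"Sequence (BE)={f['sequence_be']} (LE)={f['sequence_le']} "
              f"Data ({len(f['data'])} bytes)")
    print("reply matches request:", is_reply_to(req, rep))
    # Constructed capture timestamps (seconds), 0.842 ms apart.
    print("response time:", response_time_ms(1.000000, 1.000842), "ms")
```

Run it and compare the printed lines with the Type, Code, Checksum, Identifier (BE)/(LE), Sequence Number (BE)/(LE) and Data entries in your own capture; Identifier 1 shows as 256 in the LE line and Sequence Number 21 as 5376, which is exactly why Wireshark prints both interpretations. Flipping any byte of the data and re-parsing turns checksum_ok to False, which is the check behind Wireshark's Checksum Status.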
For daily use, we mainly look at the two fields Type and Code, and just know the ICMP message type.
There are many types of ICMP messages. For details, please refer to my other article: Functions and implementation principles of the ICMP protocol, ICMP protocol message types