Wireshark packet capture analysis ICMP protocol

"Author's homepage": Shibie Sanri wyx
"About the author": CSDN top100, Alibaba Cloud blog expert, Huawei Cloud Sharing expert, high-quality creator in the field of network security

Analysis purpose: Analyze the data format, message type and function of the ICMP protocol.
Operating system: Windows 10 Enterprise Edition
Packet capture tool: Wireshark 4.0.8

Step 1: Capture ICMP packets

The ping command is built on the ICMP protocol, so running ping lets us observe the "workflow" of ICMP.

1) Start packet capture in Wireshark, then ping our gateway to trigger ICMP traffic.

  • Execute the command in cmd: ping 192.168.2.1 -n 1

[Screenshot: output of the ping command]

2) Enter icmp in Wireshark's "Display Filter"

  • Two packets were captured: the top one is the ICMP "request packet" and the bottom one is the ICMP "response packet".
  • Because I only pinged once, I captured only a single pair of packets, which makes the analysis easier.

[Screenshot: Wireshark packet list filtered on icmp]

3) Locate the ICMP section of the packet

  • From top to bottom, the packet details pane lists the protocols used in this packet at the physical layer, data link layer, network layer, and application layer.
  • The bottom entry, Internet Control Message Protocol, has the initials ICMP; that is the ICMP protocol we are looking for. The other protocols are labelled in the same form.

[Screenshot: Wireshark packet details pane with the Internet Control Message Protocol section]

Step 2: Analyze message type

The ICMP protocol uses two fields, Type and Code, to represent the "message type". The receiver performs the corresponding operation based on the message type, which is how the "control" effect is achieved.

Therefore, we first look at the two fields Type and Code.

1) Let's look at the first packet, focusing on the fields I have circled:

  • The Type field indicates the type of message; "request" indicates that this is a "request" message.
  • The Code field indicates the code of the message.
  • Type=8, Code=0 indicates that this is an echo request (Ping request).

[Screenshot: Type and Code fields of the echo request packet]

2) Now look at the second packet, again focusing on the fields I have circled:

  • The Type field indicates the type of message; "reply" indicates that this is a "response" message.
  • The Code field indicates the code of the message.
  • Type=0, Code=0 indicates that this is an echo response (Ping response).

[Screenshot: Type and Code fields of the echo reply packet]

Step 3: Analyze the datagram format

Next, let's take a look at the ICMP message data format. In addition to the Type and Code fields just discussed, there are several other fields.

[Screenshot: full ICMP field list in Wireshark]

1) "Checksum" is the checksum field, used to verify that the message is intact.

  • Checksum Status = Good indicates that the checksum is valid and the message is correct.

[Screenshot: Checksum and Checksum Status fields]

2) The ICMP response carries a "Response time". The response time reported by the Ping command is obtained from here.

[Screenshot: Response time field of the echo reply packet]

3) How many "bytes" were sent can also be seen in the Data field.

[Screenshot: Data field showing the payload length]

4) The four fields marked BE and LE (the Identifier and Sequence Number, each displayed in big-endian and little-endian form) establish the correspondence between a request and its response.

  • In a request and its response these four fields are identical, so they identify this particular request. For example, if I send you a 1 and you reply with a 1, I know we are talking about the same request; if you send me a 2, I know it is not the same request and you are replying to someone else, not to me.

[Screenshot: Identifier and Sequence Number fields, BE and LE, in request and reply]

For daily use, we mainly look at the two fields Type and Code, and just know the ICMP message type.
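To tie Steps 2 and 3 together, here is an added Python example (not part of the original article) that builds an echo request/reply pair with the same field layout Wireshark displayed above, verifies the RFC 1071 checksum, reads the Identifier and Sequence Number in both BE and LE form, and checks that a reply belongs to its request. The 32-byte payload and the identifier/sequence values are constructed sample data.

```python
import struct

# Constructed sample payload: the 32-byte pattern Windows ping sends by default.
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = PAYLOAD) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0), code 0, with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the fields the article walks through, labelled the way Wireshark shows them."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    names = {8: "Echo (ping) request", 0: "Echo (ping) reply"}
    # The checksum is verified by recomputing it with the checksum field zeroed.
    expected = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:])
    return {
        "type": icmp_type,
        "code": code,
        "name": names.get(icmp_type, "other"),
        "checksum": csum,
        "checksum_ok": expected == csum,               # Wireshark: "Checksum Status: Good"
        "id_be": ident,                                # Identifier (BE): network byte order
        "id_le": struct.unpack("<H", packet[4:6])[0],  # Identifier (LE): same bytes read little-endian
        "seq_be": seq,
        "seq_le": struct.unpack("<H", packet[6:8])[0],
        "data_len": len(packet) - 8,                   # byte count shown in the Data field
    }

def match_reply(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request only if Identifier and Sequence Number both match."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"], rep["type"]) == (8, 0) and \
        (req["id_be"], req["seq_be"]) == (rep["id_be"], rep["seq_be"])

if __name__ == "__main__":
    request = build_echo(8, ident=1, seq=1)
    reply = build_echo(0, ident=1, seq=1)
    print(parse_icmp(request))
    print("reply matches request:", match_reply(request, reply))
```

Flipping a single payload byte makes checksum_ok False, which is the condition under which Wireshark would report a bad checksum instead of "Good".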

There are many types of ICMP messages. For details, please refer to my other article: Functions and implementation principles of the ICMP protocol, ICMP protocol message types

Origin blog.csdn.net/wangyuxiang946/article/details/124572256