Version 2

    Internet Control Message Protocol (ICMP) works at the Network layer and is used by IP for many different services. ICMP is basically a management protocol and messaging service provider for IP. Its messages are carried as IP datagrams. RFC 1256 is an annex to ICMP, which gives hosts extended capability in discovering routes to gateways. ICMP packets have the following characteristics:


    • They can provide hosts with information about network problems.
    • They are encapsulated within IP datagrams.


    The following are some common events and messages that ICMP relates to:


    Destination unreachable - If a router can’t send an IP datagram any further, it uses ICMP to send a message back to the sender, advising it of the situation. For example, take a look at Figure 3.17, which shows that interface E0 of the Lab_B router is down. When Host A sends a packet destined for Host B, the Lab_B router will send an ICMP destination unreachable message back to the sending device, which is Host A in this example.




    Buffer full/source quench - If a router’s memory buffer for receiving incoming datagrams is full, it will use ICMP to send out this message alert until the congestion abates.


    Hops/time exceeded - Each IP datagram is allotted a certain number of routers, called hops, to pass through. If it reaches its limit of hops before arriving at its destination, the last router to receive that datagram deletes it. The executioner router then uses ICMP to send an obituary message, informing the sending machine of the demise of its datagram.


    Ping - Packet Internet Groper (Ping) uses ICMP echo request and reply messages to check the physical and logical connectivity of machines on an internetwork.


    Traceroute - Using ICMP time-outs, Traceroute is used to discover the path a packet takes as it traverses an internetwork.


    NOTE: Traceroute is usually just called Trace, and Microsoft Windows uses tracert. Both Ping and Traceroute allow you to verify address configurations in your internetwork.

    The following data is from a network analyzer catching an ICMP echo request:

    Flags: 0x00
    Status: 0x00
    Packet Length: 78
    Timestamp: 14:04:25.967000 12/20/03

    Ethernet Header
    Destination: 00:a0:24:6e:0f:a8
    Source: 00:80:c7:a8:f0:3d
    Ether-Type: 08-00 IP

    IP Header - Internet Protocol Datagram
    Version: 4
    Header Length: 5
    Precedence: 0
    Type of Service: %000
    Unused: %00
    Total Length: 60
    Identifier: 56325
    Fragmentation Flags: %000
    Fragment Offset: 0
    Time To Live: 32
    IP Type: 0x01 ICMP
    Header Checksum: 0x2df0
    Source IP Address:
    Dest. IP Address:
    No Internet Datagram Options

    ICMP - Internet Control Messages Protocol
    ICMP Type: 8 Echo Request
    Code: 0
    Checksum: 0x395c
    Identifier: 0x0300
    Sequence Number: 4352
    ICMP Data Area:
    abcdefghijklmnop 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70
    qrstuvwabcdefghi 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69

    Frame Check Sequence: 0x00000000

    Notice anything unusual? Did you catch the fact that even though ICMP works at the Internet (Network) layer, it still uses IP to do the Ping request? The Type field in the IP header is 0x01, which specifies that the data we’re carrying is owned by the ICMP protocol. Remember, just as all roads lead to Rome, all segments or data must go through IP!


    NOTE: The Ping program uses the alphabet in the data portion of the packet as a payload, typically around 100 bytes by default, unless, of course, you are pinging from a Windows device, which thinks the alphabet stops at the letter W (and doesn’t include X, Y, or Z) and then starts at A again. Go figure!
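
    Added example (not from the book): rebuilding the ICMP portion of the trace above in Python and recomputing its checksum with the standard Internet checksum (RFC 1071) reproduces the 0x395c the analyzer shows, and a modified copy fails verification. The function names and the payload check, which encodes the a-to-w pattern from the NOTE, are this example's own.

```python
import struct

# Field values copied from the analyzer trace above; the byte layout (type,
# code, checksum, identifier, sequence, data) is the standard ICMP echo format.
ICMP_TYPE, ICMP_CODE = 8, 0
TRACE_CHECKSUM = 0x395C
IDENTIFIER, SEQUENCE = 0x0300, 4352
DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """Build the ICMP message; the checksum is computed over a zeroed field."""
    header = struct.pack("!BBHHH", ICMP_TYPE, ICMP_CODE, 0, ident, seq)
    csum = internet_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_TYPE, ICMP_CODE, csum, ident, seq) + data

def parse_echo(message: bytes) -> dict:
    """Parse an ICMP echo message and report whether its checksum verifies."""
    if len(message) < 8:
        raise ValueError("ICMP echo header needs at least 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "identifier": ident, "sequence": seq, "data": message[8:],
        # A message carrying its own correct checksum sums to zero.
        "checksum_ok": internet_checksum(message) == 0,
    }

def is_windows_default_payload(data: bytes) -> bool:
    """True if the data is the repeating a..w pattern the NOTE describes."""
    alphabet = b"abcdefghijklmnopqrstuvw"
    return bool(data) and all(
        b == alphabet[i % len(alphabet)] for i, b in enumerate(data))

if __name__ == "__main__":
    msg = build_echo_request(IDENTIFIER, SEQUENCE, DATA)
    print(parse_echo(msg), is_windows_default_payload(DATA))
```

    The 40-byte ICMP message plus the 20-byte IP header (Header Length: 5) accounts for the Total Length of 60 in the trace.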

    If you remember reading about the Data Link layer and the different frame types in Chapter 2, “Ethernet Technologies and Data Encapsulation,” you should be able to look at the preceding trace and tell what type of Ethernet frame this is. The only fields are destination hardware address, source hardware address, and Ether-Type. The only frame that uses an Ether-Type field exclusively is an Ethernet_II frame.

    We’ll move on soon, but before we get into the ARP protocol, let’s take another look at ICMP in action. Figure 3.18 shows an internetwork—it has a router, so it’s an internetwork, right?


    Server1 ( telnets to from a DOS prompt. What do you think Server1 will receive as a response? Server1 will send the Telnet data to the default gateway, which is the router, and the router will drop the packet because there isn’t a network in the routing table. Because of this, Server1 will receive an ICMP destination unreachable back from the router.


    From CCNA® Routing and Switching Study Guide; Copyright © 2013 by John Wiley & Sons, Inc., Indianapolis, Indiana. Used in arrangement with John Wiley & Sons, Inc.