TCP/IP Study Notes (4) – ICMP, Ping, Traceroute


Introduction to ICMP Protocol

When an error occurs while transmitting IP packets, for example host unreachable or route unreachable, the ICMP protocol encapsulates the error information and sends it back to the host. This gives the host a chance to handle the error, which is why it is said that protocols built on top of the IP layer can be made secure. ICMP packets consist of an 8-bit error type, an 8-bit code, and a 16-bit checksum. The first 16 bits comprise the information that ICMP needs to convey. Figure 6-3 in the book clearly shows the meaning of the combinations of error types and codes.
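The header layout described above can be parsed and checked in a few lines. This is an added example, not code from the original notes; it assumes the checksum is the RFC 1071 Internet checksum computed over the whole ICMP message, and the sample message body is constructed.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"              # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Build type(8) | code(8) | checksum(16) | body with a valid checksum."""
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + body
    csum = internet_checksum(unsummed)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def parse_icmp(message: bytes) -> dict:
    """Split the fixed 4-byte header and verify the checksum."""
    if len(message) < 4:
        raise ValueError("truncated ICMP message")
    icmp_type, code, csum = struct.unpack("!BBH", message[:4])
    # Summing a message that already carries a correct checksum yields 0.
    ok = internet_checksum(message) == 0
    return {"type": icmp_type, "code": code,
            "checksum": csum, "checksum_ok": ok}

# Constructed sample: type 3, code 3 with a made-up 8-byte body.
SAMPLE = build_icmp(3, 3, bytes(4) + b"demo")

if __name__ == "__main__":
    print(parse_icmp(SAMPLE))
    corrupted = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])
    print(parse_icmp(corrupted))     # one flipped bit fails the check
```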

Although an ICMP message should be sent for error packets in most cases, there are special cases in which ICMP error messages are not generated:

  1. ICMP error messages do not themselves trigger ICMP error messages (ICMP query messages are the exception). This prevents ICMP messages from being generated and transmitted without end.

  2. IP datagrams with a destination address that is a broadcast or multicast address.

  3. Datagrams that are link-layer broadcasts.

  4. Fragments other than the first fragment of an IP datagram.

  5. Datagrams whose source address does not identify a single host. This means that the source address cannot be a zero, loopback, broadcast, or multicast address.

Although some of these rules are not very clear now, all these regulations are defined to prevent the infinite propagation of ICMP messages.
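The five rules above can be written as one decision function. This is an added example, not code from the original notes; the `Datagram` model, the function name and the sample addresses are assumptions, and the set of ICMP error types is taken from RFC 792.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 792 error types: destination unreachable, source quench, redirect,
# time exceeded, parameter problem. Other ICMP types are treated as queries.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = "255.255.255.255"

@dataclass
class Datagram:                      # hypothetical model of the offending datagram
    src: str
    dst: str
    icmp_type: Optional[int] = None  # None when the payload is not ICMP
    fragment_offset: int = 0         # 0 for the first (or only) fragment
    link_broadcast: bool = False     # arrived as a link-layer broadcast

def suppressed_by(d: Datagram, subnet_broadcasts=frozenset()) -> Optional[int]:
    """Return the number of the rule that forbids an ICMP error, or None."""
    src = ipaddress.ip_address(d.src)
    dst = ipaddress.ip_address(d.dst)
    broadcasts = {LIMITED_BROADCAST, *subnet_broadcasts}
    if d.icmp_type in ICMP_ERROR_TYPES:
        return 1                     # never answer an error with an error
    if dst.is_multicast or d.dst in broadcasts:
        return 2                     # one datagram must not fan out into many errors
    if d.link_broadcast:
        return 3
    if d.fragment_offset != 0:
        return 4                     # only the first fragment may trigger an error
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or d.src in broadcasts):
        return 5                     # the error would have no single host to go to
    return None

# Constructed cases; 10.4.24.255 is assumed to be the local subnet broadcast.
SUBNET = frozenset({"10.4.24.255"})
CASES = [
    Datagram("10.4.24.7", "10.4.24.1"),                    # ordinary datagram
    Datagram("10.4.24.7", "10.4.24.1", icmp_type=3),       # ICMP error
    Datagram("10.4.24.7", "10.4.24.1", icmp_type=13),      # timestamp query
    Datagram("10.4.24.7", "10.4.24.255"),                  # subnet broadcast
    Datagram("10.4.24.7", "10.4.24.1", fragment_offset=185),
    Datagram("127.0.0.1", "10.4.24.1"),                    # loopback source
]

if __name__ == "__main__":
    for case in CASES:
        print(case, "->", suppressed_by(case, SUBNET))
```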

ICMP protocols can be roughly divided into two categories: query messages and error messages. The query messages have the following purposes:

  1. Ping query (don’t tell me you don’t know the ping program)

  2. Subnet mask query (used to initialize the subnet mask when a diskless workstation initializes itself)

  3. Timestamp query (can be used to synchronize time)

Error messages are generated when there is an error in data transmission. I won’t elaborate on that.

Application of ICMP – Ping

Ping can be said to be the most famous application of ICMP. When we cannot access a certain website, we usually ping that website. Ping echoes back some useful information; typical output looks like this:

Reply from 10.4.24.1: bytes=32 time<1ms TTL=255
Reply from 10.4.24.1: bytes=32 time<1ms TTL=255
Reply from 10.4.24.1: bytes=32 time<1ms TTL=255
Reply from 10.4.24.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.4.24.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The word ping comes from sonar positioning, and this program indeed serves that purpose; it uses ICMP protocol packets to detect whether another host is reachable. The principle is to send an ICMP request with a type code of 0, and the responding host will reply with an ICMP response with a type code of 8. The ping program calculates the interval time and counts how many packets were delivered. The user can assess the general state of the network. We can see that ping provides the transmission time and TTL data. The example I provided is not very good because it traverses few routers; if interested, you can ping foreign websites like sf.net to observe some packet loss phenomena, and the execution time will be longer.

Ping also gives us a chance to see the route from the host to the destination host. This is because the ICMP ping request datagram adds the IP of each router it passes through. The destination host then copies this IP list into the response ICMP packet sent back to the host. However, the IP header can only record a limited routing list. If we want to observe the route, we still need to use a better tool, which brings us to Traceroute (known as tracert in Windows).

Application of ICMP – Traceroute

Traceroute is an important tool for detecting the routing situation between a host and a destination host, and it is also the most convenient tool. As mentioned earlier, although the ping tool can also perform detection, due to the limitation of the IP header, ping cannot completely record the routers it has passed through. Therefore, Traceroute perfectly fills this gap.

The principle of Traceroute is very interesting. It sends a UDP (you’ll learn what UDP is later) datagram with TTL=1 to the destination host. When the first router that the packet passes through receives this datagram, it automatically decrements the TTL by 1. When the TTL becomes 0, the router discards the packet and simultaneously generates an ICMP datagram indicating that the host is unreachable. After receiving this datagram, the host sends a UDP datagram with TTL=2 to the destination host, which prompts the second router to send an ICMP datagram to the host. This process continues until it reaches the destination host, and thus Traceroute obtains the IPs of all the routers, avoiding the limitation of the IP header that can only record a limited number of routing IPs.

Someone might ask, how do I know if UDP reached the destination host? This involves a trick; TCP and UDP protocols have a port number definition, and ordinary network programs only monitor a few smaller port numbers, such as 80, 23, etc. Traceroute sends UDP packets with port numbers >30000 (quite extreme), so when it reaches the destination host, the host can only send an ICMP datagram indicating that the port is unreachable back to the host. After receiving this report, the host knows it has arrived, so it is not an exaggeration to say that Traceroute is a trickster 🙂
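The probing loop described in the two paragraphs above, run against a simulated path so that it works offline. This is an added example, not code from the original notes; the path addresses, the default port 33434, the fixed destination port and the set of listening ports are assumptions, and the router's TTL-expiry report is modelled as ICMP type 11 code 0 (time exceeded in transit, per RFC 792).

```python
TIME_EXCEEDED = (11, 0)      # RFC 792: TTL exceeded in transit
PORT_UNREACHABLE = (3, 3)    # RFC 792: destination unreachable, port unreachable

def deliver(path, ttl, dst_port, listening=frozenset({23, 80})):
    """Forward one UDP probe along path = [router, ..., destination].

    Returns (responder_ip, (icmp_type, icmp_code)), or None when the
    probe produces no ICMP message at all.
    """
    *routers, destination = path
    for router in routers:
        ttl -= 1                          # every router decrements the TTL
        if ttl == 0:
            return router, TIME_EXCEEDED  # discard and report to the sender
    if dst_port in listening:
        return None                       # a program accepted the datagram
    return destination, PORT_UNREACHABLE  # nothing listens on that port

def traceroute(path, dst_port=33434, max_hops=30):
    """Raise the TTL one hop at a time until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = deliver(path, ttl, dst_port)
        if reply is None:
            hops.append((ttl, "*", None))  # no ICMP came back for this probe
            continue
        responder, icmp = reply
        hops.append((ttl, responder, icmp))
        if icmp == PORT_UNREACHABLE:       # only the destination sends this
            break
    return hops

# Constructed path: three routers, then the destination host.
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "10.9.9.9"]

if __name__ == "__main__":
    for hop in traceroute(PATH):
        print(hop)
    # Probing a port that is in use never yields the "arrived" signal.
    print(traceroute(PATH, dst_port=80, max_hops=6))
```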

The Traceroute program provides some very useful options, including options for IP routing selection; please refer to the man documentation for more information, and I won’t elaborate here.
