ICMP (Internet Control Message Protocol)

This topic is to discuss the following lesson:


If R3 replies with a type 3 destination unreachable message, then how come you mentioned "At least R1 now knows that 192.168.23.3 is reachable" at the end?

Hi Lynkaran,

When R3 sends the IP packet, it will use 192.168.23.3 as the source address. You can see this in the wireshark capture.

Rene

Hi Rene,

How can I block traceroute if the destination port is not fixed? What will be the exact port number? You mentioned that the destination port number will be 33434 and increase by 1, but I found from the host that the port is 51890 and doesn't increase by one. Please clarify this for me. Thanks a lot.

Br,
Zaman

Hi Zaman,

It depends on which traceroute you want to block. Cisco IOS uses a different traceroute than Microsoft Windows does.

Rene

Hi Rene,

Why do we need to use UDP in traceroute? We have other commands like nmap to check if a particular port is listening for connections. I was thinking traceroute is used just to check IP connectivity, for which ICMP is sufficient.

Hi Rakesh,

You don’t have to use it. There are versions of traceroute that use ICMP, UDP or even TCP. Microsoft Windows uses ICMP by default; Linux and macOS use UDP by default.

Rene

Hi Rene,

I have a question on how R1 knows that R2 and R3 are the next hops once we type the traceroute 192.168.23.3 command. If the routing table in R1 points to R2, then would the routing table in R2 point to R3? Is this how R1 discovers the hops on its way to the destination?

Thanks
Palani

Palani,
A device doing a traceroute will learn about each hop along the way by careful use of the TTL (time to live) of the ICMP packet. For example, suppose you had a simple network like this:

Host - Router 1 - Router 2 - Router 3 - Server

The host is doing a trace to the server. The first thing it would do is set the TTL to 1. This means the ICMP packet is allowed to go one hop, and once the next hop device (Router 1 in this case) receives the packet, it decrements the TTL to 0. When this happens, the ICMP packet is not allowed to move any further, so Router 1 drops it. Router 1 then sends an ICMP message (Time Exceeded) back to the Host saying, “I dropped your packet because the TTL expired.” When the host receives this Time Exceeded ICMP message back from Router 1, it knows the details of Router 1 (since it received a packet from it).

Now, the Host repeats this trick, but increases the TTL of the ICMP packet to 2. The same process happens with Router 2. This technique will continue until finally the Server responds. At this point, the Host knows all the hops of the path.

Hi Rene,

Shouldn’t R3 reply with a type 0 and code 3, because in fact R3 was reachable?

Thanks,
Best regards,
Fernando

Hi Fernando,

This is a UDP traceroute and nothing is listening to port 33435 on R3. That’s why it reports it as “port unreachable”.

Rene

Hi Rene,

Thanks a lot!

Fernando

Hi Rene,

From the above explanation, I understand that traceroute on a Cisco router uses UDP, and once it reaches the destination, it sends a type 3 (destination unreachable, code port unreachable) ICMP message for a successful traceroute attempt. Am I right?
I have another query. The above traceroute is from a router to another router. Could you please clarify how traceroute would work from a PC host to another host?
PC1-R1-R2-R3-PC2.
I understood your explanation about the TTL incrementing on each hop; I just wanted to know, once it reaches the destination address, what message will it send? Is it an ICMP echo reply message?
Is my understanding correct? Please confirm.

Regards,
Durga

Durga,
You are correct in your understanding of Cisco’s use of UDP. Cisco picks a random destination UDP port, and once the packet arrives at the intended target, the target replies with a Type 3 ICMP message (Destination Unreachable) because it is likely that the target device does not have the randomly chosen UDP port open.

For your next question, it depends on what you mean by “PC.” If it is a Linux/Unix based operating system, it behaves the same as Cisco. If you are talking about a Windows PC, then instead of sending out a UDP payload, it sends out an ICMP Type 8 (Echo). The reason that Cisco/Unix/Linux do not do this is in case there is an intermediate firewall that filters on ICMP. In this case, the Windows tracert will not get through, but the Cisco/Unix/Linux probably would.

In the case of Windows, assuming there is no ICMP filtering, the target would respond with an ICMP Type 0 (echo reply).

Hi Andrew,

Thanks a lot for clarifying.

Regards,
Durga

Hi Rene,

I know that we cannot skip any layer of the OSI model, so what protocol do we use at layer 4 if we use ICMP Type 8 (echo request) or ICMP Type 0 (echo reply)? In the Wireshark captures above I didn’t see any layer 4 encapsulation. Can you please explain why?

Regards,
Hussein Samir

Hello Hussein!

ICMP is a Layer 3 protocol. It actually never reaches Layer 4. So Wireshark doesn’t display any Layer 4 encapsulation because there is none.

The encapsulation process starts at Layer 3, where source and destination IP addresses are assigned as usual, and the packet gets encapsulated at layer 2 (where Ethernet, MAC addresses and PPP live, to name a few) and is then placed on the medium. De-encapsulation occurs at the destination up to layer 3, where the source and destination IP addresses are read. The ICMP protocol adds a header AFTER the IP header with the additional information necessary for the protocol to function (echo request, echo reply, etc.). Once de-encapsulation occurs at layer 3, there are no more layers to de-encapsulate. The ICMP packet has done its job.

Notice that Wireshark, after the IP header, displays the ICMP header and its contents. It is important to note that this is not a Layer 4 header that is displayed, but it is an additional header on layer 3.

I hope this helps!

Laz


Thanks Lazaros, that is very useful information. I know that ICMP is a layer 3 protocol and that it adds a header after the IP header, and I also know that in the Wireshark captures the ICMP header is not layer 4 encapsulation, so my question was about the layer 4 function in ICMP (echo request, echo reply, etc.); in other words, what is the layer 4 protocol that we use in ICMP (echo request, echo reply, etc.)?

Hello Hussein.

ICMP has no layer 4 functionality because it is completely unaware of anything above layer 3. Layer 4 for ICMP does not exist. Both echo request and echo reply are functions that are included in the ICMP header which is on layer 3. If layer 4 were involved, you would see an additional header on Wireshark which would include ports, TCP or UDP information etc… So unless I misunderstand your question, ICMP, including echo requests and replies, does not use any layer 4 protocols, nor does it function AT ALL on layer 4.

I hope this has been helpful!

Laz

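To make the two answers above concrete, here is an added example of mine (not from the lesson or from Laz's posts) that builds two constructed packets in the lesson's addressing, an ICMP echo request and a UDP traceroute probe, and dissects them in the order Wireshark lists headers. The IPv4 protocol field is 1 for ICMP and 17 for UDP; for ICMP the bytes right after the 20-byte IP header are the 8-byte ICMP header itself (type, code, checksum, identifier, sequence number) with no port numbers anywhere, while the UDP probe carries a transport header with source and destination ports. Both the IP header and the ICMP message are covered by the RFC 1071 ones'-complement checksum, so the dissector can also tell a corrupted ICMP message from a good one. Addresses, identifiers, ports and payloads are made up for the example, not taken from a capture.

```python
# Added example: build and dissect IPv4+ICMP and IPv4+UDP packets to show where the headers sit.
# The packets are constructed for the example; addresses follow the lesson's topology.
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4, ICMP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of `payload`."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # checksum sits at bytes 10-11
    return hdr + payload


def build_icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8, code 0); this header follows the IP header directly."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST := 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + data), ident, seq) + data


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum left 0, which IPv4 permits) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dissect(packet: bytes) -> dict:
    """Return the headers found, layer by layer, the way Wireshark lists them."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers = {"ip": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                     "ttl": ttl, "proto": proto, "header_ok": checksum(packet[:ihl]) == 0}}
    body = packet[ihl:total_len]
    if proto == IPPROTO_ICMP:                         # next header is ICMP itself: no ports
        itype, code, _, ident, seq = struct.unpack("!BBHHH", body[:8])
        layers["icmp"] = {"type": itype, "code": code, "id": ident, "seq": seq,
                          "checksum_ok": checksum(body) == 0}
    elif proto == IPPROTO_UDP:                        # a transport header with ports
        sport, dport, length, _ = struct.unpack("!HHHH", body[:8])
        layers["udp"] = {"sport": sport, "dport": dport, "length": length}
    return layers


# Constructed sample packets (not a capture): a ping and a TTL-1 UDP traceroute probe, R1 -> R3.
PING = build_ipv4("192.168.12.1", "192.168.23.3", IPPROTO_ICMP,
                  build_icmp_echo(ident=0x0001, seq=1, data=b"abcdefgh"))
UDP_PROBE = build_ipv4("192.168.12.1", "192.168.23.3", IPPROTO_UDP,
                       build_udp(sport=51890, dport=33434, payload=b"\x00" * 12), ttl=1)

if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("udp probe", UDP_PROBE)):
        print(name, dissect(pkt))
```

The dissector never looks for a layer 4 header when the protocol field is 1; there is none to find. That is also why firewall rules for ICMP match on type and code (for example permitting type 11 and type 3 code 3 back in so a traceroute can complete) rather than on ports, while a rule for UDP traceroute probes matches on the destination port range.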

Thank you very much Lazaros. I know everything that you said except:
1 - Layer 4 for ICMP does not exist.
2 - ICMP, including echo requests and replies, does not use any layer 4 protocols, nor does it function AT ALL on layer 4.
So this means that layer 4 is skipped for ICMP, and that is contrary to what I have learned about the OSI model, that we can’t skip any layers, so I need to analyze or interpret this contradiction!