ICMP (Internet Control Message Protocol)

Hi Rene,

I know that we can not skip any layer of the OSI so what are the protocol that we use in layer 4 if we use ICMP Type 8 (echo request) or ICMP Type 0 (echo reply) ? in wireshark captures above I didn’t see any layer 4 encapsulation ? can you please explain why ?

Regards,
Hussein Samir

Hello Hussein!

ICMP is a Layer 3 protocol. It actually never reaches Layer 4. So Wireshark doesn’t display any Layer 4 encapsulation because there is none.

The encapsulation process starts at Layer 3, where source and destination IP addresses are assigned as usual, and gets encapsulated to layer 2 (where Ethernet, MAC addresses and PPP live to name a few) and then it is placed on the medium. Deencapsuation occurs at the destination up to layer three where the source and destination IP addresses are read. The ICMP protocol adds a header AFTER the IP header with additional information necessary for the protocol to function (echo request, echo reply etc). Once deencapsulation occurs at layer 3 there are no more layers to deencapsulate. The ICMP packet has done its job.

Notice that Wireshark, after the IP header, displays the ICMP header and its contents. It is important to note that this is not a Layer 4 header that is displayed, but it is an additional header on layer 3.

I hope this helps!

Laz

1 Like

Thanks Lazaros that very useful information, I know that ICMP is a layer 3 protocol and it’s adds a header after the IP header, as well as I know in wireshark captures the ICMP header is not layer 4 encapsulation, so my question was about the layer 4 function in the ICMP (echo request, echo reply etc), in the other word what is the layer 4 protocol that we use in ICMP (echo request, echo reply etc) ?

Hello Hussein.

ICMP has no layer 4 functionality because it is completely unaware of anything above layer 3. Layer 4 for ICMP does not exist. Both echo request and echo reply are functions that are included in the ICMP header which is on layer 3. If layer 4 were involved, you would see an additional header on Wireshark which would include ports, TCP or UDP information etc… So unless I misunderstand your question, ICMP, including echo requests and replies, does not use any layer 4 protocols, nor does it function AT ALL on layer 4.

I hope this has been helpful!

Laz

1 Like

Thank you very much lazaros I know everything that you said except :-
1 - layer 4 for ICMP does not exist.
2 - ICMP, including echo requests and replies, does not use any layer 4 protocols, nor does it function AT ALL on layer 4.
So this mean that layer 4 is skipped for ICMP, and that contrary to what I have learned about OSI model that we can’t skip any layers, so I need to analyze or interpret to this contradiction !!!

Hello Hussein.

You are correct when you say that you cannot skip an OSI layer when communicating on the network. However, we can BEGIN our communication at layer 3 and go down to layer 1. In this case we are not skipping layers 4-7. Let me express this in an example:

When you start an FTP file transfer from your computer, you are BEGINNING your communication at the Application layer, or layer 7. As you go down the OSI stack, you cannot skip layer 2 for example. MAC addresses must be placed in the L2 header and appropriate header information must be included. You can’t get to layer 1 otherwise. All 7 layers must be traversed because you’re starting from layer 7. It’s like getting in an elevator on the 7th floor and you want to go to the ground floor. You can’t skip floor 2!!

However, if you happen to be on the third floor, you can enter the elevator and go to the ground floor. You’re not skipping floors 7-4, you just happen to be starting at floor 3 and going down. That’s what ICMP is doing.

Similarly, ARP is a layer 3 protocol and does not know layers 4-7 exist as are all routing protocols (EIGRP, RIP, OSPF etc). CDP, VTP and LACP are examples of protocols that exist only on layer 2 and know nothing of upper layers.

Using the elevator analogy, you can see that we are not skipping layers, we are just getting on the elevator at a different “floor” to start our journey down.

I hope this has been helpful!

Laz

3 Likes

Great explanation, that’s very usefull to me, thank you again Lazaros.
One more question :-
If there are more than one host that pinging or telent to the same destination ( router for example ) that mean we have more than one session and that sessions are separate from each other ( layer 6 function ), if that’s right, so who is deal with this function if we started from layer 3 and layer 6 does not exsist !!??

Hello Hussein.

If you have two hosts pinging the same destination, you are not creating sessions. Sessions are created by TCP on layer 4 with a three way handshake, port numbers, windowing and other functionality. Here there are no sessions. There is just a series of packets that are sent from a host to the destination (the router in your example). Packets are responded to on a first come first serve basis regardless of which host they came from.

This detailed sequence may help:

Host A wants to send a ping (echo request) to IP address 10.10.10.1 (the router). The encapsulation process begins at layer 3 where the source IP address (10.10.10.2) and the destination IP address (10.10.10.1) are placed in the header. This is then encapsulated in a frame where source and destination MACs are placed in the frame header. This is then placed into the physical layer where information is converted to bits and those bits into electrical signals on the wire.

When these electrical signals reach the destination, deencapsulation begins. The frame header is read, source and destination MAC addresses are read and the device confirms that the frame belongs to it. Deencapsulation continues where the source and destination IP addresses are read in layer 3 as well as the ICMP header information where an echo request has been recorded. The device doesn’t deencapsulate any further because there are no additional headers to deencapsulate. No sessions are created as a result.

The router then creates an ICMP echo reply placing the appropriate information in the header, places IP addresses in the IP header, encapsulates to layer two with MAC addresses and placed on the physical layer to be sent over the wire.

The process is reversed at the host when the packet reaches its destination.

Keep in mind that layer 3 protocols (IP essentially) are connectionless. This means no session is created. The packets are sent and “forgotten” without any mechanism of tracking each individual one.

I hope this has been helpful!

Laz

1 Like

This is very clear explanation, now every thing is good for me, thank you very very much Lazaros.

Hello Hussein.

I’m glad it was helpful!

Laz

1 Like

Hi again Lazaros,
I have a small question about what you said to me before :-
“If you have two hosts pinging the same destination, you are not creating sessions. Sessions are created by TCP on layer 4 with a three way handshake, port numbers, windowing and other functionality”
You tell me that sessions are created by TCP on layer 4 and Rene explain in the introduction to the OSI Model lesson that session layer that holds this function, So can you please explain the relationship between what you said and what Rene said ??

Best regards,
Hussein samir

Hello Hussein.

That’s a very good question. The different use of terms can become confusing. First of all, when using protocols such as TCP/IP, we are actually using the TCP/IP protocol stack which has four layers: Network Access, Internet, Transport and Application. However, when we speak about the layers in which protocols function, we always use the OSI model. For example, we say “layer 3” (of the OSI) for the IP protocol, even though it’s “layer 2” in the TCP/IP model. For TCP and UDP, we say they function at layer 4 of the OSI even though they are at layer 3 of the TCP/IP protocol stack.

What makes it more confusing is the fact that for the Transport layer, TCP creates what is called a TCP session. This is not to be confused with the Session layer 5 of the OSI model. The session begins with a 3-way handshake between the two hosts that are communicating to signify the beginning of the session. Data is exchanged during the session and it ends with a four way handshake that terminates the session.

The Session layer of the OSI model isn’t actually used when using TCP, because TCP/IP does not follow the OSI model. To find out more about the Session layer of the OSI model, check this out: http://www.cisco.com/cpress/cc/td/cpress/fund/ith/ith01gb.htm#xtocid1668415. Keep in mind however, that in the world of TCP/IP, this layer is non existent.

I hope this has been helpful!

Laz

Your are amazing Lazaros because you have helped me in a lot of questions as well as your answer certainly been helpful for me thank you very much.

Hello Hussein.

I’m really glad I could be of help!

Laz

Hi Andrew,

In your reply to Durga “The reason that Cisco/Unix/Linux do not do this is in case there is an intermediate firewall that filters on ICMP. In this case, the Windows tracert will not get through, but the Cisco/Unix/Linux probably would.”

As an administrator i wont open any port until unless its necessary , All will be explicitely denied so How a UDP packet will cross my firewall.?

Ajay,
So to be clear here, we are talking about two types of devices: 1) The target of trace route and 2) the devices through which the trace route is travelling (for example, ISP equipment). For type #2 devices, there won’t be filtering on what kinds TCP or UDP ports will be allowed to pass across them (which is different than saying what kinds of TCP or UDP ports they will accept TO them). Although TCP and UDP traffic can almost always flow freely through an Internet provider’s network, sometimes ICMP is blocked by that ISP. This would break a trace route that depends solely on ICMP that attempts to traverse that provider’s network.

In your case, you are not a service provider. Your firewall would likely be a destination rather than a transit point for other Internet traffic, so it doesn’t matter that you block the UDP port. In fact, Cisco/Linux/Unix is betting that you have blocked it–that’s the point of picking a random UDP port. The UDP based trace route is expecting the port to be blocked so it gets the return path information.

Are we assuming in this case that both R1 and R3 have static routes in places to reach each others networks? I just wanted to clarify as I am confused why packets would know how to reach R3 and back and forth. It may sound a stupid question but please can you help.

Hello TAIMOOR

First of all there is no such thing as a stupid question. Secondly, yes, you are correct. R1 and R3 must have some sort of routing (either static or dynamic) to be able to find each other’s networks.

I hope this has been helpful!

Laz

19 posts were merged into an existing topic: ICMP (Internet Control Message Protocol)

Hi Laz,

Thank you for your explanation. It really helped me to understand how encapsulation happens. But I have a slightly different question. Can we start a communication from Layer-2? Just as we created ICMP packet from Layer-3 is there any way we can create a Frame from Layer-2 directly?

Thank you.