ICMP (Internet Control Message Protocol)

Great explanation, that’s very usefull to me, thank you again Lazaros.
One more question :-
If there are more than one host that pinging or telent to the same destination ( router for example ) that mean we have more than one session and that sessions are separate from each other ( layer 6 function ), if that’s right, so who is deal with this function if we started from layer 3 and layer 6 does not exsist !!??

Hello Hussein.

If you have two hosts pinging the same destination, you are not creating sessions. Sessions are created by TCP on layer 4 with a three way handshake, port numbers, windowing and other functionality. Here there are no sessions. There is just a series of packets that are sent from a host to the destination (the router in your example). Packets are responded to on a first come first serve basis regardless of which host they came from.

This detailed sequence may help:

Host A wants to send a ping (echo request) to IP address (the router). The encapsulation process begins at layer 3 where the source IP address ( and the destination IP address ( are placed in the header. This is then encapsulated in a frame where source and destination MACs are placed in the frame header. This is then placed into the physical layer where information is converted to bits and those bits into electrical signals on the wire.

When these electrical signals reach the destination, deencapsulation begins. The frame header is read, source and destination MAC addresses are read and the device confirms that the frame belongs to it. Deencapsulation continues where the source and destination IP addresses are read in layer 3 as well as the ICMP header information where an echo request has been recorded. The device doesn’t deencapsulate any further because there are no additional headers to deencapsulate. No sessions are created as a result.

The router then creates an ICMP echo reply placing the appropriate information in the header, places IP addresses in the IP header, encapsulates to layer two with MAC addresses and placed on the physical layer to be sent over the wire.

The process is reversed at the host when the packet reaches its destination.

Keep in mind that layer 3 protocols (IP essentially) are connectionless. This means no session is created. The packets are sent and “forgotten” without any mechanism of tracking each individual one.

I hope this has been helpful!


1 Like

This is very clear explanation, now every thing is good for me, thank you very very much Lazaros.

Hello Hussein.

I’m glad it was helpful!


1 Like

Hi again Lazaros,
I have a small question about what you said to me before :-
“If you have two hosts pinging the same destination, you are not creating sessions. Sessions are created by TCP on layer 4 with a three way handshake, port numbers, windowing and other functionality”
You tell me that sessions are created by TCP on layer 4 and Rene explain in the introduction to the OSI Model lesson that session layer that holds this function, So can you please explain the relationship between what you said and what Rene said ??

Best regards,
Hussein samir

Hello Hussein.

That’s a very good question. The different use of terms can become confusing. First of all, when using protocols such as TCP/IP, we are actually using the TCP/IP protocol stack which has four layers: Network Access, Internet, Transport and Application. However, when we speak about the layers in which protocols function, we always use the OSI model. For example, we say “layer 3” (of the OSI) for the IP protocol, even though it’s “layer 2” in the TCP/IP model. For TCP and UDP, we say they function at layer 4 of the OSI even though they are at layer 3 of the TCP/IP protocol stack.

What makes it more confusing is the fact that for the Transport layer, TCP creates what is called a TCP session. This is not to be confused with the Session layer 5 of the OSI model. The session begins with a 3-way handshake between the two hosts that are communicating to signify the beginning of the session. Data is exchanged during the session and it ends with a four way handshake that terminates the session.

The Session layer of the OSI model isn’t actually used when using TCP, because TCP/IP does not follow the OSI model. To find out more about the Session layer of the OSI model, check this out: http://www.cisco.com/cpress/cc/td/cpress/fund/ith/ith01gb.htm#xtocid1668415. Keep in mind however, that in the world of TCP/IP, this layer is non existent.

I hope this has been helpful!


Your are amazing Lazaros because you have helped me in a lot of questions as well as your answer certainly been helpful for me thank you very much.

Hello Hussein.

I’m really glad I could be of help!


Hi Andrew,

In your reply to Durga “The reason that Cisco/Unix/Linux do not do this is in case there is an intermediate firewall that filters on ICMP. In this case, the Windows tracert will not get through, but the Cisco/Unix/Linux probably would.”

As an administrator i wont open any port until unless its necessary , All will be explicitely denied so How a UDP packet will cross my firewall.?

So to be clear here, we are talking about two types of devices: 1) The target of trace route and 2) the devices through which the trace route is travelling (for example, ISP equipment). For type #2 devices, there won’t be filtering on what kinds TCP or UDP ports will be allowed to pass across them (which is different than saying what kinds of TCP or UDP ports they will accept TO them). Although TCP and UDP traffic can almost always flow freely through an Internet provider’s network, sometimes ICMP is blocked by that ISP. This would break a trace route that depends solely on ICMP that attempts to traverse that provider’s network.

In your case, you are not a service provider. Your firewall would likely be a destination rather than a transit point for other Internet traffic, so it doesn’t matter that you block the UDP port. In fact, Cisco/Linux/Unix is betting that you have blocked it–that’s the point of picking a random UDP port. The UDP based trace route is expecting the port to be blocked so it gets the return path information.

Are we assuming in this case that both R1 and R3 have static routes in places to reach each others networks? I just wanted to clarify as I am confused why packets would know how to reach R3 and back and forth. It may sound a stupid question but please can you help.


First of all there is no such thing as a stupid question. Secondly, yes, you are correct. R1 and R3 must have some sort of routing (either static or dynamic) to be able to find each other’s networks.

I hope this has been helpful!


19 posts were merged into an existing topic: ICMP (Internet Control Message Protocol)

Hi Laz,

Thank you for your explanation. It really helped me to understand how encapsulation happens. But I have a slightly different question. Can we start a communication from Layer-2? Just as we created ICMP packet from Layer-3 is there any way we can create a Frame from Layer-2 directly?

Thank you.

Hi Rene,

Thank you for your amazing tutorials. I have few doubts and I am sorry if I have missed it in your explanation. You have mentioned that Cisco router will try multiple probes and we are restricting to one by mentioning probe =1.

  1. Does probe means the number of attempts?
    I did a “tracert” on cmd and it showed a list of hops to google’s dns server.

  2. Why R3 replies port 33435 as unreachable? Why is the port number increased on each attempt of traceroute? Same port number can exist on all hosts.

Hello Rosna

There are protocols that “live” at Layer 2 and do not go any higher on the OSI model. STP uses BPDUs which are layer 2 frames that are exchanged for the functionality of spanning tree protocol. ARP is an exclusively layer 2 protocol. Cisco Discovery Protocol (CDP) is also a layer 2 protocol. PPP and L2TP are also layer 2 protocols that exchange frames at layer 2 to function. All of these initiate communication at layer 2 and do not go higher on the OSI model.

I hope this has been helpful!


Hello again Rosna

In traceroute, a probe is the number of ICMP echo requests sent to each individual hop. So if a traceroute has 7 hops to the destination, the Cisco device will send three probes, or three ICMP echo requests to each of the 7 hops for a total of 21 ICMP echo requests. If you select one probe, a single ICMP request will be sent to each hop. You won’t actually see a difference in the traceroute output.

By default, Cisco begins its traceroute on port 33434. Each hop that it traverses, it increments the destination port by one. This is how the traceroute command has been designed. You can adjust the default starting destination port by using the extended traceroute commands.

You can find out more information about the traceroute command on Cisco devices at this Cisco documentation

I hope this has been helpful!


Thank you, Laz. I understood now.

Hi Liz, One last question on working of Traceroute. How the initial host (which generates icmp/ udp packets) knows that it has found the target? I mean what is special in a “Port Unreachable” message which makes it think that the packet has reached the destination. ( i. the corresponding port is not active on the destination ii. The packet is intended for it. Hence it sends port unreachable message, do I make sense???)

Hi rene

Can you please expalian me why we need 3 probes for traceroute as we can do it with 1 probe only…