I. Overview:
1. ICMP allows a host or router to report errors and other exceptional conditions. ICMP is a standard part of the Internet protocol suite, but it is not a high-level protocol: it is an IP-layer protocol. ICMP messages are generally used by the IP layer or by higher-level protocols (TCP or UDP); some ICMP messages return error reports to the user process.
2. An ICMP message is carried as the data of an IP datagram: an IP header is prepended to it to form the datagram that is sent out.
3. There are two kinds of ICMP messages: ICMP error report messages and ICMP query messages.
II. ICMP message format
1. Type: 8 bits
2. Code: 8 bits
3. Checksum: 16 bits
Note: The first four bytes of every ICMP message have the same layout; the remaining bytes differ.
4. The remaining fields depend on the ICMP message type.
1> The first four bytes of every ICMP message have a uniform format with three fields: type, code, and checksum.
2> The 8-bit type field and the 8-bit code field together determine the ICMP message type.
Type 8, code 0: echo request (Ping request)
Type 0, code 0: echo reply (Ping reply)
Type 11, code 0: time exceeded
3> The 16-bit checksum field covers the entire ICMP message, including the data. It is calculated the same way as the IP header checksum.
ICMP messages are divided into query messages and error messages. The distinction matters because ICMP error messages sometimes need special handling: for example, no ICMP error message is ever generated in response to an ICMP error message, since otherwise an endless loop would result.
III. ICMP error messages (56 bytes)
1. Five types of ICMP error report messages
1> Destination unreachable: network unreachable, host unreachable, protocol unreachable, port unreachable, fragmentation required but the DF bit set to 1, and source route failed. For these six cases the code field is set to 0 through 5 respectively. When any of the six conditions occurs, a destination unreachable message is sent to the source.
Note:
Port unreachable: one of the UDP rules is that if a UDP datagram arrives and its destination port does not correspond to any process in use, UDP returns an ICMP port unreachable message.
2> Source quench: when a router or host discards datagrams because of congestion, it sends a source quench message to the source so that the source knows it should slow down its datagram transmission rate.
3> Time exceeded: when a router receives a datagram whose time to live has reached zero, in addition to discarding the datagram it must also send a time exceeded message to the source. When the destination host cannot receive all fragments of a datagram within the specified time, it discards all the fragments received so far and sends a time exceeded message to the source.
4> Parameter problem: when a field in the header of a datagram received by a router or by the destination host has an incorrect value, the datagram is discarded and a parameter problem message is sent to the source.
5> Redirect (change route): a router sends a redirect message to a host so that the host knows to send subsequent datagrams to a different router.
Note:
ICMP error messages are not generated in the following situations:
1> an ICMP error message (an ICMP query message, however, may cause an ICMP error message to be generated)
2> an IP datagram whose destination address is a broadcast or multicast address
3> a datagram sent as a link-layer broadcast
4> a fragment other than the first fragment
5> a datagram whose source address does not identify a single host; that is, the source address may not be zero, a loopback address, a broadcast address, or a multicast address.
These rules prevent the broadcast storms that occurred in the past, when ICMP error messages were allowed in response to broadcast datagrams.
2. The data field of every ICMP error report has the same format: the IP header of the datagram being reported and the first eight bytes of its data field are copied in as the data field of the ICMP message; together with the ICMP header they make up the ICMP error report. Those first eight bytes of the original datagram's data field contain the transport-layer port numbers (for TCP and UDP) and the sending sequence number (for TCP).
Note: In this case, no ICMP error report message is sent.
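The decoder below is an added Python example, not code from the original article. It walks the error-report layout just described: the 8-byte ICMP header, then the embedded IP header of the offending datagram, then its first 8 bytes, from which the UDP or TCP ports (and the TCP sequence number) are recovered. It also applies the five suppression rules above to a received IPv4 datagram. The sample datagrams, addresses and port numbers are constructed for the example, their checksums are left at zero because the decoder does not verify them, and only the limited broadcast address is treated as broadcast (a simplifying assumption).

```python
import struct

# ICMP error-report types, as listed in the text (constructed lookup table)
ICMP_ERROR_TYPES = {
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    11: "time exceeded",
    12: "parameter problem",
}
# Code values 0..5 of the destination unreachable message
DEST_UNREACH_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed but DF set",
    5: "source route failed",
}


def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP error report: 8-byte ICMP header, then the offending
    datagram's IP header and the first 8 bytes of its data field."""
    if len(icmp) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _checksum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("type %d is not an ICMP error message" % icmp_type)
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("embedded IP header truncated")
    ihl = (inner[0] & 0x0F) * 4          # embedded header length in bytes (options included)
    if len(inner) < ihl + 8:
        raise ValueError("embedded datagram shorter than IP header + 8 bytes")
    protocol = inner[9]
    if icmp_type == 3:
        description = DEST_UNREACH_CODES.get(code, "unknown code")
    else:
        description = ICMP_ERROR_TYPES[icmp_type]
    info = {
        "type": icmp_type,
        "code": code,
        "description": description,
        "protocol": protocol,
        "src": ".".join(str(b) for b in inner[12:16]),
        "dst": ".".join(str(b) for b in inner[16:20]),
    }
    first8 = inner[ihl:ihl + 8]           # the 8 bytes of transport-layer data that were copied
    if protocol in (6, 17):               # TCP or UDP: source and destination ports come first
        info["src_port"], info["dst_port"] = struct.unpack("!HH", first8[:4])
        if protocol == 6:                 # TCP: the sequence number follows the ports
            info["tcp_seq"] = struct.unpack("!I", first8[4:8])[0]
    elif protocol == 1:                   # the offending datagram was itself ICMP
        info["inner_icmp_type"] = first8[0]
    return info


def should_send_icmp_error(ip_packet: bytes, link_layer_broadcast: bool = False) -> bool:
    """Apply the five suppression rules from the text to a received IPv4 datagram.
    Assumption: only 255.255.255.255 is recognised as a broadcast address; a real
    stack also checks subnet-directed broadcasts."""
    ihl = (ip_packet[0] & 0x0F) * 4
    fragment_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    protocol = ip_packet[9]
    src, dst = ip_packet[12:16], ip_packet[16:20]

    def not_unicast(addr: bytes) -> bool:
        return addr == b"\xff\xff\xff\xff" or 224 <= addr[0] <= 239

    if link_layer_broadcast:                                   # rule 3
        return False
    if fragment_offset != 0:                                   # rule 4
        return False
    if not_unicast(dst):                                       # rule 2
        return False
    if src == b"\x00\x00\x00\x00" or src[0] == 127 or not_unicast(src):  # rule 5
        return False
    if protocol == 1 and len(ip_packet) > ihl and ip_packet[ihl] in ICMP_ERROR_TYPES:
        return False                                           # rule 1: never answer an error with an error
    return True


def build_ipv4_header(src: bytes, dst: bytes, protocol: int, total_length: int,
                      fragment_offset: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header for the constructed samples (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       fragment_offset & 0x1FFF, 64, protocol, 0, src, dst)


HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
# Constructed UDP datagram A -> B, port 40000 -> 33434, with a 4-byte payload
UDP_HEADER = struct.pack("!HHHH", 40000, 33434, 8 + 4, 0)
SAMPLE_UDP_DATAGRAM = build_ipv4_header(HOST_A, HOST_B, 17, 20 + 12) + UDP_HEADER + b"data"
# Constructed port unreachable (type 3, code 3) that B would send back to A:
# 8-byte ICMP header (checksum left 0) + A's IP header + first 8 bytes of A's data
SAMPLE_PORT_UNREACH = struct.pack("!BBHI", 3, 3, 0, 0) + SAMPLE_UDP_DATAGRAM[:28]

if __name__ == "__main__":
    print(parse_icmp_error(SAMPLE_PORT_UNREACH))
    print(should_send_icmp_error(SAMPLE_UDP_DATAGRAM))
```

Because the embedded header length is taken from the IHL field rather than assumed to be 20, the decoder also handles an offending datagram that carried IP options.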
IV. ICMP query messages (40 bytes)
1. There are four types of ICMP query messages: echo request and reply, timestamp request and reply, address mask request and reply, and router solicitation and advertisement.
1> An ICMP echo request is a query sent by a host or router to a specific destination host. The machine that receives it must send an ICMP echo reply back to the source. This query is used to test whether the destination is reachable and to learn its status.
2> The ICMP timestamp request lets a system ask another system for the current time. Its advantage is millisecond resolution, whereas other ways of obtaining the time from another host offer only second resolution. The requester fills in the originate timestamp and sends the message; the receiving system fills in the receive timestamp when the request arrives and the transmit timestamp when it sends the reply. Most implementations set these two fields to the same value.
3> A host uses the ICMP address mask request to obtain the subnet mask of one of its interfaces from a subnet mask server. The system broadcasts its ICMP request. The identifier and sequence number fields in the ICMP message are set by the sender and returned unchanged in the reply, so that the sender can match each reply to its request.
4> A host uses ICMP router solicitation and advertisement messages to check whether the routers attached to its network are working normally. The host broadcasts (or multicasts) a router solicitation; when one or more routers receive it, they broadcast their routing information in router advertisement messages.
V. Ping program
1. Overview
1> The Ping program tests whether another host is reachable. It sends an ICMP echo request to that host and waits for the ICMP echo reply to come back.
2> The Ping program can also measure the round-trip time to the host, which shows how far away the host is from us.
2. The Ping program that sends the echo request is called the client, and the host being pinged is called the server.
3. ICMP echo request and echo reply message format:
1> UNIX implementations of Ping set the identifier field of the ICMP message to the ID of the sending process. This way, even when several instances of Ping run on the same host at once, each can recognise the replies that belong to it.
2> The sequence number starts at 0 and is incremented by 1 each time a new echo request is sent. Ping prints the sequence number of each returned packet, which lets us see whether packets were lost, reordered, or duplicated.
3> Ping calculates the round-trip time by storing the send time in the data portion of the ICMP message. When the reply comes back, the current time minus the time value carried in the message gives the round-trip time.
4> When an ICMP echo reply is received, Ping prints its sequence number and TTL and calculates the round-trip time. The TTL comes from the TTL field of the IP header of the reply.
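The script below is an added Python example and is not code from the original article. It ties together the message format of section II (the 4-byte common header and the checksum computed over the whole message, in the same way as the IP header checksum) with the Ping mechanics just described: the identifier taken from the process ID, a sequence number that starts at 0 and increments, the send time stored in the data field, the round-trip time obtained by subtracting it from the current time, and classification of replies as lost (gap), reordered, or duplicated. The server side of the exchange is simulated by make_echo_reply, so no raw socket is needed; the 8-byte timestamp encoding, the class and function names, and the timing values are assumptions of the example.

```python
import os
import struct
import time
from typing import Optional, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0   # type values from the text; code is 0 for both


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, the same algorithm used for the IP header.
    Odd-length input is padded with a zero byte for the computation."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_common_header(msg: bytes) -> Tuple[int, int, int]:
    """The four bytes every ICMP message starts with: type, code, checksum."""
    return struct.unpack("!BBH", msg[:4])


def checksum_ok(msg: bytes) -> bool:
    """Summing a correctly checksummed message (header + data) yields zero."""
    return internet_checksum(msg) == 0


def build_icmp(icmp_type: int, identifier: int, sequence: int, data: bytes) -> bytes:
    """Type, code 0, checksum, identifier, sequence, then data; checksum computed with the field at 0."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = internet_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + data


def build_echo_request(identifier: int, sequence: int, send_time: float, payload: bytes = b"") -> bytes:
    """The data field starts with the send time (8-byte float, an assumption of this example)."""
    return build_icmp(ECHO_REQUEST, identifier, sequence, struct.pack("!d", send_time) + payload)


def make_echo_reply(request: bytes) -> bytes:
    """Server side: same identifier, sequence and data, type changed to echo reply."""
    _, _, _, identifier, sequence = struct.unpack("!BBHHH", request[:8])
    return build_icmp(ECHO_REPLY, identifier, sequence, request[8:])


class PingClient:
    """Client side: process-id identifier, sequence counter, RTT and loss/reorder/duplicate tracking."""

    def __init__(self, identifier: Optional[int] = None):
        pid = os.getpid() if identifier is None else identifier
        self.identifier = pid & 0xFFFF       # the identifier field is 16 bits wide
        self.next_seq = 0
        self.highest_seq = -1                # no wrap-around handling; fine for short runs
        self.seen = set()

    def next_request(self, now: float, payload: bytes = b"") -> bytes:
        seq = self.next_seq
        self.next_seq = (self.next_seq + 1) & 0xFFFF
        return build_echo_request(self.identifier, seq, now, payload)

    def handle_reply(self, msg: bytes, now: float, ttl: int) -> Optional[dict]:
        """Returns None for corrupt messages, non-replies, and replies to other Ping instances."""
        if len(msg) < 16 or not checksum_ok(msg):
            return None
        icmp_type, _code, _csum, identifier, seq = struct.unpack("!BBHHH", msg[:8])
        if icmp_type != ECHO_REPLY or identifier != self.identifier:
            return None
        send_time = struct.unpack("!d", msg[8:16])[0]
        if seq in self.seen:
            status = "duplicate"
        elif seq < self.highest_seq:
            status = "out-of-order"
        elif seq > self.highest_seq + 1:
            status = "gap"                   # earlier sequence numbers missing (lost or still in flight)
        else:
            status = "ok"
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        return {"seq": seq, "ttl": ttl, "rtt_ms": (now - send_time) * 1000.0, "status": status}


if __name__ == "__main__":
    client = PingClient()
    request = client.next_request(time.time(), b"example")
    reply = make_echo_reply(request)         # stand-in for the network round trip
    print(parse_common_header(request), client.handle_reply(reply, time.time(), ttl=64))
```

The checksum is verified before the identifier is compared, so a reply damaged in transit is dropped rather than producing a bogus round-trip time; the TTL is passed in by the caller because, as the text notes, it lives in the IP header rather than in the ICMP message.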
ICMP Packet Analysis