I. Overview:
1. ICMP allows hosts and routers to report errors and provides information about exceptional conditions. ICMP is an Internet standard protocol, but it is not a higher-layer protocol: it belongs to the IP layer. ICMP messages are generally consumed by the IP layer itself or by higher-layer protocols (TCP or UDP); some ICMP messages are passed up as error reports to user processes.
2. An ICMP message is carried as the data of an IP datagram: an IP header is prepended to it and the resulting datagram is sent out.
3. There are two classes of ICMP messages: ICMP error report messages and ICMP query messages.
II. ICMP message format
1. Type: 8 bits
2. Code: 8 bits
3. Checksum: 16 bits
Note: The first four bytes of every ICMP message have the same layout; the remaining bytes differ from one message type to another.
4. All other fields depend on the ICMP message type.
1> The first four bytes of an ICMP message have a uniform format with three fields: type, code, and checksum.
2> The 8-bit type and the 8-bit code field together determine the kind of ICMP message. For example:
Type 8, code 0: echo request (the request sent by Ping)
Type 0, code 0: echo reply (the response to Ping)
Type 11, code 0: time exceeded (TTL reached zero in transit)
3> The 16-bit checksum covers the entire ICMP message, including the data. It is computed the same way as the IP header checksum (the 16-bit ones' complement of the ones' complement sum of the message), but because it also covers the data, a change anywhere in the ICMP message is detected, not only in the header.
ICMP messages are divided into query messages and error messages. The distinction matters because error messages sometimes need special handling: for example, an ICMP error message is never generated in response to another ICMP error message, otherwise two hosts could keep reporting errors about each other's error reports in an endless loop.
III. ICMP error messages (56 bytes: a 20-byte IP header, the 8-byte ICMP header, the offending datagram's 20-byte IP header and the first 8 bytes of its data)
1. The five types of ICMP error report messages
1> Destination unreachable: network unreachable, host unreachable, protocol unreachable, port unreachable, fragmentation needed but the DF (don't fragment) bit is set, and source route failed. These six cases correspond to code values 0 to 5. When any of them occurs, a destination unreachable message is sent back to the source.
Note:
Port unreachable: one of the rules of UDP is that when a UDP datagram arrives and no process is bound to its destination port, UDP returns an ICMP port unreachable message.
2> Source quench: when a router or host discards a datagram because of congestion, it sends a source quench message to the source so that the source knows it should slow down its transmission rate.
3> Time exceeded: when a router receives a datagram whose time to live (TTL) has reached zero, it discards the datagram and also sends a time exceeded message to the source. When the destination host cannot receive all the fragments of a datagram within a set time, it discards the fragments already received and sends a time exceeded (fragment reassembly) message to the source.
4> Parameter problem: when a router or the destination host finds that a field in the header of a received datagram has an invalid value, it discards the datagram and sends a parameter problem message to the source.
5> Redirect (route change): a router sends a redirect message to a host so that the host knows to send later datagrams for that destination to a different router.
Note:
An ICMP error message is not generated in the following situations:
1> In response to an ICMP error message (an ICMP query message, however, may cause an ICMP error message to be generated).
2> For an IP datagram whose destination address is a broadcast or multicast address.
3> For a datagram that arrived as a link-layer broadcast.
4> For any fragment other than the first.
5> For a datagram whose source address does not identify a single host; that is, the source address must not be zero, a loopback address, a broadcast address, or a multicast address.
These rules exist to prevent broadcast storms: if ICMP errors were sent in response to broadcast or multicast datagrams, every receiver would answer at once and flood the source.
2. The data field of every ICMP error report has the same format: the IP header of the datagram being reported on, followed by the first eight bytes of that datagram's data, are copied into the data field of the ICMP message; together with the 8-byte ICMP header they form the ICMP error report message. The first eight bytes of the original data field contain the transport-layer port numbers (for TCP and UDP) and the send sequence number (for TCP), so the host that receives the error can tell which process and which connection it concerns.
Note: If the datagram being reported on is itself an ICMP error message, no ICMP error report is sent (see the rules above).
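The following Python is an added example, not code from the original article: it implements the rules above for deciding whether a received IP datagram may trigger an ICMP error, and it parses an ICMP error message to recover the quoted IP header and the first eight bytes of data (ports, and the TCP sequence number). All packets are constructed inline, not captured; the IP header checksum and the ICMP checksum are left at zero and are not verified here, and only the limited broadcast 255.255.255.255 is treated as a broadcast destination (a subnet-directed broadcast would need the interface mask, which this example does not model).

```python
import socket
import struct

# ICMP types that are error messages (destination unreachable, source quench,
# redirect, time exceeded, parameter problem). An error is never generated in
# response to one of these; query types such as echo request (8) may trigger one.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_ipv4(src, dst, proto, payload, ident=1, frag_offset=0, ttl=64):
    """Constructed IPv4 datagram without options (IHL = 5). The header checksum
    is left at zero because nothing in this example verifies it."""
    total_len = 20 + len(payload)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, ident,
                      frag_offset & 0x1FFF, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def is_unicast_source(addr):
    """Source must be a single host: not 0.0.0.0, loopback, limited broadcast or multicast."""
    b = socket.inet_aton(addr)
    if b == b'\x00\x00\x00\x00' or b == b'\xff\xff\xff\xff':
        return False
    return b[0] != 127 and not 224 <= b[0] <= 239


def may_send_icmp_error(datagram, link_broadcast=False):
    """Apply the five rules for when an ICMP error may be generated in response
    to a received datagram. link_broadcast is supplied by the caller because the
    IP bytes alone cannot show how the frame was addressed on the link."""
    ihl = (datagram[0] & 0x0F) * 4
    proto = datagram[9]
    frag_offset = struct.unpack('!H', datagram[6:8])[0] & 0x1FFF
    src = socket.inet_ntoa(datagram[12:16])
    dst = datagram[16:20]
    if proto == PROTO_ICMP and datagram[ihl] in ICMP_ERROR_TYPES:
        return False  # rule 1: never answer an ICMP error with an ICMP error
    if dst == b'\xff\xff\xff\xff' or 224 <= dst[0] <= 239:
        return False  # rule 2: broadcast or multicast destination
    if link_broadcast:
        return False  # rule 3: arrived as a link-layer broadcast
    if frag_offset != 0:
        return False  # rule 4: not the first fragment
    if not is_unicast_source(src):
        return False  # rule 5: source address is not a single host
    return True


def quote_offending(datagram):
    """The data field of every ICMP error: the offending IP header plus the first
    8 bytes of its data (enough for the transport ports and a TCP sequence number)."""
    ihl = (datagram[0] & 0x0F) * 4
    return datagram[:ihl + 8]


def parse_icmp_error(icmp):
    """Decode an ICMP error message: type, code, checksum, 4 unused bytes, then the
    quoted datagram. Returns who the offending datagram belonged to. The ICMP
    checksum is not verified in this example."""
    typ, code = icmp[0], icmp[1]
    if typ not in ICMP_ERROR_TYPES:
        raise ValueError('type %d is not an ICMP error message' % typ)
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4          # honour IP options in the quoted header
    data = inner[ihl:ihl + 8]
    info = {'type': typ, 'code': code, 'proto': inner[9],
            'src': socket.inet_ntoa(inner[12:16]),
            'dst': socket.inet_ntoa(inner[16:20])}
    if info['proto'] in (PROTO_TCP, PROTO_UDP) and len(data) >= 4:
        info['sport'], info['dport'] = struct.unpack('!HH', data[:4])
    if info['proto'] == PROTO_TCP and len(data) >= 8:
        info['seq'] = struct.unpack('!I', data[4:8])[0]
    return info


def demo():
    """Constructed samples (not captured traffic): a UDP datagram to a closed port
    answered with port unreachable (type 3, code 3), and a TCP segment whose TTL
    expired, answered with time exceeded (type 11, code 0)."""
    udp = build_ipv4('10.0.0.1', '10.0.0.2', PROTO_UDP,
                     struct.pack('!HHHH', 40000, 9999, 8, 0))
    port_unreach = struct.pack('!BBHI', 3, 3, 0, 0) + quote_offending(udp)
    tcp = build_ipv4('10.0.0.1', '10.0.0.9', PROTO_TCP,
                     struct.pack('!HHII', 51000, 443, 0xDEADBEEF, 0))
    ttl_exceeded = struct.pack('!BBHI', 11, 0, 0, 0) + quote_offending(tcp)
    return parse_icmp_error(port_unreach), parse_icmp_error(ttl_exceeded)


if __name__ == '__main__':
    for info in demo():
        print(info)
```

Because only the first eight bytes of the original data are quoted, a receiver can always recover UDP/TCP ports and a TCP sequence number, but nothing beyond that; a host that gets a port unreachable matches it to the socket by those ports, which is exactly how UDP applications learn that their destination port is closed.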
IV. ICMP query messages (40 bytes)
1. There are four types of ICMP query messages: echo request and reply, timestamp request and reply, address mask request and reply, and router solicitation and advertisement.
1> An ICMP echo request is a query sent by a host or router to a specific destination host. The host that receives it must send an ICMP echo reply back to the source. This query is used to test whether the destination is reachable and to learn its status.
2> The ICMP timestamp request lets a system ask another system for the current time. The advantage of this message is that it provides millisecond resolution, whereas other ways of obtaining the time from another host give only second resolution. The requester fills in the originate timestamp and sends the message; the receiving system fills in the receive timestamp when the request arrives and the transmit timestamp when it sends the reply. Most implementations set these last two fields to the same value.
3> A host uses the ICMP address mask request to obtain the subnet mask of an interface from an address mask server. The system broadcasts its ICMP request. The identifier and sequence number fields in the ICMP message can be set arbitrarily by the sender; the same values are returned in the reply, so the sender can match replies to requests.
4> A host uses ICMP router solicitation and router advertisement messages to find out whether the routers attached to its network are working. The host broadcasts (or multicasts) a router solicitation; when one or more routers receive it, they broadcast their routing information in router advertisement messages.
V. The Ping program
1. Overview
1> The Ping program tests whether a host is reachable. It sends an ICMP echo request to the host and waits for the ICMP echo reply to come back.
2> The Ping program can also compute the round-trip time to the host, which gives an idea of how far away the host is.
2. The Ping program that sends the echo request is called the client, and the host being pinged is the server.
3. ICMP echo request and echo reply message format:
1> Ping implementations on UNIX systems set the identifier field of the ICMP message to the process ID of the sending process. This way, even when several instances of Ping run on the same host at the same time, each one can recognise its own replies.
2> The sequence number starts at 0 and is incremented by 1 for each new echo request sent. Ping prints the sequence number of every reply it receives, which lets the user see whether packets were lost, reordered, or duplicated.
3> Ping computes the round-trip time by storing the send time in the data portion of the ICMP message. When the reply comes back, the current time minus the time value carried in the reply is the round-trip time.
4> When an ICMP echo reply arrives, Ping prints the sequence number and the TTL and computes the round-trip time. The TTL comes from the TTL field of the IP header of the reply.
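As an added example that is not code from the original article, the following Python ties together the message format from section II (type, code, checksum, identifier, sequence) and the Ping behaviour described in this section: identifier taken from the process ID, sequence numbers starting at 0, the send time carried in the data field so the round-trip time can be computed from the reply alone, and detection of lost, reordered and duplicated replies. Assumptions: the pinged host's kernel is simulated by a function that turns a request into a reply and recomputes the checksum, the send time is stored as an 8-byte float rather than the struct timeval real ping uses, and no raw socket is opened, so the example runs without privileges.

```python
import os
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data):
    """RFC 1071 Internet checksum over the whole ICMP message (header + data);
    the same algorithm is used for the IP header checksum."""
    if len(data) % 2:
        data += b'\x00'                       # pad for summing only; not sent
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(typ, ident, seq, data):
    """Encode an ICMP echo message: type, code 0, checksum, identifier, sequence, data."""
    hdr = struct.pack('!BBHHH', typ, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)
    return struct.pack('!BBHHH', typ, 0, csum, ident, seq) + data


def parse_echo(msg):
    """Decode an ICMP echo message after verifying its checksum: summing a valid
    message together with its checksum field gives 0."""
    if len(msg) < 8:
        raise ValueError('short ICMP message')
    if inet_checksum(msg) != 0:
        raise ValueError('bad ICMP checksum')
    typ, code, _csum, ident, seq = struct.unpack('!BBHHH', msg[:8])
    return {'type': typ, 'code': code, 'id': ident, 'seq': seq, 'data': msg[8:]}


def echo_responder(request):
    """Stand-in for the pinged host's kernel: answer an echo request with an echo
    reply that keeps identifier, sequence and data, with a fresh checksum."""
    req = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, req['id'], req['seq'], req['data'])


class Pinger:
    """Client side of ping. ident defaults to the process ID (masked to 16 bits);
    clock is injectable so round-trip times are reproducible in tests."""

    def __init__(self, ident=None, clock=time.time):
        self.ident = (os.getpid() if ident is None else ident) & 0xFFFF
        self.clock = clock
        self.next_seq = 0      # sequence numbers start at 0 and increase by 1
        self.seen = set()      # sequence numbers for which a reply has arrived
        self.expected = 0      # next sequence number expected in order

    def make_request(self, payload_len=56):
        """Build the next echo request; the first 8 data bytes carry the send time."""
        sent_at = struct.pack('!d', self.clock())
        data = sent_at + bytes(range(payload_len - 8))
        msg = build_echo(ICMP_ECHO_REQUEST, self.ident, self.next_seq, data)
        self.next_seq += 1
        return msg

    def handle_reply(self, msg):
        """Return {'seq', 'rtt', 'status'} for one of our replies, or None when the
        reply belongs to another ping process. status is 'ok', 'dup' or 'reordered'."""
        rep = parse_echo(msg)
        if rep['type'] != ICMP_ECHO_REPLY or rep['id'] != self.ident:
            return None
        sent_at = struct.unpack('!d', rep['data'][:8])[0]
        rtt = self.clock() - sent_at
        seq = rep['seq']
        if seq in self.seen:
            status = 'dup'
        elif seq < self.expected:
            status = 'reordered'
        else:
            status = 'ok'
        self.seen.add(seq)
        self.expected = max(self.expected, seq + 1)
        return {'seq': seq, 'rtt': rtt, 'status': status}

    def lost(self):
        """Sequence numbers sent so far that never received a reply."""
        return sorted(set(range(self.next_seq)) - self.seen)


def demo():
    """Constructed exchange: four requests; replies for 0, 2, 1 (reordered) and 2
    again (duplicate) arrive 20 ms later; request 3 is never answered."""
    clock = [100.0]
    p = Pinger(ident=0x1234, clock=lambda: clock[0])
    requests = [p.make_request() for _ in range(4)]
    clock[0] += 0.020
    results = [p.handle_reply(echo_responder(requests[i])) for i in (0, 2, 1, 2)]
    return results, p.lost()


if __name__ == '__main__':
    results, lost = demo()
    for r in results:
        print('seq=%d rtt=%.1f ms %s' % (r['seq'], r['rtt'] * 1000, r['status']))
    print('lost:', lost)
```

A real implementation sends these bytes on a raw ICMP socket and reads replies from it; everything else (matching on the identifier, tracking sequence numbers, subtracting the embedded timestamp) is the logic shown here. Carrying the timestamp in the data field also means a host that truncates or alters the data would corrupt the RTT, which the checksum check in parse_echo catches.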