ICMP Packets: A Practical Analysis

Source: Internet
Author: User
Yesterday a friend who is studying network programming was vague about some of the protocols and concepts in TCP/IP and asked me to explain ICMP to him.
Rather than talk in the abstract, I captured an ICMP packet and analyzed it for him:

(The conceptual material comes first; it is basic and mandatory!)

An ICMP packet is carried inside an IP datagram: the IP header comes first, followed by the ICMP message.
An ICMP packet therefore consists of an IP header, an ICMP header, and the ICMP data (see the figure for the structure of an ICMP packet and several common ICMP message formats).
A Protocol value of 1 in the IP header indicates that the datagram carries ICMP. The type field in the ICMP header describes the role and format of the ICMP message,
and a code field further qualifies the message within its type. All data follows the ICMP header.
The RFC defines 13 ICMP message types, as follows:
(Think about it: look at the packets captured below and check which type and code appear. If I cannot ping the host, will there be ICMP packets?)


Type   Description

0      Echo reply
3      Destination unreachable
4      Source quench
5      Redirect
8      Echo request
11     Time exceeded
12     Parameter problem
13     Timestamp request
14     Timestamp reply
15     Information request (* obsolete)
16     Information reply (* obsolete)
17     Address mask request
18     Address mask reply


The information request and information reply messages (types 15 and 16) are obsolete.

Below are several common ICMP messages:

1. Echo request

The most commonly used messages are the echo request (type = 8) and echo reply (type = 0) behind Ping. A host sends an ICMP echo request (type = 8) to a node.
If nothing goes wrong (for example, a router discarding the packet, the target not responding to ICMP, or a transmission failure), the target returns an ICMP message of type = 0,
which shows that the host exists. Going a step further, tracert uses the hop count of ICMP packets to determine the network distance between the host and the target.


2. Destination unreachable, source quench and time exceeded

These three message types share the same format. The destination unreachable message (type = 3) is used when a router or host cannot deliver a datagram.
For example, if we try to connect to a system port that does not exist on the other side (a port number below 1024), an ICMP message with type = 3 and code = 3 is returned,
which tells us: "Hey, don't connect, I'm not at home!" Common unreachable codes are network unreachable (code = 0),
host unreachable (code = 1) and protocol unreachable (code = 2). Source quench plays a flow-control role:
it tells the host to reduce its datagram traffic. Because ICMP has no message to resume transmission, once the source quench messages stop the host gradually restores its sending rate.
Finally, the problem with a connectionless network is that a datagram may be lost, or may wander around the network for a long time without finding its target,
or congestion may prevent the host from reassembling the datagram's fragments within the allotted time. Any of these triggers the generation of an ICMP time exceeded message.
The code field of the time exceeded message takes two values: code = 0 means the transit time was exceeded, and code = 1 means fragment reassembly timed out.
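The layering described earlier (IP header, then ICMP header, then ICMP data, with Protocol = 1 marking ICMP), the type table, and the echo and destination unreachable messages just discussed, carried through in code. This is an added example, not code from the original post; the two packets it parses are constructed inline (the addresses, identifier, sequence number, payload and probe port are made up), and it verifies the IP header checksum and the ICMP checksum before trusting the type and code.

```python
import struct

# ICMP type names, following the table in the post.
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench", 5: "redirect",
    8: "echo request", 11: "time exceeded", 12: "parameter problem",
    13: "timestamp request", 14: "timestamp reply",
    15: "information request (obsolete)", 16: "information reply (obsolete)",
    17: "address mask request", 18: "address mask reply",
}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}
TIME_EXCEEDED_CODES = {0: "time to live exceeded in transit",
                       1: "fragment reassembly time exceeded"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; run over a correct packet it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum, plus payload."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(type_: int, code: int, rest: bytes, data: bytes = b"") -> bytes:
    """Type, code, checksum, 4 'rest of header' bytes, then data; the checksum covers all of it."""
    msg = struct.pack("!BBH", type_, code, 0) + rest + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_datagram(pkt: bytes) -> dict:
    """Walk IP header -> ICMP header -> ICMP data, the layering the post describes."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if proto != 1:                       # Protocol = 1 means ICMP
        raise ValueError("IP protocol %d is not ICMP" % proto)
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated ICMP message or bad ICMP checksum")
    type_, code = icmp[0], icmp[1]
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "type": type_, "code": code, "name": ICMP_TYPES.get(type_, "unknown")}
    if type_ in (0, 8):                  # echo: identifier and sequence number, then data
        info["id"], info["seq"] = struct.unpack("!HH", icmp[4:8])
        info["data"] = icmp[8:]
    elif type_ in (3, 11):               # unreachable / time exceeded quote the offending datagram
        codes = UNREACH_CODES if type_ == 3 else TIME_EXCEEDED_CODES
        info["reason"] = codes.get(code, "code %d" % code)
        inner = icmp[8:]                 # original IP header + first 8 bytes of its payload
        inner_ihl = (inner[0] & 0x0F) * 4
        info["inner_proto"] = inner[9]
        info["inner_dst"] = ".".join(map(str, inner[16:20]))
        if info["inner_proto"] in (6, 17):   # TCP/UDP: the 8 quoted bytes begin with the ports
            info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return info


# Constructed sample 1: an echo request like the first packet in the capture (addresses, id, seq, data made up).
ECHO_REQUEST = build_ipv4("192.168.1.10", "203.0.113.5", 1,
                          build_icmp(8, 0, struct.pack("!HH", 0x0100, 1), b"abcdefghijklmnopqrstuvwxyz"))

# Constructed sample 2: port unreachable (type 3, code 3) quoting a UDP probe that was sent to port 1023.
UDP_PROBE = build_ipv4("192.168.1.10", "203.0.113.5", 17, struct.pack("!HHHH", 40000, 1023, 8, 0))
PORT_UNREACHABLE = build_ipv4("203.0.113.5", "192.168.1.10", 1,
                              build_icmp(3, 3, b"\x00" * 4, UDP_PROBE[:28]))

if __name__ == "__main__":
    for pkt in (ECHO_REQUEST, PORT_UNREACHABLE):
        print(parse_icmp_datagram(pkt))
```

Feeding the parser the raw bytes of a captured datagram (for example exported from OmniPeek) gives the same dictionary; the port unreachable branch shows why that message type is useful to a defender: the quoted inner header names exactly which datagram the other side rejected.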


3. Timestamp

The timestamp request (type = 13) and timestamp reply (type = 14) messages are used to measure the time a datagram takes to travel between two hosts and back.
The sender fills in the originate timestamp when it transmits; on receiving the request, the receiver fills in its own timestamps and returns them in a type = 14 message,
from which the sender computes the time difference. Some systems do not respond to these messages.
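The time difference the sender computes, worked through on a type = 14 reply. This is an added example, not code from the original post: the reply bytes are constructed inline (identifier, sequence number and the three timestamps are made up, and the checksum field is left zero because only the timestamp arithmetic is shown here). ICMP timestamps are milliseconds since midnight UTC, so the example also handles the case where the exchange straddles midnight.

```python
import struct

MS_PER_DAY = 24 * 60 * 60 * 1000   # ICMP timestamps count milliseconds since midnight UTC


def parse_timestamp_reply(msg: bytes) -> tuple:
    """Return (identifier, sequence, originate, receive, transmit) from a type 14 ICMP message."""
    type_, code, _chk, ident, seq, originate, receive, transmit = struct.unpack("!BBHHHIII", msg[:20])
    if type_ != 14 or code != 0:
        raise ValueError("not a timestamp reply (type 14, code 0)")
    return ident, seq, originate, receive, transmit


def ms_delta(later: int, earlier: int) -> int:
    """Signed difference of two since-midnight timestamps, tolerating a wrap past 24:00 UTC."""
    d = (later - earlier) % MS_PER_DAY
    return d - MS_PER_DAY if d > MS_PER_DAY // 2 else d


def timing_from_reply(msg: bytes, arrival_ms: int) -> dict:
    """Round-trip time and clock offset from the three timestamps plus the local arrival time.

    originate: sender's clock when the request left
    receive:   responder's clock when the request arrived
    transmit:  responder's clock when the reply left
    arrival:   sender's clock when the reply arrived
    """
    ident, seq, originate, receive, transmit = parse_timestamp_reply(msg)
    # Total elapsed time on the sender's clock, minus the time the responder held the request.
    rtt = ms_delta(arrival_ms, originate) - ms_delta(transmit, receive)
    # Responder clock minus sender clock, assuming the two one-way delays are equal.
    offset = (ms_delta(receive, originate) + ms_delta(transmit, arrival_ms)) // 2
    return {"id": ident, "seq": seq, "rtt_ms": rtt, "offset_ms": offset}


# Constructed reply: request sent 30 ms before midnight on the sender's clock; the responder's
# clock runs 15 ms ahead, one-way delay is 45 ms each way and the responder took 5 ms to answer.
TIMESTAMP_REPLY = struct.pack("!BBHHHIII", 14, 0, 0, 0x1234, 1,
                              86_399_970,        # originate, 23:59:59.970
                              30,                # receive, 00:00:00.030 on the responder's clock
                              35)                # transmit, 00:00:00.035
ARRIVAL_MS = 65                                  # reply arrived at 00:00:00.065 on the sender's clock

if __name__ == "__main__":
    print(timing_from_reply(TIMESTAMP_REPLY, ARRIVAL_MS))
```

The arithmetic is the same as a Ping round trip except that the responder's processing time is subtracted, which is exactly what the receive and transmit fields exist for.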
So much for the theory. Below are the packets I captured locally with WildPackets OmniPeek while pinging from the command line:
1. Open WildPackets OmniPeek, click New, select ICMP under Filters, and click Start Capture on the right:
2. Click Start, then Run, and type cmd to open the command prompt:
3. At the prompt type ping www.qq.com and press Enter. As soon as one ping has been sent, stop it immediately with Ctrl+C. At this point OmniPeek shows two ICMP packets:
4. Back in OmniPeek there are two rows of records:
5. Double-click to open the first packet. Its content is as follows:

With that, a complete ICMP echo request packet is laid out in front of us.
6. Below is the reply packet returned by the host, the second packet captured (the two can be told apart by their source and destination IP addresses).
I will not explain every field of the packet one by one; compare the two packets side by side:

That is all there is to an ICMP packet. It is best to capture packets while you read the book; seeing them deepens the impression.
