Internet Control Message Protocol

Words, as always, pose a problem. When people talk about TCP/IP protocols, they say that The Internet is based on then. Now, this is a misnomer for the very simple reason that when people say that the Internet is based on the TCP/IP, what they really mean is the Internet Protocol suite of which TCP and IP are two components. There is also another extremely important component called the ICMP: the Internet Control Message Protocol. Now, a protocol is nothing but a set of rules. Within the Internet Protocol, data is carried by the TCP, UDP etc. We however also need something to tell us whether the part of the Internet we are connected to or want to access is in working condition or not. This is done by ICMP. Thus all that ICMP does is perform diagnostic tasks on the Internet, and is not used to carry any data. In this sense, the structure of ICMP is a lot like IP. In fact, ICMP is always carried by the IP or encapsulated within the IP data packets.

Normally ICMP is used and implemented more in routers than in individual computers on the Internet. On the other hand, TCP is implemented in the individual computers and not in routers. ICMP is an extremely simplistic protocol. The first four bytes of any ICMP message always have the same format. The rest of the message depends upon the version of IP being used. ICMP is closely tied to IP. The new version of IP, IPv6 has a completely new ICMP protocol. The reason ICMP changes with every version of IP is because it deals with IP and routing error messages most of the time and when the base technology evolves, ICMP has to mutate to keep up.

The ICMP protocol is quite simple. In the present format the first byte is a number that tells us the Type of the ICMP packet. The second byte is called Code. From a combination of Type and Code, we can determine the exact nature of any problem on the Internet. These two bytes are followed by two bytes used for Checksum which is calculated taking into account the entire ICMP packet.

The best way to understand ICMP, is to understand the working of two programs which we wrote using ICMP. These programs are called Ping and Traceroute and we've done these in the WinSock tutorial.

The Ping program first creates a normal healthy IP header and it adds the ICMP headers to that. The Protocol field in the IP header is set to 1 to indicate that the packet is an ICMP datagram.

The ICMP header looks like this:

TypeCodeChecksumChecksum   id      id   seqnoseqnoOptional Data for the Type


In a Ping program, the first ICMP packet starts off with an 8 which stands for 'Echo Request'. This means we're asking the destination server to Echo the packet back to us when it receives it. In this way we can both time the packet and check the reliability of the link. This first byte is known as the Type Field.

The next byte is a zero and stands for the Code.

After that come two bytes for the Checksum and right after that come another two bytes for the IDentification number. The ID has to be unique, so most UNIX boxes set the ID's to the number of the current process.

The next two bytes constitute the Sequence Number.

Finally, we can add any optional data if we so desire. The data added will be echoed back to us so that we can check the reliability of the line. The optional data MUST NOT be more than 64 KB in size or the machine at the other end may hang!! This is known as the Ping of Death and it occurs when we send more than 64 Kb of data (the upper limit specified in the ICMP RFC). The extra data we send exceeds the size of the buffers and often ends up overwriting other information in memory. This causes the machine at the other end to do all sorts of strange and interesting things! This programming bug is specific to certain Operating Systems only.

Once we're through creating both the headers and the packet, we shoot is across to the router or server we want to test. If the machine at the other end is up, it responds immediately. When it receives an ICMP Echo Request, it'll respond with an ICMP Echo Reply. While generating the reply, the computer will simply swap the source and destination IP addresses in the IP header and replace the 8 in the ICMP Type Field with a 0 (for Echo Reply). It'll then slap in the optional data it's received (if any) and recalculate all the checksums. The reply will then be shot back to us.

When we receive the packet, we store the time and compare that with the time the Echo Request was sent. In this way we can calculate the round trip time of the packet. We can also check the data for changes and gauge the dependability of the link

The method we used to create the Ping program in the basic WinSock tutorial used WinSock functions. We really don't have much control over the packet that way and all we did was supply the functions with adquate data and let them do all the work. There is a way around this limitation however and it's called RAW Sockets. Raw Sockets enable you to manipulate parts of the packet headers. Unfortunatly, Microsoft's TCP/IP stack (The WinSock) doesn't allow you to create raw sockets. If you really want to, you can use Trumpet Winsock and the SOCK_RAW option to make your own raw sockets. Try it.

Another way out would be sending the raw bytes yourself over the Ethernet or the phonelines taking care of the headers and many more details involved i.e working at the Data Link Layer. Have a look at the programs we have written where we have adopted this technique.


A traceroute is just a modified Ping program. There is a one byte field in the IP header called the Time To Live or TTL. This field holds the largest number of routers that particular packet can meet on the way to it's destination. This field was implemented to make sure that a packet that went AWOL wouldn't end up wandering the Internet forever. So if the value of the TTL is 10, then the packet see's only 9 routers. That's because each router decrements the value in the TTL field and when the nineth router gets the packet, it decrements the TTL by one (1-1=0) and then discards it when it see's that the TTL's zero. When the packet is discarded, the router sends us a 'TTL Expired' ICMP error message (the Type Field is 11).

If we were to set the TTL to 1 and then dispatch a packet to a server like, it'll be dropped by the first router in it's path (TTL - 1=0). That router will then send us a TTL Expired message. From that error message we can discover the identity (the IP address) of the router and from the IP address we can get the name of that machine. The next packet we send will have a TTL of 2 and will be dropped by the second router, which will then dispatch an error message and so on till the packet reaches the server. The server will see that the ICMP packet is an Echo Request and it'll send us an Echo Reply. In this way we can trace the exact route our packets will take to and fro from a certain site. The bytes received when we generated the packet explains all that there is to understand traceroute.

Another way of doing the same thing is to turn on a little known options in the IP header. This option is a request to all the routers the packet meets, to place their IP address in the IP header. However, an IP header can be only 60 bytes long and since the header data takes up 20 bytes, the maximum number of IP address that can be stored is 10. Conversely, we can specify the exact route that a packet should take. We can have Strict routing in which the packet must follow the specified route or face extinction. If the packet cannot follow the route, the last router on it's specified route sends us an error message.Check out the programs where we generate a packet having the IP header of 60 bytes and follows strict routing.

Loose Routing on the other hand, is far more flexible. Instead of specifying all the routers, only the routers at both ends and maybe a couple in-between are stated. It's up to the intervening routers to decide the rest of the packet route.

The general consensus among Internet proffesionals is that Strict and Loose routing are much to dangerous. These options can be used to bypass a Firewall (a router which stops unauthorised IP packets), by routing packets around it. However, these options can also be used to bypass a slow link in the router chain or a busy router and speed up the connection.

Another possible use of ICMP is to retrieve Subnet masks from remote mahines.IP addresses we're originally cut up into three Classes, Class A, Class B and Class C (Read all about it here). A part of the bits in the IP address were decided by IANA adb the rest by us. The first portion was called the Network portion and the part under our control was called the Host portion.

By using a subnet mask we can hide the details of our network from external routers and increase efficiancy. Infact, the subnet mask is of more importance to routers than individual machines.

The subnet mask is more important to routers than to individual machines. Subnetting reduces the size of the Routing Tables .From a Subnet Mask Return the 0's determine how many bits are used by the host for internal configuration while the 1's correspond to the physical network which is used by routers for identification. Assuming only the last 8 bytes were used for host ID, when we send a subnetmask request of message type 17 ,we would get a subnet mask reply type 18 of FF.FF.FF.OO which is the same as 1111.1111.1111.0000 . In case our internal network is larger, we may use say 10 bits for our network , and create a mask of FF.FF.FF.FC which will be obtained in the Subnet Reply.

What exactly is a subnet mask? It's just a simple techneque using which you can cut up your network into server subnets and have a router for each.

For example, you have a rather large of over 65,000 computers, your router may fizzle if everyone logs on at one time. So we cut up the host ID into different subnets. As the diagram below shows, the director of the company has decided to cut up his host ID into two equal halves. This means that now he'll have 256 smaller networks, each with 254 IP address.

|-------------------subnet mask------------------|----------------|
|-------------------network id--------------------|---host id------|

How will this help? Well, now my main router needs to know of only 256 IP addresses (belonging to the routers) and not 65535 addresses as was the case under the previous arraignment. The other 256 routers in turn will know only the 254 addresses under them and the address of the main router. This is where the subnet mask comes in. I don't necessarily have to cut up the host ID fifty-fifty, I can cut if up like so..

|------------subnet mask------------|----------------------------|
|------------network id--------------|-------host id--------------|

...with 4 bits for the network and 12 bits for the hosts. So a subnet mask tells us the details of how a network is divided. The mask for this network will be 11111111 11111111 11110000 00000000 ( The only restriction on the use of subnet masks is that the same mask must be used by all the computers (hosts) connected to the network.

A Class C network is usually not divided into subnets because you only have 254 IP address any way. So the subnet mask, if required will be

If you still don't get it, read our General Overview of the Internet.

Another group of ICMP messages are called the Time Stamp Request and the Time Stamp Reply. When we send a packet with this option (13 in the Type Field), we add three extra fields in the ICMP header. The first field is the Originate Time Stamp where we fill in the time we sent the packet. It's up to the router or the host to fill up the next two fields, the Receive and Transmit Time Stamps. The Receive Time Stamp will contain the exact time the router received the packet and the Transmit Time Stamp will contain the exact time the router discharged the packet. Most routers as well as hosts set up both fields to the same time because there's very little time lag. However, we might be able to use this to determine if a router's malfunctioning. In that case, the Receive and Transmit Time Stamps may be less than the Originate Time.

One ICMP message we don't see very often is the Redirect Error Message. Imagine a scenario where a router, A, is connected to two other routers, B and C. If a packet bound for a network connected to B is accidentally sent by A to C, the route C will respond with this error, imploring A to send these packets to B, not C.

A set of ICMP messages that B should use more often is Router Advertisement. When a new router goes on-line, it advertises it's position and connections to all other routers. Other routers respond with Router Solicitation Messages, to inquire about the details of the new routers capabilities.

We couldn't write a program to test this out cause we're too po' to afford three routers!

The above tutorial is a joint effort of

Mr. Vijay Mukhi
Ms. Sonal Kotecha
Mr. Arsalan Zaidi
Mr. Vinod Rasquinha

Back to the main page

Vijay Mukhi's Computer Institute
VMCI, B-13, Everest Building, Tardeo, Mumbai 400 034, India
Tel : 91-22-496 4335 /6/7/8/9     Fax : 91-22-307 28 59
e-mail :