What is ICMP?
The Internet Control Message Protocol (ICMP) is a network-layer support protocol used by network devices (routers, hosts, and gateways) to send error messages and operational information about network conditions. It is defined in RFC 792 (IPv4) and RFC 4443 (ICMPv6).
Unlike TCP or UDP, ICMP does not carry application data. Instead, it acts as the diagnostic and control layer of the internet: the messenger that tells routers and hosts when things go wrong.
Why Do We Need ICMP?
Error Reporting
When a packet cannot be delivered (e.g., host unreachable, TTL expired), ICMP sends an error back to the source.
Network Diagnostics
Tools like ping and traceroute rely entirely on ICMP to test reachability and map network paths.
Congestion & Flow Control
Source Quench messages (Type 4, now deprecated) were used to signal congestion to sending hosts.
Redirect Routing
Routers send ICMP Redirect messages to inform hosts of a better route for a specific destination.
ICMP in the Protocol Stack
ICMP vs. Other Protocols
| Feature | ICMP | TCP | UDP |
|---|---|---|---|
| Layer | Network (3) | Transport (4) | Transport (4) |
| Purpose | Control & Error Messages | Reliable Data Transfer | Fast Data Transfer |
| Carries App Data? | No | Yes | Yes |
| Connection? | Connectionless | Connection-oriented | Connectionless |
| IP Protocol # | 1 (ICMPv6: 58) | 6 | 17 |
| Common tools | ping, traceroute | HTTP, SSH, FTP | DNS, DHCP, streaming |
Versions of ICMP
ICMPv4 RFC 792
Used with IPv4. Protocol number 1. The classic protocol behind ping and traceroute on most networks today.
ICMPv6 RFC 4443
Enhanced version for IPv6. Protocol number 58. Adds Neighbor Discovery Protocol (NDP) and Multicast Listener Discovery (MLD), functions that replaced ARP in IPv6.
How ICMP Works
ICMP operates as a companion to IP. When an IP packet encounters a problem in transit, the device that detects the problem generates an ICMP message, wraps it in an IP packet, and sends it back to the original source of the failed packet.
Ping: Echo Request / Echo Reply
The most familiar use of ICMP is the ping command:
- Source sends an ICMP Echo Request to the destination.
- The ICMP message is wrapped inside an IPv4 datagram with Protocol = 1.
- Routers forward the IP packet hop-by-hop toward the destination.
- Destination receives the request and sends back a matching Echo Reply.
- Source calculates Round-Trip Time (RTT): the time from request to reply.
Traceroute: Mapping the Path
Traceroute exploits the Time-To-Live (TTL) field in the IP header:
Error Reporting Flow
Important ICMP Rules
When ICMP CAN be generated
- Destination unreachable
- TTL expired in transit
- Fragmentation needed but DF bit set
- Echo Request received
- Router redirect needed
When ICMP CANNOT be generated
- In response to another ICMP error
- For broadcast or multicast destination packets
- For fragment other than the first fragment
- For packets with source address of 0.0.0.0
ICMP Message Types
Every ICMP message is identified by a Type (1 byte) and a Code (1 byte). The Type identifies the broad category; the Code provides more specific detail within that type.
Type 0: Echo Reply
Sent in response to an ICMP Echo Request. Contains the same Identifier and Sequence Number as the request. Used by ping to confirm that a host is reachable and measure round-trip time. If a host receives an Echo Request and is operational, it MUST send an Echo Reply.
Type 3: Destination Unreachable
Generated when a router or host cannot deliver a packet. The Code field specifies the reason:
| Code | Meaning |
|---|---|
| 0 | Net Unreachable |
| 1 | Host Unreachable |
| 2 | Protocol Unreachable |
| 3 | Port Unreachable |
| 4 | Fragmentation Needed & DF Set |
| 5 | Source Route Failed |
| 13 | Communication Administratively Prohibited |
Type 4: Source Quench
Originally sent by a router experiencing congestion to request the source slow its transmission rate. Deprecated in RFC 1812 (1995) and formally obsoleted in RFC 6633 (2012) because it caused more harm than good, often resulting in TCP retransmissions that worsened congestion.
Type 5: Redirect
Sent by a router when it knows a better path for a destination exists. Tells the host to update its routing table. Codes: 0 = Redirect for Network, 1 = Redirect for Host, 2 = Redirect for Type of Service & Network, 3 = Redirect for Type of Service & Host.
Type 8: Echo Request
The foundation of the ping command. Contains an Identifier (to match replies), a Sequence Number (to detect lost packets), and optional Data. The destination must respond with an Echo Reply containing the same Identifier and Sequence Number.
Type 9: Router Advertisement
Routers broadcast or multicast this message to announce their existence and routing capabilities. Hosts use these to automatically discover default gateways without manual configuration. Part of the IRDP (ICMP Router Discovery Protocol).
Type 10: Router Solicitation
A host sends this message on startup to request immediate Router Advertisements rather than waiting for the periodic broadcast. Enables faster network configuration after boot. Part of IRDP.
Type 11: Time Exceeded
- Code 0, TTL Expired in Transit: A router decremented the IP TTL to zero and discarded the packet. This is the core mechanism traceroute uses to discover each hop.
- Code 1, Fragment Reassembly Time Exceeded: Not all fragments of a fragmented IP datagram arrived within the reassembly timeout window.
Type 12: Parameter Problem
Sent when a router or host finds a problem with an IP header field. Includes a Pointer field indicating which byte caused the problem. Code 0 = Pointer indicates error, Code 1 = Missing required option, Code 2 = Bad length.
Types 13 and 14: Timestamp Request / Timestamp Reply
Used to synchronize clocks between network devices. The Request includes the sender's originate timestamp; the Reply adds the receive timestamp and transmit timestamp. Largely replaced by NTP (Network Time Protocol) in modern networks, but still present in some diagnostic tools.
ICMP Header Format
Every ICMP message has a fixed 4-byte header followed by a variable-length data section. The content of the data section depends on the message Type and Code.
ICMP Header Structure (4 bytes minimum)
| Bytes | Bits 0-7 | Bits 8-15 | Bits 16-31 |
|---|---|---|---|
| 0-3 | Type (8 bits) | Code (8 bits) | Checksum (16 bits) |
| 4-7 | Rest of Header / Data (varies by Type) | | |
| 8-n | Optional Data Payload (e.g., original IP header + first 8 bytes of original datagram for errors) | | |
Core Header Fields
- Type: 8 bits. Identifies the ICMP message category. Common values: 0 (Echo Reply), 3 (Destination Unreachable), 8 (Echo Request), 11 (Time Exceeded).
- Code: 8 bits. Provides a sub-type within the Type category. For Echo Request/Reply, Code is always 0. For Destination Unreachable, Code specifies the exact reason (0=Net Unreachable, 1=Host Unreachable, etc.).
- Checksum: 16 bits. Internet checksum covering the entire ICMP message (header + data). It is computed with the Checksum field set to zero: the one's complement sum of all 16-bit words is taken, and the checksum is the one's complement of that sum.
- Rest of Header: 32 bits. Content depends on Type/Code. For Echo messages: upper 16 bits = Identifier, lower 16 bits = Sequence Number. For Destination Unreachable and Time Exceeded: this field is unused (set to 0).
Echo Request / Echo Reply: Expanded Header
| Bytes | Bits 0-15 | Bits 16-31 |
|---|---|---|
| 0-3 | Type (0 or 8), Code (0) | Checksum |
| 4-7 | Identifier | Sequence Number |
| 8-n | Optional Data (Payload, often timestamps or arbitrary bytes) | |
Destination Unreachable: Expanded Header
| Bytes | Bits 0-15 | Bits 16-31 |
|---|---|---|
| 0-3 | Type (3), Code (0-15) | Checksum |
| 4-7 | Unused (must be 0) | |
| 8-35 | Original IP Header (20 bytes) + First 8 bytes of original datagram | |
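As an added example (not part of the original page), this Python sketch parses the error layout above and recovers the quoted datagram, which lets a receiver check that an error refers to traffic it really sent before acting on it. The function names, the flow-table format and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Type and Code names taken from the tables on this page.
ERROR_TYPES = {3: "Destination Unreachable", 11: "Time Exceeded"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                 2: "Protocol Unreachable", 3: "Port Unreachable",
                 4: "Fragmentation Needed & DF Set", 5: "Source Route Failed",
                 13: "Communication Administratively Prohibited"}

def parse_icmp_error(msg: bytes) -> dict:
    """Parse an ICMPv4 error message and return the datagram it quotes."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short for header + quoted IP header + 8 bytes")
    icmp_type, code = msg[0], msg[1]
    if icmp_type not in ERROR_TYPES:
        raise ValueError(f"type {icmp_type} is not an error handled here")
    quoted = msg[8:]                    # bytes 4-7 are unused for these types
    ihl = (quoted[0] & 0x0F) * 4        # quoted header length, 20 if no options
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is malformed or truncated")
    info = {"type": ERROR_TYPES[icmp_type], "code": code, "proto": quoted[9],
            "src": str(ipaddress.IPv4Address(quoted[12:16])),
            "dst": str(ipaddress.IPv4Address(quoted[16:20]))}
    if icmp_type == 3:
        info["reason"] = UNREACH_CODES.get(code, "unlisted code")
    if info["proto"] in (6, 17):        # TCP and UDP both begin with the ports
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info

def refers_to_our_flow(info: dict, flows: set) -> bool:
    """True only if the quoted datagram is one this host actually sent."""
    key = (info["proto"], info["src"], info.get("sport"),
           info["dst"], info.get("dport"))
    return key in flows

def build_sample() -> bytes:
    """Constructed sample: Port Unreachable quoting a UDP datagram to port 53."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed)
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp  # checksums left at 0

if __name__ == "__main__":
    parsed = parse_icmp_error(build_sample())
    sent = {(17, "192.0.2.10", 40000, "198.51.100.7", 53)}
    print(parsed, refers_to_our_flow(parsed, sent))
```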
ICMP Checksum Algorithm
- Set the Checksum field to 0x0000
- Treat the entire ICMP message as a sequence of 16-bit words
- Sum all 16-bit words using one's complement arithmetic (carry bits wrap around)
- Take the one's complement of the result; this is the Checksum
- On receipt: sum all 16-bit words including the Checksum. Result must equal 0xFFFF
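An added example, not from the original page: the checksum steps above in Python, applied to the Echo Request / Echo Reply layout, including the odd-length payload case and the receiver-side 0xFFFF check. Function names and the sample identifier, sequence number and payload are constructed for illustration.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum the message as 16-bit big-endian words, wrapping carries around."""
    if len(data) % 2:
        data += b"\x00"        # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:         # fold carry bits back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request (type 8) or Echo Reply (type 0) with its checksum."""
    zeroed = struct.pack("!BBHHH", icmp_type, 0, 0x0000, ident, seq) + payload
    checksum = ~ones_complement_sum(zeroed) & 0xFFFF
    return zeroed[:2] + struct.pack("!H", checksum) + zeroed[4:]

def checksum_ok(msg: bytes) -> bool:
    """Receiver side: the sum over the message, checksum included, is 0xFFFF."""
    return len(msg) >= 8 and ones_complement_sum(msg) == 0xFFFF

def reply_matches(request: bytes, reply: bytes) -> bool:
    """Accept a reply only if it is intact and echoes the request's fields."""
    if not (checksum_ok(request) and checksum_ok(reply)):
        return False
    r_type, r_code, _, r_id, r_seq = struct.unpack("!BBHHH", reply[:8])
    _, _, _, q_id, q_seq = struct.unpack("!BBHHH", request[:8])
    return ((r_type, r_code) == (0, 0) and (r_id, r_seq) == (q_id, q_seq)
            and reply[8:] == request[8:])

# Constructed sample: identifier 0x1A2B, sequence 1, 17-byte (odd) payload.
PAYLOAD = b"constructed ping!"
REQUEST = build_echo(8, 0x1A2B, 1, PAYLOAD)
REPLY = build_echo(0, 0x1A2B, 1, PAYLOAD)

if __name__ == "__main__":
    print(REQUEST.hex(), checksum_ok(REQUEST), reply_matches(REQUEST, REPLY))
```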