ICMP — Internet Control Message Protocol
When a packet cannot reach its destination, something needs to tell the sender what went wrong. IP (Internet Protocol) itself has no mechanism for this — it sends packets and hopes for the best. ICMP (Internet Control Message Protocol) fills that gap. It is the error-reporting and diagnostic layer of the TCP/IP (Transmission Control Protocol / Internet Protocol) suite, and the protocol behind two of the most fundamental network troubleshooting tools you will ever use: ping and traceroute.
What ICMP Is
ICMP is a supporting protocol in the TCP/IP suite. It carries error messages and operational information about network conditions between network devices. Unlike TCP and UDP (User Datagram Protocol), ICMP does not carry application data — it carries control messages. You will never see ICMP transporting a web page or an email. Instead, you see it reporting problems: a destination is unreachable, a packet's TTL (Time to Live) has expired, a packet is too large for a link along the path.
ICMP is defined in RFC (Request for Comments) 792, published in September 1981. It operates at the Internet Layer of the TCP/IP model — equivalent to Layer 3 (the Network Layer) in the OSI (Open Systems Interconnection) model. ICMP messages are encapsulated directly in IP packets; there is no TCP or UDP wrapper around them.
Crucially: ICMP does not use ports. When you work with TCP or UDP, you specify ports to identify which application or service should receive the traffic. ICMP has no such concept. Firewall rules that allow or block ICMP apply to the protocol itself, not to port numbers.
ICMPv6 (ICMP for IPv6), defined in RFC 4443, is the IPv6 (Internet Protocol version 6) counterpart. It covers the same error-reporting functions, and its message types also carry Neighbor Discovery (RFC 4861) — the IPv6 replacement for ARP (Address Resolution Protocol), which maps IP addresses to MAC (Media Access Control) addresses on a local network.
Why ICMP Exists
IP is a best-effort delivery protocol. It makes no guarantees. If a router cannot forward a packet — because the destination network does not exist, because the TTL counter reached zero, because the packet is larger than the link can carry and cannot be fragmented — the router needs a way to tell the original sender what happened. Without that feedback, the sender would simply wait indefinitely, with no idea whether the packet was delivered, lost in transit, or rejected.
ICMP provides that feedback channel. It is the part of the network that can say: "I received your packet, but I could not deliver it, and here is why."
Beyond error reporting, ICMP also carries diagnostic messages — the echo request and echo reply messages used by ping, and the time-exceeded messages that make traceroute possible.
ICMP Message Structure
Every ICMP message has the same three fields at the start, followed by additional fields and data that vary depending on the type and code:
| Field | Size | Purpose |
|---|---|---|
| Type | 8 bits | Identifies the category of message |
| Code | 8 bits | Further specifies the message within that type |
| Checksum | 16 bits | Error detection — ensures the ICMP message itself was not corrupted in transit |
After these three fields, additional content varies by type and code. An echo request carries an identifier and sequence number so replies can be matched to requests. A destination unreachable message includes as much of the original packet's header as possible, so the sender knows which packet triggered the error.
Understanding type and code together is the key to reading ICMP. Type identifies the broad category; code specifies the exact situation within that category.
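As an added example (not code from the page or from any ICMP implementation), the following Python builds and decodes messages with the header layout described above: the RFC 1071 one's-complement checksum, an Echo Request carrying identifier and sequence, a Destination Unreachable that quotes the offending packet and, for Code 4, carries the next-hop MTU in the last 16 bits of the header, and a parser that names the type and code. The 20-byte IPv4 header and the addresses in it are constructed for illustration.

```python
import struct

# Added example: build and decode ICMP messages in pure Python. Type and code
# names follow RFC 792 (and RFC 1191 for the next-hop MTU); no packets are sent.

TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem"}
UNREACHABLE_CODES = {0: "Network unreachable", 1: "Host unreachable",
                     3: "Port unreachable", 4: "Fragmentation needed and DF set",
                     13: "Communication administratively prohibited"}
TIME_EXCEEDED_CODES = {0: "TTL expired in transit",
                       1: "Fragment reassembly time exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, Code 0. Identifier and sequence let the sender match replies to requests."""
    unchecked = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(unchecked), ident, seq) + payload


def build_dest_unreachable(code: int, offending_packet: bytes, next_hop_mtu: int = 0) -> bytes:
    """Type 3. Quotes the offending IP header plus 8 bytes of its payload (RFC 792);
    for Code 4 the last 16 bits of the header carry the next-hop MTU (RFC 1191)."""
    quoted = offending_packet[:28]            # 20-byte IPv4 header + first 8 payload bytes
    unchecked = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + quoted
    return struct.pack("!BBHHH", 3, code, icmp_checksum(unchecked), 0, next_hop_mtu) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Decode the common 8-byte header, verify the checksum and name the type/code."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, code, _, word2, word3 = struct.unpack("!BBHHH", packet[:8])
    msg = {"type": itype, "code": code,
           "type_name": TYPE_NAMES.get(itype, "Unknown type %d" % itype),
           # checksumming a message over its own checksum field yields 0 when intact
           "checksum_ok": icmp_checksum(packet) == 0}
    if itype in (0, 8):
        msg.update(identifier=word2, sequence=word3, payload=packet[8:])
    elif itype == 3:
        msg["code_name"] = UNREACHABLE_CODES.get(code, "Code %d" % code)
        msg["quoted_packet"] = packet[8:]     # tells the sender which packet failed
        if code == 4:
            msg["next_hop_mtu"] = word3
    elif itype == 11:
        msg["code_name"] = TIME_EXCEEDED_CODES.get(code, "Code %d" % code)
        msg["quoted_packet"] = packet[8:]
    elif itype == 12:
        msg["pointer"] = word2 >> 8           # byte offset into the bad header (first byte after checksum)
    return msg


if __name__ == "__main__":
    # Constructed IPv4 header (20 bytes) for the quoted packet; addresses are illustrative.
    ip_header = bytes.fromhex("4500005c00004000400114cc0a000001c0a80101")
    request = build_echo_request(ident=0x1234, seq=1, payload=b"A" * 56)
    print(parse_icmp(request))
    too_big = build_dest_unreachable(4, ip_header + request, next_hop_mtu=1400)
    print(parse_icmp(too_big))
```

Flipping any byte of a built message makes checksum_ok false, which is the check a receiving stack performs before it trusts the type and code.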
The Most Important ICMP Types and Codes
Type 0 — Echo Reply
This is the response to a ping request. When a host receives an ICMP Echo Request (Type 8), it sends back an Echo Reply (Type 0). The presence of a reply tells you the host is reachable and responded. The absence of a reply could mean the host is down, the host is blocking ICMP, or something along the path is blocking ICMP.
Type 3 — Destination Unreachable
This is the family of messages that tell the sender a packet could not be delivered. The code field specifies exactly why:
- Code 0: Network unreachable. The router has no route to the destination network. It does not know how to forward the packet at all.
- Code 1: Host unreachable. The router knows the destination network but cannot reach the specific host within it.
- Code 3: Port unreachable. The destination host received the packet but no application is listening on the UDP port the packet was addressed to. This is how UDP learns a port is closed — unlike TCP, UDP has no connection handshake to reject a connection, so ICMP carries the rejection. When you scan UDP ports with a tool like Nmap, a Type 3 Code 3 response means the port is closed.
- Code 4: Fragmentation needed but DF bit is set. The packet is too large for a link along the path, and the DF (Don't Fragment) bit in the IP header is set — meaning the sender explicitly said "do not fragment this packet." The router drops it and sends this message back. This is the mechanism that makes Path MTU Discovery work. MTU stands for Maximum Transmission Unit — the largest payload a given link can carry.
- Code 13: Communication administratively prohibited. A firewall filtered the packet. If you see this response, a firewall exists along the path and is actively rejecting the traffic rather than silently dropping it.
Type 5 — Redirect
A router sends Type 5 to tell a host that there is a better route to a destination — one that goes through a different router. Rather than continuing to relay traffic through itself unnecessarily, the router informs the host directly.
ICMP Redirect is a legitimate mechanism, but it has been abused. An attacker on a local network can send forged ICMP Redirect messages to convince hosts to route traffic through the attacker's machine. Modern operating systems can be configured to ignore ICMP Redirects for this reason.
Type 8 — Echo Request
This is the ping request. When you run ping, your machine sends ICMP Echo Request packets to the target. Each packet carries an identifier and a sequence number so that when replies arrive, they can be matched to the requests that generated them. The TTL field in the enclosing IP packet decrements at each hop — which is what Windows tracert exploits when it uses Echo Requests as its probes.
Type 11 — Time Exceeded
A router sends Type 11 when a packet's TTL reaches zero. The router drops the packet and sends this message back to the original sender, including the router's own IP address as the source. This is the mechanism that makes traceroute work.
- Code 0: TTL expired in transit. The TTL counter reached zero while the packet was being forwarded between routers.
- Code 1: Fragment reassembly time exceeded. A packet was fragmented into pieces, and not all fragments arrived within the allowed time window. The fragments that did arrive are discarded.
Type 12 — Parameter Problem
A router or host encountered a malformed IP packet header that it cannot process. The packet may have invalid options, a bad header length, or other structural errors. The ICMP response includes a pointer to the byte in the original packet's header that caused the problem.
Ping — The Most Common Use of ICMP
Ping is the most basic network reachability test in existence. It answers one question: is a host reachable, and if so, how long does the round trip take?
Ping sends ICMP Echo Request (Type 8) packets to a target and waits for ICMP Echo Reply (Type 0) responses. It is pure ICMP — no TCP, no UDP, no ports.
Basic Syntax
ping 192.168.1.1
ping google.com
ping -c 4 192.168.1.1 # Linux/macOS: send exactly 4 packets then stop
ping -n 4 192.168.1.1 # Windows: send exactly 4 packets then stop
On Windows, ping sends 4 packets by default and stops. On Linux and macOS, ping runs until you press Ctrl+C unless you specify a count with the -c flag.
Reading Ping Output
A successful ping response on Linux looks something like this:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.18 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=1.31 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=1.22 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.18/1.235/1.31/0.048 ms
What each element tells you:
- icmp_seq: The sequence number. If a sequence number is missing in the output, that packet was lost.
- ttl: The TTL value in the reply packet as it arrived: the value the target started with, minus one for every router the reply crossed on its way back to you. A reply from your directly connected gateway arrives with its original TTL (64 here), because no router sits between you and it to decrement the value. A TTL of 127 suggests a Windows machine (which defaults to 128) whose reply passed through one router.
- time: The RTT (Round-Trip Time) in milliseconds. This is how long it took for the Echo Request to travel to the target and for the Echo Reply to travel back. Low and stable RTT means a healthy connection. High RTT means distance or congestion. Variable RTT (jitter) suggests congestion or routing instability.
- Packet loss: Any non-zero packet loss indicates a problem. Even 1% loss on a local network suggests hardware issues, an overloaded device, or cable problems.
If ping produces no replies, the host is either unreachable, powered off, or configured to block ICMP. Ping cannot distinguish between these conditions on its own.
TTL — Time to Live in Depth
TTL is a field in every IP packet header — a counter set by the sending device that prevents packets from circulating forever in routing loops. Every router that receives and forwards a packet decrements the TTL by 1. If a router receives a packet with a TTL of 1 and needs to forward it (decrementing would bring it to 0), the router drops the packet and sends ICMP Time Exceeded (Type 11, Code 0) back to the source.
Why TTL Exists
Without TTL, a routing loop — where two or more routers keep passing a packet back and forth to each other — would let the packet circulate indefinitely, consuming bandwidth and processing capacity on every device in the loop. TTL guarantees that every packet eventually dies if it does not reach its destination.
Common Default TTL Values by Operating System
Different operating systems set different default TTL values in outgoing packets:
| Operating System | Default TTL |
|---|---|
| Linux | 64 |
| macOS | 64 |
| Windows | 128 |
| Cisco network devices | 255 |
These defaults matter in security work. If you receive a packet with a TTL of 127, it almost certainly came from a Windows machine that started with TTL 128 and passed through exactly one router. A TTL of 63 suggests a Linux or macOS machine one hop away. This passive OS fingerprinting technique requires no active probing — you can infer the operating system simply by looking at TTL values in traffic you receive.
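The inference in the previous paragraph, written out as an added Python example (not from the page): given a TTL observed on arrival, pick the smallest common default at or above it, read the OS family from the table, and take the gap as the number of routers crossed. The second function runs the same inference over a set of (source address, TTL) observations, which is how it is used in practice when reading a capture; the observations and addresses in the demo are constructed. The same logic serves the OS Fingerprinting from TTL section further down. It assumes the TTL was not rewritten by a middlebox on the way.

```python
# Added example (not from the page): passive TTL analysis. From the TTL seen in an
# arriving packet, infer the probable initial TTL, the OS family that uses it, and
# how many routers the packet crossed. Assumes the TTL was not rewritten in transit.

from collections import defaultdict

DEFAULT_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "Cisco network device"}


def infer_from_ttl(observed_ttl: int) -> dict:
    """Pick the smallest common default >= the observed value; the gap is the hop count."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    initial = min(t for t in DEFAULT_TTLS if t >= observed_ttl)
    hops = initial - observed_ttl
    return {
        "observed": observed_ttl,
        "probable_initial_ttl": initial,
        "probable_os": DEFAULT_TTLS[initial],
        "hops_crossed": hops,
        # Internet paths rarely exceed ~30 hops; a larger gap usually means an
        # uncommon starting TTL (some embedded or older stacks), not a long path.
        "confidence": "low" if hops > 30 else "moderate",
    }


def fingerprint_hosts(observations) -> dict:
    """observations: iterable of (src_ip, observed_ttl) taken from captured traffic.
    One source showing several inferred initial TTLs points at NAT in front of mixed
    operating systems, or at spoofed packets; either deserves a closer look."""
    initials_by_host = defaultdict(set)
    for ip, ttl in observations:
        initials_by_host[ip].add(infer_from_ttl(ttl)["probable_initial_ttl"])
    summary = {}
    for ip, initials in initials_by_host.items():
        names = [DEFAULT_TTLS[i] for i in sorted(initials)]
        summary[ip] = {"os_guess": names[0] if len(names) == 1 else "mixed: " + ", ".join(names),
                       "mixed": len(names) > 1}
    return summary


if __name__ == "__main__":
    # Constructed observations: (source address, TTL seen on arrival)
    sample = [("203.0.113.5", 63), ("203.0.113.5", 127), ("198.51.100.9", 117), ("192.0.2.1", 250)]
    for ttl in (127, 63, 250, 30):
        print(infer_from_ttl(ttl))
    print(fingerprint_hosts(sample))
```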
TTL and Traceroute
The fact that routers send ICMP Time Exceeded back to the source when TTL expires — including their own IP address as the source of the ICMP message — is exactly what traceroute exploits. By incrementing TTL from 1 upward, traceroute provokes each successive router to identify itself.
Traceroute — Mapping the Path to a Destination
Traceroute reveals every router hop on the path from your machine to a destination. It is invaluable for diagnosing where a network problem is occurring and for mapping network topology.
Basic Syntax
On Linux and macOS:
traceroute google.com
traceroute 8.8.8.8
On Windows:
tracert google.com
tracert 8.8.8.8
How Traceroute Works, Step by Step
Traceroute deliberately exploits TTL expiration to provoke each router along the path into revealing itself:
- TTL=1. Traceroute sends a probe packet with TTL set to 1. The very first router in the path decrements TTL to 0, drops the packet, and sends ICMP Time Exceeded back to your machine. The source IP of that ICMP message is the first router's IP address. Traceroute records that address and measures the RTT.
- TTL=2. Traceroute sends another probe with TTL=2. The first router passes it with TTL now at 1. The second router decrements to 0 and sends Time Exceeded. The second router's IP is recorded.
- Continue. Traceroute keeps incrementing TTL by 1 for each round of probes.
- Destination reached. Eventually, the probe packet reaches the destination with TTL still greater than 0. On Linux and macOS, the default traceroute sends UDP probes to a high-numbered port that nothing is listening on — the destination responds with ICMP Destination Unreachable, Port Unreachable (Type 3, Code 3). On Windows, tracert uses ICMP Echo Requests — the destination responds with ICMP Echo Reply. Either way, traceroute knows it has reached the end.
Reading Traceroute Output
traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 1.432 ms 1.201 ms 1.389 ms
2 10.10.1.1 (10.10.1.1) 8.321 ms 8.511 ms 8.498 ms
3 isp-router.example (203.0.113.1) 12.44 ms 12.51 ms 12.39 ms
4 * * *
5 google-edge.example (72.14.232.1) 18.33 ms 18.12 ms 18.44 ms
Each numbered line is one hop. The three time values (in milliseconds) are the RTT for three separate probe packets sent to that hop. The name is the reverse DNS entry for the router, if one exists, and the router's IP address follows in parentheses; when there is no reverse DNS entry, the address is printed in both places.
What the * * * means: A hop that shows three asterisks did not respond. The router at that hop may be configured to not send ICMP Time Exceeded responses, or a firewall along the path is blocking ICMP. Importantly, a * does not necessarily mean the hop is broken — traffic may still flow through it, but it is silently forwarding packets without generating ICMP responses. If later hops respond normally, the path is intact and only that router's ICMP responses are blocked.
What increasing RTT tells you: RTT typically increases with each hop as packets travel farther. A sudden large increase between two hops can indicate a slow link, a distant geographical jump, or a congested router.
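Reading traceroute output by eye works for one trace; for many, a parser helps. The following is an added Python example (not a tool from the page) that parses Linux/macOS traceroute output into hops, then applies the rules just described: a hop of asterisks is not proof of a break, partial probe loss is worth noting, a large RTT step between hops is worth noting, and responses up to a hop followed by nothing but asterisks mean a filtering device sits just past it. Both sample outputs are constructed; the jump threshold is a tunable assumption.

```python
# Added example (not from the page): parse Linux/macOS traceroute output and flag
# silent hops, partial loss, latency jumps and the point where filtering begins.
# The sample outputs below are constructed; the 30 ms jump threshold is arbitrary.

import re
from statistics import mean

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")      # router address in parentheses after its name
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")

SAMPLE_OK = """\
traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.432 ms  1.201 ms  1.389 ms
 2  10.10.1.1 (10.10.1.1)  8.321 ms  *  8.498 ms
 3  isp-router.example (203.0.113.1)  12.44 ms  12.51 ms  12.39 ms
 4  * * *
 5  google-edge.example (72.14.232.1)  18.33 ms  18.12 ms  18.44 ms
 6  dest.example (142.250.80.46)  78.10 ms  77.92 ms  78.41 ms
"""

SAMPLE_FILTERED = """\
traceroute to 198.51.100.20 (198.51.100.20), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.2 ms  1.1 ms  1.3 ms
 2  10.10.1.1 (10.10.1.1)  8.3 ms  8.5 ms  8.4 ms
 3  isp-router.example (203.0.113.1)  12.4 ms  12.5 ms  12.3 ms
 4  * * *
 5  * * *
 6  * * *
"""


def parse_traceroute(text: str) -> dict:
    """Return {'destination': ip or None, 'hops': [{hop, addresses, rtts, lost_probes}, ...]}."""
    destination, hops = None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            destination = header.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        hops.append({
            "hop": int(m.group(1)),
            "addresses": sorted(set(ADDR_RE.findall(rest))),   # several addresses = per-probe load balancing
            "rtts": [float(x) for x in RTT_RE.findall(rest)],
            "lost_probes": rest.count("*"),
        })
    return {"destination": destination, "hops": hops}


def analyse_path(trace: dict, jump_ms: float = 30.0) -> dict:
    """Apply the reading rules: silent hops, partial loss, RTT jumps, trailing silence."""
    findings, last_avg = [], None
    for h in trace["hops"]:
        if not h["rtts"]:
            findings.append("hop %d: * * * (no Time Exceeded; silent router or filtered ICMP, "
                            "not proof of a break)" % h["hop"])
            continue
        if h["lost_probes"]:
            findings.append("hop %d: %d of %d probes lost"
                            % (h["hop"], h["lost_probes"], h["lost_probes"] + len(h["rtts"])))
        avg = mean(h["rtts"])
        if last_avg is not None and avg - last_avg > jump_ms:
            findings.append("hop %d: RTT rises from %.1f to %.1f ms (slow link, long haul or congestion)"
                            % (h["hop"], last_avg, avg))
        last_avg = avg
    responding = [h["hop"] for h in trace["hops"] if h["rtts"]]
    last_responding = max(responding, default=0)
    trailing_silence = [h for h in trace["hops"] if h["hop"] > last_responding]
    last_hop = trace["hops"][-1] if trace["hops"] else None
    reached = bool(last_hop and trace["destination"] in last_hop["addresses"])
    return {
        "reached_destination": reached,
        "last_responding_hop": last_responding,
        # answers up to a hop, then only asterisks: a filtering device sits just past it
        "filtering_starts_after": last_responding if trailing_silence and not reached else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for text in (SAMPLE_OK, SAMPLE_FILTERED):
        print(analyse_path(parse_traceroute(text)))
```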
Traceroute Variations
The traceroute on Linux by default uses UDP probes. The -I flag switches it to ICMP Echo Requests (like tracert on Windows). The -T flag uses TCP SYN probes, which can sometimes get through firewalls that block UDP and ICMP but allow TCP. Both of these modes build their probes on raw sockets and usually require root privileges:
traceroute -T -p 80 google.com # TCP traceroute on port 80
Path MTU Discovery
Every network link has an MTU (Maximum Transmission Unit) — the largest IP packet, header included, that the link can carry in a single frame. Ethernet's standard MTU is 1500 bytes. Some links have smaller MTUs; some specialized environments have larger ones (called jumbo frames).
If a packet is larger than the MTU of a link it needs to traverse, the router handling that link has two options: fragment the packet into smaller pieces, or drop it and report the problem. Fragmentation carries its own overhead and complications, so modern network design prefers to avoid it. The DF (Don't Fragment) bit in the IP header, when set to 1, explicitly tells routers "do not fragment this packet under any circumstances."
When a router receives a packet with the DF bit set that is too large for the next link, it drops the packet and sends ICMP Type 3, Code 4 (Fragmentation Needed and DF Bit Was Set) back to the sender. The ICMP message includes the MTU of the link that could not accommodate the packet. The sender receives this information and reduces its packet size accordingly, then retransmits. This automatic process is called Path MTU Discovery (PMTUD).
Path MTU Discovery allows the network to automatically find the largest packet size that can traverse the entire path without fragmentation, without the sender having to know in advance what every link's MTU is. It happens transparently.
A practical problem: if a firewall blocks all ICMP between the sender and a router along the path, the ICMP Type 3 Code 4 message never reaches the sender. The sender keeps sending packets that are too large, the router keeps dropping them, and the connection hangs. This is known as a PMTUD black hole. It is a real operational problem that can cause mysterious connection failures, and it is one reason that blanket ICMP blocking is considered poor practice.
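The two procedures described above, traceroute (the step-by-step list earlier) and Path MTU Discovery including its black hole, walked through on a small model of an IP path. This is an added Python example, not code from the page or from any real traceroute or TCP stack: routers are objects with an address and the MTU of the link they forward onto, one router is configured not to send Time Exceeded, and an optional firewall position drops ICMP errors generated at or beyond it on their way back to the sender. Addresses and MTUs are constructed. One simplification: confirmation that data reached the destination is treated as arriving via the transport (as TCP acknowledgements would), so only the ICMP error messages are subject to the filter.

```python
# Added example (not from the page): a model of an IP path used to walk through
# traceroute and Path MTU Discovery with the ICMP message each side produces.
# Router addresses and link MTUs are constructed; the "silent" flag and the firewall
# position are the two failure modes the text discusses.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Router:
    address: str
    next_link_mtu: int       # MTU of the link this router forwards onto
    silent: bool = False     # configured not to send Time Exceeded (shows up as *)


@dataclass
class Path:
    routers: List[Router]
    destination: str
    # Index of the first hop whose ICMP error messages a firewall drops on the way
    # back to the sender (None = nothing filtered). The destination counts as hop
    # len(routers). Data delivery itself is confirmed by the transport, not by ICMP.
    icmp_filter_after: Optional[int] = None

    def send(self, ttl: int, size: int) -> dict:
        """Forward one DF-set packet and return the raw outcome, before any filtering."""
        for i, router in enumerate(self.routers):
            ttl -= 1
            if ttl == 0:                     # dropped; Type 11 Code 0 from the router unless silent
                if router.silent:
                    return {"status": "timeout", "hop_index": i}
                return {"status": "ttl_expired", "icmp": (11, 0), "source": router.address, "hop_index": i}
            if size > router.next_link_mtu:  # too big for the next link and DF set: Type 3 Code 4
                return {"status": "too_big", "icmp": (3, 4), "source": router.address,
                        "next_hop_mtu": router.next_link_mtu, "hop_index": i}
        # Reached the destination. A UDP probe to a closed high port provokes Type 3 Code 3.
        return {"status": "delivered", "icmp": (3, 3), "source": self.destination,
                "hop_index": len(self.routers)}

    def icmp_reaches_sender(self, reply: dict) -> bool:
        """Does the ICMP message carried in `reply` get back past the firewall?"""
        if reply["status"] == "timeout":
            return False
        return self.icmp_filter_after is None or reply["hop_index"] < self.icmp_filter_after


def traceroute(path: Path, max_hops: int = 30, probe_size: int = 60) -> list:
    """Raise TTL from 1; each expiry names one router. Stop when the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = path.send(ttl, probe_size)
        if not path.icmp_reaches_sender(reply):
            hops.append((ttl, "*"))          # silent router, or the error was filtered
            continue
        hops.append((ttl, reply["source"]))
        if reply["status"] == "delivered":
            break
    return hops


def pmtud(path: Path, local_mtu: int = 1500, attempts: int = 6):
    """Sender side of RFC 1191: start at the local MTU and shrink to each advertised
    next-hop MTU. Returns (path_mtu, log); path_mtu is None when only timeouts come back."""
    size, log = local_mtu, []
    for _ in range(attempts):
        reply = path.send(64, size)
        if reply["status"] == "delivered":   # confirmed by the transport (TCP ACKs), not by ICMP
            log.append((size, "delivered"))
            return size, log
        if reply["status"] == "too_big" and path.icmp_reaches_sender(reply):
            log.append((size, "ICMP 3/4 from %s, next-hop MTU %d" % (reply["source"], reply["next_hop_mtu"])))
            size = reply["next_hop_mtu"]
        else:
            log.append((size, "timeout"))    # black hole: TCP would keep retransmitting the same segment
    return None, log


ROUTERS = [Router("192.168.1.1", 1500), Router("10.10.1.1", 1400),
           Router("203.0.113.1", 1280, silent=True), Router("198.51.100.9", 1500)]
OPEN_PATH = Path(ROUTERS, "198.51.100.20")
FILTERED_PATH = Path(ROUTERS, "198.51.100.20", icmp_filter_after=2)   # firewall in front of the third router

if __name__ == "__main__":
    print(traceroute(OPEN_PATH))
    print(pmtud(OPEN_PATH))
    print(traceroute(FILTERED_PATH, max_hops=6))
    print(pmtud(FILTERED_PATH))
```

On the open path PMTUD settles at 1280 after two Type 3 Code 4 messages; on the filtered path the first shrink (to 1400) still works because that router is in front of the firewall, after which every 1400-byte attempt times out. A 1280-byte packet still gets through the filtered path, which is exactly the "small transfers work, large ones hang" symptom.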
ICMP in Security
ICMP is not just a diagnostic tool. It is a reconnaissance tool, a covert channel, and historically a vector for attacks. Understanding these uses is essential for both offense and defense.
Ping Sweep — Host Discovery
A ping sweep sends ICMP Echo Requests to every address in a range and records which addresses respond. This is one of the first steps in network reconnaissance — finding which hosts are alive before investing time in deeper scanning.
Using Nmap (Network Mapper), a widely used network scanning tool:
nmap -sn 192.168.1.0/24
The -sn flag tells Nmap to do host discovery only, without port scanning. When run with root privileges against hosts on the local Ethernet segment, Nmap uses ARP (Address Resolution Protocol) requests instead of ICMP, which is more reliable: a host can ignore ICMP Echo Requests, but it cannot ignore ARP and still communicate on the segment.
A security implication: if you see a large volume of ICMP Echo Requests arriving at many different hosts in rapid succession from the same source, you are likely looking at a ping sweep. This is a reconnaissance indicator and should appear in network security monitoring alerts.
ICMP Tunneling — Covert Data Exfiltration
ICMP packets carry a data payload field. An ICMP Echo Request is supposed to carry a small amount of arbitrary data (so the Echo Reply can send it back to confirm the packet is unchanged). Nothing in the protocol restricts what that data represents, and its size is bounded only by the enclosing IP packet.
Attackers have exploited this to create covert communication channels by encoding arbitrary data in the ICMP payload — effectively tunneling one protocol inside ICMP. Tools that implement this technique include icmptunnel and ptunnel. These tools can create a full bidirectional communication channel (including command-and-control traffic and data exfiltration) through firewalls that permit ICMP but block other protocols.
Detecting ICMP tunneling:
- ICMP packets with unusually large payloads. Standard ping sends 32 bytes (Windows) or 56 bytes (Linux/macOS) of payload. Tunneling tools may use hundreds or thousands of bytes.
- High volumes of ICMP traffic. Normal networks see occasional ICMP. Sustained high-rate ICMP traffic is anomalous.
- ICMP traffic to external destinations. Internal hosts should rarely be pinging external hosts continuously.
- Payload content that does not match the expected ping pattern. Standard ping payloads are often a recognizable byte pattern; tunneling tools have structured, encrypted, or compressed payloads.
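The ping sweep indicator described earlier and the four tunneling indicators listed above, turned into detection logic. This is an added Python example (not from the page or from any monitoring product) that runs over a constructed set of ICMP records shaped like (timestamp, source, destination, ICMP type, payload): a normal ping exchange, a sweep of a /24 in two seconds, and a flow of 1200-byte pseudo-random payloads at 20 packets per second. The sweep rule counts distinct destinations per source inside a sliding time window; the tunnel rule checks each source/destination flow for oversized payloads, sustained rate and high Shannon entropy (the practical stand-in for "payload does not look like ping"). All thresholds are starting points to tune, and the addresses are constructed.

```python
# Added example (not from the page): detection logic for a ping sweep and for ICMP
# tunnelling, run over constructed records of (timestamp, src, dst, icmp_type, payload).
# Thresholds are starting points for tuning, not fixed truths.

import random
import struct
from collections import defaultdict
from math import log2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: a 56-byte ping pattern scores low, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def detect_ping_sweep(records, window_s: float = 5.0, min_targets: int = 50) -> list:
    """Alert when one source sends Echo Requests to >= min_targets distinct hosts within window_s."""
    requests = defaultdict(list)
    for ts, src, dst, itype, _ in records:
        if itype == 8:
            requests[src].append((ts, dst))
    alerts = []
    for src, events in requests.items():
        events.sort()
        start = 0
        for end in range(len(events)):              # sliding time window over this source's requests
            while events[end][0] - events[start][0] > window_s:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append({"rule": "ping_sweep", "src": src, "distinct_targets": len(targets)})
                break
    return alerts


def detect_tunnel(records, max_payload: int = 128, max_pps: float = 5.0,
                  entropy_bits: float = 7.0) -> list:
    """Per (src, dst) Echo flow: flag oversized payloads, sustained rate, or high-entropy content."""
    flows = defaultdict(list)
    for ts, src, dst, itype, payload in records:
        if itype in (0, 8):
            flows[(src, dst)].append((ts, payload))
    alerts = []
    for (src, dst), pkts in flows.items():
        pkts.sort(key=lambda p: p[0])
        reasons = []
        largest = max(len(p) for _, p in pkts)
        if largest > max_payload:
            reasons.append("payload up to %d bytes (ping sends 32 or 56)" % largest)
        if len(pkts) > 1:
            span = max(pkts[-1][0] - pkts[0][0], 0.001)
            if len(pkts) / span > max_pps:
                reasons.append("%.1f packets/s sustained" % (len(pkts) / span))
        high = sum(1 for _, p in pkts if len(p) >= 256 and shannon_entropy(p) > entropy_bits)
        if high:
            reasons.append("%d high-entropy payloads (encrypted or compressed data)" % high)
        if reasons:
            alerts.append({"rule": "icmp_tunnel", "src": src, "dst": dst, "reasons": reasons})
    return alerts


def build_sample_records() -> list:
    """Constructed traffic: a normal ping exchange, a ping sweep, and a tunnel flow."""
    rng = random.Random(7)
    pattern = bytes(range(0x10, 0x38))                       # 40 fixed bytes after a 16-byte timestamp
    def ping_payload(seq): return struct.pack("!QQ", 1_700_000_000 + seq, 0) + pattern   # 56 bytes
    recs = []
    for i in range(4):                                       # 10.0.0.5 pings its gateway once a second
        recs.append((100.0 + i, "10.0.0.5", "10.0.0.1", 8, ping_payload(i)))
        recs.append((100.0 + i + 0.001, "10.0.0.1", "10.0.0.5", 0, ping_payload(i)))
    for i in range(1, 201):                                  # 10.0.0.66 sweeps 10.0.1.0/24 in two seconds
        recs.append((200.0 + i * 0.01, "10.0.0.66", "10.0.1.%d" % i, 8, ping_payload(i)))
    for i in range(200):                                     # 10.0.0.23 tunnels 1200-byte blobs at 20 pkt/s
        blob = bytes(rng.getrandbits(8) for _ in range(1200))
        recs.append((300.0 + i * 0.05, "10.0.0.23", "203.0.113.77", 8, blob))
    return recs


if __name__ == "__main__":
    sample = build_sample_records()
    for alert in detect_ping_sweep(sample) + detect_tunnel(sample):
        print(alert)
```

The legitimate exchange trips neither rule, the sweep trips only the sweep rule (each of its flows carries a single normal-sized packet), and the tunnel flow trips all three tunnel reasons. In production the entropy rule needs a size floor like the one used here, because short payloads cannot score high enough to be meaningful.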
OS Fingerprinting from TTL
As discussed in the TTL section, the TTL value in received packets can suggest the originating operating system. A packet arriving with TTL 127 almost certainly started with TTL 128 (Windows) and passed through one router. A packet with TTL 63 likely started with TTL 64 (Linux or macOS) through one router.
This is passive fingerprinting — it requires no active probing and leaves no trace in the target's logs. An attacker receiving responses from a target can observe TTL values and infer the likely OS before deciding which exploits to attempt.
Network Topology Mapping
Running traceroute from multiple vantage points — internal machines at different network segments, external machines, cloud instances in different regions — builds a map of the network's routing structure. Which routers connect which segments? Where are the chokepoints? Where does traffic leave the internal network? This information guides attackers planning lateral movement or data exfiltration routes.
In authorized penetration testing, topology mapping is a standard early-phase activity. Defenders can detect it through the same ICMP Time Exceeded traffic analysis they would use to detect anomalous ICMP.
ICMP Flood Attacks
An ICMP flood sends a large volume of ICMP Echo Requests to a target, attempting to exhaust either the target's bandwidth or its processing capacity (because the target's CPU must process each request and generate a reply).
The historical Smurf attack — named after the tool used to execute it — combined ICMP flooding with IP spoofing and directed broadcast amplification. The attacker spoofed the victim's IP address as the source and sent ICMP Echo Requests to a network's broadcast address (e.g., 192.168.1.255). Every host on that network would send an Echo Reply to the victim's IP address, multiplying the attacker's traffic by the number of hosts on the amplification network. Modern networks disable directed broadcast forwarding by default, which removes the amplification Smurf depended on, but a plain ICMP flood DoS (Denial of Service) remains a technique.
Firewalls and ICMP Blocking
Many organizations block inbound ICMP at the network perimeter — the point where the internal network connects to the internet. The motivation is to prevent ping sweeps and to reduce the information that attackers can gather by probing with ICMP.
This creates operational problems:
- Path MTU Discovery fails. As described above, blocking ICMP Type 3 Code 4 breaks PMTUD and can cause mysterious connection failures.
- Traceroute stops at the firewall. Administrators cannot use traceroute from the internet to diagnose connectivity problems.
- The firewall is not actually hidden. When traceroute from the internet shows responses up to a certain hop and then shows only asterisks from that point onward, the presence of a filtering device is obvious. An attacker knows a firewall exists at that location.
A host that is behind an ICMP-blocking firewall may be fully operational and serving traffic on TCP (Transmission Control Protocol) ports, but a ping to its IP will show no response. Network scanners like Nmap handle this by falling back to TCP probes — sending TCP SYN (synchronize) packets to common ports and observing whether they receive SYN-ACK (synchronize-acknowledge) or RST (reset) responses. A host that blocks ICMP but allows TCP port 80 (HTTP — Hypertext Transfer Protocol) will appear live in a TCP scan even though ping reports it as unreachable.
The current best practice is selective ICMP filtering rather than blanket blocking: allow ICMP Echo Reply, Time Exceeded, and Destination Unreachable (particularly Type 3 Code 4) to pass, since these are needed for normal network operation and diagnostics. Block ICMP Echo Request at the network perimeter if you want to prevent external ping sweeps. This approach preserves functionality while reducing the reconnaissance value of ICMP.
The Bottom Line
ICMP is the error-reporting and diagnostic backbone of IP networking. It carries no application data — only control messages between network devices. Its most visible tools, ping and traceroute, are the first things you reach for when a network connection is not working. Its TTL-based mechanism reveals the structure of the network between any two points. In security work, ICMP is simultaneously a reconnaissance tool (ping sweeps, topology mapping, OS fingerprinting), a covert channel (ICMP tunneling), and a historical attack vector (Smurf, ICMP floods). Understanding it thoroughly means understanding when ICMP traffic is normal and when it is a warning sign.
Check Your Understanding
- You are analyzing network traffic and notice a host sending ICMP packets to hundreds of different IP addresses in rapid succession. The packets are all Type 8 (Echo Request). What activity is most likely occurring, and what would you do next?
- A developer reports that connections to an external server work fine for small transfers but hang indefinitely when the application tries to send large amounts of data. The firewall is configured to block all ICMP. How might the firewall configuration be contributing to this problem, and what ICMP message type and code is relevant?
Something to Think About
- ICMP tunneling can exfiltrate data through firewalls that allow ICMP but block other protocols. Some organizations respond by blocking all ICMP entirely. Why might blocking all ICMP create more problems than it solves — and what would a more nuanced approach look like?
- Traceroute reveals the internal routing structure of a network to anyone who runs it. An attacker can use this information to understand which routers connect which segments, helping plan lateral movement. Should organizations actively prevent traceroute from working inside their networks, or does the diagnostic value outweigh the risk? What would you need to weigh on each side?
References
- Official Specification. RFC 792 — "Internet Control Message Protocol". IETF, September 1981. — The ICMP specification defining all message types, codes, and the format of ICMP messages.
- Official Specification. RFC 4443 — "Internet Control Message Protocol (ICMPv6)". IETF. — ICMP for IPv6, including Neighbor Solicitation and Neighbor Advertisement messages used in place of ARP.
- Official Specification. RFC 1191 — "Path MTU Discovery". IETF. — Defines how ICMP Type 3 Code 4 messages are used to discover the maximum packet size that can traverse a path without fragmentation.
- Real-World Incident. CISA — "Advisory AA20-049A: Ransomware Impacting Pipeline Operations". CISA. — Documents attackers using ICMP-based reconnaissance during the initial phases of a critical infrastructure compromise.
- Educational Reference. SANS Institute — Reading Room. SANS Institute. — Technical papers on ICMP-based attack techniques used in security research and incident response.