Byte-Sized Lesson: ICMP Revisited

ICMP is a mandatory companion to IP, built into every operating system's TCP/IP stack, that reports on how IP traffic is being delivered. In this lesson, we review the protocol and delve into how its applications can be used effectively.

When we began this series, we discussed the ICMP (Internet Control Message Protocol). This protocol is the basis for two widely used applications, ping and traceroute. In this lesson and the next, we will review the protocol and delve into how ping and traceroute work and how they can be used effectively.


ICMP is not an optional protocol in TCP/IP. RFC 792 defines it as an integral part of IP, and every operating system that implements IP implements ICMP alongside it. As the name implies, ICMP carries control messages about how IP delivery is going. For example, if a packet is sent to an address on a reachable subnet that no host answers for, the last router on the path reports back to the source with a Destination Unreachable message (host unreachable). If a packet is sent to a network that the routing tables offer no path to, a router reports that the network can't be reached. A router can also tell the sender that a better first hop exists for that destination (a Redirect). Because these messages are generated by routers along the path and carry no authentication, the receiving host cannot prove who sent them; forged unreachable or redirect messages are an old way of disrupting or diverting traffic, which is why many hardening guides turn off acceptance of ICMP redirects on hosts that are not routers.

ICMP messages rarely consume much bandwidth. When they do, that is often a sign of something wrong: an ICMP flood, a host carrying data inside echo payloads (ICMP tunnelling), or a scan. Unfortunately, some applications and operating systems use discovery processes designed to see which devices are currently active on the network, and these look much like a scan: they ping every possible address in the subnet (a ping sweep) and record which devices respond. Better discovery routines ping only a list of candidate devices, such as those known to be using a particular application like email or a collaboration product. A detection rule that fires when a single source sends echo requests to many distinct destinations in a short window will catch both a scanner and a careless discovery tool, so expect to allow-list the latter.
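The sweep detection just described, written out as an added example (not code from the original lesson). It runs over constructed records of the kind a flow exporter or parsed packet capture would give you; the addresses, timestamps and the 16-destination threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Added example, not part of the original lesson. Records are constructed:
# (timestamp in seconds, source, destination, icmp_type).
SWEEPER = "10.0.0.5"


def build_sample_records():
    records = []
    # A discovery tool (or scanner) walking 10.0.0.1 .. 10.0.0.40, one host per second.
    for i in range(1, 41):
        records.append((float(i), SWEEPER, f"10.0.0.{i}", 8))
    # A monitoring box pinging one gateway every second: lots of ICMP, one destination.
    for t in range(0, 120):
        records.append((float(t), "10.0.0.7", "10.0.0.1", 8))
        records.append((float(t) + 0.02, "10.0.0.1", "10.0.0.7", 0))
    # A targeted discovery routine checking a short list of known servers.
    for t, dst in enumerate(("10.0.0.10", "10.0.0.11", "10.0.0.12")):
        records.append((float(t), "10.0.0.9", dst, 8))
    return records


SAMPLE_RECORDS = build_sample_records()


def detect_ping_sweeps(records, window_s=60.0, threshold=16):
    """Return {source: peak distinct destinations} for every source that sent
    echo requests to at least `threshold` distinct destinations within any
    sliding window of `window_s` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == 8:  # only echo requests count; replies are the targets answering
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # destination -> hits inside the sliding window
        distinct = 0
        peak = 0
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            if in_window[dst] == 1:
                distinct += 1
            while ts - events[start][0] > window_s:  # slide the window's left edge
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    distinct -= 1
                start += 1
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_ping_sweeps(SAMPLE_RECORDS))
```

Counting distinct destinations rather than raw message volume is the point: the monitoring host sends more ICMP than the sweeper but never trips the rule, while a discovery tool with a short, fixed list stays under the threshold.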


The most common ICMP messages are either error messages or what might be called reachability messages. If there is a problem with an IP packet's route or destination, these are some of the error messages a router can return (the type numbers are those assigned in RFC 792):

  • Time Exceeded (type 11): the packet passed through too many routers, its TTL reached zero, and it was discarded. Traceroute deliberately provokes this message.
  • Destination Unreachable (type 3), with a code saying what could not be reached: Network (code 0), Host (code 1), or Port (code 3). Port unreachable comes from the destination host itself when nothing is listening on a UDP port.

Reachability messages are:

  • Echo Request (type 8) and Echo Reply (type 0), commonly known as ping.
  • Redirect (type 5): sent by a router when it knows a better first hop for the sender to use toward that destination.
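To make the header layout behind these type numbers concrete, here is an added example (not code from the original lesson) that builds and decodes ICMP messages with the RFC 1071 checksum every implementation uses. The type and code numbers are RFC 792's; the identifier, sequence, gateway address and payload values are constructed for illustration.

```python
import struct

# Added example, not code from the original lesson. ICMP type and code numbers
# are from RFC 792; the sample values used below are constructed.
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
}
ICMP_CODES = {
    3: {0: "Network Unreachable", 1: "Host Unreachable",
        2: "Protocol Unreachable", 3: "Port Unreachable"},
    5: {0: "Redirect for Network", 1: "Redirect for Host"},
    11: {0: "TTL exceeded in transit", 1: "Fragment reassembly time exceeded"},
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum.

    The 8-byte header is type, code, checksum, then a 4-byte field whose meaning
    depends on the type (identifier+sequence for echo, gateway for redirect).
    """
    if len(rest_of_header) != 4:
        raise ValueError("rest-of-header field must be exactly 4 bytes")
    header = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest_of_header + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0: the packet `ping` sends."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def build_redirect(gateway: str, original_ip_header_and_8: bytes) -> bytes:
    """Type 5, code 1 (host redirect) naming a new first-hop gateway."""
    gw = bytes(int(octet) for octet in gateway.split("."))
    return build_icmp(5, 1, gw, original_ip_header_and_8)


def parse_icmp(packet: bytes) -> dict:
    """Decode the header, name the type/code, and verify the checksum.

    Verification is simple: summing a message that already carries its checksum
    gives 0xFFFF, so the complemented result is 0.
    """
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; message too short")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    rest = packet[4:8]
    info = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "Unknown"),
        "code": code,
        "code_name": ICMP_CODES.get(icmp_type, {}).get(code, ""),
        "checksum_ok": internet_checksum(packet) == 0,
    }
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", rest)
        info["payload"] = packet[8:]
    elif icmp_type == 5:
        info["gateway"] = ".".join(str(b) for b in rest)
        info["original_header"] = packet[8:]  # IP header + first 8 bytes of the datagram
    elif icmp_type in (3, 11):
        info["original_header"] = packet[8:]  # same quoted fragment, lets the host match it
    return info


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1, b"abcdefgh")))
```

Note what the error types carry after the header: the IP header and first 8 bytes of the packet that caused the error, which is how the sending host matches an unreachable or time-exceeded message back to the connection it belongs to. A host that accepts such messages without checking that quoted fragment against its own open sockets is the one that can be tricked by forged errors.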

In our next lesson we'll examine the use of ICMP with the most common applications, ping and traceroute. However, before we leave this discussion, we'll point out how Windows 10 reports a ping response. On my computer, in the command window, I typed ping followed by the server's address. The response was this:

  • Reply from <server address>: bytes=32 time=27ms TTL=55
  • Reply from <server address>: bytes=32 time=27ms TTL=55
  • Reply from <server address>: bytes=32 time=27ms TTL=55
  • Reply from <server address>: bytes=32 time=27ms TTL=55

TTL (time-to-live) is the name of the IP header field that in practice works as a hop count. Each router a packet passes through is a hop, and each router decreases the TTL by 1; when it reaches zero the packet is discarded and the router sends back an ICMP Time Exceeded. From these four replies, we know we can reach the server and the round-trip time is about 27ms. The TTL shown in a reply, however, is set by the replying host, not by Windows: it is the server's initial TTL minus the number of routers on the return path. Operating systems start from one of a few common values (64 for Linux and most network devices, 128 for Windows, 255 for some routers), so a reply TTL of 55 almost certainly started at 64, and 64 minus 55 tells us the path back from the server crossed nine routers. Pinging my own router confirmed the idea: the response said TTL = 64. My local router is zero hops away, so its reply arrived with its initial TTL of 64 intact. Windows 10 itself sends with an initial TTL of 128; you can see that value in the outgoing echo requests if you capture your own ping.
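The TTL reasoning above, turned into an added example (not code from the original lesson) that parses Windows ping output and infers the hop count. The reply lines are constructed with a documentation address (192.0.2.1), not the author's server, and the choice of 64, 128 and 255 as candidate initial TTLs is the usual heuristic, not something the TTL field itself guarantees.

```python
import re

# Added example, not from the original lesson. The output below is constructed
# in Windows ping's format, using a documentation address rather than a real server.
WINDOWS_PING_OUTPUT = """\
Pinging 192.0.2.1 with 32 bytes of data:
Reply from 192.0.2.1: bytes=32 time=27ms TTL=55
Reply from 192.0.2.1: bytes=32 time=26ms TTL=55
Request timed out.
Reply from 192.0.2.1: bytes=32 time=28ms TTL=55
Reply from 192.0.2.1: bytes=32 time=27ms TTL=55
"""

# Initial TTL values in common use: 64 (Linux, most network gear), 128 (Windows),
# 255 (some routers). Assumed heuristic, not a property of the protocol.
COMMON_INITIAL_TTLS = (64, 128, 255)

REPLY_RE = re.compile(
    r"Reply from (?P<addr>[0-9.]+): bytes=(?P<bytes>\d+) "
    r"time[=<](?P<time>\d+)ms TTL=(?P<ttl>\d+)"  # Windows prints "time<1ms" on the LAN
)


def parse_reply(line: str):
    """Return the fields of one Windows 'Reply from' line, or None for other lines."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    return {"addr": m["addr"], "bytes": int(m["bytes"]),
            "time_ms": int(m["time"]), "ttl": int(m["ttl"])}


def infer_hops(reply_ttl: int):
    """Guess the replying host's initial TTL and the router count on the return path.

    The reply TTL belongs to the replying host: it started at that host's
    default and lost 1 per router on the way back. We pick the smallest common
    initial value >= the observed TTL. This is wrong if a return path is longer
    than 64 hops or a middlebox rewrites TTL, so treat the result as an estimate.
    """
    for initial in COMMON_INITIAL_TTLS:
        if reply_ttl <= initial:
            return initial, initial - reply_ttl
    raise ValueError("TTL above 255 is not valid IPv4")


def summarize(output: str):
    """Collapse one ping run into reachability, latency and hop-count estimate."""
    replies = [r for r in map(parse_reply, output.splitlines()) if r]
    if not replies:
        return None
    ttls = {r["ttl"] for r in replies}
    if len(ttls) != 1:
        # Different TTLs in one run mean the return path changed or two hosts answered.
        return {"received": len(replies), "ttls": sorted(ttls), "hops": None}
    initial, hops = infer_hops(replies[0]["ttl"])
    return {
        "received": len(replies),
        "avg_time_ms": sum(r["time_ms"] for r in replies) / len(replies),
        "ttl": replies[0]["ttl"],
        "initial_ttl": initial,
        "hops": hops,
    }


if __name__ == "__main__":
    print(summarize(WINDOWS_PING_OUTPUT))
```

The hop count is for the return path only; routing is often asymmetric, so the forward path traceroute shows next lesson may differ.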

In our next lesson, we'll review ping and move on to the use of traceroute. The combination of these two applications can reveal a surprising amount of information about our network and network application performance.


Phil Hippensteel