N10-009
Obj 1.4 | Ch. 2
12 slides

ICMP

The Network's Diagnostic Language
How ping, traceroute, and error messages keep networks running

The Scenario
A user reports they can't reach the company's remote server at 10.200.1.5. You open a terminal. Your first tool? Ping. But what actually happens when you type ping 10.200.1.5? Let's trace ICMP from keystroke to reply.
Slide 2 of 12

What Is ICMP?

Scenario
When you type ping 10.200.1.5, your OS doesn't open a TCP connection or a UDP socket. It creates an ICMP packet — a special Layer 3 control message that lives inside IP itself.

What ICMP IS

  • Protocol Number: 1 in the IP header
  • Encapsulated directly inside IP (Layer 3)
  • Purpose: error reporting and diagnostics
  • Defined in RFC 792 (IPv4)
  • No ports — you can't "connect" to ICMP

What ICMP Is NOT

  • Not a transport protocol
  • Does NOT use TCP or UDP
  • Does NOT carry user data
  • Does NOT establish connections
  • NOT a replacement for TCP/UDP
  [ IP Header: Protocol = 1 ][ ICMP Header: Type | Code | Checksum ][ ICMP Data: network status info ]
Key Point
ICMP doesn't carry user data. It carries network status information — "is this host alive," "that destination doesn't exist," "your TTL expired." It's the network telling itself what's happening.
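As an added illustration (not from the slides): a small Python script that builds the ICMP Echo Request / Echo Reply header shown above, computes the RFC 1071 checksum, parses the header back out, and wraps the message in an IPv4 header whose Protocol field is 1. The 32-byte payload and the identifier 0x0e21 are sample values; the header layout follows RFC 792.

```python
import socket
import struct

ICMP_PROTOCOL_NUMBER = 1   # value carried in the IPv4 header's Protocol field
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of all
    16-bit words. ICMP and the IPv4 header both use it. An odd trailing byte
    is padded with a zero byte before summing."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo Request (type 8) or Echo Reply (type 0), always code 0.
    Header layout: Type(1) | Code(1) | Checksum(2) | Identifier(2) | Sequence(2)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum zeroed first
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte header. A packet whose checksum is intact sums to
    zero when the checksum field itself is included in the computation."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "checksum_ok": internet_checksum(packet) == 0,
            "id": ident, "seq": seq, "payload": packet[8:]}


def make_reply(request: bytes) -> bytes:
    """What the target does with a valid Echo Request: answer with type 0 and
    the same identifier, sequence and payload (addresses are swapped at IP)."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0 or not req["checksum_ok"]:
        raise ValueError("not a valid Echo Request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def build_ipv4(src: str, dst: str, ttl: int, icmp: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) around the ICMP message.
    Protocol = 1 is what tells the receiver the payload is ICMP."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(icmp), 0, 0, ttl, ICMP_PROTOCOL_NUMBER, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + icmp


if __name__ == "__main__":
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"      # 32 bytes, like a Windows ping
    request = build_echo(ICMP_ECHO_REQUEST, 0x0E21, 1, payload)
    datagram = build_ipv4("192.168.1.10", "10.200.1.5", 64, request)
    print("IP protocol field:", datagram[9], "TTL:", datagram[8])
    print("request:", parse_icmp(request))
    print("reply:  ", parse_icmp(make_reply(request)))
```

Byte 9 of the datagram is the Protocol field and byte 8 is the TTL, which is why the script prints those two offsets: they are the fields the rest of this deck keeps coming back to.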
Slide 3 of 12

ICMP Message Types — The Essential Ones

  Category       Type  Message                  Meaning
  Diagnostic        8  Echo Request             "Are you alive?" — the packet ping sends outbound
  Diagnostic        0  Echo Reply               "I'm alive!" — the response the target sends back
  Error             3  Destination Unreachable  "Can't get there" — 16 sub-codes identify exactly why
  Informational    11  Time Exceeded            "TTL hit zero" — traceroute exploits this deliberately
  Routing           5  Redirect                 "Use a better route" — router tells host to update next-hop
Exam Tip
Type 8 = Request (you send). Type 0 = Reply (you receive). The numbers are NOT sequential pairs — memorize them individually. Type 8 goes out, Type 0 comes back. Type 11 = traceroute. Type 3 = something broke.
Slide 4 of 12

Ping — How It Actually Works

  1. Your machine sends an ICMP Echo Request (Type 8, Code 0)
     Your OS constructs an ICMP packet with Type=8, Code=0. It's wrapped in an IP header destined for 10.200.1.5. No TCP handshake. No UDP socket. Straight to IP.
  2. Each router decrements TTL; if TTL hits 0, it sends back Type 11
     Every router along the path decrements the TTL field in the IP header by 1. If any router decrements TTL to zero, it drops the packet and sends back an ICMP Type 11 (Time Exceeded) to the source.
  3. Target receives the request and sends back an ICMP Echo Reply (Type 0, Code 0)
     The destination host (10.200.1.5) receives the Echo Request, reverses the source/destination IPs, and sends back an ICMP Type 0 Echo Reply.
  4. Your machine calculates round-trip time (RTT)
     The OS timestamps the outbound request. When the reply arrives, it subtracts the timestamps. That difference is the RTT in milliseconds — latency to the target.

  C:\> ping 10.200.1.5

  Pinging 10.200.1.5 with 32 bytes of data:
  Reply from 10.200.1.5: bytes=32 time=24ms TTL=62
  Reply from 10.200.1.5: bytes=32 time=23ms TTL=62
  Reply from 10.200.1.5: bytes=32 time=25ms TTL=62
  Reply from 10.200.1.5: bytes=32 time=24ms TTL=62

  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
  Minimum = 23ms, Maximum = 25ms, Average = 24ms

  • bytes=32 — default Windows ping payload size
  • time=24ms — round-trip time (RTT), latency to target
  • TTL=62 — hops remaining when reply arrived (started at 64)
Slide 5 of 12

Ping Failures — What They Mean

Request timed out.
No response received within the timeout window. Possible causes: host is down, a firewall is blocking ICMP Echo Request or Reply, or a routing issue exists in either direction. The absence of a reply is not proof the host is unreachable.
Reply from 192.168.1.1: Destination host unreachable.
A router along the path (here: 192.168.1.1) sent back an ICMP Type 3 (Destination Unreachable). The router knows the destination exists but cannot forward the packet. Check routing tables on the router that sent this reply.
Reply from 10.100.0.2: TTL expired in transit.
The packet is looping. Two or more routers are forwarding traffic to each other, each decrementing the TTL, until TTL hits zero. ICMP Type 11. Check routing tables on the routers identified in the reply source IP.
Scenario
Your ping to 10.200.1.5 returns "Request timed out." Is the server down? Not necessarily. The server's firewall may be configured to silently drop ICMP Echo Requests. Ping is a test tool, not definitive proof of reachability. Next step: try traceroute to see where traffic stops.
Slide 6 of 12

Traceroute — Mapping the Path

How Traceroute Works

  • Sends probes with TTL=1, then TTL=2, then TTL=3...
  • Each router that decrements TTL to 0 returns ICMP Type 11 (Time Exceeded)
  • The source IP in each Type 11 response reveals that hop
  • Process repeats until the destination is reached (ICMP Type 0)

Platform Differences

  • Windows: tracert — uses ICMP Echo Requests
  • Linux: traceroute — uses UDP by default
  • Linux ICMP mode: traceroute -I
  • Same concept, different probe packet type
  Hop  RTT 1   RTT 2   RTT 3   IP                   Note
    1  <1 ms   <1 ms   <1 ms   192.168.1.1          [Gateway]
    2  12 ms   11 ms   12 ms   10.0.0.1             [ISP Router]
    3  *       *       *       Request timed out.   [Firewall blocking ICMP]
    4  22 ms   23 ms   22 ms   10.100.0.1           [Core Router]
    5  24 ms   24 ms   25 ms   10.200.1.5           [Destination]
The Asterisks Explained
Hop 3 shows * * * — the firewall blocks ICMP but still forwards traffic normally. The packet gets through; the router just won't respond to TTL-expired packets. Traffic reaching hop 4 proves this.
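Added example (not part of the slides) covering both the four-step ping sequence on slide 4 and the traceroute mechanism on this slide: a Python model of a path in which every router decrements TTL, the router that takes it to zero answers Type 11 from its own address, a silent firewall hop forwards but never answers, and the destination answers Type 0 (or drops the Echo Request, which is the "Request timed out." case). The per-hop delays and the firewall's address 10.50.0.1 are constructed; the slide's table shows no address for that hop.

```python
from dataclasses import dataclass
from typing import List, Optional

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11


@dataclass
class Hop:
    ip: str
    delay_ms: float                  # one-way delay this hop adds (constructed values)
    answers_expired: bool = True     # False models a firewall that forwards but never sends Type 11


@dataclass
class Answer:
    icmp_type: Optional[int]         # None means nothing came back before the timeout
    source: Optional[str]            # IP the answer came from
    rtt_ms: Optional[float]


def send_probe(path: List[Hop], dest_ip: str, ttl: int, dest_answers: bool = True) -> Answer:
    """Carry one Echo Request along the path. Every router decrements TTL; the
    one that takes it to zero discards the probe and, unless it is silent,
    answers Type 11 from its own address. A probe that survives reaches the
    destination, which answers Type 0 unless its firewall drops Echo Requests."""
    elapsed = 0.0
    for hop in path:
        elapsed += hop.delay_ms
        ttl -= 1
        if ttl == 0:
            if hop.answers_expired:
                return Answer(TIME_EXCEEDED, hop.ip, 2 * elapsed)
            return Answer(None, None, None)            # silent drop: shows as "*"
    if not dest_answers:
        return Answer(None, None, None)                # "Request timed out."
    return Answer(ECHO_REPLY, dest_ip, 2 * (elapsed + 1.0))   # +1 ms inside the target (constructed)


def ping(path: List[Hop], dest_ip: str, ttl: int = 64, dest_answers: bool = True) -> Answer:
    """ping: one probe with a full TTL; RTT is reply time minus send time."""
    return send_probe(path, dest_ip, ttl, dest_answers)


def traceroute(path: List[Hop], dest_ip: str, max_hops: int = 30,
               probes: int = 3, dest_answers: bool = True) -> List[tuple]:
    """traceroute: TTL=1, 2, 3 ... until a Type 0 comes back (or max_hops).
    Each row is (hop number, responding IP or None, RTT per probe or None)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answers = [send_probe(path, dest_ip, ttl, dest_answers) for _ in range(probes)]
        rows.append((ttl, answers[0].source, [a.rtt_ms for a in answers]))
        if answers[0].icmp_type == ECHO_REPLY:
            break
    return rows


def format_row(row: tuple) -> str:
    hop, source, rtts = row
    cells = ["*" if r is None else f"{r:.1f} ms" for r in rtts]
    return f"{hop:>3}  " + "  ".join(cells) + "  " + (source or "Request timed out.")


# Constructed path mirroring the slide's traceroute table; the firewall's own
# address never appears in real output, so its IP here is only a placeholder.
PATH = [
    Hop("192.168.1.1", 0.2),                          # gateway
    Hop("10.0.0.1", 5.5),                             # ISP router
    Hop("10.50.0.1", 2.0, answers_expired=False),     # firewall: forwards, never answers
    Hop("10.100.0.1", 3.0),                           # core router
]
DEST = "10.200.1.5"

if __name__ == "__main__":
    print("ping:", ping(PATH, DEST))
    for row in traceroute(PATH, DEST):
        print(format_row(row))
    print("server firewall dropping Echo Requests:", ping(PATH, DEST, dest_answers=False))
```

Run with the destination set to drop Echo Requests and the output reproduces the deck's closing scenario: hops 1, 2 and 4 answer, hop 3 is silent, and every later row is asterisks because no Type 0 ever arrives, while a plain ping shows only "Request timed out."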
Slide 7 of 12

Type 3: Destination Unreachable — The Sub-Codes

Code 0
Network Unreachable
No route to the destination network exists in the routing table. The router has no idea how to reach that network at all.
Code 1
Host Unreachable
The network is reachable but the specific host is not responding on the local segment. Often an ARP failure on the last-hop router.
Code 3
Port Unreachable
Host is alive but no service is listening on that UDP port. This is how UDP "connect refused" works — TCP uses RST instead.
Code 4
Fragmentation Needed — DF Bit Set
Packet is too large for the next link, but the Don't Fragment (DF) bit is set. This is how Path MTU Discovery (PMTUD) works — blocking this code causes VPN black holes.
Code 9
Network Administratively Prohibited
A firewall or ACL is explicitly blocking access to the destination network. The router is telling you it's a policy decision, not a routing failure.
Code 13
Communication Administratively Prohibited
Traffic to the host is filtered by policy. Similar to Code 9 but at the host level. Commonly seen when a host-based firewall blocks the connection.
Scenario
You ping 10.200.1.5 and get "Destination net unreachable" from 10.100.0.1. That's Code 0 — the router at 10.100.0.1 has no route to the 10.200.0.0 network. Check that router's routing table. Static route missing? Default route problem?
Slide 8 of 12

ICMP and Security

Why Firewalls Block ICMP

Ping Sweep
Send Echo Requests to every IP in a subnet to discover live hosts. Fast network reconnaissance.
ICMP Flood / Ping of Death
Overwhelm a target with high-volume or oversized ICMP packets. Historical DoS vector.
Smurf Attack
Send ping to a broadcast address with a spoofed source IP. Every host on the subnet replies to the victim — amplification attack.
ICMP Tunneling
Hide exfiltrated data inside ICMP packet payloads. Bypasses firewalls that allow ping but block other protocols.

Why Blocking ALL ICMP Breaks Things

PMTUD Failure
Path MTU Discovery relies on ICMP Type 3 Code 4 (Fragmentation Needed). Block all ICMP and VPN tunnels experience mysterious black holes where large packets silently fail.
Traceroute Stops Working
Type 11 responses are blocked. Every hop shows * * *. Network diagnostics go blind.
Best Practice
Allow Types 0, 3, 8, and 11 — Echo Request, Echo Reply, Destination Unreachable, Time Exceeded. Rate-limit inbound Echo Requests. Block the rest.
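Added example (not from the slides) of the best-practice policy just stated, as a Python model of a stateful ICMP filter: an allow-list of types 0, 3, 8 and 11, with a token bucket that rate-limits inbound Echo Requests. The rate (10 per second) and burst (20) are constructed values, and the clock is injectable so the demo function runs deterministically.

```python
import time
from typing import Callable, List, Tuple

# Types the slide says to allow: Echo Reply, Destination Unreachable,
# Echo Request, Time Exceeded. Everything else (e.g. Type 5 Redirect) is dropped.
ALLOWED_TYPES = {0, 3, 8, 11}


class IcmpPolicy:
    """Allow-list on ICMP type, plus a token bucket that rate-limits inbound
    Echo Requests (type 8) to `rate` per second with bursts up to `burst`."""

    def __init__(self, rate: float = 10.0, burst: int = 20,
                 clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()
        self.log: List[Tuple[str, int, int, str]] = []   # (direction, type, code, verdict)

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def decide(self, direction: str, icmp_type: int, code: int = 0) -> str:
        """direction is 'in' or 'out'. Returns 'ACCEPT' or 'DROP' and records it."""
        if icmp_type not in ALLOWED_TYPES:
            verdict = "DROP"                         # e.g. Redirect (5)
        elif direction == "in" and icmp_type == 8:
            self._refill()
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                verdict = "ACCEPT"
            else:
                verdict = "DROP"                     # inbound ping rate limit exceeded
        else:
            verdict = "ACCEPT"                       # 0, 3 (every code), 11, and our own outbound 8
        self.log.append((direction, icmp_type, code, verdict))
        return verdict


class FakeClock:
    """Constructed clock so the demonstration does not depend on wall time."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    policy = IcmpPolicy(rate=10.0, burst=20, clock=clock)
    burst = [policy.decide("in", 8) for _ in range(25)]     # 25 inbound pings at once
    clock.advance(1.0)                                     # one second later: 10 tokens refilled
    later = [policy.decide("in", 8) for _ in range(12)]
    return {
        "burst_accepted": burst.count("ACCEPT"),
        "later_accepted": later.count("ACCEPT"),
        "redirect": policy.decide("in", 5),
        "frag_needed": policy.decide("in", 3, 4),          # PMTUD must keep working
        "time_exceeded": policy.decide("in", 11),          # traceroute keeps working
        "outbound_echo": policy.decide("out", 8),          # our own pings are not limited
    }


if __name__ == "__main__":
    print(demo())
```

The point of the allow-list is that Type 3 is accepted with every code, so Code 4 (Fragmentation Needed) still reaches the host and PMTUD does not break, while the rate limit only touches inbound Echo Requests and leaves replies to our own pings alone.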
Slide 9 of 12

ICMP vs TCP vs UDP

  ICMP                 TCP                      UDP
  Protocol 1           Protocol 6               Protocol 17
  No ports             Uses port numbers        Uses port numbers
  No data transfer     Reliable data transfer   Unreliable data transfer
  Error reporting      Connection-oriented      Connectionless
  Diagnostics          3-way handshake          No handshake
  Connectionless       Retransmission           No retransmission
  Layer 3              Layer 4                  Layer 4
Key Insight
ICMP has no port numbers. You can't "connect" to ICMP. It's a signaling protocol, not a data protocol. TCP and UDP are Layer 4 transport protocols that carry application data. ICMP is a Layer 3 control protocol that carries network status messages.
Exam Tip
If a question asks about Protocol Number 1, the answer is ICMP. Protocol 6 = TCP. Protocol 17 = UDP. These three appear constantly on network exams.
Slide 10 of 12

ICMP in Wireshark

Watch the capture below. The first five packets are normal ping traffic — then something changes at packet 6.

  No.  Time   Source        Destination   Proto  Info
  1    0.000  192.168.1.10  10.200.1.5    ICMP   Echo (ping) request id=0x0e21 seq=1
  2    0.024  10.200.1.5    192.168.1.10  ICMP   Echo (ping) reply   id=0x0e21 seq=1
  3    0.999  192.168.1.10  10.200.1.5    ICMP   Echo (ping) request id=0x0e21 seq=2
  4    1.023  10.200.1.5    192.168.1.10  ICMP   Echo (ping) reply   id=0x0e21 seq=2
  5    2.050  192.168.1.10  10.200.1.5    ICMP   Echo (ping) request id=0x0e21 seq=3
  6    2.050  10.100.0.1    192.168.1.10  ICMP   Destination unreachable (Host unreachable)
Filters:  icmp  |  icmp.type == 8 (requests only)  |  icmp.type == 3 (errors only)  |  icmp.type == 11 (TTL exceeded)
What Changed at Packet 6?
Packet 5 is a request to 10.200.1.5. Packet 6 is a Type 3 (Host Unreachable) from 10.100.0.1 — a completely different IP. The route broke mid-test. The reply isn't coming from the target — it's coming from a router that can no longer reach the target. Something changed between packets 4 and 6.
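Added Python example (not from the slides) tying together the Type 3 sub-code table on slide 7 and this capture: it labels type/code pairs the way ping and Wireshark do, applies the equivalent of the icmp.type display filters, pairs each request with its reply to compute RTT, and flags error messages whose source is not the ping target. The packet rows are constructed to match the list above; the sequence numbers come from the Info column, and the Type 3 row carries none.

```python
from typing import Dict, List, NamedTuple, Optional

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
DEST_UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                      3: "Port Unreachable", 4: "Fragmentation Needed, DF bit set",
                      9: "Network Administratively Prohibited",
                      13: "Communication Administratively Prohibited"}


def describe(icmp_type: int, code: int = 0) -> str:
    """Human-readable label for a type/code pair, as ping and Wireshark show it."""
    name = ICMP_TYPES.get(icmp_type, f"Type {icmp_type}")
    if icmp_type == 3:
        reason = DEST_UNREACH_CODES.get(code, f"code {code}")
        return f"{name} ({reason})"
    return name


class Packet(NamedTuple):
    no: int
    time: float          # seconds since first packet, as in the capture's Time column
    src: str
    dst: str
    icmp_type: int
    code: int
    seq: Optional[int]   # Echo sequence number; error messages carry none here


# Constructed rows reproducing the slide's packet list.
CAPTURE = [
    Packet(1, 0.000, "192.168.1.10", "10.200.1.5", 8, 0, 1),
    Packet(2, 0.024, "10.200.1.5", "192.168.1.10", 0, 0, 1),
    Packet(3, 0.999, "192.168.1.10", "10.200.1.5", 8, 0, 2),
    Packet(4, 1.023, "10.200.1.5", "192.168.1.10", 0, 0, 2),
    Packet(5, 2.050, "192.168.1.10", "10.200.1.5", 8, 0, 3),
    Packet(6, 2.050, "10.100.0.1", "192.168.1.10", 3, 1, None),
]


def select(capture: List[Packet], icmp_type: Optional[int] = None) -> List[Packet]:
    """Equivalent of the display filters `icmp` (no type) and `icmp.type == N`."""
    return [p for p in capture if icmp_type is None or p.icmp_type == icmp_type]


def analyze(capture: List[Packet], our_ip: str, target_ip: str) -> Dict:
    """Pair each Echo Request with its reply, compute RTTs, and flag error
    messages whose source is not the target: that source is the router where
    forwarding stopped, which is the first device to check."""
    outstanding: Dict[int, float] = {}
    rtt_ms: Dict[int, float] = {}
    errors = []
    for p in capture:
        if p.icmp_type == 8 and p.src == our_ip and p.seq is not None:
            outstanding[p.seq] = p.time
        elif p.icmp_type == 0 and p.src == target_ip and p.seq in outstanding:
            rtt_ms[p.seq] = round((p.time - outstanding.pop(p.seq)) * 1000, 1)
        elif p.icmp_type in (3, 11):
            errors.append({"no": p.no, "from": p.src, "from_target": p.src == target_ip,
                           "meaning": describe(p.icmp_type, p.code)})
    return {"rtt_ms": rtt_ms, "unanswered": sorted(outstanding), "errors": errors}


if __name__ == "__main__":
    for p in select(CAPTURE, 3):
        print("error packet", p.no, "from", p.src, "->", describe(p.icmp_type, p.code))
    print(analyze(CAPTURE, our_ip="192.168.1.10", target_ip="10.200.1.5"))
```

For the capture above the report shows two 24 ms round trips, sequence 3 unanswered, and one Type 3 error from 10.100.0.1 with from_target false, which is exactly the "reply isn't coming from the target" observation in prose form.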
Slide 11 of 12

Key Exam Points

Protocol 1

ICMP = IP Protocol Number 1. Not TCP (6) or UDP (17). No ports assigned.

Type 8 = Out

ICMP Echo Request. The packet ping sends to the target. Type 8, Code 0.

Type 0 = Back

ICMP Echo Reply. The packet the target sends back. Type 0, Code 0.

Type 3 = Error

Destination Unreachable. Sub-codes 0-13 tell you exactly what failed.

Type 11 = Trace

Time Exceeded. TTL hit zero. Traceroute exploits this to map each hop.

No Ports

ICMP has no port numbers. Encapsulated directly in IP, not TCP or UDP.

Ping vs Trace

ping tests reachability. traceroute maps the path. Different tools, both use ICMP.

PMTUD Risk

Blocking all ICMP breaks Path MTU Discovery (Type 3, Code 4). VPN black holes result.

Layer 3

ICMP operates at Layer 3 (Network). Not Layer 4. No transport-layer services.

Exam Tip
Questions about network diagnostic tools always connect back to ICMP. "What protocol does ping use?" = ICMP. "What type is a ping reply?" = Type 0. "What does traceroute rely on?" = ICMP Type 11 (Time Exceeded).
Slide 12 of 12

Scenario Resolution

What Actually Happened at 10.200.1.5
You pinged 10.200.1.5 — Request timed out. No reply, no error code. You ran traceroute — the path completed through hop 4 at 10.100.0.1, but hop 3 showed asterisks. ICMP was being filtered. You asked the firewall admin — they confirmed an ACL was added yesterday that blocks all inbound ICMP. The server is up. The service is running. The firewall is silent-dropping your probe packets.

ICMP told you the story. Not by answering — by not answering from the right place.

What We Covered

  • ICMP = Protocol 1, Layer 3, no ports
  • Type 8 (Request) and Type 0 (Reply)
  • Type 3 Destination Unreachable + codes
  • Type 11 Time Exceeded (traceroute)
  • Ping failure modes and their meaning
  • Wireshark ICMP filter syntax
  • Security threats and blocking trade-offs

When You See ICMP on the Exam

  • Protocol Number 1 question = ICMP
  • "ping uses which protocol" = ICMP
  • TTL expired = Type 11, think traceroute
  • Type 3 with code = Destination Unreachable
  • PMTUD + blocking = Code 4 / VPN black hole
  • Linux traceroute default = UDP, not ICMP
  • Wireshark filter: icmp