Networking and Protocols

ICMP

Control and error reporting messages used by IP for diagnostics and feedback.

Where you will see it: Shows up in packet captures, network diagrams, firewall rules, and system or network logs.

What it is

ICMP (Internet Control Message Protocol) is how IP devices report errors and provide operational signals. When a router cannot forward a packet, or when a host needs to tell a sender something about delivery, it often does so with an ICMP message.

Key points
  • ICMP is part of IP, not a separate transport like TCP or UDP.
  • Used for errors (unreachable, fragmentation needed) and for diagnostics (echo).
  • Blocking all ICMP can break real traffic, especially Path MTU Discovery.

How it works in broad strokes

  1. A device processes an IP packet. If it can forward or deliver it, no ICMP is needed.
  2. If something goes wrong, such as no route, TTL expired, or a packet too big, the device may generate an ICMP message back to the source.
  3. The ICMP message includes a type and code describing the condition and usually includes part of the original packet so the sender can identify the flow.
  4. Diagnostic tools send ICMP Echo Requests, and the destination replies with Echo Replies, which is what ping measures.
  5. Traceroute manipulates TTL values so routers along the path send ICMP Time Exceeded, revealing the hop sequence.
  6. Firewalls may rate limit ICMP to prevent abuse, so ICMP behavior can be bursty in real networks.

Concrete example

A router drops a packet because its TTL reached zero. It sends ICMP Time Exceeded back to the source. Your traceroute tool collects those messages to map the route one hop at a time.

Why it matters

IP is best effort. Without feedback, senders would have no clue why traffic fails. ICMP provides enough information for troubleshooting and for important mechanisms like Path MTU Discovery, while still keeping IP simple.

Security angle

  • ICMP can be used for scanning and for some reflection attacks, so networks often filter or rate limit it.
  • ICMP redirects and other rarely used types can be risky if enabled in untrusted environments.
  • The safer approach is to allow necessary ICMP for network health while limiting exposure from the Internet edge.

Common pitfalls

  • Blocking all ICMP. Some types are essential for PMTU discovery and for clean failure behavior.
  • Assuming ping failure means the host is down. Many networks block Echo but still allow TCP and UDP.
  • Ignoring rate limiting. A few ICMP replies do not guarantee every packet gets feedback.
  • Misreading traceroute output when there are asymmetric routes or filtered ICMP.
  • Treating ICMP as a security risk by default rather than filtering specific types sensibly.

DEEP DIVE

ICMP is not a transport; it is feedback

ICMP messages are carried inside IP, but they are not meant for application payloads. They exist so hosts and routers can report problems and provide control information. When a router cannot forward your packet, it can send an ICMP error back to the source explaining why.

You can think of it as the network's notification channel. Without it, many failures would look identical: your traffic would just vanish. With ICMP, you can learn that a destination is unreachable, that a time to live expired, or that a packet was too big for a link.

ICMP is therefore tightly linked to real operations. Tools like ping and traceroute are not magic utilities. They are convenient wrappers around specific ICMP message types.

Ping: echo request and echo reply

Ping sends an ICMP Echo Request to a target and waits for an Echo Reply. The request includes an identifier and sequence number so the sender can match replies and measure round-trip time. If replies come back, you know basic IP reachability exists and that the target is responding.

Ping is useful, but it is not a complete test. Firewalls can block echo messages while allowing real application traffic, and some devices rate limit ICMP responses. A failed ping does not always mean a host is down, but a successful ping is strong evidence that the path and target are alive.

In practice, ping is also a test of the return path. The reply must make it back to you. That is why asymmetric routing issues can show up as intermittent ping failures even when one direction seems fine.

Traceroute: learning the path using TTL expiry

Traceroute works by manipulating the IP Time To Live value. It sends probes with TTL set to 1, then 2, then 3, and so on. Each router decrements TTL. When TTL reaches zero, that router drops the packet and sends back an ICMP Time Exceeded message, revealing itself as a hop.

Eventually a probe reaches the destination. Depending on the traceroute style, the destination may reply with an ICMP Port Unreachable, an Echo Reply, or an application-level response. Either way, traceroute stitches together hop-by-hop feedback from ICMP.

Because routers can rate limit ICMP, traceroute output can be messy. Missing hops do not always mean a missing router. They often mean that the router forwarded the probe but declined to send back an ICMP error due to policy or load.

Path MTU discovery depends on ICMP

Many systems try to avoid IP fragmentation by discovering the maximum packet size that can traverse a path. In IPv4, a sender can set the Don't Fragment bit. If a router encounters a link that cannot carry that size, it drops the packet and sends an ICMP message indicating fragmentation was needed.

The sender then lowers its packet size and tries again. This feedback loop is path MTU discovery. It is vital for performance and correctness, especially when tunnels are involved and effective MTU is smaller than you expect.

If ICMP is blocked, path MTU discovery can break and you get black hole behavior: small packets work, large ones stall or hang. That is why blocking all ICMP is a classic self-inflicted outage. The network loses its ability to explain that packets are too big.
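The message fields discussed in the sections above (type and code, the identifier and sequence number ping matches on, the quoted original packet that lets traceroute and senders identify the flow in a Time Exceeded error, and the next-hop MTU field that PMTU discovery reads from a Fragmentation Needed error) as an added Python decoder. This is example code written for this page, not part of the original text; the three sample messages and the addresses in them are constructed inline, not captured from a real network.

```python
import struct

# ICMPv4 type numbers (RFC 792) and the Fragmentation Needed code (RFC 1191).
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED, FRAG_NEEDED = 0, 3, 8, 11, 4

def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); yields 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(typ: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble a message with a correct checksum; 'rest' is the 4 bytes after the checksum."""
    hdr = struct.pack("!BBH", typ, code, 0) + rest
    csum = icmp_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + rest + payload

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMPv4 message (outer IP header already stripped) into a dict."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code = msg[0], msg[1]
    info = {"type": typ, "code": code, "checksum_ok": icmp_checksum(msg) == 0}
    if typ in (ECHO_REQUEST, ECHO_REPLY):
        # ping matches an Echo Reply to its request using these two fields.
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    elif typ in (DEST_UNREACHABLE, TIME_EXCEEDED):
        if typ == DEST_UNREACHABLE and code == FRAG_NEEDED:
            info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]  # RFC 1191 field
        # Errors quote the original IP header plus 8 bytes of its payload: enough to recover the flow.
        inner = msg[8:]
        if len(inner) >= 20:
            ihl = (inner[0] & 0x0F) * 4
            info["orig_proto"] = inner[9]
            info["orig_src"] = ".".join(map(str, inner[12:16]))
            info["orig_dst"] = ".".join(map(str, inner[16:20]))
            if info["orig_proto"] in (6, 17) and len(inner) >= ihl + 4:
                info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

# Constructed sample: IP + UDP header of a traceroute probe (10.0.0.5:40000 -> 192.0.2.1:33434,
# DF set, TTL 1 on arrival) exactly as a router would quote it inside a Time Exceeded error.
PROBE_HDR = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 36, 0x1234, 0x4000, 1, 17, 0,
                        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]), 40000, 33434, 16, 0)
TIME_EXCEEDED_MSG = build_icmp(TIME_EXCEEDED, 0, b"\x00" * 4, PROBE_HDR)
FRAG_NEEDED_MSG = build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, struct.pack("!HH", 0, 1400), PROBE_HDR)
ECHO_REQ_MSG = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0xBEEF, 7), b"ping-data")
```

Feeding the decoder the ICMP portion of frames from a capture shows why a Time Exceeded or Fragmentation Needed error is actionable only when its quoted header survives; a sanitizer that strips or truncates it leaves the sender unable to tie the error to a flow.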