ICMP message

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

ICMP messages are encapsulated in IP datagrams. They fall into two categories: error report messages and query messages.

The general format of the header of the ICMP message is shown in figure 1.11.

Figure 1.11 General format of the header of an ICMP message

1.2.1 Query message

There are many types of query messages. The most common are Type 8 and Type 0, which appear in pairs: Type 8 is an echo request (Echo) and Type 0 is an echo reply (Echo Reply). They were covered in the course "Building and Maintaining Enterprise Networks", so I won't repeat them here.

1.2.2 Error report message

One of the main responsibilities of ICMP is to report errors. When a router or the destination host runs into a problem with an IP datagram, it sends an error message back to the source of the datagram.

There are five types of error report messages.

- Type 3: destination unreachable

- Type 4: source quench (source point suppression)

- Type 5: redirect (change route)

- Type 11: timeout

- Type 12: parameter problem

This section describes three of them: the destination unreachable, source quench, and timeout messages.

1. Destination unreachable message

When an intermediate router cannot find a route for a datagram, or the destination host cannot deliver it, the router or host discards the datagram and sends a destination unreachable message to the source that sent it.

The header format of the destination unreachable message is shown in figure 1.12.

Figure 1.12 Header format of the ICMP destination unreachable message

The code field indicates the reason the datagram was discarded, and there are 16 codes. Two of these reasons are listed and demonstrated below.

- Code 1: Host unreachable.

- Code 3: Port unreachable.

The first reason is demonstrated first. The idea is to ping a host in an unknown network from the Web host, and then analyze the returned ICMP packets with Sniffer.

Start a Sniffer packet capture on the Web host, then ping 1.1.1.1. Running the command in a CMD window gives:

C:\> ping 1.1.1.1

Reply from 192.168.1.254: Destination host unreachable.

……

This is the error report returned by the router: the destination host is unreachable because the router cannot find a route for 1.1.1.1.

The decoding after grabbing the packet by Sniffer is shown in figure 1.13.

As you can see, source IP 192.168.1.254 (the router) returns an error report message to destination IP 192.168.1.1 (the Web host) with Type 3 and Code 1: Host unreachable.

Figure 1.13 Demonstration of the ICMP destination unreachable message (1)

The second reason is demonstrated next. The idea is to use hping on the PC2 host to send a UDP message to a closed UDP port on the Web host. Because the UDP port is not open, the Web host cannot deliver the UDP message and returns an ICMP error report message, which can be analyzed with a Sniffer packet capture on the Web host.

First start a Sniffer packet capture on the Web host, then use hping on the PC2 host to send a UDP message to UDP port 80 (not open) on the Web host. The command is:

[root@kkg sbin]# hping 192.168.1.1 -2 -p 80 -c 1

The decoding after capturing the packet by Sniffer on the Web host is shown in figure 1.14.

Figure 1.14 Demonstration of the ICMP destination unreachable message (2)

As you can see, source IP 192.168.1.1 (the Web host) returns an error report message to destination IP 192.168.2.1 (the PC2 host) with Type 3 and Code 3: Port unreachable.

2. Source quench message

The IP protocol has no flow control mechanism, which can cause congestion in an intermediate router or the destination host. The queue (buffer) in a router or host has a limited length, and it overflows if datagrams are received much faster than they are forwarded (for routers) or processed (for hosts). In this case, the router or host can only discard some datagrams.

The ICMP source quench message was designed to add a flow control mechanism to the IP protocol. When a router or host discards a datagram because of congestion, it sends a source quench message to the sender of the datagram, notifying the sender that it must slow down its sending rate. It is important to note that for every datagram discarded due to congestion, the router or host should send a source quench message.

The header format of the source quench message is shown in figure 1.15.

Figure 1.15 Header format of the ICMP source quench message

3. Timeout message

There are two situations in which timeout messages are generated.

- An intermediate router receives a datagram and finds that its TTL field has a value of 1 or 0.

- The destination host does not receive all the fragments within the specified time.

When this happens, the intermediate router or destination host discards the datagram and sends a timeout message to the source that sent it.

The header format of the timeout message is shown in figure 1.16.

Figure 1.16 Header format of the ICMP timeout message

Code 0 is used only by routers, and code 1 is used only by the destination host.

The two situations in which timeout messages are generated are demonstrated below.

The first situation is demonstrated first. The idea is to use hping on the PC2 host to send an ICMP message with a TTL of 1 to the Web host, with the source IP forged as 192.168.0.1 (the PC1 host), so that the returned timeout message can be captured with Sniffer on the PC1 host.

First start a Sniffer packet capture on the PC1 host, then use hping on the PC2 host to send an ICMP message with a TTL of 1 to the Web host, with the source IP forged as 192.168.0.1. The command is:

[root@kkg sbin]# hping 192.168.1.1 -1 -t 1 -c 1 -a 192.168.0.1

The decoding after capturing the packet by Sniffer on the PC1 host is shown in figure 1.17.

Figure 1.17 ICMP timeout message demonstration (1)

You can see that source IP 192.168.2.254 (the router) returns a timeout message to destination IP 192.168.0.1 (the PC1 host) with Type 11 and Code 0.

The second situation is demonstrated next. The idea is to use hping on the PC2 host to send only one IP fragment to the Web host. After a short period of time, the Web host returns a timeout message because it has not received any subsequent fragments.

First start a Sniffer packet capture on the Web host, then use hping on the PC2 host to send one IP fragment to the Web host. The command is:

[root@kkg sbin]# hping 192.168.1.1 -1 -x -d 1000 -N 100 -c 1

After waiting for 60 seconds, the decoding of the packet captured by Sniffer on the Web host is shown in figure 1.18.

Figure 1.18 ICMP timeout message demonstration (2)

You can see that source IP 192.168.1.1 (the Web host) returns a timeout message to destination IP 192.168.2.1 (the PC2 host) with Type 11 and Code 1.

Note

The timeout message described here should be distinguished from the timeout reported by the ping command. For example, the ping command on Windows 2003 displays a timeout (Request timed out) if it does not receive an Echo reply within 2 seconds (the default) after issuing an Echo request.
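The Sniffer decodes in figures 1.13 to 1.18 are not reproduced here, so the following Python is an added example (not from the original article) that decodes an ICMP error report message the way those captures do. It assumes the RFC 792 layout, in which the 8-byte ICMP header is followed by the original datagram's IP header and the first 8 bytes of its payload; `parse_icmp_error` and `build_sample` are hypothetical names, and the sample bytes are constructed from the addresses used in the demonstrations.

```python
import socket
import struct

ERROR_TYPES = {3, 4, 5, 11, 12}  # the five error report types listed in the article
CODES = {(3, 1): "host unreachable", (3, 3): "port unreachable",
         (11, 0): "timeout: TTL expired at a router",
         (11, 1): "timeout: fragments missing at the destination host"}

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP error report (the IP payload) and the datagram it quotes."""
    if len(icmp) < 28:  # 8-byte ICMP header + 20-byte quoted IPv4 header
        raise ValueError("truncated ICMP error message")
    icmp_type, code, inner = icmp[0], icmp[1], icmp[8:]
    if icmp_type not in ERROR_TYPES:
        raise ValueError(f"type {icmp_type} is not an error report message")
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed quoted IPv4 header")
    out = {"type": icmp_type, "code": code, "checksum_ok": inet_checksum(icmp) == 0,
           "meaning": CODES.get((icmp_type, code), "not decoded here"),
           "orig_src": socket.inet_ntoa(inner[12:16]),
           "orig_dst": socket.inet_ntoa(inner[16:20]), "orig_proto": inner[9]}
    l4 = inner[ihl:ihl + 8]
    if inner[9] in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", l4[:4])
    return out

def build_sample(icmp_type, code, src, dst, proto, l4: bytes) -> bytes:
    """Constructed test input: ICMP error quoting a 20-byte IPv4 header plus 8 bytes."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 100, 0, 1, proto,
                        0, socket.inet_aton(src), socket.inet_aton(dst)) + l4
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

# Constructed samples mirroring the two hping demonstrations (source port 2000 is made up).
PORT_UNREACH = build_sample(3, 3, "192.168.2.1", "192.168.1.1", 17,
                            struct.pack("!HHHH", 2000, 80, 8, 0))
TTL_EXPIRED = build_sample(11, 0, "192.168.0.1", "192.168.1.1", 1,
                           struct.pack("!BBHHH", 8, 0, 0, 1, 1))

for name, sample in (("port unreachable", PORT_UNREACH), ("TTL expired", TTL_EXPIRED)):
    print(name, parse_icmp_error(sample))
```

In the TTL sample the quoted source address is 192.168.0.1, the value set with `-a`, which is why the router's report reaches the PC1 host rather than PC2. A host that receives error reports quoting datagrams it never sent is seeing its address used as a forged source.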
