Skip to content

ICMP - Internet Control Message Protocol

Some protocols carry data.
ICMP carries messages about that data.
It is not about delivering content. It is about reporting problems, testing reachability, and helping networks stay aware of themselves.

What this page covers

  • What ICMP is and what it does
  • How it fits into the TCP/IP stack
  • Where its data comes from
  • How it is structured and used
  • How it can be abused or defended
  • Tools I use to explore it

This page is my reference for understanding ICMP as a diagnostic tool, a protocol for feedback, and a potential attack surface.

What ICMP Actually Is

ICMP is a network protocol used for sending control messages between devices.
It helps report errors, test connectivity, and signal network conditions.
It does not carry application data. Instead, it supports other protocols by reporting on their behavior.

Common uses include:

  • Ping (echo request and reply)
  • Traceroute (time exceeded messages)
  • Destination unreachable errors
  • Redirects and congestion signals

How ICMP Lives in the TCP/IP Stack

  • OSI Layer: Network Layer (Layer 3)
  • Transport: ICMP is encapsulated directly in IP
  • Flow:
  • ICMP messages are wrapped in IP packets
  • No TCP or UDP layer is involved
  • Devices generate ICMP messages in response to network events

ICMP is used by routers, hosts, and diagnostic tools to communicate about the state of the network.

Where ICMP Data Comes From

ICMP messages are triggered by:

  • Operating systems responding to unreachable destinations
  • Routers signaling TTL expiration or congestion
  • Users running tools like ping or traceroute
  • Firewalls or security appliances sending rejection notices

The data is system-generated, but often initiated by user actions or network conditions.

How ICMP Is Structured

  • ICMP messages include:
  • Type (defines the kind of message)
  • Code (adds detail to the type)
  • Checksum
  • Payload (often includes part of the original packet)

Examples:

  • Type 8: Echo Request
  • Type 0: Echo Reply
  • Type 3: Destination Unreachable
  • Type 11: Time Exceeded

ICMP and Security

ICMP can be abused in several ways:

  • Reconnaissance: attackers use ping sweeps to map networks
  • Covert Channels: data can be hidden in ICMP payloads
  • Denial of Service: ICMP floods can overwhelm systems
  • Firewall Bypass: some devices respond to ICMP even when other ports are blocked

Defenses include:

  • Rate limiting ICMP traffic
  • Filtering unnecessary ICMP types
  • Monitoring for unusual patterns
  • Disabling ICMP on exposed interfaces when appropriate

Tools I Use to Explore ICMP

ping

  • Sends echo requests to test reachability
  • Example: ping 10.10.10.1

traceroute

  • Maps the path to a destination using TTL and ICMP replies
  • Example: traceroute 10.10.10.1

hping3

  • Crafts custom ICMP packets for testing and scanning
  • Example: hping3 -1 10.10.10.1

These tools help me understand how ICMP works, how it responds, and how it can be used in both diagnostics and attacks.

Final Thought

ICMP is a messenger.
It does not carry content, but it speaks when something goes wrong.
It is a protocol of feedback, visibility, and sometimes vulnerability.

This page is my study of that voice.
Not just how ICMP works, but how it signals, how it can be silenced, and how it can be misused.