Wednesday, May 18, 2016

More than Pings, Little things you don't know about the ICMP Protocol - A Hackers Introductory Note on ICMP


Internet Control Message Protocol - ICMP 

If you are relatively new or inexperienced in the networking field, your first guess at the mention of the ICMP protocol would be "Ahaa, the protocol that the Ping command is based on", and you might further define it as a protocol for testing network reachability. Don't worry, you are partially correct, but I'll pardon you for belittling the great ICMP to just a network tester.

Also, if you are relatively experienced, chances are that you will say something like "ICMP is an error-reporting mechanism in the IP layer."
Me: Well yeah, an error-reporting mechanism. Why do you say error reporting, or what makes it an error-reporting mechanism?
You: "Everywhere goes mute"



Okay, let's cut the story short:
        Do you know that apart from network reachability,
  • you could also use ICMP to synchronize computer clocks within a network,
  • you can use it to optimize paths,
  • you can determine things like what network a computer connects to - [You are probably thinking hacking - be careful]
and more. Let's dive into the structure of ICMP, and at the end you will probably be able to figure out more that you could do with the protocol.

1st Clarification: ICMP is a protocol that sends and receives ERROR messages and INFORMATION messages - [information messages sounds cool eh]
[Figure: Linux Network Architecture]
Having said that, basically an error message comes when there is an error in the network and the destination is unreachable, and an information message comes as a result of some "Query" which the protocol lends itself to.

A basic and generalised structure of an ICMP packet is shown below:

    Type | Code | Checksum
    ICMP data (variable length)

The Type field is an 8-bit field that specifies the type of ICMP message, and the Code field gives more information about each particular Type value - (I like to think of it like a relational database structure where, given the table "Code", the primary key table is "Type", so we can say for each "Code" item there exists a foreign key item in table "Type" - Don't worry if the database stuff doesn't make sense, just skip it, that makes us even).

The "Code" field is also 8 bits, and you can guess that the Checksum is 16 bits, which makes a total (8+8+16) of the usual 32-bit word length used in IP packet headers [intuitive right].

There are 11 Type values, though I like to call them 8 so that I wouldn't have to type so much redefining the obvious. So the 8 are:

Type                                       Value
                                           Message/Query   Reply
Destination Unreachable                    0x03
Time Exceeded                              0x0B
Parameter Problem                          0x0C
Source Quench                              0x04
Redirect                                   0x05
Time Stamp and Time Stamp Reply            0x00            0x0E
Information Request and Information Reply  0x0F            0x10
Echo and Echo Reply                        0x08            0x00

If you look closely, you will see they are 11 (Types with replies are counted separately).

A brief look at each Type:

  • Destination Unreachable: As you can guess, or may have even seen, this is the message you get when a destination is unreachable. So the question now is "How do we know the cause/reason why the destination is unreachable?"
    • The answer lies in the "Code" value: there are apparently 6 different things the Code value may tell us as the cause when the destination is unreachable.
      • It could be due to "Unreachable Network" - Code value becomes 0x00
      • Unreachable Host - Code value becomes 0x01
      • Protocol Unreachable - 0x02 [don't go protocol sniffing]
      • Port Unreachable - 0x03 [don't go port sniffing]
      • Fragmentation Needed - 0x04
      • Failed Source Route - 0x05
    • Yeah, you can check up the meaning of each "Code" value; don't expect much, they are as intuitive as they appear, but for now I will attempt to briefly define the others [pheww]
  • Time Exceeded: A sender gets this message when the packet's lifetime expires, that is, the Time to Live becomes 0. Code values include 0x00 and 0x01 [0x01 occurs due to the inability to reassemble a fragmented IP message within a time period because of missing fragments - doesn't sound like "time exceeded" stuff right - I leave you to look up more on that and on 0x00 - Assignment 1.]
  • Parameter Problem: A sender receives this message when a router or an end system detects that the IP header has some invalid parameter. The Code value here is always 0x00. There is something unique about this message - it has an 8-bit "Pointer" field which points to the actual erroneous field in the IP header. [Imagine the power - Cool ehh]
  • Source Quench: If you ever asked the question "What "Type" value should I expect when the receiver has too much load on his/her network (maybe a memory capacity issue or computing space)?", then this is the answer you have been seeking. The Source Quench type value tells you that [if you want, you can slow down the sending rate when you get the message to avoid more packet loss; don't be malicious and do the opposite]. The "Code" value here is 0x00.
  • Redirect: I mentioned network optimization as one of the things you could do with ICMP messages; yeah, this is the "Type" value that tells you that, and it has 4 "Code" values that say different things: 0x00, 0x01, 0x02, 0x03 [I would rather not talk much on this and leave it to someday when I want to say something on network optimization.]
  • Time Stamp and Time Stamp Reply: As you may have guessed, this is an ICMP "Type" for exchanging time; yeah, you can also use this to synchronize time. Think of it: if you can get the timestamp of the end system, [Voilà] synchronization becomes easy. I know you may be thinking, what about the time difference due to transit time in the network? The good news is that the Time Stamp ICMP packet has a provision for these values. It has the Originate Timestamp field, the Transmit Timestamp field and also the Receive Timestamp field, each of which is a 32-bit timestamp field. The only "Code" value for the timestamp and timestamp reply is 0x00.
  • Information Request and Information Reply: It is mostly used for identifying the network an end system connects to. It has no payload, unlike the Echo and Echo Reply discussed next, and maintains a "Code" value of 0x00.
  • Echo and Echo Reply: You have probably used the "Ping" command to verify whether an intermediate system exists or not; this is what the Echo and Echo Reply messages are used for. Like the Information Request and Information Reply, the Echo and Echo Reply maintain a "Code" value of 0x00. You could even specify a payload to add to the Echo message; you have probably heard of Ping of Death, buffer overflows and related network-crippling tactics. These are network vices usually carried out using the simple Ping command. [To keep it simple and focused, I won't delve into these]
The good news is that you have gotten some extra tips on what the ICMP protocol supports. This is not in any way an exhaustive list of features and fields for ICMP, because for some of these "Types" I have omitted fields like Checksum, Identifier, Sequence and Data. I will just call it a scratch on the surface.
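As an added example (not code from the original post or from the book it cites), here is a small Python encoder/decoder for the generalised Type | Code | Checksum | data layout described above. It verifies the 16-bit Internet checksum and pulls out the type-specific fields the list mentions: the Destination Unreachable reason codes, the Parameter Problem pointer, and the three timestamp fields. Type and code values follow RFC 792 (which the post points to); the helper names and the sample message are my own.

```python
import struct

# Type/code names as this page lists them, with RFC 792 values (Timestamp request is 13, i.e. 0x0D).
TYPE_NAMES = {
    0x00: "Echo Reply", 0x03: "Destination Unreachable", 0x04: "Source Quench",
    0x05: "Redirect", 0x08: "Echo", 0x0B: "Time Exceeded", 0x0C: "Parameter Problem",
    0x0D: "Timestamp", 0x0E: "Timestamp Reply", 0x0F: "Information Request",
    0x10: "Information Reply",
}
UNREACHABLE_CODES = {
    0x00: "Network Unreachable", 0x01: "Host Unreachable", 0x02: "Protocol Unreachable",
    0x03: "Port Unreachable", 0x04: "Fragmentation Needed", 0x05: "Source Route Failed",
}

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Assemble Type | Code | Checksum | rest, with the checksum computed over the whole message."""
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest)
    return struct.pack("!BBH", icmp_type, code, csum) + rest

def parse_icmp(msg: bytes) -> dict:
    """Decode the common header, verify the checksum and pull out the type-specific fields."""
    if len(msg) < 4:
        raise ValueError("shorter than the 4-byte ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code, "type_name": TYPE_NAMES.get(icmp_type, "unknown"),
            "checksum_ok": inet_checksum(msg) == 0}   # an intact message sums to zero
    rest = msg[4:]
    if icmp_type == 0x03:
        info["reason"] = UNREACHABLE_CODES.get(code, "unknown")
    elif icmp_type == 0x0C and rest:
        info["pointer"] = rest[0]            # byte offset of the bad field in the offending IP header
    elif icmp_type in (0x0D, 0x0E) and len(rest) >= 16:
        keys = ("identifier", "sequence", "originate", "receive", "transmit")
        info.update(zip(keys, struct.unpack("!HHIII", rest[:16])))
    elif icmp_type in (0x00, 0x08) and len(rest) >= 4:
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest[:4])
        info["payload"] = rest[4:]           # Echo carries arbitrary data; the types above do not
    return info

# Constructed sample: a "Port Unreachable" message quoting 4 unused bytes plus the start of an IP header.
SAMPLE_UNREACHABLE = build_icmp(0x03, 0x03, b"\x00" * 4 + b"\x45\x00\x00\x1c\x00\x00\x00\x00")
```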

So - where can I get further/more information on ICMP?
Well, I would say there are tons of information on the Web on ICMP, including RFC 792, 1122 and 1812.

However, my post has been largely and greatly facilitated by the book Linux Network Architecture by Klaus Wehrle, Frank Pahlke, Hartmut Ritter, Daniel Müller and Marc Bechler.

Thanks for reading. If you have any questions or comments, or if you notice any errors, kindly notify me.

About the title I chose - well I was simply inspired.


Thanks. 
