ArcLibrary

ICMP (Internet Control Message Protocol)

The network layer's 'support desk' — Ping, Traceroute, and unreachable notifications all ride on it.

ICMP · Ping · Network Layer
Key Idea

In one line: ICMP rides directly on IP (no TCP/UDP) and exists for control and diagnostics: route-unreachable, TTL expiry, ping probes. It carries no application data — it is the network's "support desk + health-check" channel.

What it is

ICMP messages are the payload of IP packets (protocol number 1; IPv6 uses 58, called ICMPv6):

IP header(protocol=1) | ICMP header(type, code) | data

Common types:

type 0   Echo Reply         ← Ping response
type 8   Echo Request       ← Ping request
type 3   Destination Unreachable  (code 0=net, 1=host, 3=port, 4=fragmentation needed but DF set)
type 11  Time Exceeded      ← TTL expired, traceroute relies on this
type 5   Redirect           ← Router says "use a different gateway"

Analogy

IP / TCP = the courier service; ICMP = customer service — calls you when "address doesn't exist" / "floor too high" / "let me test if this is reachable". ICMP itself doesn't ship anything.

Key concepts

Echo Request / Reply
Used by ping (types 8 / 0).
Destination Unreachable
type 3 + codes — net / host / port / protocol unreachable.
Time Exceeded
type 11; traceroute exploits it to reveal each intermediate router.
Redirect
type 5; router suggests a different gateway. Often disabled in modern networks (abuse risk).
PMTUD (Path MTU Discovery)
Relies on type 3 code 4. Firewalls mistakenly blocking it cause a 'black hole'.
ICMPv6
Mandatory in IPv6 — carries Neighbor Discovery + Router Advertisement; **must not be blocked**.

How it works

Traceroute deliberately starves TTL one hop at a time — each Time-Exceeded reveals the next router on the path.

Practical notes

  • ping uses ICMP type 8/0; a server refusing ping doesn't mean it's offline — it may just block ICMP.
  • Don't blanket-block ICMP: blocking type 3 code 4 (PMTUD) creates a black hole — small packets pass, large ones drop. Blocking ICMPv6 breaks IPv6 entirely.
  • Transport-level alternatives: tcping / nc -zv host port / mtr --tcp work in ICMP-blocked networks.
  • Risk: ICMP tunnels (smuggling data in echo payloads) are used for exfiltration — egress firewalls should rate-limit ICMP and inspect it with DPI.
  • Standard triage: ping → traceroute → mtr → tcpdump icmp is the classic four-step path.
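
Added example, not part of the original page: a Python check that parses an ICMP message using the header layout above, verifies its checksum, and labels it the way these notes say an egress filter should treat it (oversized echo payloads get a closer look, type 3 code 4 always passes). The 64-byte echo baseline, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

# Type numbers are the ones listed in the table on this page.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
MAX_ECHO_PAYLOAD = 64  # assumed baseline; tune to what your hosts' ping sends

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, data: bytes = b"") -> bytes:
    """Build a constructed sample: type, code, checksum, 4 header bytes, data."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def inspect_icmp(msg: bytes) -> list:
    """Label one ICMP message (the payload of an IP packet with protocol=1)."""
    if len(msg) < 8:
        return ["truncated"]
    icmp_type, code = msg[0], msg[1]
    findings = []
    if inet_checksum(msg) != 0:  # recomputing over a valid message yields 0
        findings.append("bad-checksum")
    if icmp_type not in ICMP_TYPES:
        findings.append("unlisted-type")
    if icmp_type in (0, 8) and len(msg) - 8 > MAX_ECHO_PAYLOAD:
        findings.append("echo-oversized")   # tunnel candidate: rate-limit / DPI
    if icmp_type == 3 and code == 4:
        findings.append("pmtud-must-pass")  # dropping this creates the black hole
    if icmp_type == 5:
        findings.append("redirect")         # often disabled; log if seen
    return findings

# Constructed samples (not captured traffic).
NORMAL_PING = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), bytes(range(56)))
BIG_ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 2), b"A" * 900)
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), b"\x45" + bytes(27))
CORRUPT = NORMAL_PING[:-1] + b"\xff"

if __name__ == "__main__":
    for name, m in [("normal", NORMAL_PING), ("big-echo", BIG_ECHO),
                    ("frag-needed", FRAG_NEEDED), ("corrupt", CORRUPT)]:
        print(f"{name:12} {inspect_icmp(m)}")
```

Payload size alone is a coarse signal; pair it with per-host echo rate before acting on it.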

Easy confusions

ICMP
**Network-layer** control signaling.
No ports; no application payload.
UDP / TCP
**Transport-layer** application communication.
Ports + actual payloads.
