
ICMP: Ping and Trace

[Frame: Ethernet Header (Layer 2): Destination Address (MAC), Source Address (MAC), Frame Type | IP Header (Layer 3): Source IP Add., Dest. IP Add., Protocol field | ICMP Message (Layer 3): Type 0 or 8, Code 0, Checksum, ID, Seq. Num., Data | Ethernet Trailer: FCS]

Partial list

ICMP (Internet Control Message Protocol)
ICMP:
  A Layer 3 protocol
  Used for sending messages
  Encapsulated in a Layer 3 IP packet
  Uses Type and Code fields for various messages

ICMP


Unreachable Destination or Service
Used to notify a host that the destination or service is unreachable.
When a host or router receives a packet that it cannot deliver, it may send an ICMP Destination Unreachable packet to the host originating the packet.
The Destination Unreachable packet will contain codes that indicate why the packet could not be delivered.
From a router:
  0 = network unreachable: does not have a route in the routing table
  1 = host unreachable: has a route but cannot find the host (end router)
From a host:
  2 = protocol unreachable
  3 = port unreachable: the service is not available because no daemon is running to provide it, or because security on the host is not allowing access to the service

[Figure: host 172.30.1.20 pings host 172.30.1.25]

Ping
Uses an ICMP message encapsulated within an IP packet
Protocol field = 1
Does not use TCP or UDP
Format: ping ip address (or ping <cr> for extended ping)
  ping 172.30.1.25

[Frame: Ethernet Header (Layer 2): Destination Address (MAC), Source Address (MAC), Frame Type | IP Header (Layer 3): Source IP Add. 172.30.1.20, Dest. IP Add. 172.30.1.25, Protocol field 1 | ICMP Message - Echo Request (Layer 3): Type 8, Code 0, Checksum, ID, Seq. Num., Data | Ethernet Trailer: FCS]

Echo Request
The sender of the ping transmits an ICMP message, Echo Request.
Echo Request - Within ICMP Message
  Type = 8
  Code = 0

[Frame: Ethernet Header (Layer 2): Destination Address (MAC), Source Address (MAC), Frame Type | IP Header (Layer 3): Source IP Add. 172.30.1.25, Dest. IP Add. 172.30.1.20, Protocol field 1 | ICMP Message - Echo Reply (Layer 3): Type 0, Code 0, Checksum, ID, Seq. Num., Data | Ethernet Trailer: FCS]

Echo Reply
The destination IP address of the ping receives the ICMP message, Echo Request.
The destination IP address of the ping returns the ICMP message, Echo Reply.
Echo Reply - Within ICMP Message
  Type = 0
  Code = 0

Ping example

Pings may fail

Q: Are pings forwarded by routers?
A: Yes! This is why you can ping devices all over the Internet.
Q: Do all devices forward or respond to pings?
A: No, this is up to the network administrator of the device. Devices, including routers, can be configured not to reply to pings (ICMP echo requests). This is why you may not always be able to ping a device. Also, routers can be configured not to forward pings destined for other devices.

Traceroute

Traceroute is a utility that records the route (router IP addresses) between two devices on different networks.


Traceroute
http://en.wikipedia.org/wiki/Traceroute
On modern Unix and Linux-based operating systems, the traceroute utility by default uses UDP datagrams with a destination port number starting at 33434. The traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead. The Windows utility uses ICMP echo request, better known as ping packets. Some firewalls on the path being investigated may block UDP probes but allow the ICMP echo request traffic to pass through. There are also traceroute implementations sending out TCP packets, such as tcptraceroute or Layer Four Trace.
In Microsoft Windows, traceroute is named tracert. A new utility, pathping, was introduced with Windows NT, combining ping and traceroute functionality. All these traceroutes rely on ICMP (type 11) packets coming back.

Trace (Traceroute)

Trace (Cisco = traceroute, tracert) is used to trace the probable path a packet takes between source and destination.
Probable, because IP is a connectionless protocol, and different packets may take different paths between the same source and destination networks, although this is not usually the case.
Trace will show the path the packet takes to the destination, but the return path may be different. This is more likely the case in the Internet, and less likely within your own autonomous system.
Linux/Unix systems:
  Uses an ICMP message within an IP packet. Both are Layer 3 protocols.
  Uses UDP as the transport layer. We will see why this is important in a moment.

Trace
[Topology: RTA (.1) - 10.0.0.0/8 - (.2) RTB (.1) - 172.16.0.0/16 - (.2) RTC (.1) - 192.168.10.0/24 - (.2) RTD]

Format (trace, traceroute, tracert)
  RTA# traceroute ip address
  RTA# traceroute 192.168.10.2

Trace
[Diagram: RTA sends a packet with DA = 192.168.10.2, TTL = 1]

[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

How it works (using UDP) - Fooling the routers & host!
Traceroute uses ping (echo requests).
Traceroute sets the TTL (Time To Live) field in the IP header, initially to 1.
When a router receives an IP packet, it decrements the TTL by 1.
If the TTL is 0, it will not forward the IP packet, and sends an ICMP Time Exceeded message back to the source.

Trace
[Diagram: DA = 192.168.10.2, TTL = 1; returned: ICMP Time Exceeded, SA = 10.0.0.2]

[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1 | ICMP Message - Time Exceeded: Type 11, Code 0, Checksum, ID, Seq. Num., Data | Data Link Trailer: FCS]

RTB - TTL:
When a router receives an IP packet, it decrements the TTL by 1.
If the TTL is 0, it will not forward the IP packet, and sends an ICMP Time Exceeded message back to the source.
ICMP Message: Type = 11, Code = 0

RTB
Sends an ICMP Time Exceeded message back to the source, using its own IP address as the source IP address.
Router B's IP header includes its own IP address (source IP) and the sending host's IP address (dest. IP).

RTA, Sending Host
The traceroute program of the sending host (RTA) will use the source IP address of this ICMP Time Exceeded packet to display at the first hop.

RTA# traceroute 192.168.10.2
Type escape sequence to abort.
Tracing the route to 192.168.10.2
  1 10.0.0.2 4 msec 4 msec 4 msec

[Diagram: RTA sends a packet with DA = 192.168.10.2, TTL = 2]

[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 2 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

RTA
The traceroute program increments the TTL by 1 (now 2) and resends the ICMP Echo Request packet.

[Diagram: DA = 192.168.10.2, TTL = 2; returned: ICMP Time Exceeded, SA = 172.16.0.2]

RTB
This time RTB decrements the TTL by 1 and it is NOT 0. (It is 1.) So it looks up the destination IP address in its routing table and forwards the packet on to the next router.

RTC
RTC, however, decrements the TTL by 1 and it is 0.
RTC notices the TTL is 0 and sends the ICMP Time Exceeded message back to the source.
RTC's IP header includes its own IP address (source IP) and the sending host's IP address (destination IP address of RTA).
The sending host, RTA, will use the source IP address of this ICMP Time Exceeded message to display at the second hop.

RTA to RTB
[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 2 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

RTB to RTC
[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

RTC to RTA
[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 172.16.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1 | ICMP Message - Time Exceeded: Type 11, Code 0, Checksum, ID, Seq. Num., Data | Data Link Trailer: FCS]

The sending host, RTA:
The traceroute program uses this information (Source IP Address) and displays the second hop.

RTA# traceroute 192.168.10.2
Type escape sequence to abort.
Tracing the route to 192.168.10.2
  1 10.0.0.2 4 msec 4 msec 4 msec
  2 172.16.0.2 20 msec 16 msec 16 msec

[Diagram: RTA sends a packet with DA = 192.168.10.2, TTL = 3]

[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 3 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

The sending host, RTA:
The traceroute program increments the TTL by 1 (now 3) and resends the packet.

RTA to RTB
[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 3 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

RTB to RTC
[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 2 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

RTC to RTD
[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

RTB
This time RTB decrements the TTL by 1 and it is NOT 0. (It is 2.) So it looks up the destination IP address in its routing table and forwards the packet on to the next router.

RTC
This time RTC decrements the TTL by 1 and it is NOT 0. (It is 1.) So it looks up the destination IP address in its routing table and forwards the packet on to the next router.

RTD
RTD, however, decrements the TTL by 1 and it is 0.
However, RTD notices that the Destination IP Address of 192.168.10.2 is its own interface.
Since it does not need to forward the packet, the TTL of 0 has no effect.

[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1 | ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data | UDP (Layer 4): DestPort 35,000 | Data Link Trailer: FCS]

[Frame: Data Link Header (Layer 2): Destination Address, Source Address | IP Header (Layer 3): Source IP Add. 192.168.10.2, Dest. IP Add. 10.0.0.1, Protocol field 1 | ICMP Message - Port Unreachable: Type 3, Code 3, Checksum, ID, Seq. Num., Data | Data Link Trailer: FCS]

RTD
RTD sends the packet to the UDP process.
UDP examines the unrecognizable port number of 35,000 and sends back an ICMP Port Unreachable message to the sender, RTA, using Type 3 and Code 3.

[Diagram: DA = 192.168.10.2, TTL = 3; returned: ICMP Port Unreachable, SA = 192.168.10.2]

Sending host, RTA
RTA receives the ICMP Port Unreachable message.
The traceroute program uses this information (Source IP Address) and displays the third hop.
The traceroute program also recognizes this Port Unreachable message as meaning this is the destination it was tracing.

Sending host, RTA
RTA, the sending host, now displays the third hop.
Getting the ICMP Port Unreachable message, it knows this is the final hop and does not send any more traces (echo requests).

RTA# traceroute 192.168.10.2
Type escape sequence to abort.
Tracing the route to 192.168.10.2
  1 10.0.0.2 4 msec 4 msec 4 msec
  2 172.16.0.2 20 msec 16 msec 16 msec
  3 192.168.10.2 16 msec 16 msec 16 msec
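
The walk-through above as a small simulation, added here and not part of the original slides: it models the RTA to RTD path with the slides' addresses, decrements the TTL at each device, and returns the hop list traceroute would print. The function names and the silent parameter (devices configured not to send ICMP, shown as *) are assumptions for illustration and go slightly beyond the slides' three-hop case.

```python
# Path as seen from RTA (10.0.0.1): the address each device receives the packet on.
# Addresses are the ones used on the slides.
PATH = [("RTB", "10.0.0.2"), ("RTC", "172.16.0.2"), ("RTD", "192.168.10.2")]

TIME_EXCEEDED = (11, 0)      # ICMP Type 11, Code 0
PORT_UNREACHABLE = (3, 3)    # ICMP Type 3, Code 3


def send_probe(dest, ttl, silent=()):
    """Forward one UDP probe hop by hop; return (source_ip, (type, code)) or None."""
    for name, addr in PATH:
        ttl -= 1                              # every device decrements the TTL
        if addr == dest:                      # addressed to this device: hand to UDP
            return None if name in silent else (addr, PORT_UNREACHABLE)
        if ttl == 0:                          # expired in transit: drop and report
            return None if name in silent else (addr, TIME_EXCEEDED)
    return None                               # destination is not on this path


def traceroute(dest, max_ttl=30, silent=()):
    """Raise the TTL from 1 until Port Unreachable arrives; return the hop list."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(dest, ttl, silent)
        if reply is None:
            hops.append((ttl, "*"))           # no ICMP came back for this TTL
            continue
        src, icmp = reply
        hops.append((ttl, src))               # the reply's source IP is the hop
        if icmp == PORT_UNREACHABLE:          # reply came from the destination itself
            break
    return hops


if __name__ == "__main__":
    for ttl, src in traceroute("192.168.10.2"):
        print(ttl, src)
```

A device listed in silent still forwards packets, which is why later hops keep appearing after a * line; a silent destination leaves traceroute running until max_ttl.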


Recommended Reading

For more information on ICMP and other TCP/IP topics, I recommend:
TCP/IP Illustrated, Volume I, R.W. Stevens