
ICMP Ping Trace

ICMP is used for ping and trace functions in networks. Ping uses ICMP echo requests to test connectivity between devices, while trace (traceroute) sends packets with incrementing Time to Live (TTL) values to identify the routers along the path. Routers decrement the TTL and respond with ICMP time exceeded messages to reveal each hop. Both ping and trace rely on ICMP and IP to function but may use different transport protocols like TCP, UDP, or no transport protocol.

Uploaded by

dtiendl
Copyright
© Attribution Non-Commercial (BY-NC)

ICMP: Ping and Trace

CCNA 1 version 3.0


Rick Graziani
Spring 2005

[Figure: two hosts, 172.30.1.20 and 172.30.1.25]

Rick Graziani [email protected] 2


Frame layout:
• Ethernet Header (Layer 2): Ethernet Destination Address (MAC), Ethernet Source Address (MAC), Frame Type
• IP Header (Layer 3): Source IP Add., Dest. IP Add., Protocol field
• ICMP Message (Layer 3): Type (0 or 8), Code (0), Checksum, ID, Seq. Num., Data
• Ethernet Trailer: FCS

Ping
• Uses ICMP message encapsulated within an IP Packet
– Protocol field = 1
• Both are layer 3 protocols. (ICMP is considered as a network layer
protocol.)
• Does not use TCP or UDP, but may be acted upon by the receiver
using TCP or UDP.

Format
• ping ip address (or ping <cr> for extended ping)
• ping 172.30.1.25

Frame layout (Echo Request):
• Ethernet Header (Layer 2): Ethernet Destination Address (MAC), Ethernet Source Address (MAC), Frame Type
• IP Header (Layer 3): Source IP Add. 172.30.1.20, Dest. IP Add. 172.30.1.25, Protocol field 1
• ICMP Message - Echo Request (Layer 3): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• Ethernet Trailer: FCS

Echo Request
• The sender of the ping transmits an ICMP “Echo Request” message.

Echo Request - Within ICMP Message


• Type = 8
• Code = 0

Frame layout (Echo Reply):
• Ethernet Header (Layer 2): Ethernet Destination Address (MAC), Ethernet Source Address (MAC), Frame Type
• IP Header (Layer 3): Source IP Add. 172.30.1.25, Dest. IP Add. 172.30.1.20, Protocol field 1
• ICMP Message - Echo Reply (Layer 3): Type 0, Code 0, Checksum, ID, Seq. Num., Data
• Ethernet Trailer: FCS

Echo Reply
• The destination IP address of the ping receives the ICMP
“Echo Request” message.
• The destination IP address of the ping returns the ICMP
“Echo Reply” message.

Echo Reply - Within ICMP Message


• Type = 0
• Code = 0



Routers and Pings

Q: Are pings forwarded by routers?


A: Yes! This is why you can ping devices all over the Internet.

Q: Do all devices forward or respond to pings?


A: No, this is up to the network administrator of the device. Devices,
including routers, can be configured not to reply to pings (ICMP echo
requests). This is why you may not always be able to ping a device.
Also, routers can be configured not to forward pings destined for
other devices.



Traceroute
• Traceroute is a utility that records the route (router IP addresses)
between two devices on different networks.

Traceroute

• http://en.wikipedia.org/wiki/Traceroute
• On modern Unix and Linux-based operating systems, the traceroute
utility by default uses UDP datagrams with a destination port number
starting at 33434.
• The traceroute utility usually has an option to specify use of ICMP echo
request (type 8) instead.
• The Windows utility uses ICMP echo request, better known as ping
packets.
• Some firewalls on the path being investigated may block UDP probes
but allow the ICMP echo request traffic to pass through.
• There are also traceroute implementations sending out TCP packets,
such as tcptraceroute or Layer Four Trace.
• In Microsoft Windows, traceroute is named tracert.
• A new utility, pathping, was introduced with Windows NT, combining
ping and traceroute functionality. All these traceroutes rely on ICMP
(type 11) packets coming back.
Trace (Traceroute)

• Trace (Cisco = traceroute, tracert, …) is used to trace the probable path
a packet takes between source and destination.
• Probable, because IP is a connectionless protocol, and different
packets may take different paths between the same source and
destination networks, although this is not usually the case.
• Trace will show the path the packet takes to the destination, but the
return path may be different.
– This is more likely the case in the Internet, and less likely within
your own autonomous system.
• Linux/Unix Systems
– Uses ICMP message within an IP Packet
– Both are layer 3 protocols.
– Uses UDP as the transport layer.
– We will see why this is important in a moment.

Trace

Topology: RTA (.1) -- 10.0.0.0/8 -- (.2) RTB (.1) -- 172.16.0.0/16 -- (.2) RTC (.1) -- 192.168.10.0/24 -- (.2) RTD

Format (trace, traceroute, tracert)


• RTA# traceroute ip address

RTA# traceroute 192.168.10.2

Trace

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1]

Frame layout:
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

How it works (using UDP) - Fooling the routers & host!


• Traceroute uses ping (echo requests)
• Traceroute sets the TTL (Time To Live) field in the IP Header, initially
to “1”

Trace

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2]

Frame layout:
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ….
• IP Header (Layer 3): Source IP Add. 10.0.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1
• ICMP Message - Time Exceeded: Type 11, Code 0, Checksum, ID, Seq. Num., Data
• Data Link Trailer: FCS

RTB - TTL:
• When a router receives an IP Packet, it decrements the TTL by 1.
• If the TTL is 0, it will not forward the IP Packet, and sends an ICMP
“time exceeded” message back to the source.
• ICMP Message: Type = 11, Code = 0

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2]
[Frame: ICMP Message - Time Exceeded, Source IP Add. 10.0.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1, Type 11, Code 0]

RTB
• After the traceroute is received by the first router, it decrements the
TTL by 1 to 0.
• Noticing the TTL is 0, it sends an ICMP Time Exceeded
message back to the source, using its IP address for the source IP
address.
• Router B’s IP header includes its own IP address (source IP) and the
sending host’s IP address (dest. IP).

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2]
[Frame: ICMP Message - Time Exceeded, Source IP Add. 10.0.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1, Type 11, Code 0]

RTA, Sending Host


• The traceroute program of the sending host (RTA) will use the source
IP address of this ICMP Time Exceeded packet to display the first
hop.

RTA# traceroute 192.168.10.2


Type escape sequence to abort.
Tracing the route to 192.168.10.2
1 10.0.0.2 4 msec 4 msec 4 msec

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2]

Frame layout:
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 2
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

RTA
• The traceroute program increments the TTL by 1 (now 2 ) and
resends the ICMP Echo Request packet.

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2]

RTB
• This time RTB decrements the TTL by 1 and it is NOT 0. (It is 1.)
• So it looks up the destination IP address in its routing table and forwards
it on to the next router.
RTC
• RTC, however, decrements the TTL by 1 and it is 0.
• RTC notices the TTL is 0 and sends the ICMP Time Exceeded
message back to the source.
• RTC’s IP header includes its own IP address (source IP) and the sending
host’s IP address (destination IP address of RTA).
• The sending host, RTA, will use the source IP address of this ICMP
Time Exceeded message to display the second hop.

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2]

RTA to RTB
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 2
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

RTB to RTC
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

ICMP Time Exceeded
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ….
• IP Header (Layer 3): Source IP Add. 172.16.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1
• ICMP Message - Time Exceeded: Type 11, Code 0, Checksum, ID, Seq. Num., Data
• Data Link Trailer: FCS

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2]
[Frame: ICMP Message - Time Exceeded, Source IP Add. 172.16.0.2, Dest. IP Add. 10.0.0.1, Protocol field 1, Type 11, Code 0]

The sending host, RTA:


• The traceroute program uses this information (Source IP Address) and
displays the second hop.

RTA# traceroute 192.168.10.2


Type escape sequence to abort.
Tracing the route to 192.168.10.2
1 10.0.0.2 4 msec 4 msec 4 msec
2 172.16.0.2 20 msec 16 msec 16 msec

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2; DA = 192.168.10.2, TTL = 3]

Frame layout:
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 3
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

The sending host, RTA:


• The traceroute program increments the TTL by 1 (now 3 ) and resends
the Packet.

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2; DA = 192.168.10.2, TTL = 3]

RTA to RTB
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 3
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

RTB to RTC
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 2
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

RTC to RTD
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2; DA = 192.168.10.2, TTL = 3]

RTB
• This time RTB decrements the TTL by 1 and it is NOT 0. (It is 2.)
• So it looks up the destination IP address in its routing table and forwards it on to
the next router.
RTC
• This time RTC decrements the TTL by 1 and it is NOT 0. (It is 1.)
• So it looks up the destination IP address in its routing table and forwards it on to
the next router.
RTD
• RTD, however, decrements the TTL by 1 and it is 0.
• However, RTD notices that the Destination IP Address of 192.168.10.2 is its own
interface.
• Since it does not need to forward the packet, the TTL of 0 has no effect.

Frame layout (Echo Request (trace), TTL 1):
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ……
• IP Header (Layer 3): Source IP Add. 10.0.0.1, Dest. IP Add. 192.168.10.2, Protocol field 1, TTL 1
• ICMP Message - Echo Request (trace): Type 8, Code 0, Checksum, ID, Seq. Num., Data
• UDP (Layer 4): DestPort 35,000
• Data Link Trailer: FCS

Frame layout (Port Unreachable):
• Data Link Header (Layer 2): Data Link Destination Address, Data Link Source Address, ….
• IP Header (Layer 3): Source IP Add. 192.168.10.2, Dest. IP Add. 10.0.0.1, Protocol field 1
• ICMP Message – Port Unreachable: Type 3, Code 3, Checksum, ID, Seq. Num., Data
• Data Link Trailer: FCS

RTD
• RTD sends the packet to the UDP process.
• UDP examines the unrecognizable port number of 35,000 and sends
back an ICMP Port Unreachable message to the sender, RTA, using
Type 3 and Code 3.

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2; DA = 192.168.10.2, TTL = 3; ICMP Port Unreachable, SA = 192.168.10.2]
[Frame: ICMP Message – Port Unreachable, Source IP Add. 192.168.10.2, Dest. IP Add. 10.0.0.1, Protocol field 1, Type 3, Code 3]

Sending host, RTA


• RTA receives the ICMP Port Unreachable message.
• The traceroute program uses this information (Source IP Address) and
displays the third hop.
• The traceroute program also recognizes this Port Unreachable
message as meaning this is the destination it was tracing.

[Figure: RTA, RTB, RTC, RTD topology. Messages shown: DA = 192.168.10.2, TTL = 1; ICMP Time Exceeded, SA = 10.0.0.2; DA = 192.168.10.2, TTL = 2; ICMP Time Exceeded, SA = 172.16.0.2; DA = 192.168.10.2, TTL = 3; ICMP Port Unreachable, SA = 192.168.10.2]

Sending host, RTA


• RTA, the sending host, now displays the third hop.
• Getting the ICMP Port Unreachable message, it knows this is the final
hop and does not send any more traces (echo requests).

RTA# traceroute 192.168.10.2


Type escape sequence to abort.
Tracing the route to 192.168.10.2
1 10.0.0.2 4 msec 4 msec 4 msec
2 172.16.0.2 20 msec 16 msec 16 msec
3 192.168.10.2 16 msec 16 msec 16 msec
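
The TTL walk from the slides above, as an added example that is not part of the original slides: a Python simulation in which a host probes 192.168.10.2 across a constructed model of the RTB, RTC, RTD path, with the ICMP Time Exceeded (11/0) and Port Unreachable (3/3) replies built and checksum-verified at byte level. The function names, the `PATH` list and the `b"probe"` payload are assumptions of this example; a real ICMP error carries the offending IP header plus the first 8 bytes of its payload.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length input for summing
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\x00" * 4, data=b""):
    """Type, Code, Checksum, 4 type-specific bytes (ID/Seq for echo), Data."""
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + data)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + data

def parse_icmp(msg):
    """Return (type, code); reject messages whose checksum does not verify."""
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    return msg[0], msg[1]

# Constructed model of the slides' topology: the interface a probe reaches, in order.
# RTB = 10.0.0.2, RTC = 172.16.0.2, RTD = 192.168.10.2 (the traced destination).
PATH = ["10.0.0.2", "172.16.0.2", "192.168.10.2"]

def send_probe(dst, ttl):
    """Simulate one UDP probe; return (source IP, ICMP bytes) of the answer, or None."""
    for hop in PATH:
        if hop == dst:                        # local delivery to a closed UDP port
            return hop, build_icmp(3, 3, data=b"probe")    # Port Unreachable
        ttl -= 1                              # a forwarding router decrements TTL
        if ttl == 0:
            return hop, build_icmp(11, 0, data=b"probe")   # Time Exceeded
    return None

def traceroute(dst, max_ttl=30):
    """Raise the TTL one hop at a time until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(dst, ttl)
        if answer is None:
            hops.append((ttl, "*"))           # no reply: silent or filtered hop
            continue
        src, msg = answer
        hops.append((ttl, src))
        if parse_icmp(msg) == (3, 3):         # destination reached, stop probing
            break
    return hops

if __name__ == "__main__":
    for ttl, src in traceroute("192.168.10.2"):
        print(ttl, src)
```

The same `build_icmp` and `parse_icmp` helpers cover the ping messages from the earlier slides: Type 8, Code 0 for Echo Request and Type 0, Code 0 for Echo Reply.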
Recommended Reading
For more information on ICMP and other TCP/IP topics, I recommend:
• TCP/IP Illustrated, Volume I – R.W. Stevens
