
Week 4: ICMP -- Ping and Traceroute


ICMP (Internet Control Message Protocol) is the error-reporting and diagnostic companion of IP. Ping is built entirely on ICMP; traceroute depends on the ICMP error messages routers send back, even though its probes may be UDP rather than ICMP. This week you trace how each works at the packet level.


Theme

When a router drops a packet because the TTL hit zero, it does not silently discard it. It sends an ICMP "Time Exceeded" message back to the original sender, identifying itself. That reply is what traceroute collects. Each row in a traceroute output is a router that sent back one of those ICMP messages. This week you will trace a traceroute at the packet level: you will see the outgoing packets with incrementing TTL values and the incoming ICMP replies, and you will be able to point to each in a capture.

Reading (~45 minutes)

  1. Stevens TCP/IP Illustrated Ch 6 ("ICMP: Internet Control Message Protocol"): ICMP message types; echo request and reply; error messages
  2. Stevens TCP/IP Illustrated Ch 8 ("Ping: An Application Using ICMP"): how ping is implemented; RTT measurement
  3. Stevens TCP/IP Illustrated Ch 9 ("Traceroute: A Route-Tracing Application"): TTL manipulation; how routers respond; reading traceroute output

Lecture outline (~2 hours)

Section 1: What ICMP is

  • ICMP is part of the IP protocol family; it travels in IP packets with protocol number 1
  • ICMP is not a transport protocol; it carries control messages about the IP layer, not application data
  • Every ICMP message starts with an 8-byte header: a type (1 byte), a code (1 byte), a checksum (2 bytes) computed over the whole message, and 4 bytes whose meaning depends on the type (identifier and sequence number for echo; unused and zero for Time Exceeded); a variable-length body follows
  • The type field is the coarse category; the code field is a subcategory within that type

Section 2: Key ICMP types and codes

  Type  Code  Meaning
   0     0    Echo Reply (ping response)
   3     0    Destination Network Unreachable
   3     1    Destination Host Unreachable
   3     3    Destination Port Unreachable
   3     4    Fragmentation Needed but DF bit set (PMTUD)
   8     0    Echo Request (ping)
  11     0    Time Exceeded: TTL exceeded in transit (traceroute)
  11     1    Time Exceeded: fragment reassembly time exceeded

Error messages (types 3 and 11) carry, after the 8-byte ICMP header, the IP header and at least the first 8 bytes of the datagram that triggered them. That quoted fragment is how the sender ties the error back to the socket or probe it belongs to.

Wireshark display filters: icmp.type == 8 (echo requests); icmp.type == 0 (echo replies); icmp.type == 11 (time exceeded).

A firewall that drops all ICMP also drops type 3 code 4, which breaks Path MTU Discovery for traffic passing through it; filter ICMP by type and code rather than by protocol number.

Section 3: How ping works

  • ping 8.8.8.8 sends ICMP Echo Request packets (type 8, code 0) to the target
  • Each request carries a 16-bit identifier and a 16-bit sequence number in the type-specific header bytes; the reply echoes both back, along with the payload
  • The identifier is per ping process (traditionally derived from the process ID) and the sequence number increments per probe; together they let ping match replies to its own requests even when other ICMP traffic is on the wire
  • Round-trip time (RTT): measured from the time the request leaves to the time the reply arrives. Linux and BSD ping store the send timestamp in the first bytes of the payload, so the echoed payload carries the time the probe left.
  • Packet loss: if a reply does not arrive within a timeout, ping reports the probe as lost
  • In a capture: you will see pairs of packets -- one Echo Request (type 8) followed by one Echo Reply (type 0) -- with matching identifier, sequence number and payload
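To make the header layout from Section 1 and the identifier/sequence matching above concrete, here is an added Python example (not part of this page and not code from any ping implementation). It builds an Echo Request, verifies the RFC 1071 checksum, and matches a reply back to its request the way ping does. The target host is simulated in-process by echo_responder; the identifier 0x1234, the timestamps and the payload layout are assumptions, chosen to mirror what Linux ping puts on the wire (send timestamp first, then a 0x10, 0x11, ... filler). Nothing here touches the network.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo message: type, code 0, checksum, identifier, sequence number, then the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    """Decode the common 8-byte header; checksum_ok is what Wireshark's checksum status shows."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, csum, rest = struct.unpack("!BBH4s", raw[:8])
    msg = {"type": icmp_type, "code": code, "checksum": csum,
           "checksum_ok": icmp_checksum(raw) == 0, "body": raw[8:]}
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        msg["id"], msg["seq"] = struct.unpack("!HH", rest)   # the type-specific 4 bytes
    return msg


class PingSession:
    """Bookkeeping a ping process does: one identifier per process, a sequence number per probe."""

    def __init__(self, ident: int):
        self.ident = ident          # assumed value; real ping derives it from the process ID
        self.seq = 0
        self.outstanding = {}       # (identifier, sequence) -> send time

    def next_request(self, now: float) -> bytes:
        self.seq += 1
        # Linux and BSD ping put the send timestamp at the start of the payload and pad with
        # a recognisable byte pattern; 56 bytes of data gives the familiar 64-byte ICMP message.
        payload = struct.pack("!d", now) + bytes(range(0x10, 0x40))
        self.outstanding[(self.ident, self.seq)] = now
        return build_echo(ICMP_ECHO_REQUEST, self.ident, self.seq, payload)

    def handle_reply(self, raw: bytes, now: float):
        """Return the RTT in milliseconds, or None if this reply is not one of ours."""
        msg = parse_icmp(raw)
        if msg["type"] != ICMP_ECHO_REPLY or not msg["checksum_ok"]:
            return None
        sent = self.outstanding.pop((msg["id"], msg["seq"]), None)
        if sent is None:
            return None             # another process's ping, or a duplicate reply
        return (now - sent) * 1000.0


def echo_responder(request: bytes) -> bytes:
    """Simulated target: copy identifier, sequence and payload into a type 0 reply."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO_REQUEST or not msg["checksum_ok"]:
        raise ValueError("not a valid echo request")
    return build_echo(ICMP_ECHO_REPLY, msg["id"], msg["seq"], msg["body"])


def demo():
    session = PingSession(ident=0x1234)
    request = session.next_request(now=100.0)          # constructed send time
    reply = echo_responder(request)
    rtt_ms = session.handle_reply(reply, now=100.0123)  # constructed receive time
    # A reply carrying someone else's identifier is ignored, exactly as ping ignores it
    stray = build_echo(ICMP_ECHO_REPLY, 0x9999, 1, b"x")
    return rtt_ms, session.handle_reply(stray, now=100.02), len(request)


if __name__ == "__main__":
    print(demo())
```

The same parse_icmp over the bytes Wireshark shows under the ICMP layer should agree with its checksum status and identifier/sequence decode; the filters icmp.type == 8 and icmp.type == 0 select exactly the two branches handle_reply and echo_responder accept.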

Section 4: How traceroute works

  • traceroute hostname discovers the path from your machine to the target by exploiting TTL
  • Step 1: send a probe packet with TTL=1. The first router decrements TTL to 0, discards the probe, and sends back ICMP Time Exceeded (type 11, code 0) from its own address. Traceroute records the source IP of that ICMP message as hop 1.
  • Step 2: send a probe with TTL=2. The first router forwards it (TTL becomes 1). The second router decrements to 0 and sends ICMP Time Exceeded. Traceroute records hop 2.
  • This continues until the probe reaches the destination, which replies with ICMP Echo Reply (for ICMP probes) or ICMP Port Unreachable, type 3 code 3 (for UDP probes sent to a port nothing listens on).
  • Linux/macOS traceroute sends UDP probes by default, to destination ports starting at 33434 and incrementing with each probe; Windows tracert sends ICMP Echo Requests. Either way the ICMP error quotes the probe's IP and transport header, and traceroute matches the quoted port (or echo sequence number) to the probe it sent; that is how it knows which TTL a reply belongs to.
  • Many routers are configured not to send ICMP errors, or rate-limit how many they generate, and a firewall may drop the probe or the reply; those hops appear as * * * in traceroute output. A silent hop does not mean the path is broken there: if later hops answer, probes with larger TTLs passed through it.
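The steps above as one runnable exchange, added here as an example (not code from this page or from any traceroute implementation). It builds UDP probes with incrementing TTL and destination port, simulates each router's decrement, discard and report behaviour plus the destination's Port Unreachable, and on the traceroute side parses the ICMP error, verifies its checksum and uses the quoted UDP port to tie the reply to the probe it answers. The path, the addresses (RFC 5737 documentation ranges) and the silent third router are constructed; no packets are sent.

```python
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
BASE_PORT = 33434   # classic traceroute's first UDP destination port, +1 per probe


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used here for both the IPv4 header and the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, ttl: int, dport: int) -> bytes:
    """One traceroute probe: a UDP datagram to an unlikely port, with the TTL under test."""
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)   # checksum 0 = none, legal for UDP over IPv4
    return ipv4_header(src, dst, IPPROTO_UDP, ttl, len(udp)) + udp


def icmp_error(sender: str, dst: str, itype: int, code: int, offending: bytes) -> bytes:
    """An ICMP error quotes the offending datagram's IP header plus its first 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(sender, dst, IPPROTO_ICMP, 64, len(body)) + body


def forward(path, dest: str, datagram: bytes):
    """Walk the probe through the routers on path; return the reply, or None if nobody answered."""
    src = str(ipaddress.ip_address(datagram[12:16]))
    ttl = datagram[8]
    for router, responds in path:
        ttl -= 1                       # every router decrements TTL before forwarding
        if ttl == 0:                   # ... and discards at zero, reporting Time Exceeded
            return icmp_error(router, src, ICMP_TIME_EXCEEDED, 0, datagram) if responds else None
    # Nothing listens on the probe port at the destination, so it answers Port Unreachable
    return icmp_error(dest, src, ICMP_DEST_UNREACH, 3, datagram)


def parse_reply(reply: bytes):
    """Who sent the ICMP message, its type and code, and the UDP port quoted from the probe."""
    ihl = (reply[0] & 0x0F) * 4
    sender = str(ipaddress.ip_address(reply[12:16]))
    icmp = reply[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                           # the quoted probe: its IP header + UDP header
    inner_ihl = (inner[0] & 0x0F) * 4
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return sender, icmp[0], icmp[1], dport


def traceroute(src: str, dest: str, path, max_hops: int = 30):
    hops = []
    for ttl in range(1, max_hops + 1):
        dport = BASE_PORT + ttl - 1
        reply = forward(path, dest, udp_probe(src, dest, ttl, dport))
        if reply is None:
            hops.append((ttl, "*"))            # silent router: shown as *, path not necessarily broken
            continue
        sender, itype, code, quoted_port = parse_reply(reply)
        if quoted_port != dport:
            continue                           # an ICMP error for some other probe or socket
        hops.append((ttl, sender))
        if itype == ICMP_DEST_UNREACH and code == 3:
            break                              # Port Unreachable: the probe reached the destination
    return hops


# Constructed path using RFC 5737 documentation addresses; the third router never answers.
PATH = [("192.168.1.1", True), ("10.64.0.1", True), ("203.0.113.9", False), ("198.51.100.4", True)]


def demo():
    return traceroute("192.168.1.20", "192.0.2.10", PATH)


if __name__ == "__main__":
    for ttl, who in demo():
        print(ttl, who)
```

Real traceroute sends three probes per TTL and applies a timeout instead of the None return used here, and the quoted header it sees has the TTL value the discarding router received rather than the one you sent; the matching logic in parse_reply and traceroute is otherwise what the tool does.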

Section 5: Reading traceroute output

traceroute to virtuscyberacademy.org (X.X.X.X), 30 hops max
 1  192.168.1.1     1.2 ms   1.1 ms   1.0 ms    (your router)
 2  10.x.x.1        8.5 ms   8.2 ms   8.6 ms    (ISP access router, private address)
 3  * * *                                         (router declined to respond)
 4  72.14.x.x      18.3 ms  18.1 ms  18.4 ms    (upstream backbone)
...
  • Three RTT measurements per hop: traceroute sends 3 probes per TTL value (the notes in parentheses above are annotations, not traceroute output)
  • A missing measurement (*) is a probe or reply that was lost, dropped or rate-limited; high variation between the three measurements on a single hop points to queueing on the path or to that router generating its ICMP reply on its slow path
  • A hop that shows higher latency than the next hop: normal; ICMP generation is low-priority on most routers, and each hop's reply may also take a different return path
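The reading rules above, applied by code: an added example (not from this page) that parses Linux/macOS style traceroute output and flags silent hops, a large spread across the three probes, and hops that look slower than their successor. The SAMPLE text and the 20 ms spread threshold are constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <address/name>  <rtt> ms ..."
RTT_RE = re.compile(r"([\d.]+)\s*ms")
IP_IN_PARENS_RE = re.compile(r"\(([\d.]+)\)")      # "name (ip)" form when reverse DNS resolves

# Constructed sample in Linux/macOS traceroute format
SAMPLE = """\
traceroute to example.net (192.0.2.10), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  1.2 ms  1.1 ms  1.0 ms
 2  10.64.0.1  8.5 ms  8.2 ms  8.6 ms
 3  * * *
 4  203.0.113.9  48.3 ms  18.1 ms  18.4 ms
 5  198.51.100.4  15.9 ms  16.2 ms  15.7 ms
 6  192.0.2.10  17.0 ms  17.3 ms  16.9 ms
"""


def parse_traceroute(text: str):
    """Return (hop, address or None, [rtts in ms]) per hop line; the header line does not match."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        ip = IP_IN_PARENS_RE.search(rest)
        tokens = rest.split()
        first = tokens[0] if tokens else "*"
        addr = ip.group(1) if ip else (None if first == "*" else first)
        hops.append((hop, addr, rtts))
    return hops


def analyse(hops, jitter_ms: float = 20.0):
    """Apply the reading rules: silent hops, spread across probes, hop slower than its successor."""
    notes = []
    answered = [h for h in hops if h[1] is not None]
    for hop, addr, rtts in hops:
        if addr is None:
            # a * hop followed by answering hops is a router that declined to reply, not a break
            continues = any(h[0] > hop for h in answered)
            notes.append((hop, "no reply" + (", but later hops answer: not a break"
                                             if continues else " and nothing after it")))
        elif rtts and max(rtts) - min(rtts) > jitter_ms:
            spread = max(rtts) - min(rtts)
            notes.append((hop, "%.1f ms spread across probes: queueing or slow-path ICMP" % spread))
    for (h1, _, r1), (h2, _, r2) in zip(answered, answered[1:]):
        if r1 and r2 and min(r1) > min(r2):
            notes.append((h1, "slower than hop %d: router answers ICMP at low priority, not a fault" % h2))
    return notes


def demo():
    return analyse(parse_traceroute(SAMPLE))


if __name__ == "__main__":
    for hop, note in demo():
        print(hop, note)
```

Feed it your own traceroute 8.8.8.8 output instead of SAMPLE; the "not a break" note is the rule the reflection prompts return to, and the slower-than-successor note is why a single slow hop in the middle of a trace is rarely the problem.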

Labs (~90 minutes)

Lab 4-1: ICMP -- Ping and Traceroute (labs/lab-4-1-icmp-ping.md)

Independent practice (~7 hours)

  1. Read Stevens Ch 8 and Ch 9 fully; note the TTL-incrementing algorithm in detail
  2. Run traceroute 8.8.8.8 from your machine. How many hops? Where does the first * * * appear? What is the total RTT to the final hop?
  3. Load fundamentals-icmp-ping.pcap in pcap-tools. Verify the identifier and sequence number fields match between the Echo Request and Echo Reply. What is the payload (the data after the ICMP header)?
  4. Apply the display filter icmp.type == 8 or icmp.type == 0 to the ICMP capture. How many of each type are there?
  5. What happens when you ping an address that does not exist? What ICMP message does your router send back? Try ping 10.255.255.254 (unlikely to exist on your network) and observe the response.

Reflection prompts (~30 minutes)

  1. Traceroute relies on routers sending ICMP Time Exceeded replies. Some routers rate-limit or block ICMP responses. How does this affect traceroute's usefulness as a diagnostic tool?
  2. A hop showing * * * does not mean the path is broken at that point -- the destination is still reachable. Why do traceroute tools (and a capture viewed in Wireshark) show these as gaps rather than errors?
  3. Ping gives you RTT, not one-way latency. Is RTT a reliable proxy for one-way latency? What could make the forward and return delays unequal?
  4. ICMP "Destination Unreachable" messages can tell an attacker which ports on a host are closed. How might a firewall administrator limit this information disclosure?
  5. You can ping an IPv6 address with ping6. The ICMP equivalent for IPv6 is ICMPv6. What is different about ICMPv6 beyond the obvious address-size change?

What comes next

Week 5 introduces UDP: the simple, connectionless transport protocol. You will see DNS (which uses UDP) and DHCP (which also uses UDP) in packet captures and understand why some protocols prefer "fast and unreliable" over "reliable but with overhead."