ICMP (ICMP)

Plain English

ICMP is the messaging system routers and devices use to report problems. If your data cannot reach its destination, ICMP is how the network tells your computer why: “that host is unreachable,” “that port is closed,” or “the packet is too big for this link.” The ping tool uses ICMP to check if a device is online, and traceroute uses it to map the path your data takes across the internet.

Technical Definition

Internet Control Message Protocol (ICMP), defined in RFC 792 (IPv4) and RFC 4443 (ICMPv6), is a Layer 3 protocol used for network diagnostics and error reporting. ICMP messages are encapsulated inside IP packets, but ICMP is not considered a transport protocol (it has no ports and no sessions).

Common ICMP types:

| Type | Code | Name | Use |
|------|------|------|-----|
| 0 | 0 | Echo Reply | Response to ping |
| 3 | 0-15 | Destination Unreachable | Network/host/port unreachable, packet too big |
| 5 | 0-3 | Redirect | Inform host of a better route |
| 8 | 0 | Echo Request | Ping |
| 11 | 0-1 | Time Exceeded | TTL expired in transit (used by traceroute) |

How traceroute uses ICMP:

  1. Send packets with TTL=1; first router decrements to 0, sends back ICMP Time Exceeded
  2. Send packets with TTL=2; second router responds
  3. Repeat, incrementing TTL, until the destination responds with ICMP Echo Reply
  4. Each response reveals the IP of that hop and the round-trip time

Path MTU Discovery uses ICMP “Packet Too Big” (Type 3, Code 4) messages. The sender sets the Don’t Fragment (DF) bit; if a router cannot forward the packet without fragmenting it, the router sends back an ICMP message reporting the MTU of the next-hop link. The sender then reduces its packet size to fit.

Security considerations: many firewalls block ICMP by default, which breaks ping, traceroute, and Path MTU Discovery. Best practice is to allow ICMP types 0, 3, 8, and 11 while blocking others.
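The following Python example is an addition to this page, not code from its source. It parses an ICMPv4 message with the IP header already stripped, verifies the checksum, applies the allow-list of types 0, 3, 8, and 11, and reads the next-hop MTU from a Type 3, Code 4 message (field position per RFC 1191). The function names are hypothetical and the sample messages are constructed.

```python
import struct

# Types the page recommends allowing through firewalls.
ALLOWED_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
                 8: "Echo Request", 11: "Time Exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a message with a valid checksum (used only for the sample input)."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, rest)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, rest) + payload

def inspect_icmp(msg: bytes) -> dict:
    """Parse an ICMPv4 message (IP header stripped) and apply the allow-list."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes; message truncated")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    result = {
        "type": icmp_type,
        "code": code,
        "name": ALLOWED_TYPES.get(icmp_type, "other"),
        # A message with a correct checksum re-checksums to zero.
        "checksum_ok": inet_checksum(msg) == 0,
        "allow": icmp_type in ALLOWED_TYPES,
        "next_hop_mtu": None,
    }
    if icmp_type == 3 and code == 4:
        # RFC 1191: the last two header bytes carry the next-hop MTU.
        result["next_hop_mtu"] = struct.unpack("!HH", rest)[1]
    return result

# Constructed sample messages (not captured traffic).
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400))
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping")
REDIRECT = build_icmp(5, 1, bytes([192, 168, 1, 254]))
```

A firewall that drops Type 3 never delivers the `FRAG_NEEDED` message, so the sender never learns the 1400-byte limit and large packets stall.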

ICMP in action

# Ping uses ICMP Echo Request (Type 8) and Echo Reply (Type 0)
$ ping -c 2 8.8.8.8
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=11.2 ms

# Traceroute uses ICMP Time Exceeded (Type 11)
$ traceroute -n 8.8.8.8
 1  192.168.1.1     1.2 ms
 2  10.0.0.1        5.4 ms
 3  72.14.215.85   11.1 ms
 4  8.8.8.8        12.3 ms

# Capture ICMP traffic
$ sudo tcpdump -i eth0 icmp -n
12:00:01 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, seq 1
12:00:01 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, seq 1

# Check for ICMP unreachable messages (firewall blocking)
$ sudo tcpdump -i eth0 'icmp[icmptype] == 3' -n
12:00:05 IP 10.0.0.1 > 192.168.1.10: ICMP host 10.5.5.5 unreachable

In the Wild

ICMP is the foundation of network troubleshooting. Ping (ICMP Echo) is the first tool every engineer reaches for. Traceroute (ICMP Time Exceeded) maps the network path and identifies where latency or packet loss occurs. Monitoring systems use ICMP to detect host availability. The common mistake of blanket-blocking ICMP at firewalls breaks Path MTU Discovery, causing mysterious “connection hangs” for large packets (often manifesting as SSH or VPN sessions that connect but cannot transfer data). Cloud providers handle ICMP inconsistently: AWS security groups allow outbound ICMP by default but block inbound; Azure NSGs require explicit rules. Always allow ICMP types 0, 3, 8, and 11 through firewalls for basic network functionality.