The ICMP protocol

Let's look into the ICMP protocol. Specifically, ping and traceroute. ICMP is the Internet Control Message Protocol and is a component of the IP Layer. Basically, used by hosts to communicate diagnostic network layer information that is carried in the IP payload. It communicates error messages which are acted on by the IP layer or the UDP or TCP protocols.
All of the exercises were carried out using the open source network protocol analyzer "Wireshark". www.wireshark.org

1. Describe in detail the protocols ARP and ICMP.

ARP is the Address Resolution Protocol is similar to that of DNS. Where DNS resolves IP addresses to domain names, ARP resolves network layer IP addresses to link layer MAC addresses. In order to send a datagram the source must give the adaptor the IP address and the MAC address. For example, host A wants to send a packet to host B. Host A uses a cached ARP table to look up the IP address for any existing records of host B's MAC address. If the MAC address is found, it sends the IP packet on the link layer to the record found in the cached address via the LAN cable. If the cache did not produce a result for host B's IP address, host A has to send a broadcast ARP message in an attempt to get an answer. Host B replies with its MAC address. Host A then updates its ARP table. For example by issuing the arp -a command on all the IP addresses on my network I can get the physical address all my Linux machines and my gateway router:

arp -a 192.168.2.4
Interface: 192.168.2.102 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.4           00-b0-d0-d9-a3-10     dynamic
arp -a 192.168.2.104
Interface: 192.168.2.102 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.104         00-b0-d0-d8-53-68     dynamic
arp -a 192.168.2.3
Interface: 192.168.2.102 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.3           00-20-78-1d-38-e5     dynamic
arp -a 192.168.2.1
Interface: 192.168.2.102 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.1           00-0f-66-31-87-9c     dynamic

ICMP is the Internet Control Message Protocol and is one of the main components of the network layer. Basically, used by hosts to communicate diagnostic network layer information. It communicates error messages which are usually acted on by either the IP layer, TCP or UDP. These ICMP errors messages are then directed back to the source IP address of the originating packet. ICMP packets have an 8-byte header.

• Type: ICMP type.
• Code: Subtype.
• Checksum: Error checking.
• Rest of Header: Varies based on the ICMP type and code.

Error codes are mapped to descriptive text. For example if you were attempting to FTP a file and you received the message "..... Destination network unknown” that would be error code 6. For a full list of error codes see http://linuxpoison.blogspot.com/2008/05/icmp-error-codes.html.

2. What is the functionality of "tracert"? How does it work?

Traceroute sends multiple Internet Control Message Protocol request packets addressed to the host specified in the command line. As they work their way to the destination they pass through many routers. When it passes through each router it then sends back its name and router address. These are known as hops. If a packet is not acknowledged within a specified number of seconds, an asterisk is displayed. In this example I am passing additional switches in the command that tell it to wait 3 seconds, send out 1 query to each hop, and limit the maximum number of hops to 16.

traceroute -w 3 -q 1 -m 16 www.mlb.com
traceroute to www.mlb.com (12.130.102.60), 16 hops max, 
60 byte packets
 1  192.168.2.1 (192.168.2.1)  2.495 ms
 2  10.7.100.1 (10.7.100.1)  26.169 ms
 3  P0-1-3-5.PHLAPA-LCR-21.verizon-gni.net (130.81.44.138)  70.727 ms
 4  130.81.199.18 (130.81.199.18)  30.898 ms
 5  0.xe-7-1-0.BR1.IAD8.ALTER.NET (152.63.3.85)  59.435 ms
 6  192.205.36.141 (192.205.36.141)  41.636 ms
 7  cr2.wswdc.ip.att.net (12.122.81.250)  83.054 ms
 8  cr1.cgcil.ip.att.net (12.122.18.21)  91.619 ms
 9  gar1.mpsmn.ip.att.net (12.122.133.81)  90.028 ms
10  12.122.251.134 (12.122.251.134)  68.053 ms
11  mdf001c7613r0003-gig-10-1.chi2.attens.net (12.130.96.170)  
70.963 ms
12  *
13  *
14  *
15  *
16  *

3. What is the IP address of your host? What is the IP address of the destination host?

Host Source: 192.168.2.101 (192.168.2.101)
Host Destination: 146.186.157.6 (146.186.157.6)

4. Examine one of the ping request packets sent by your host. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?

Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x4d4e [correct]
Identifier (BE): 1 (0x0001)
Identifier (LE): 256 (0x0100)
Sequence number (BE): 13 (0x000d)
Sequence number (LE): 3328 (0x0d00)
2 bytes for checksum and identifier.

5. Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?

Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0x554c [correct]
Identifier (BE): 1 (0x0001)
Identifier (LE): 256 (0x0100)
Sequence number (BE): 15 (0x000f)
Sequence number (LE): 3328 (0x0d00)
2 bytes for checksum and identifier.

6. In any of the above ping reply packets, please find out the IP addresses and corresponding Physical addresses of sender and destination.

The sender is my laptop the reply is from my gateway router. 
Sender: IP 192.168.2.1 MAC: (00:0f:66:31:87:9c), 
Destination: 192.168.2.101 MAC: (00:23:14:67:7a:18)
The sender (PSU) to my laptop is seen in the IP protocol:
Internet Protocol Version 4, Src: 146.186.157.6 (146.186.157.6), 
Dst: 192.168.2.101 (192.168.2.101)

7. Next, give the command arp –a in the command prompt. Paste the output of the command in the document. From the table, find out the IP address that matches the sender's physical address. Why it is different from the sender's IP address that you found earlier.

$ arp -a
Interface: 192.168.2.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.1           00-0f-66-31-87-9c     dynamic
  192.168.2.100         74-e1-b6-db-75-e5     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  224.0.0.253           01-00-5e-00-00-fd     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

It's different because the output of Ping counts router hops, my router is the first stop on the way.

8. What is the IP address of your host? What is the IP address of the target destination host?

Src: 192.168.2.101 (192.168.2.101),
Dst: 129.89.70.123 (129.89.70.123)

9. Examine the ICMP echo packet in your screenshot. Is this different from the ICMP ping query packets in the first half of this lab? If yes, how so?

The sequence numbers are different and there are 32 bytes of data rather than 64.

10. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet. What is included in those fields?

Destination unreachable. We also have the IP packet and UDP packets included into the ICMP packet. It includes the error codes Type: 3 (Destination unreachable) & Code: 3 (Port unreachable). Internet Protocol Version 4, Src: 192.168.2.101 (192.168.2.101), Dst: 10.7.100.1 (10.7.100.1) User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)

11. Examine the last three ICMP packets received by the source host. How are these packets different from the ICMP error packets? Why are they different?

The last three ICMP packets are message Type: 0 (Echo (ping) reply) rather Type: 11 (Time-to-live exceeded). They are different because the datagrams have reached their destination hosts before TTL expired.