How ICMP and Ping Work
ICMP - the Internet Control Message Protocol - is the network's error reporting and diagnostic system. It does not carry application data like HTTP or DNS. Instead, it carries control messages: "that host is unreachable," "that port is closed," "this packet was too big," "I am alive." Ping, the most widely used network diagnostic tool, is built entirely on ICMP.
What ICMP Is
ICMP is defined in RFC 792 and operates at the network layer (Layer 3), encapsulated directly inside IP packets. It uses IP protocol number 1. Unlike TCP (protocol 6) and UDP (protocol 17), ICMP has no concept of ports. Messages are identified by type and code numbers.
ICMP is not optional. The IP specification requires every host and router to implement ICMP. It is the mechanism by which routers communicate problems back to senders - "I cannot forward this packet because the destination is unreachable" or "this packet was too large to forward without fragmentation."
Despite being a Layer 3 protocol, ICMP is often called a "Layer 3.5" protocol because it reports on the behavior of Layer 3 rather than carrying Layer 4+ data.
ICMP Message Types
Each ICMP message has a type (8 bits) and a code (8 bits) that together define its meaning. The most important types are:
Type 0 - Echo Reply. The response to a ping. Contains the same data the sender included in the Echo Request.
Type 3 - Destination Unreachable. Generated by a router or host when a packet cannot be delivered. The code field specifies why:
- Code 0: Network unreachable (no route to the destination network)
- Code 1: Host unreachable (network reachable but specific host is not)
- Code 3: Port unreachable (the destination host received the packet but nothing is listening on that port - this is the standard UDP rejection)
- Code 4: Fragmentation needed but Don't Fragment (DF) flag set (critical for Path MTU Discovery)
- Code 13: Communication administratively prohibited (firewall blocked it)
Type 5 - Redirect. Sent by a router to tell the host there is a better route. If you send a packet to router A, and router A knows router B is a shorter path to the destination, router A forwards the packet and sends an ICMP Redirect telling you to use router B next time.
Type 8 - Echo Request. The outbound ping message. Contains an identifier, sequence number, and optional payload data.
Type 11 - Time Exceeded. Generated when a packet's TTL reaches zero. This is the message that makes traceroute work. Code 0 means TTL expired in transit; code 1 means fragment reassembly time exceeded.
graph TD
subgraph "ICMP Query Messages"
E8[Type 8 - Echo Request] -->|paired with| E0[Type 0 - Echo Reply]
T13[Type 13 - Timestamp Request] -->|paired with| T14[Type 14 - Timestamp Reply]
end
subgraph "ICMP Error Messages"
D3[Type 3 - Destination Unreachable] --> D3C0[Code 0 - Network unreachable]
D3 --> D3C1[Code 1 - Host unreachable]
D3 --> D3C3[Code 3 - Port unreachable]
D3 --> D3C4[Code 4 - Fragmentation needed]
T11[Type 11 - Time Exceeded] --> T11C0[Code 0 - TTL expired]
T5[Type 5 - Redirect] --> T5C0[Code 0 - Better route exists]
end
subgraph "Used By"
E8 -.-> PING[ping utility]
T11 -.-> TRACE[traceroute utility]
D3C4 -.-> PMTU[Path MTU Discovery]
end
Figure 1 - ICMP message types organized by function with their primary use cases
How Ping Works
Ping sends an ICMP Echo Request (type 8) to a target and waits for an ICMP Echo Reply (type 0). The mechanics are simple but reveal useful information:
Identifier and Sequence Number. The Echo Request includes a 16-bit identifier (so multiple ping processes on the same host can distinguish their responses) and a 16-bit sequence number (incremented for each ping in a series). The Echo Reply must return both values unchanged.
Payload. Ping includes a data payload, often filled with a pattern or timestamp. The default size varies by OS - Linux uses 56 bytes of data (64 bytes total with the ICMP header), Windows uses 32 bytes. The payload must be echoed back unchanged.
Round-Trip Time (RTT). The sender records the time when the Echo Request is sent and the time when the Echo Reply arrives. The difference is the RTT, typically displayed in milliseconds. Consecutive pings build a picture of latency and jitter (variation in latency).
TTL in the Reply. The reply's IP header contains a TTL value. Since TTL is decremented by each router, subtracting the received TTL from the original (usually 64, 128, or 255 depending on the OS) gives an estimate of the hop count.
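To make the identifier, sequence number, payload and checksum concrete, here is an added example (not code from the page or from any ping implementation) that builds an Echo Request, parses an Echo Reply, and checks that the reply echoes all three fields unchanged. The 56-byte incrementing payload and the identifier 0x1234 are constructed sample values.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header plus payload.
    Run over a message with its checksum field filled in, a valid message yields 0."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request (type 8) or Echo Reply (type 0): type, code 0,
    checksum, 16-bit identifier, 16-bit sequence number, then the payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into its fields and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}

def reply_matches(request: bytes, reply: bytes) -> bool:
    """A genuine Echo Reply is type 0 carrying the request's id, seq and payload unchanged."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == 8 and rep["type"] == 0 and rep["checksum_ok"]
            and rep["id"] == req["id"] and rep["seq"] == req["seq"]
            and rep["payload"] == req["payload"])

# Constructed sample: 56 bytes of incrementing filler (Linux ping's default data size),
# which gives a 64-byte message once the 8-byte ICMP header is added.
SAMPLE_PAYLOAD = bytes(range(56))
SAMPLE_REQUEST = build_echo(8, 0x1234, 1, SAMPLE_PAYLOAD)
SAMPLE_REPLY = build_echo(0, 0x1234, 1, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(len(SAMPLE_REQUEST), parse_icmp(SAMPLE_REQUEST))
    print("reply valid:", reply_matches(SAMPLE_REQUEST, SAMPLE_REPLY))
```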
A typical ping output looks like:
64 bytes from 104.21.48.1: icmp_seq=1 ttl=57 time=12.3 ms
64 bytes from 104.21.48.1: icmp_seq=2 ttl=57 time=11.8 ms
64 bytes from 104.21.48.1: icmp_seq=3 ttl=57 time=12.1 ms
This tells you the host is reachable, approximately 7 hops away (64 - 57 = 7), and the latency is consistent at around 12 ms with minimal jitter.
TTL and Its Role
TTL (Time to Live) is an 8-bit field in the IP header, set by the sender and decremented by one at each router hop. When TTL reaches zero, the router drops the packet and sends an ICMP Type 11 (Time Exceeded) message back to the sender.
TTL exists to prevent routing loops. Without it, a misconfigured network could cause a packet to circulate endlessly between two or more routers, consuming bandwidth forever. TTL guarantees that every packet eventually dies.
Different operating systems use different default TTL values:
- Linux: 64
- Windows: 128
- macOS: 64
- Many routers: 255
This makes TTL a passive fingerprinting vector. If you receive a packet with TTL=118, it likely originated from a Windows machine (128 - 10 = 118, meaning 10 hops away). TTL=52 suggests Linux or macOS (64 - 12 = 52, 12 hops).
sequenceDiagram
participant S as Sender - TTL=64
participant R1 as Router 1
participant R2 as Router 2
participant R3 as Router 3
participant D as Destination
S->>R1: Packet TTL=64
R1->>R1: Decrement TTL to 63
R1->>R2: Packet TTL=63
R2->>R2: Decrement TTL to 62
R2->>R3: Packet TTL=62
R3->>R3: Decrement TTL to 61
R3->>D: Packet TTL=61
D->>S: Echo Reply TTL=64
Note over S: Received TTL=61 means 3 hops to destination
Figure 2 - TTL decrement across router hops and how it reveals hop count
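The hop-count arithmetic from the ping output above and the TTL fingerprinting rule can be automated. This is an added example, not code from the page: it parses Linux-style ping reply lines, picks the nearest default initial TTL (64, 128 or 255) to estimate hops and guess the sender's OS family, and summarises loss, latency and jitter. The reply-line format, the rounding and the mean-deviation definition of jitter are my assumptions.

```python
import re
from statistics import mean

# Default initial TTLs listed above, and the OS family each one points to.
INITIAL_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "router/network device"}

# Matches one reply line of Linux/macOS ping output, e.g.
# "64 bytes from 104.21.48.1: icmp_seq=1 ttl=57 time=12.3 ms"
REPLY_LINE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")

def infer_hops(received_ttl: int) -> tuple:
    """Pick the smallest default initial TTL not below the received value;
    the difference is the hop count and the default hints at the sender's OS."""
    for initial in sorted(INITIAL_TTLS):
        if received_ttl <= initial:
            return initial, initial - received_ttl, INITIAL_TTLS[initial]
    raise ValueError("TTL above 255 is not a valid IPv4 TTL")

def analyze_ping_output(text: str) -> dict:
    """Summarise reachability, hop estimate, loss, latency and jitter from ping output."""
    seqs, ttls, rtts = [], [], []
    for m in REPLY_LINE.finditer(text):
        seqs.append(int(m.group(1)))
        ttls.append(int(m.group(2)))
        rtts.append(float(m.group(3)))
    if not rtts:
        return {"reachable": False}
    initial, hops, os_guess = infer_hops(max(ttls))   # highest TTL = shortest path seen
    expected = seqs[-1] - seqs[0] + 1                  # gaps in icmp_seq are lost replies
    avg = mean(rtts)
    jitter = mean([abs(r - avg) for r in rtts])        # mean deviation from the average RTT
    return {"reachable": True, "replies": len(rtts), "lost": expected - len(rtts),
            "initial_ttl": initial, "hops": hops, "os_guess": os_guess,
            "rtt_min_ms": min(rtts), "rtt_avg_ms": round(avg, 2),
            "rtt_max_ms": max(rtts), "jitter_ms": round(jitter, 2)}

# The three reply lines shown earlier on this page, embedded here as sample input.
SAMPLE_OUTPUT = """\
64 bytes from 104.21.48.1: icmp_seq=1 ttl=57 time=12.3 ms
64 bytes from 104.21.48.1: icmp_seq=2 ttl=57 time=11.8 ms
64 bytes from 104.21.48.1: icmp_seq=3 ttl=57 time=12.1 ms
"""

if __name__ == "__main__":
    print(analyze_ping_output(SAMPLE_OUTPUT))
```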
ICMP as an Attack Surface
ICMP's diagnostic role makes it a double-edged tool. The same messages that help troubleshoot networks can be weaponized:
Ping Flood (ICMP Flood). An attacker sends a massive volume of Echo Request packets to a target, consuming bandwidth and processing resources. The target must generate a reply for each request, amplifying the resource consumption. Modern networks handle this easily with rate limiting, but it remains a basic denial-of-service vector.
Smurf Attack (historical). The attacker sends Echo Requests to a network's broadcast address with the source IP spoofed as the victim's address. Every host on the network sends an Echo Reply to the victim, amplifying the attack by the number of hosts. Broadcast-directed forwarding is now disabled by default on virtually all routers, making this attack obsolete.
ICMP Redirect Attack. An attacker sends forged ICMP Redirect messages to a victim, telling it to route traffic through the attacker's machine. Most modern operating systems ignore ICMP Redirects by default, but some embedded devices and older systems still honor them.
ICMP Tunneling. Arbitrary data can be hidden inside the payload field of Echo Request/Reply messages. Since ICMP is often allowed through firewalls, this creates a covert channel. Tools like icmptunnel and ptunnel implement this technique.
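From the defender's side, the tunnelling covert channel described above leaves a payload that does not look like ping filler. The following added example (my own heuristics, not code from the page or from any tool) flags Echo payloads that deviate from the default 32/56-byte sizes, whose body is not an incrementing filler pattern, or whose body changes from packet to packet within one series. The 8-byte timestamp prefix, the 0.8 filler threshold and both sample series are constructed assumptions.

```python
import random

DEFAULT_SIZES = (32, 56)   # Windows and Linux default payload sizes from the text
TIMESTAMP_LEN = 8          # assumed: Linux ping stores a send timestamp in the first 8 bytes
FILLER_MIN = 0.8           # assumed threshold: fraction of +1 byte steps expected of filler

def filler_run_fraction(data: bytes) -> float:
    """Fraction of adjacent byte pairs that step up by exactly one.
    Ping filler (an incrementing byte series or an alphabet run) scores near 1.0;
    carried data scores near 1/256."""
    if len(data) < 2:
        return 1.0
    steps = sum(1 for a, b in zip(data, data[1:]) if (b - a) % 256 == 1)
    return steps / (len(data) - 1)

def payload_findings(payload: bytes) -> list:
    """Per-packet checks on one Echo Request/Reply payload."""
    findings = []
    if len(payload) not in DEFAULT_SIZES:
        findings.append("unusual payload size %d" % len(payload))
    body = payload[TIMESTAMP_LEN:] if len(payload) > TIMESTAMP_LEN else payload
    if filler_run_fraction(body) < FILLER_MIN:
        findings.append("payload body is not ping filler")
    return findings

def series_findings(payloads: list) -> list:
    """Across one ping series only the timestamp should change; a tunnel rewrites the body every packet."""
    bodies = {bytes(p[TIMESTAMP_LEN:]) for p in payloads}
    if len(bodies) > 1:
        return ["payload body changed across %d of %d requests" % (len(bodies), len(payloads))]
    return []

# Constructed samples: a Linux-style 56-byte payload (timestamp + incrementing filler)
# and a same-sized payload of random bytes standing in for tunnelled data.
def linux_style_payload(timestamp: int) -> bytes:
    return timestamp.to_bytes(TIMESTAMP_LEN, "big") + bytes(range(TIMESTAMP_LEN, 56))

NORMAL_SERIES = [linux_style_payload(t) for t in (1700000000, 1700000001, 1700000002)]
rng = random.Random(7)
TUNNEL_SERIES = [rng.randbytes(56) for _ in range(3)]

if __name__ == "__main__":
    print(payload_findings(NORMAL_SERIES[0]), series_findings(NORMAL_SERIES))
    print(payload_findings(TUNNEL_SERIES[0]), series_findings(TUNNEL_SERIES))
```

A real deployment would key the series check on the (source, destination, identifier) triple so that pings from different processes are not mixed together.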
The ICMP Blocking Debate
Many firewall administrators block all ICMP traffic to reduce the attack surface. This prevents ping scans and the attacks described above, but it also breaks important network functions:
Path MTU Discovery (PMTUD) relies on ICMP Type 3, Code 4 (Fragmentation Needed). When a router encounters a packet too large for the next link and the Don't Fragment flag is set, it sends this ICMP message to tell the sender to reduce its packet size. Blocking it causes "black holes" - connections that hang after the initial handshake because large data packets silently disappear.
Troubleshooting becomes significantly harder without ping and traceroute. Network engineers rely on these tools daily to diagnose connectivity issues, measure latency, and identify failing links.
The recommended approach is ICMP rate limiting rather than blanket blocking. Allow essential ICMP types (Echo Request/Reply, Destination Unreachable, Time Exceeded) at a limited rate, and block unnecessary types (Redirect, Timestamp). This preserves diagnostic functionality while reducing abuse potential.
Practical Use
Ping is often the first tool you reach for when diagnosing network problems. No response? Check if the host is up, check if ICMP is blocked, check the route. High latency? The path might be congested or taking a suboptimal route. Intermittent packet loss? A link somewhere is failing.
The BLEShark Nano can observe ICMP traffic on the local network, giving you visibility into which devices are pinging which targets and how the network topology responds. Combined with ARP data and DNS queries, ICMP traffic paints a picture of network health and behavior that is difficult to get any other way.
ICMP is small, simple, and often overlooked. But it is the protocol that tells you when something is wrong with the network - and sometimes, the protocol an attacker uses to probe your defenses.