Understanding the ICMP header

Every ICMP message begins with a header that carries the following fields:

  • 8-bit type: This field indicates the type, such as type 0—echo reply.
  • 8-bit code: The code field further defines the type field. For example, type 3—destination unreachable, might have a corresponding code 2—protocol unreachable.
  • 16-bit checksum: This field holds a numeric value used for error detection.

Following the type, code, and checksum are the contents of the ICMP message. The contents depend on what was sent, which can be either an error report or a query message.

To see an example of an echo request/reply, go to CloudShark at https://www.cloudshark.org/captures/fe65ed807bc3 and open icmp.pcap in Wireshark.

In this example, frame 1 of the echo request/reply shows a type 8, code 0 message. Expand the ICMP header, as shown in the following screenshot:

ICMP echo request details

As shown in the preceding screenshot, the details for this type of ICMP message include fields for identifiers and sequence numbers, which help to match corresponding echoes and replies. The entire payload is encapsulated in a frame, as shown in the following diagram:

ICMP message in an Ethernet II frame

Here, we see the various headers, which include the frame header, the IP header, the ICMP message, and the data.

ICMP does not have a transport layer header, as it does not exchange or transport data. Its primary role is to test for reachability and report transmission errors.

After the Type, Code, and Checksum fields, there is a data portion within the ICMP message. The following section explains what you might find in the data payload.
