Investigating the data payload

In an ICMP datagram, the content of the payload depends on the message type. In a standard echo request/reply, the data payload is filler: it carries no protocol meaning and is usually a repeating run of ASCII characters or NULL bytes, depending on the operating system that generated it. For example, in the Cloudshark icmp.pcap echo request/reply (shown in the Sending messages section), the data portion is the byte string 6162636465666768696a6b6c6d6e6f707172737475767761, which is the ASCII sequence abcdefghijklmnopqrstuvwa. RFC 792 requires the echo reply to return the request's data unchanged, so a reply whose payload differs from its request is itself worth a closer look.

With normal ICMP behavior, when there is an error, the device reporting it must return the IP header of the offending datagram plus at least the first eight bytes of its data to the sender. Those eight bytes are enough to identify the transport protocol and ports (or, for an echo request, the ICMP identifier and sequence number) of the original packet. As shown in the following screenshot, ICMP has returned type 3 (Destination Unreachable) with code 13 (Communication Administratively Prohibited), which usually means a firewall or a router access control list is blocking the request:

ICMP type 3 and code 13

The data portion of an ICMP request can also be modified by the sender. For example, Paessler's ping monitoring (https://www.paessler.com/ping-monitoring) places a recognizable watermark string in the payload, as shown in the following screenshot:

Ping request with a watermark

In this case, the watermark is benign. However, the same property lets an ICMP packet carry arbitrary data: the Loki tool implements a covert channel by embedding data in the ICMP payload and sending it across the network, where it often passes through devices that allow ping. This poses a security risk. As a result, the network administrator should configure inspection devices to examine ICMP payloads and alert when the payload deviates from the expected OS filler pattern, is unusually large or high-entropy, or differs between a request and its reply, as any of these may indicate a covert ICMP tunnel.
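The following script is an added example, not code from the original page or from any of the tools it mentions. It shows both points from the preceding paragraphs in working code: it builds a type 3 code 13 message that quotes the offending IP header plus the first eight bytes of its data and parses that quoted section back out, and it classifies echo payloads as default OS filler or suspicious. The packets are constructed in-script (addresses, ports, identifiers and the "tunneled" payload are all made up); the Windows filler pattern is a known fact, while the Linux offset-byte pattern and the 8- or 16-byte timestamp prefix are stated heuristics, not a guarantee.

```python
"""Parse ICMPv4 echo and Destination Unreachable messages and flag echo
payloads that do not look like an operating system's default filler.
All packets below are constructed in-script; nothing touches the network."""
import math
import socket
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
# RFC 792 / RFC 1812 type 3 codes referenced here
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 3: "port unreachable", 13: "communication administratively prohibited"}
# Windows ping filler: 'a'..'w' repeated to fill the 32-byte default payload
WINDOWS_FILLER = bytes(0x61 + (i % 23) for i in range(32))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a complete packet whose
    checksum field is already filled in, it returns 0 when the packet is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + payload), ident, seq) + payload


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_dest_unreach(code: int, original: bytes) -> bytes:
    """Type 3 message: 4 unused bytes, then the offending IP header plus the
    first 8 bytes of its data, which is what RFC 792 requires the sender to get back."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[:ihl + 8]
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, icmp_checksum(hdr + quoted), 0) + quoted


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def is_default_filler(payload: bytes) -> bool:
    """True for the Windows repeating alphabet, or (heuristic) a timestamp
    prefix followed by bytes equal to their own offset, the pattern the Linux
    iputils ping emits. Assumption: the timestamp is 8 or 16 bytes long."""
    if payload and all(b == 0x61 + (i % 23) for i, b in enumerate(payload)):
        return True
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if body and all(b == (ts_len + i) & 0xFF for i, b in enumerate(body)):
            return True
    return False


def parse_icmp(pkt: bytes) -> dict:
    icmp_type, code = pkt[0], pkt[1]
    info = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(pkt) == 0}
    if icmp_type in (ICMP_ECHO, ICMP_ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", pkt[4:8])
        payload = pkt[8:]
        info["payload_len"] = len(payload)
        info["entropy"] = round(shannon_entropy(payload), 2)
        info["default_filler"] = is_default_filler(payload)
        # Anything that is not the expected filler deserves a look; a large or
        # high-entropy payload is the stronger tunnel indicator.
        info["verdict"] = "filler" if info["default_filler"] else "suspicious"
    elif icmp_type == ICMP_DEST_UNREACH:
        info["reason"] = UNREACH_CODES.get(code, "code %d" % code)
        inner = pkt[8:]                       # quoted IP header + first 8 data bytes
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        info["inner"] = {"proto": proto, "src": socket.inet_ntoa(inner[12:16]),
                         "dst": socket.inet_ntoa(inner[16:20])}
        first8 = inner[ihl:ihl + 8]
        if proto == 1:                        # original was ICMP: its echo header follows
            t, _, _, ident, seq = struct.unpack("!BBHHH", first8)
            info["inner"].update({"icmp_type": t, "id": ident, "seq": seq})
        elif proto in (6, 17):                # TCP/UDP: ports are the first 4 bytes
            info["inner"]["sport"], info["inner"]["dport"] = struct.unpack("!HH", first8[:4])
    return info


# Constructed samples (not captured traffic)
NORMAL_PING = build_echo(ident=1, seq=7, payload=WINDOWS_FILLER)
TUNNELED = build_echo(ident=1, seq=8, payload=b"id=0(root)\x00" + bytes(range(200, 240)))
_ORIGINAL_UDP = (build_ipv4_header("10.0.0.5", "10.0.0.9", 17, 20 + 8 + 4)
                 + struct.pack("!HHHH", 40000, 161, 12, 0) + b"snmp")
BLOCKED = build_dest_unreach(13, _ORIGINAL_UDP)   # a router ACL refuses the SNMP probe

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_PING), ("tunnel", TUNNELED), ("blocked", BLOCKED)]:
        print(name, parse_icmp(pkt))
```

Run it and the blocked sample decodes to type 3, code 13, with the inner source 10.0.0.5 and destination port 161 recovered from the quoted eight bytes, which is exactly the information a practitioner wants when a firewall silently drops a probe. The filler check is deliberately strict: a single byte of embedded data breaks the pattern and produces a "suspicious" verdict, so in production you would pair it with the entropy and length fields to rank alerts rather than fire on every mismatch.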

ICMP is therefore an essential network layer protocol that accompanies both IPv4 and IPv6 to provide error reporting and informational messages. Let's take a look at the two versions: ICMPv4 and ICMPv6.
