I am currently doing an assignment that requires us to generate ICMP packets with various types and codes. I have consulted the RFCs as well as various other places. Many of the types and codes I get make perfect sense, except for this one.
I somehow generated a packet that had a type of 8 (echo request) and a code of 9. The problem is that type 8 ICMP can only have a single code of 0. See the packet below as a hex dump from Wireshark:
0000 a8 39 44 fa 14 e0 94 de 80 6b ab 74 08 00 45 00
0010 00 94 92 7b 40 00 28 01 fb 61 c0 a8 01 40 68 83
0020 9a 20 08 09 ac c9 4a 06 01 27 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0 00 00
The reply can also be seen in the next hex dump. It is also strange because it is an ICMP echo reply with a code of 9. An ICMP echo can only have a code of 0.
0000 94 de 80 6b ab 74 a8 39 44 fa 14 e0 08 00 45 00
0010 00 94 98 af 00 00 39 01 24 2e 68 83 9a 20 c0 a8
0020 01 40 00 09 b4 c9 4a 06 01 27 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0 00 00
The question I am asking is: how is this possible, and what does code 9 mean? Can it be ignored, or would it be worth investigating further?
I read in a previous answer that when ICMP tunneling comes into play the data included in an echo is arbitrary; can this carry over to the header?
Thanks in advance!
Best Answer
If we look at RFC 792 (pages 14-15), it clearly only defines code 0 for ICMP types 0 and 8, which corresponds to IANA's definitions for reply and request. This means above all that 9 does not have a meaning, so it does not mean "Communication with Destination Network is Administratively Prohibited" as used in the Destination Unreachable message.

The next point is whether any code other than 0 is allowed. RFC 792 is quite old and does not really follow the more strict SHOULD/MUST/MAY/... conventions. The remainder of the RFC only states sections like "IF code = 0 ..." or "Code 0 may be received ...". It actually never states what should be done if the code is not zero. One might intuitively interpret it as the opposite of what is defined, so "may *not* be received"; another might say that if it's not explicitly disallowed it's okay. There is nothing in the RFC that even hints at what's right, so behavior will likely be very implementation-specific. There is also RFC 1122, but this does not provide any extra specific limitation on the code field.

Now as for why the reply also uses 9, the easiest bet is to look at the implementation. A simple echo reply would just take the incoming packet, replace the type 8 with type 0, recalculate the checksum and send it back. This is simpler and more efficient than building the reply from scratch, but of course leaves the 9 code.
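The copy-and-retype explanation above can be checked against the captured bytes. The following is an added example (not code from the question or the answer): it parses the two Wireshark dumps, verifies the ICMP checksums, flags an echo message whose code is not 0, and rebuilds the reply the way the answer describes. It assumes only the first three rows of each dump need to be reproduced, since every later row of the capture is 0x00.

```python
import struct

# Constructed from the two Wireshark dumps in the question: only the first three
# rows of each are reproduced here; every later row of the capture is 0x00, so
# parse_dump() zero-pads up to the IPv4 total length (0x0094 = 148 bytes).
REQUEST_DUMP = """\
0000 a8 39 44 fa 14 e0 94 de 80 6b ab 74 08 00 45 00
0010 00 94 92 7b 40 00 28 01 fb 61 c0 a8 01 40 68 83
0020 9a 20 08 09 ac c9 4a 06 01 27 00 00 00 00 00 00"""
REPLY_DUMP = """\
0000 94 de 80 6b ab 74 a8 39 44 fa 14 e0 08 00 45 00
0010 00 94 98 af 00 00 39 01 24 2e 68 83 9a 20 c0 a8
0020 01 40 00 09 b4 c9 4a 06 01 27 00 00 00 00 00 00"""
ETH_LEN = 14  # Ethernet II header preceding the IPv4 header

def parse_dump(text):
    """'offset b0 b1 ...' rows -> frame bytes, zero-padded to the IP total length."""
    frame = bytearray()
    for row in text.splitlines():
        frame += bytes.fromhex("".join(row.split()[1:]))
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    return bytes(frame) + bytes(ETH_LEN + total_len - len(frame))

def icmp_message(frame):
    """Slice the ICMP message out of an Ethernet/IPv4 frame (honours IHL)."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    return frame[ETH_LEN + ihl:ETH_LEN + total_len]

def inet_checksum(data):
    """RFC 1071 one's-complement checksum, as used by the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_fields(msg):
    """Type, code, checksum, checksum validity and an 'odd echo code' flag."""
    t, code, csum = struct.unpack("!BBH", msg[:4])
    return {"type": t, "code": code, "checksum": csum,
            "checksum_ok": inet_checksum(msg) == 0,
            "odd_echo_code": t in (0, 8) and code != 0}  # echo types define only code 0

def lazy_echo_reply(request_msg):
    """Build the reply the way the answer describes: copy the request, set type 0,
    leave the code untouched and recompute the checksum."""
    reply = bytearray(request_msg)
    reply[0], reply[2:4] = 0, b"\x00\x00"   # type 8 -> type 0, clear checksum field
    reply[2:4] = struct.pack("!H", inet_checksum(bytes(reply)))
    return bytes(reply)
```

The rebuilt reply matches the captured one byte for byte, including checksum 0xb4c9, which is exactly what the retype-and-resum behaviour predicts.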