What Does ICMP Code 9 Mean For a Type 8 Packet

Tags: icmp, packet-analysis, ping, wireshark

I am currently doing an assignment that requires us to generate ICMP packets with various types and codes. I have consulted the RFCs as well as various other places. Many of the types and codes I get make perfect sense, except for this one.

I somehow generated a packet that had a type of 8 (echo request) and a code of 9. The problem is that type 8 ICMP can only have a single code of 0. See the packet below as a hex dump from Wireshark:

0000   a8 39 44 fa 14 e0 94 de 80 6b ab 74 08 00 45 00
0010   00 94 92 7b 40 00 28 01 fb 61 c0 a8 01 40 68 83
0020   9a 20 08 09 ac c9 4a 06 01 27 00 00 00 00 00 00
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0   00 00

The reply can also be seen in the next hex dump. It is also strange because it is an ICMP echo reply with a code of 9. An ICMP echo can only have a code of 0.

0000   94 de 80 6b ab 74 a8 39 44 fa 14 e0 08 00 45 00
0010   00 94 98 af 00 00 39 01 24 2e 68 83 9a 20 c0 a8
0020   01 40 00 09 b4 c9 4a 06 01 27 00 00 00 00 00 00
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0   00 00

The question I am asking is: how is this possible, and what does code 9 mean? Can it be ignored or would it be worth investigating further?

I read in a previous answer that when ICMP tunneling comes into play the data included in an echo is arbitrary; can this carry over to the header?

Thanks in advance!

Best Answer

If we look at RFC 792 (pages 14-15), it clearly only defines code 0 for ICMP types 0 and 8; this corresponds to IANA's definitions for reply and request. This means above all that 9 does not have a meaning, so it does not mean "Communication with Destination Network is Administratively Prohibited" as used in the Destination Unreachable message.

The next point is whether any code other than 0 is allowed. RFC 792 is quite old and does not really follow the more strict SHOULD/MUST/MAY/... conventions. The remainder of the RFC only states sections like "IF code = 0 ..." or "Code 0 may be received ...". It actually never states what should be done if the code is not zero. One might intuitively interpret it as the opposite of what is defined, so may *not* be received; another might say that if it's not explicitly disallowed, it's okay. There is nothing in the RFC that even hints at what's right, so behavior will likely be very implementation-specific.

There is also RFC 1122, but this does not provide any extra specific limitation on the code field.

Now as for why the reply also uses 9, the easiest bet is to look at the implementation. A simple echo reply would just take the incoming packet, replace the type 8 with type 0, recalculate the checksum and send it back. This is simpler and more efficient than building the reply from scratch, but of course leaves the 9 code.
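
The reply construction described in the answer can be checked against the two captures in the question. This is an added example, not part of the original answer: it takes the ICMP bytes from the dumps (offset 0x22 onward), rebuilds the reply by changing only the type and checksum, and compares the result with the captured reply. The function names are assumptions chosen for illustration.

```python
import struct

# ICMP portion of the two frames in the question (offset 0x22 onward):
# the 8-byte header followed by the 120 zero bytes of payload.
REQUEST = bytes.fromhex("0809acc94a060127") + bytes(120)
REPLY = bytes.fromhex("0009b4c94a060127") + bytes(120)

ECHO_REPLY, ECHO_REQUEST = 0, 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(icmp: bytes) -> bool:
    # Summing a message together with its checksum field gives 0 if valid.
    return internet_checksum(icmp) == 0


def naive_echo_reply(request: bytes) -> bytes:
    """Reuse the request: set type 0, recompute checksum, keep the rest."""
    msg = bytearray(request)
    msg[0] = ECHO_REPLY
    msg[2:4] = b"\x00\x00"  # checksum field is zero while summing
    struct.pack_into("!H", msg, 2, internet_checksum(bytes(msg)))
    return bytes(msg)


def audit(icmp: bytes) -> list[str]:
    """Findings a monitoring rule could raise for one ICMP message."""
    icmp_type, code = icmp[0], icmp[1]
    findings = []
    if not checksum_ok(icmp):
        findings.append("bad checksum")
    if icmp_type in (ECHO_REPLY, ECHO_REQUEST) and code != 0:
        findings.append(f"type {icmp_type} with undefined code {code}")
    return findings


if __name__ == "__main__":
    print("rebuilt reply matches capture:", naive_echo_reply(REQUEST) == REPLY)
    for name, pkt in (("request", REQUEST), ("reply", REPLY)):
        print(name, audit(pkt))
```

Both captured messages carry a valid checksum, so the code byte was summed like any other header byte, and the rebuilt reply is byte-for-byte identical to the captured one.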