ICMP

Also known as: Internet Control Message Protocol

The Internet Control Message Protocol — a companion protocol to IP used for diagnostic and error-reporting messages like ping and traceroute.


What is ICMP?

ICMP (Internet Control Message Protocol) is the diagnostic and error-reporting companion to IP. Unlike TCP and UDP, which carry application data, ICMP carries control messages: "destination unreachable", "time exceeded", "echo request/reply" and a few dozen other types and codes defined in RFC 792 (ICMPv4) and RFC 4443 (ICMPv6).

ICMP is carried directly inside IP just like TCP and UDP (IPv4 protocol number 1, IPv6 next header 58), but RFC 792 treats it as an integral part of IP rather than a transport protocol, and it has no ports. A message is identified by its 8-bit type and code fields. Echo messages add a 16-bit identifier and sequence number so a reply can be matched to its request, and error messages quote the IP header plus the first 8 bytes of the datagram that triggered them, which is how the receiving stack knows which connection the error concerns.

Tools that rely on ICMP

Two diagnostic tools every network engineer knows use ICMP as their core mechanism:

  • ping — sends ICMP Echo Request (type 8) and measures how long the matching Echo Reply (type 0, same identifier and sequence number) takes to come back. A round-trip time of 20 ms says the path is healthy; 2,000 ms, or replies that never arrive, says something is very wrong
  • traceroute — sends probes with gradually increasing TTL values (1, 2, 3, ...). The router that decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded (type 11), so each TTL reveals one more hop of the route. Classic Unix traceroute sends UDP probes to high-numbered ports and recognises the destination by its Port Unreachable (type 3, code 3); Windows tracert and `traceroute -I` send ICMP Echo probes and stop at the Echo Reply

Important ICMP message types

| Type | Name | Purpose |
|-----:|------|---------|
| 0 | Echo Reply | Response to a ping |
| 3 | Destination Unreachable | No route, port closed, host down |
| 5 | Redirect | Router suggests a better path (often disabled for security) |
| 8 | Echo Request | Ping |
| 11 | Time Exceeded | TTL reached 0 — used by traceroute |
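The wire format behind the table and the ping exchange, as an added example (this is not code from the page or from any ping implementation): an Echo Request is built with the RFC 1071 checksum, the "remote" side answers with an Echo Reply, and the parser verifies the checksum and matches identifier and sequence number the way ping does. The sample identifier, sequence and payload are constructed values.

```python
import struct

# Names for the ICMPv4 types in the table above (RFC 792).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (header + payload)."""
    if len(data) % 2:
        data += b"\x00"                       # pad to a whole number of 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0, then identifier and sequence so the reply can be matched."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum field is zero while summing
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def echo_reply_for(request: bytes) -> bytes:
    """What the remote stack sends back: same identifier, sequence and payload, type 0."""
    _type, code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    header = struct.pack("!BBHHH", 0, code, 0, ident, seq)
    csum = icmp_checksum(header + request[8:])
    return struct.pack("!BBHHH", 0, code, csum, ident, seq) + request[8:]


def parse_icmp(msg: bytes) -> dict:
    """Decode type/code, verify the checksum, and pull out the echo identifier/sequence."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    info = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "other"),
        # summing a message whose checksum field is correct gives 0xFFFF, so its complement is 0
        "checksum_ok": icmp_checksum(msg) == 0,
        "payload": msg[8:],
    }
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", rest)
    return info


def matches_probe(reply: bytes, ident: int, seq: int) -> bool:
    """ping accepts a reply only if it is a valid Echo Reply for the probe it sent."""
    p = parse_icmp(reply)
    return p["checksum_ok"] and p["type"] == 0 and p.get("id") == ident and p.get("seq") == seq


if __name__ == "__main__":
    req = build_echo_request(ident=0x1234, seq=1, payload=b"abcdefgh")   # constructed sample
    rep = echo_reply_for(req)
    print(parse_icmp(req)["name"], "->", parse_icmp(rep)["name"],
          "matched:", matches_probe(rep, 0x1234, 1))
```

Sending these bytes for real needs a raw socket (`socket.SOCK_RAW`, `IPPROTO_ICMP`) and usually root, which is why ping is setuid or carries a capability on most systems; the identifier check matters because every process on the host sees every incoming Echo Reply on a raw socket.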

Why ICMP is often partially blocked

Operators frequently block ICMP at their firewalls, which breaks diagnostic tools but addresses real threats:

  • Amplification attacks — spoofed pings to a broadcast address could trigger many replies aimed at the victim (the Smurf attack)
  • Tunneling — attackers can exfiltrate data through ICMP payloads when other protocols are blocked
  • Reconnaissance — attackers use ping sweeps to find live hosts on a network

The balance most operators settle on: allow Echo (ping, usually rate-limited), Time Exceeded (traceroute) and Destination Unreachable, which is essential for TCP/UDP error signalling. Its code 4 ("fragmentation needed and DF set") is the message Path MTU Discovery relies on, so blocking it causes mysterious hangs on large packets. Block the more exotic types such as Redirect (type 5) and the deprecated Source Quench (type 4). A stateful firewall can tighten this further by accepting ICMP error messages only when the datagram they quote belongs to a connection it is already tracking, which discards forged errors aimed at existing flows.
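A host-firewall ruleset that implements this balance, as an added nftables configuration fragment (it is not from the page; the table and chain names, rate numbers and the decision to drop redirects are arbitrary choices to adapt to your environment):

```nft
#!/usr/sbin/nft -f
# Selective ICMP filtering for a host. Everything not explicitly accepted is dropped.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Conntrack marks ICMP errors whose quoted datagram matches a tracked flow as
        # "related"; forged errors that match nothing fall through to the drop policy.
        ct state established,related accept
        ct state invalid drop

        # ICMPv4: the errors that TCP/UDP and Path MTU Discovery depend on
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # ping: keep it, but rate-limit so echo cannot be used for floods or sweeps at speed
        icmp type echo-request limit rate 10/second burst 20 packets accept
        # the "exotic" types: redirect rewrites host routes, source-quench is deprecated (RFC 6633)
        icmp type { redirect, source-quench, router-advertisement, router-solicitation } drop

        # ICMPv6: IPv6 does not work without these (RFC 4890 has the full recommendations)
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Neighbor Discovery must arrive with hop limit 255 (RFC 4861); anything else is off-link or spoofed
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } accept
        icmpv6 type echo-request limit rate 10/second burst 20 packets accept
        # same judgement as ICMPv4 redirect: drop unless hosts on this link rely on redirects
        icmpv6 type nd-redirect drop
    }
}
```

Load it with `nft -f` and check the counters after a traceroute through the host and a `ping -s 2000` across a smaller-MTU link: `packet-too-big` and `destination-unreachable` should count up, and the large ping should still work.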

ICMPv6 (RFC 4443) serves the same role on IPv6 but is far more important. It carries Neighbor Discovery (types 133 to 137: Router Solicitation and Advertisement, Neighbor Solicitation and Advertisement, Redirect), which replaces ARP and, through Router Advertisements and SLAAC, part of what DHCP does on IPv4; Multicast Listener Discovery; and Packet Too Big (type 2), which IPv6 cannot do without because routers never fragment. Blocking all ICMPv6 breaks IPv6 entirely. RFC 4890 gives per-type filtering recommendations.

Frequently Asked Questions

Should I block all ICMP at the firewall?

No. Blocking all ICMP breaks Path MTU Discovery, which causes mysterious hangs on large packets through your network: the classic "websites load fine but file transfers freeze" symptom. It also breaks ping and traceroute diagnostics, making outage investigation much harder. The right balance is to block exotic ICMP types (Redirect, and Source Quench, which RFC 6633 deprecated) but allow Echo, Time Exceeded, and Destination Unreachable, rate-limiting Echo if floods are a concern. For IPv6, blocking all ICMPv6 breaks the protocol entirely, because Neighbor Discovery, Router Advertisement and Packet Too Big depend on it.
Why does ping use ICMP rather than TCP or UDP?

Because ICMP was designed exactly for diagnostic and control messages like ping. ICMP Echo Request (type 8) and Echo Reply (type 0) are the simplest possible round-trip primitive: no ports, no connection state, no application data, just an identifier and sequence number to match each reply to its request. Using TCP would require choosing a port, dealing with firewalls that block specific ports, and adding handshake overhead that contaminates the latency measurement; UDP has no handshake, but a UDP probe only gets an answer if a service listens on the port (or an ICMP Port Unreachable if nothing does). There are TCP and UDP "ping" tools (`tcping`, `nc -z`) for cases where ICMP is blocked, but standard ping is ICMP for a reason.
What is the difference between ICMPv4 and ICMPv6?

ICMPv4 (RFC 792) is mostly a diagnostic protocol: ping, traceroute, error reporting. ICMPv6 (RFC 4443) is essential for the IPv6 protocol itself. ICMPv6 carries the Neighbor Discovery Protocol (replacing IPv4's ARP), Router Advertisement (replacing parts of DHCP through SLAAC), Multicast Listener Discovery, and Packet Too Big, the only way an IPv6 sender learns that a path needs smaller packets. Blocking all ICMPv4 breaks ping, traceroute and Path MTU Discovery while IPv4 itself keeps routing; blocking all ICMPv6 makes IPv6 stop working entirely. They share the same name and conceptual role but have very different operational importance.
Are there attacks that use ICMP?

Yes. Historically the Smurf attack (spoofed ICMP Echo Requests to broadcast addresses) and Ping of Death (oversized, fragmented ICMP packets that crashed older stacks) caused real damage. Both are now defused: routers stop forwarding directed broadcasts by default (RFC 2644) and hosts ignore broadcast pings, while modern stacks bound reassembly so an oversized packet is simply dropped. ICMP tunneling embeds covert data in Echo payloads to exfiltrate from networks where other protocols are blocked, which is why unusually large or high-rate Echo traffic to a single destination is worth alerting on. ICMP reconnaissance (ping sweeps) is part of standard scanning workflows. None of these justify blocking all ICMP; they justify rate-limiting and selective filtering.
What does ICMP type 3 (Destination Unreachable) mean?

ICMP type 3 tells you the network could not deliver your packet. The accompanying code says why: 0 = network unreachable (no route to that network), 1 = host unreachable (route exists, host doesn't respond at L2), 3 = port unreachable (host received it but no service was listening on that port), 4 = fragmentation needed and DF set (the packet exceeds the next hop's MTU; this is the Path MTU Discovery signal and the message carries the next-hop MTU), 9, 10 and 13 = administratively prohibited for the network, the host, or the communication respectively (a firewall blocked it). The code is the actionable part: it tells you whether to debug routing, the host, the MTU, or a firewall rule. The message also quotes the IP header and first 8 bytes of the packet that failed, so you can see exactly which connection it was about.
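A decoder for the error messages discussed in this answer and in the traceroute description above, as an added example (not code from the page or from any traceroute or kernel implementation). It names the type 3 and type 11 codes, says what to debug, parses the quoted IPv4 header and transport ports, and rejects an error whose quoted datagram matches nothing the host sent, which is the check a stateful firewall or a careful stack applies to forged errors. The addresses (TEST-NET ranges), ports and packets are constructed samples; IP and ICMP checksums are left at zero and are not verified here.

```python
import ipaddress
import struct

# ICMPv4 errors (types 3, 5, 11, 12) quote the IP header plus at least the first 8 bytes
# of the datagram that provoked them (RFC 792). That quote is how traceroute matches a
# Time Exceeded to its probe and how a stack knows which connection an error concerns.

UNREACH_CODES = {  # type 3 codes (RFC 792, RFC 1812) and what to debug for each
    0: ("network unreachable", "routing: no route to the destination network"),
    1: ("host unreachable", "host: route exists but the host does not answer at L2"),
    3: ("port unreachable", "service: host is up, nothing listens on that port"),
    4: ("fragmentation needed and DF set", "path MTU: use the next-hop MTU carried in the message"),
    9: ("network administratively prohibited", "firewall: the destination network is filtered"),
    10: ("host administratively prohibited", "firewall: the destination host is filtered"),
    13: ("communication administratively prohibited", "firewall: this traffic is filtered"),
}
TIME_EXCEEDED_CODES = {  # type 11 codes
    0: ("TTL exceeded in transit", "expected from each traceroute hop; otherwise a routing loop"),
    1: ("fragment reassembly time exceeded", "fragments are being lost on the path"),
}


def parse_quoted_datagram(inner: bytes) -> dict:
    """Decode the IPv4 header and first 8 transport bytes quoted inside an ICMP error."""
    if len(inner) < 20:
        raise ValueError("quoted datagram shorter than an IPv4 header")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _hcs, src, dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if vihl >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (vihl & 0x0F) * 4                       # header length in bytes (options included)
    l4 = inner[ihl:ihl + 8]
    if len(l4) < 8:
        raise ValueError("fewer than 8 transport bytes quoted")
    flow = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)), "proto": proto}
    if proto in (6, 17):                          # TCP / UDP: ports are the first four bytes
        flow["sport"], flow["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:                              # ICMP echo: identifier and sequence in bytes 4-7
        flow["icmp_type"], _, _, flow["id"], flow["seq"] = struct.unpack("!BBHHH", l4)
    return flow


def diagnose_icmp_error(msg: bytes, sent_flows: set) -> dict:
    """Name the error, say what to debug, and check it refers to a datagram this host sent."""
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", msg[:8])
    table = {3: UNREACH_CODES, 11: TIME_EXCEEDED_CODES}.get(icmp_type)
    if table is None:
        raise ValueError(f"type {icmp_type} is not handled by this decoder")
    name, action = table.get(code, ("unknown code", "consult RFC 792 / RFC 1812"))
    quoted = parse_quoted_datagram(msg[8:])
    key = (quoted["src"], quoted["dst"], quoted["proto"], quoted.get("sport"), quoted.get("dport"))
    result = {"type": icmp_type, "code": code, "name": name, "action": action,
              "quoted": quoted, "related": key in sent_flows}   # related=False: treat as forged, drop
    if icmp_type == 3 and code == 4:
        result["next_hop_mtu"] = next_hop_mtu  # RFC 1191 puts the MTU in the last 16 bits of the header
    return result


def udp_probe_sample(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Constructed sample: first 28 bytes of a UDP traceroute probe (DF set, checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1A2B, 0x4000, ttl, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 16, 0)


def icmp_error(icmp_type: int, code: int, quoted: bytes, mtu: int = 0) -> bytes:
    """Constructed sample ICMP error message wrapping a quoted datagram (checksum left 0)."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + quoted


SENT = {("192.0.2.10", "203.0.113.7", 17, 40000, 33434)}       # one outstanding probe (constructed)
PROBE = udp_probe_sample("192.0.2.10", "203.0.113.7", 40000, 33434, ttl=1)

if __name__ == "__main__":
    forged_quote = udp_probe_sample("192.0.2.10", "203.0.113.7", 40001, 33434, ttl=1)
    for label, pkt in [("hop 1", icmp_error(11, 0, PROBE)),
                       ("target", icmp_error(3, 3, PROBE)),
                       ("forged", icmp_error(3, 1, forged_quote))]:
        r = diagnose_icmp_error(pkt, SENT)
        print(f"{label}: type {r['type']} code {r['code']} ({r['name']}) related={r['related']} -> {r['action']}")
```

The "related" check is the reason a forged Host Unreachable cannot knock down a connection whose ports the attacker did not guess: the quoted header has to name the exact source, destination, protocol and ports of a live flow before the stack or firewall will act on it.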