IP Routing Troubleshooting with the ping and traceroute Commands

Internet Control Message Protocol (ICMP)

TCP/IP includes ICMP, a protocol designed to help manage and control the operation of a TCP/IP network.  The ICMP protocol provides a wide variety of information about a network’s health and operational status.  ICMP helps control and manage IP’s work by defining a set of messages and procedures about the operation of IP.  ICMP is considered part of TCP/IP’s network layer.  ICMP messages sit inside an IP packet, with no transport layer header, so ICMP is truly an extension of the TCP/IP network layer.

The following excerpt from RFC 792 describes ICMP:

Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing.  For such purposes, this protocol, ICMP, is used.  ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP and must be implemented by every IP module.

ICMP Message Types:

Destination Unreachable: Tells the source host that there is a problem delivering a packet.
Time Exceeded: The time allowed for a packet to be delivered has expired, so the packet has been discarded.
Redirect: The router sending this message has received a packet for which another router has a better route. The message tells the sender to use the better route.
Echo Request, Echo Reply: Used by the ping command to verify connectivity.

The ping Command and the ICMP Echo Request and Echo Reply

The ping command uses the ICMP Echo Request and Echo Reply messages.  When people say they sent a ping packet, they really mean that they sent an ICMP Echo Request.  The Echo Request means that the host to which it is addressed should reply to the packet.  The Echo Reply is the ICMP message type that is used in the reply.  The Echo Request includes some data that can be specified in the ping command; whatever data is sent in the Echo Request is sent back in the Echo Reply.

The Destination Unreachable ICMP Message

Hosts and routers send ICMP Destination Unreachable messages back to the sending host when that host or router cannot deliver the data completely to the application at the destination host.

The ICMP Unreachable message includes five separate unreachable functions (codes) that further identify the reason why the packet cannot be delivered.  All five code types pertain directly to an IP, TCP, or UDP feature.

ICMP Unreachable Codes (when each is used, and what typically sends it):

Network unreachable: There is no match in a router's routing table for the packet's destination. Typically sent by a router.
Host unreachable: The packet can be routed to a router connected to the destination subnet, but the host is not responding. Typically sent by a router.
Can't fragment: The packet has the Don't Fragment bit set, and a router must fragment it to forward it. Typically sent by a router.
Protocol unreachable: The packet is delivered to the destination host, but the transport layer protocol is not available on that host. Typically sent by a host.
Port unreachable: The packet is delivered to the destination host, but the destination port has not been opened by an application. Typically sent by a host.
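To make the Echo Request/Reply exchange and the unreachable codes concrete, here is an added example (not from the original page, and not IOS code) that builds and decodes raw ICMP messages: it computes the RFC 792 checksum, checks that an Echo Reply carries back the identifier, sequence number and data of the request, and maps Destination Unreachable codes to the five reasons in the table above. The numeric type and code values come from RFC 792; the page itself only names the messages.

```python
import struct

# ICMP type numbers from RFC 792 (the page names the messages but not the numbers).
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

# Destination Unreachable codes, matching the five reasons in the table above.
UNREACH_CODES = {0: "Network unreachable", 1: "Host unreachable",
                 2: "Protocol unreachable", 3: "Port unreachable",
                 4: "Can't fragment (Don't Fragment bit set)"}

def icmp_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum, as RFC 792 specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Type, code, checksum, 4-byte 'rest of header', then payload; checksum covers it all."""
    header = struct.pack("!BBHI", msg_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", msg_type, code, csum, rest) + payload

def build_echo(ident: int, seq: int, data: bytes, reply: bool = False) -> bytes:
    """Echo Request/Reply: the rest-of-header field holds identifier and sequence number."""
    return build_icmp(ECHO_REPLY if reply else ECHO_REQUEST, 0, (ident << 16) | seq, data)

def parse_icmp(raw: bytes) -> dict:
    """Decode a message and recompute its checksum so a corrupted one is flagged, not trusted."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, csum, rest = struct.unpack("!BBHI", raw[:8])
    info = {"type": msg_type, "code": code, "payload": raw[8:],
            "checksum_ok": icmp_checksum(raw[:2] + b"\x00\x00" + raw[4:]) == csum}
    if msg_type in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
    elif msg_type == DEST_UNREACH:
        info["reason"] = UNREACH_CODES.get(code, "unknown code %d" % code)
    return info

def echo_matches(request: bytes, reply: bytes) -> bool:
    """ping's acceptance test: the reply must carry back the id, sequence and data sent."""
    rq, rp = parse_icmp(request), parse_icmp(reply)
    return (rq["type"] == ECHO_REQUEST and rp["type"] == ECHO_REPLY and rp["checksum_ok"]
            and (rq["id"], rq["seq"], rq["payload"]) == (rp["id"], rp["seq"], rp["payload"]))
```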

Characters That the ping Command Prints for Each ICMP Echo Request It Sends:

Code  Meaning
!     ICMP Echo Reply received.
.     Nothing was received before the ping command timed out.
U     ICMP unreachable (destination) received.
N     ICMP unreachable (network/subnet) received.
M     ICMP Can't Fragment message received.
?     Unknown packet received.

The Redirect ICMP Message

The ICMP Redirect message provides a means by which routers can tell hosts to use another router as the gateway for certain destination addresses.  Most hosts use the concept of a default router IP address, sending packets destined for other subnets to their default router.  However, if multiple routers connect to the same subnet, a host's default gateway may not be the best router on that subnet for reaching some destinations.  The default gateway can recognize that a different router is a better option.  It then sends ICMP Redirect messages to the host to tell it to send the packets for that destination address to the other router.

The host can ignore the redirect and keep sending the packets to its default router.

The ICMP Time Exceeded Message

The ICMP Time Exceeded message notifies a host when a packet it sent has been discarded because it was "out of time".  Packets are not actually timed, but to prevent them from being forwarded forever when there is a routing loop, each IP header carries a Time to Live (TTL) field.  Routers decrement the TTL by 1 every time they forward a packet; if a router decrements the TTL to 0, it throws away the packet.  This prevents packets from circulating forever.

The router that discards the packet also sends an ICMP Time Exceeded message, with a Code field of “time exceeded” to the host that sent the packet.

The traceroute Command

The traceroute command sends a set of messages with increasing TTL values, starting with 1.  The traceroute command expects these messages to be discarded when routers decrement the TTL to 0, returning Time Exceeded messages to the traceroute command.  The source IP addresses of the Time Exceeded messages identify the routers that discarded the messages, which can then be displayed by the traceroute command.

To see how this command works, consider the first set of packets (three packets by default) sent by the traceroute command.  The packets are IP packets, with a UDP transport layer, and with the TTL set to 1.  When the packets arrive at the next router, the router decrements the TTL to 0 in each packet, discards the packet, and sends a Time Exceeded message back to the host that sent the discarded packet.  The traceroute command looks at the first router’s source IP address in the received Time Exceeded packet.

Next, the command sends another set of three IP packets, this time with TTL = 2.  The first router decrements the TTL to 1 and forwards the packets, and the second router decrements the TTL to 0 and discards them.  This second router sends Time Exceeded messages back to the router where the command was used, and the command now knows the second router in the route.

The traceroute command knows when the test packets arrive at the destination host because the host sends back an ICMP Port Unreachable message.  The original packets sent by the IOS traceroute command use a destination UDP port number that is very unlikely to be used on the destination host, so as soon as the TTL is large enough to allow the packet to arrive at the destination host, the host notices that it does not have an application listening at that particular UDP port.  So, the destination host returns a Port Unreachable message, which tells the traceroute command that the complete route has been found, and the command can stop.
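The TTL-stepping procedure just described, as an added example (not code from the page or from IOS): a constructed topology models each router decrementing the TTL and returning Time Exceeded, the destination host answering Port Unreachable, and the two failure modes a troubleshooter meets in practice, a hop that forwards but filters its ICMP replies (shown as "*") and a destination that never answers, which makes the command run to its maximum TTL.

```python
MAX_TTL = 30          # give up after this many hops if no Port Unreachable ever arrives
PROBES_PER_HOP = 3    # the "three packets by default" described above

def send_probe(path, dest, ttl, dest_answers=True):
    """Model what the network does with one UDP probe that leaves the source with this TTL.

    path: ordered router IPs between the source and dest (constructed topology).
    A router listed as None forwards packets but never returns ICMP (e.g. a filter).
    Returns ("time_exceeded", router_ip), ("port_unreachable", dest) or ("timeout", None).
    """
    for router in path:
        ttl -= 1                      # each router decrements TTL by 1 before forwarding
        if ttl == 0:                  # reached 0 here: discard and (normally) report it
            return ("timeout", None) if router is None else ("time_exceeded", router)
    # TTL survived every router, so the probe reaches dest, which has no application
    # listening on the probe's UDP port and therefore answers Port Unreachable.
    return ("port_unreachable", dest) if dest_answers else ("timeout", None)

def traceroute(path, dest, dest_answers=True, max_ttl=MAX_TTL, probes=PROBES_PER_HOP):
    """Raise TTL from 1 until a Port Unreachable arrives; return [(ttl, address_or_star)]."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, dest, ttl, dest_answers) for _ in range(probes)]
        answered = [addr for kind, addr in replies if kind != "timeout"]
        hops.append((ttl, answered[0] if answered else "*"))
        if any(kind == "port_unreachable" for kind, _ in replies):
            return hops               # complete route found: stop
    return hops                       # gave up: no reply from the destination within max_ttl

if __name__ == "__main__":
    # Constructed topology: two routers, a silent third one, a fourth, then the host.
    route = ["10.1.1.1", "10.1.2.1", None, "10.1.3.1"]
    for ttl, addr in traceroute(route, "192.0.2.10"):
        print(f"{ttl:>3}  {addr}")
```

A line of "*" in the middle of an otherwise complete trace means that hop filters ICMP, not that the path is broken; only a trace that never ends with the destination's address indicates the packets are not arriving.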

The extended version of the traceroute command does a much better job of simulating packets sent by end-user hosts, especially for testing reverse routes.