ICMP
Internet Control Message Protocol
A network-layer (Layer 3) protocol carried directly inside IP datagrams (IP protocol number 1; ICMPv6 uses 58) that routers and hosts use to send error and diagnostic messages. It is the engine behind ping and traceroute, and the mechanism by which IP reports why a packet could not be delivered.
ICMP is the signalling layer of IP networks. Unlike TCP or UDP, ICMP is not used to carry application data — it carries control messages between network devices. When a router cannot forward a packet, when a TTL expires, or when a destination is unreachable, ICMP delivers that information back to the sender. Without ICMP, IP networks would fail silently with no indication of what went wrong.
ICMP message types
| Type | Name | Key codes | Used by |
|---|---|---|---|
| 0 | Echo Reply | — | ping response |
| 3 | Destination Unreachable | 0=net, 1=host, 2=protocol, 3=port, 4=frag needed (DF set), 13=administratively prohibited | Error reporting, PMTUD |
| 5 | Redirect | 0=net, 1=host | Router tells a host of a better next hop; easily forged, so hosts usually ignore it |
| 8 | Echo Request | — | ping |
| 11 | Time Exceeded | 0=TTL in transit, 1=frag reassembly | traceroute |
| 12 | Parameter Problem | 0=pointer indicates the bad octet | Malformed header notification |
How ping uses ICMP
The ping command sends ICMP Type 8 (Echo Request) packets to a destination host and listens for Type 0 (Echo Reply) responses. The elapsed time between sending and receiving is the round-trip time (RTT), which is what speed tests report as latency. Each Echo message carries a 16-bit identifier (typically the sending process ID) and a sequence number in its header; Unix ping implementations also place the send timestamp in the payload. The receiver copies identifier, sequence number and payload back unchanged in the Echo Reply, so ping can match replies to requests and compute RTT without keeping per-probe state. If no reply arrives within the timeout, the host is down, unreachable, configured to drop Echo Requests, or a filter somewhere on the path dropped the request or the reply.
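The request/reply exchange described above, as an added example that is not part of the original page. It builds an Echo Request with a correct RFC 1071 checksum, produces the Echo Reply a host would return, and shows how the sender matches the reply on identifier and sequence number and computes the RTT from the payload timestamp. The addresses are absent because only the ICMP message is modelled; the identifier 0x1234, the timestamps and the corrupted reply are constructed inputs. No raw socket is opened, so it runs without privileges.

```python
import struct

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo header is type(1) code(1) checksum(2) identifier(2) sequence(2), then payload.
    The checksum is computed over the whole message with the checksum field zeroed."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an Echo message; re-summing a valid message including its checksum gives 0."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def make_request(ident: int, seq: int, send_time: float) -> bytes:
    """Sender side. Like Unix ping, the send timestamp rides in the payload; the rest is
    filler so the message is 64 bytes (8 header + 56 payload), ping's default size."""
    payload = struct.pack("!d", send_time) + bytes(range(48))
    return build_echo(ECHO_REQUEST, ident, seq, payload)


def make_reply(request: bytes) -> bytes:
    """Receiver side: copy identifier, sequence and payload back unchanged, set type 0."""
    req = parse_echo(request)
    if req["type"] != ECHO_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid Echo Request")
    return build_echo(ECHO_REPLY, req["ident"], req["seq"], req["payload"])


def match_reply(reply: bytes, ident: int, seq: int, recv_time: float):
    """Sender side again: accept only a checksum-valid Echo Reply whose identifier and
    sequence match our probe, then return the RTT in milliseconds (None otherwise)."""
    rep = parse_echo(reply)
    if rep["type"] != ECHO_REPLY or not rep["checksum_ok"]:
        return None
    if rep["ident"] != ident or rep["seq"] != seq:
        return None  # belongs to another ping process or another probe
    (sent,) = struct.unpack("!d", rep["payload"][:8])
    return (recv_time - sent) * 1000.0


if __name__ == "__main__":
    # Constructed exchange: one request, its reply, and a copy of the reply damaged in transit.
    ident, seq, t0 = 0x1234, 1, 1000.0
    request = make_request(ident, seq, t0)
    reply = make_reply(request)
    print("RTT ms:", match_reply(reply, ident, seq, t0 + 0.0123))
    damaged = reply[:20] + bytes([reply[20] ^ 0x01]) + reply[21:]
    print("damaged reply matched:", match_reply(damaged, ident, seq, t0 + 0.0123))
```

The checksum check in `parse_echo` relies on a property of the one's-complement sum: summing a valid message together with its own checksum field yields all ones, which complements to zero, so no separate "expected" value has to be recomputed.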
How traceroute uses ICMP TTL exceeded
traceroute (Linux/macOS) and tracert (Windows) exploit the TTL field in the IP header. Each router decrements the TTL; when the result is zero the router discards the packet and returns an ICMP Type 11 (Time Exceeded, code 0) message to the source, whose own source address reveals the router and whose arrival time gives the RTT to that hop. Traceroute starts with TTL=1 (revealing hop 1), then TTL=2 (hop 2), and so on until the destination is reached. The destination returns either an ICMP Echo Reply (tracert, and traceroute -I, use ICMP probes) or an ICMP Port Unreachable (Type 3 code 3) when traceroute sends its default UDP probes to an unlikely high port (33434 upwards), signalling the end of the path; TCP-mode probes end with a SYN/ACK or RST instead. The sender matches each ICMP error to its probe through the original IP header and first 8 payload bytes quoted inside the message. A hop that rate-limits or drops ICMP shows as "* * *" but still forwards traffic.
ICMP and Path MTU Discovery (PMTUD)
Path MTU Discovery (RFC 1191) uses ICMP Type 3 code 4 (Fragmentation Needed and Don't Fragment was set). When a router receives a packet that is too large for the next-hop link and the Don't Fragment (DF) bit is set, it cannot fragment the packet, so it drops it and returns this ICMP message to the sender with the next-hop MTU in the low 16 bits of the second header word. The sender lowers its path MTU estimate for that destination (for TCP, the MSS becomes MTU minus 40 bytes of IPv4 and TCP headers) and retransmits. If a firewall blocks this ICMP type, the sender never learns the MTU limit and the connection appears to hang: small exchanges such as an SSH login or an HTTP request succeed while bulk transfers stall. This condition is called an MTU black hole and is one of the most damaging consequences of indiscriminate ICMP blocking. IPv6 depends on it even more, since IPv6 routers never fragment and rely on ICMPv6 Packet Too Big (Type 2). Workarounds where the ICMP path cannot be fixed are clamping the TCP MSS at the tunnel or gateway and Packetization Layer PMTUD (RFC 4821), which probes without relying on ICMP feedback.
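Both the traceroute section and the PMTUD section above turn on the same mechanism: an ICMP error message quotes the offending IP header plus the first 8 bytes of its payload, and the original sender parses that quote to find out which packet triggered it. The following is an added example, not code from the original page, that builds the router side and the sender side of both cases: a Type 11 Time Exceeded for a traceroute-style UDP probe, and a Type 3 code 4 Fragmentation Needed with a next-hop MTU for a full-size TCP segment. Hosts 192.0.2.10 and 198.51.100.7, ports 40000, 33434, 51000 and 443, the 1500-byte segment and the 1400-byte link are constructed inputs; the outer IP header that would carry the router's address is not modelled.

```python
import ipaddress
import struct

DEST_UNREACHABLE, TIME_EXCEEDED = 3, 11
CODE_FRAG_NEEDED = 4          # type 3 code 4
PROTO_TCP, PROTO_UDP = 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 checksum, shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header (no options). DF is bit 0x4000 of flags/fragment offset."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1C2D, 0x4000 if df else 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """A traceroute-style UDP probe: IPv4 + UDP header + 32 filler bytes."""
    udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0) + b"\x00" * 32
    return ipv4_header(src, dst, PROTO_UDP, 20 + len(udp), ttl, df=False) + udp


def tcp_segment_df(src: str, dst: str, sport: int, dport: int, size: int) -> bytes:
    """A full-size TCP segment with DF set, as a PMTUD-capable sender emits."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return ipv4_header(src, dst, PROTO_TCP, size, 64, df=True) + tcp + b"A" * (size - 40)


def build_icmp_error(icmp_type: int, code: int, offending: bytes, next_hop_mtu: int = 0) -> bytes:
    """Router side (RFC 792/1191): quote the offending IP header plus its first 8 payload
    bytes. The second header word is unused except for type 3 code 4, where its low 16
    bits carry the next-hop MTU."""
    quoted = offending[:20 + 8]
    rest = struct.pack("!HH", 0, next_hop_mtu)
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + quoted)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + quoted


def parse_icmp_error(msg: bytes) -> dict:
    """Sender side: verify the checksum, then recover from the quoted header which packet
    provoked the error (addresses, protocol, ports) and, for frag-needed, the MTU."""
    if len(msg) < 8 + 20:
        raise ValueError("truncated ICMP error message")
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    inner = msg[8:]
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _hc, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = inner[ihl:ihl + 8]                       # the 8 quoted transport-layer bytes
    info = {"type": icmp_type, "code": code, "orig_src": str(ipaddress.IPv4Address(src)),
            "orig_dst": str(ipaddress.IPv4Address(dst)), "orig_proto": proto,
            "orig_len": total_len}
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    if icmp_type == DEST_UNREACHABLE and code == CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info


def tcp_mss_for_mtu(mtu: int) -> int:
    """TCP payload per segment that fits the MTU over IPv4: 20-byte IP + 20-byte TCP header."""
    return mtu - 40


def traceroute_hop_example() -> dict:
    """Constructed: a TTL=1 probe from 192.0.2.10 to 198.51.100.7 expires at the first hop."""
    probe = udp_probe("192.0.2.10", "198.51.100.7", 40000, 33434, ttl=1)
    return parse_icmp_error(build_icmp_error(TIME_EXCEEDED, 0, probe))


def pmtud_example() -> dict:
    """Constructed: a 1500-byte DF segment meets a 1400-byte next-hop link."""
    seg = tcp_segment_df("192.0.2.10", "198.51.100.7", 51000, 443, 1500)
    return parse_icmp_error(build_icmp_error(DEST_UNREACHABLE, CODE_FRAG_NEEDED, seg, 1400))


if __name__ == "__main__":
    print("traceroute hop:", traceroute_hop_example())
    hit = pmtud_example()
    print("frag needed, next-hop MTU", hit["next_hop_mtu"], "-> MSS", tcp_mss_for_mtu(hit["next_hop_mtu"]))
```

The quoted ports are what let traceroute run several probes in flight and still attribute each Time Exceeded to the right TTL, and they are also why a stateful firewall can admit an ICMP error only when the quoted header matches a connection it has seen.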
ICMPv6 and its expanded role
IPv6 gives ICMP a much larger role than in IPv4. ICMPv6 (defined in RFC 4443) handles not just error reporting but also core network functions that IPv4 handled with separate protocols (Neighbor Discovery is specified in RFC 4861, Multicast Listener Discovery in RFC 2710 and RFC 3810):
- Neighbor Discovery Protocol (NDP) replaces ARP — IPv6 nodes use ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages to resolve link-layer addresses, replacing the broadcast-based ARP of IPv4
- Router Advertisement (RA) — routers periodically send ICMPv6 Router Advertisements carrying the network prefix, default gateway, and MTU, allowing hosts to auto-configure without DHCP (SLAAC)
- Multicast Listener Discovery (MLD) — ICMPv6 replaces IGMP for multicast group management in IPv6
Blocking ICMPv6 on an IPv6 network breaks address autoconfiguration, neighbour resolution, router discovery and Path MTU Discovery (Packet Too Big, Type 2); the network effectively stops functioning. ICMPv6 must never be blanket-blocked. Neighbor Discovery messages are sent between link-local addresses with a hop limit of 255, and hosts discard any NDP message that arrives with a lower hop limit, so a border firewall never sees legitimate ones; what it must pass are the error types (Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem), and RFC 4890 gives per-type filtering guidance. The security problem lives on the link itself: any node can send a Router Advertisement and become the default gateway for its neighbours (rogue RA), which is why switches offer RA Guard (RFC 6105) and hosts can be configured to ignore RAs on interfaces where they are not expected.
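The Router Advertisement described above, as an added example rather than code from the original page. It builds an RA with source link-layer address, Prefix Information and MTU options, computes the ICMPv6 checksum over the IPv6 pseudo-header (a difference from ICMPv4 that binds the message to its addresses), and then applies the RFC 4861 validity checks a host performs before acting on an RA: hop limit 255, link-local source, good checksum. The addresses fe80::1, ff02::1 and 2001:db8:1::/64, the MAC 00:11:22:33:44:55 and the lifetimes are constructed inputs; the hop limit is passed in explicitly because the IPv6 header is not modelled.

```python
import ipaddress
import struct

ICMPV6 = 58               # IPv6 next-header value for ICMPv6
ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """Unlike ICMPv4, the ICMPv6 checksum also covers an IPv6 pseudo-header: source,
    destination, upper-layer length and next header (58). The same bytes replayed
    from another source address therefore fail the checksum."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    return checksum(pseudo + msg)


def build_router_advert(src: str, dst: str, lladdr: str, prefix: str, plen: int,
                        mtu: int, lifetime: int = 1800) -> bytes:
    """Router side (RFC 4861 4.2): cur hop limit 64, M=0/O=0 (pure SLAAC), router
    lifetime, reachable time, retrans timer, then TLV options whose length field is
    in units of 8 octets."""
    body = struct.pack("!BBHII", 64, 0x00, lifetime, 0, 0)
    opts = struct.pack("!BB", OPT_SRC_LLADDR, 1) + bytes.fromhex(lladdr.replace(":", ""))
    # Prefix Information: plen, flags L=0x80 (on-link) A=0x40 (autonomous),
    # valid lifetime, preferred lifetime, reserved, prefix.
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    opts += ipaddress.IPv6Address(prefix).packed
    opts += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    msg = struct.pack("!BBH", ROUTER_ADVERT, 0, 0) + body + opts
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_router_advert(src: str, dst: str, hop_limit: int, msg: bytes) -> dict:
    """Host side. RFC 4861 6.1.2 validity checks first: hop limit 255 (so the RA
    cannot have crossed a router), link-local source, good checksum, code 0."""
    if hop_limit != 255:
        raise ValueError("RA hop limit is not 255")
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA source is not link-local")
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    t, code, _c, cur_hl, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if t != ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"cur_hop_limit": cur_hl, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_lladdr": None, "prefixes": [], "mtu": None}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")        # must discard (RFC 4861 4.6)
        opt = msg[off:off + olen * 8]
        if otype == OPT_SRC_LLADDR:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                                   "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        off += olen * 8                                   # unknown options are skipped
    return ra


def ra_is_acceptable(src: str, dst: str, hop_limit: int, msg: bytes) -> bool:
    """True if a host would act on this RA, False if RFC 4861 validation rejects it."""
    try:
        parse_router_advert(src, dst, hop_limit, msg)
        return True
    except ValueError:
        return False


def example_ra() -> dict:
    """Constructed: a legitimate RA from fe80::1 to the all-nodes multicast group."""
    ra = build_router_advert("fe80::1", "ff02::1", "00:11:22:33:44:55", "2001:db8:1::", 64, 1500)
    return parse_router_advert("fe80::1", "ff02::1", 255, ra)


if __name__ == "__main__":
    print(example_ra())
    # An RA from a global address, or one that arrives with hop limit < 255, is rejected.
    ra = build_router_advert("2001:db8::1", "ff02::1", "00:11:22:33:44:55", "2001:db8:1::", 64, 1500)
    print("global-source RA accepted:", ra_is_acceptable("2001:db8::1", "ff02::1", 255, ra))
```

The hop-limit and link-local checks are what keep an RA from being injected from off-link; they do nothing against a rogue RA sent by a machine on the same segment, which is why RA Guard has to live in the switch rather than in the host parser.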
Why blocking ICMP causes problems
A common but misguided firewall rule is to block all ICMP to "hide" the network. It hides little (the hosts still answer TCP and UDP, and a blocked Echo Request reveals a filter rather than an empty address) and the real consequences are:
- PMTUD breaks, causing TCP connections to stall on paths with smaller MTUs (common with VPNs and other tunnels, which add encapsulation overhead)
- Diagnostic tools (ping, traceroute) become useless, making network troubleshooting far harder
- On IPv6, blocking ICMPv6 breaks address resolution, router discovery and PMTUD entirely
The correct approach is to rate-limit ICMP Echo Requests from the internet (to blunt ping floods and Smurf-style reflection), to drop Redirects (Type 5) at the border and have hosts ignore them (on Linux, net.ipv4.conf.all.accept_redirects=0), since a forged Redirect can steer a host's traffic through an attacker, and to let all other ICMP types, especially Type 3 (Destination Unreachable) and Type 11 (Time Exceeded), pass freely in both directions. Stateful firewalls can tighten this further by admitting an error message only when the IP header it quotes matches an existing connection. One caveat for detection teams: Echo payloads are arbitrary bytes, so ICMP tunnelling tools use them as a covert channel for command-and-control or exfiltration; the answer is to alert on unusually large or high-entropy Echo payloads and sustained Echo volume, not to block the type.
Frequently Asked Questions
What does ping use ICMP for?
Ping sends an ICMP Echo Request (Type 8) to a host and waits for an Echo Reply (Type 0) carrying the same identifier and sequence number. The round-trip time is the measured latency. No reply means the host is down, unreachable, dropping Echo Requests, or behind a filter on the path that drops the request or the reply.
How does traceroute use ICMP?
Traceroute sends packets with incrementally increasing TTL values. Each router that decrements TTL to zero returns an ICMP Time Exceeded message (Type 11), revealing its IP address and the RTT to reach it — mapping each hop along the path to the destination.
Should I block ICMP on my firewall?
Never block all ICMP. Type 3 code 4 (Fragmentation Needed) is essential for PMTUD, and blocking it causes MTU black holes and stalled TCP connections. Rate-limit Echo Requests from the internet if needed, drop Redirects (Type 5), and always allow Destination Unreachable and Time Exceeded messages in both directions. On IPv6 the same applies to Packet Too Big (Type 2), and Neighbor Discovery traffic must be left alone on the local link or hosts cannot obtain addresses or find their router.