ICMP Type 11 Packet Payload Size

What is the size of the payload of the ICMP packet with type 11, i.e. time out? Since it contains the IP header and the first 8 bytes of the IP packet payload generating the ICMP message, I thought its size was 20 + 8 = 28.

I am reproducing some common user traffic with TTL = 1. In the ICMP messages that I dropped, I noticed that:

  • all ICMP packets generated by UDP packets have a payload of 28 bytes
  • all those generated by TCP packets have a payload of 40 bytes

Since I need to map ICMP-exceeded messages to packets that ran them by comparing these bytes, this information is important, but I cannot understand why this is happening.

+6
source share
3 answers

The problem is that you are quoting an 8-byte header payload from RFC 792, Page 4, but the requirements have been modified by RFC 1812 ...

Time Exceeded Message (in RFC 792)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RFC 1812, section 4.3.2.3 significantly increases the allowable payload in the ICMP error message (emphasis mine):

4.3.2.3 Original message header

Historically, each ICMP error message included an Internet header and at least the first 8 bytes of the datagram data that caused the error. This is no longer adequate due to the use of IP-in-IP tunneling and other technologies. Therefore, the ICMP datagram MUST contain as much of the original datagram as possible without the ICMP datagram length exceeding 576 bytes. The returned IP header (and user data) MUST be identical to that which was received, except that the router is not required to discard changes to the IP header that are normally made to those that were made before the error was detected (for example, decreasing TTL or update options).

ICMP errors that you generate from Scapy packets must contain all the information from the IP and TCP layers of the source packet.

+5
source

As you noted, the ICMP payload is the IP header plus 8 octets of the original packet payload. However, IP headers do not always have a length of 20 octets; 20 is the minimum. The IP header itself can contain parameters, and the length of the header is indicated by the value in the IHL field of the header. See Section 3.1 of RFC 791. Thus, it looks like TCP packets have 12 extra octets of options in their IP headers. RFC 791 defines some standard parameters, such as source routing and timing. You will need to decode the header to determine which parameters are used.

+1
source

I would like to add for future reference that not only ICMP utility values vary in size, as Mike said, they can also be longer than 128 bytes in the case of ICMP extensions for MPLS. See this project for more details.

+1
source
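
An added example, not part of the question or of any answer above: a Python parser that builds a matching key from the datagram quoted in a Time Exceeded message. It reads the header length from IHL instead of assuming 20 bytes, so it works whether 28, 40 or more bytes are quoted. The names `QuotedKey` and `parse_time_exceeded`, the helper builders and the sample packets are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

class QuotedKey(NamedTuple):
    proto: int
    src: str
    dst: str
    ip_id: int
    sport: int
    dport: int
    tcp_seq: Optional[int]  # None for UDP

def parse_time_exceeded(icmp: bytes) -> Optional[QuotedKey]:
    """Return a match key from an ICMP type 11 message, or None if unusable."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 11:
        return None
    quoted = icmp[8:]                      # skip type, code, checksum, unused
    ihl = (quoted[0] & 0x0F) * 4           # real header length, 20..60 bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None
    proto = quoted[9]
    if proto not in (6, 17):               # only TCP and UDP are keyed on ports
        return None
    ip_id, = struct.unpack("!H", quoted[4:6])
    src, dst = (".".join(map(str, quoted[i:i + 4])) for i in (12, 16))
    # First 8 transport bytes are always present: ports, then TCP seq or UDP len/csum
    sport, dport, word = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return QuotedKey(proto, src, dst, ip_id, sport, dport,
                     word if proto == 6 else None)

# --- constructed sample data (checksums left at 0, not validated) ---
def ipv4(proto: int, ident: int, l4: bytes, options: bytes = b"") -> bytes:
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(l4), ident,
                       0, 1, proto, 0, bytes([192, 0, 2, 10]),
                       bytes([198, 51, 100, 7])) + options + l4

def time_exceeded(quoted: bytes) -> bytes:
    return struct.pack("!BBHI", 11, 0, 0, 0) + quoted

UDP_L4 = struct.pack("!HHHH", 40000, 33434, 8, 0)
TCP_L4 = struct.pack("!HHIIBBHHH", 40001, 443, 0x01020304, 0, 0x50, 2, 64240, 0, 0)
SAMPLE_UDP = time_exceeded(ipv4(17, 0x1111, UDP_L4))                   # 20 + 8  = 28
SAMPLE_TCP = time_exceeded(ipv4(6, 0x2222, TCP_L4))                    # 20 + 20 = 40
SAMPLE_OPT = time_exceeded(ipv4(6, 0x3333, TCP_L4[:8], b"\x01" * 12))  # 32 + 8  = 40

if __name__ == "__main__":
    for msg in (SAMPLE_UDP, SAMPLE_TCP, SAMPLE_OPT):
        print(len(msg) - 8, parse_time_exceeded(msg))
```

The two 40-byte samples show why the quoted length alone does not tell you where the transport header starts: one is a 20-byte IP header followed by a full TCP header, the other a 32-byte IP header followed by 8 bytes.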

Source: https://habr.com/ru/post/922058/

