ICMPv4 (Internet Control Message Protocol)

The Internet Control Message Protocol (ICMPv4) is an essential companion to IPv4, defined in RFC 792 (September 1981), designed to communicate control and error messages in IP-based networks.

Though often associated with tools like ping and traceroute, ICMP isn't a transport protocol per se - it operates at the network layer and uses IP (protocol number 1) to report issues like unreachable hosts or TTL expiry.

While RFC 792 is the core specification, ICMPv4 has been enhanced, deprecated, and extended through several RFCs:

  • RFC 1122 updates network requirements for ICMP.
  • RFC 1812 clarifies router-related behaviors.
  • RFC 1191 covers Path MTU Discovery, which uses ICMP type 3 code 4.
  • RFC 1256 and RFC 1393 define Router Discovery (types 9 and 10).
  • RFC 4884 adds extended (multi-part) ICMP message support.
  • RFC 6918 formally deprecates outdated message types/codepoints.

ICMP Datagram Structure & Header

IPv4 Encapsulation

  • ICMP messages are embedded in an IPv4 packet where:
    • Version = 4
    • Protocol = 1 (ICMP)
    • TTL, source/destination and checksum fields follow as usual.

ICMP Header (first 8 bytes)

| Field | Size (bits) | Description |
|----------------|-------------|----------------------------------------------------------------------|
| Type | 8 | Identifies message class |
| Code | 8 | Provides subtype detail within each message type |
| Checksum | 16 | Verifies ICMP header and payload integrity |
| Rest of Header | 32 | Varies by type (e.g., ID+Seq for Echo; unused or pointer for errors) |

Type and Code are mandatory; checksum covers the ICMP header and payload.

ICMPv4 Message Types & Common Codes

According to IANA (updated April 2025) and other technical references, here's a comprehensive list of core ICMPv4 Types:

Informational (Query) Messages

  • Type 8: Echo Request
    • Code 0
  • Type 0: Echo Reply
    • Code 0
  • Type 9: Router Advertisement
    • Code 0
  • Type 10: Router Solicitation
    • Code 0
  • Deprecated: Timestamp (13/14), Information Request/Reply (15/16), Address Mask Request/Reply (17/18).

Error Messages

  • Type 3: Destination Unreachable
    • Codes 0–15 detailing reasons (e.g., network unreachable, port unreachable, fragmentation needed, etc.)
  • Type 4: Source Quench (deprecated)
  • Type 5: Redirect
    • Codes 0–3 (network/host, TOS distinctions)
  • Type 11: Time Exceeded
    • Code 0 = TTL expired, Code 1 = Fragment reassembly timeout
  • Type 12: Parameter Problem
    • Code 0 = pointer error, Code 1 = missing option, Code 2 = bad length

Extensions

  • Type 42/43: Extended Echo, defined in RFC 8335 (not as common)
  • Experimental types: 253 and 254 for experimentation
  • Multi-part message support for types 3, 11, 12 via RFC 4884

Field-by-Field Breakdown

Type (8 bits)

Specifies the category: Echo (0/8), Error (3, 11, 12), Router Discovery (9, 10), etc.

Code (8 bits)

Gives subtype detail, especially critical for types 3, 5, 11, 12, etc. Values defined in IANA registry.

Checksum (16 bits)

A CRC-like checksum across the entire ICMP header and payload, calculated by zeroing this field and then summing.

Type-specific Data (32 bits or more)

  • Echo messages: Contains Identifier and Sequence Number.
  • Error messages: Contains unused (usually zero) or a pointer (in parameter-problem messages).
  • Redirect (Type 5): Contains new router IP in that space.

Payload

  • In queries (Echo), includes user data.
  • In error messages, carries the triggering packet’s IPv4 header plus first 64 bits of data to help hosts identify the issue.
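The field layout above can be checked mechanically on received messages. The following parser is an added example, not code from Penzzer or from any RFC. It assumes the IP header has already been stripped, implements the checksum as the 16-bit one's-complement sum that RFC 792 specifies, and takes its code ranges from the type table on this page. The function names and the `build_echo_request` sample builder are hypothetical.

```python
import struct

# Code ranges from the type table on this page; other types count as unknown.
VALID_CODES = {0: range(1), 3: range(16), 5: range(4), 8: range(1),
               9: range(1), 10: range(1), 11: range(2), 12: range(3)}
ERROR_TYPES = {3, 5, 11, 12}   # messages that quote the triggering packet


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement of the one's-complement sum of the data."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp(msg: bytes) -> dict:
    """Parse one ICMPv4 message and report integrity and plausibility flags."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    mtype, code, cksum = struct.unpack("!BBH", msg[:4])
    rest = msg[4:8]
    out = {"type": mtype, "code": code, "checksum": cksum,
           # Summing the message with its checksum in place yields 0 if valid.
           "checksum_ok": internet_checksum(msg) == 0,
           "code_known": code in VALID_CODES.get(mtype, ())}
    if mtype in (0, 8):                      # Echo: Identifier + Sequence
        out["id"], out["seq"] = struct.unpack("!HH", rest)
    elif mtype == 5:                         # Redirect: new router address
        out["gateway"] = ".".join(str(b) for b in rest)
    elif mtype == 12:                        # Parameter Problem: pointer
        out["pointer"] = rest[0]
    if mtype in ERROR_TYPES:
        # Errors quote the offending IPv4 header plus at least 8 data bytes.
        quoted = msg[8:]
        ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        out["quote_ok"] = ihl >= 20 and len(quoted) >= ihl + 8
    return out


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample: an Echo Request carrying a correct checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]
```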

Extensions (RFC 4884)

Optional multi-part header and objects may follow certain error messages, containing length info, etc.

Summary of ICMPv4 Types and Codes

| Type | Name | Code(s) and Description |
|------|----------------------------|---------------------------------------------------------------------------|
| 0 | Echo Reply | Code 0 |
| 3 | Destination Unreachable | Codes 0–15: e.g., net unreachable, port unreachable, fragmentation needed |
| 4 | Source Quench (Deprecated) | Code 0 |
| 5 | Redirect | Codes 0–3: redirect for network, host, or TOS |
| 8 | Echo Request | Code 0 |
| 9 | Router Advertisement | Code 0 |
| 10 | Router Solicitation | Code 0 |
| 11 | Time Exceeded | Code 0 = TTL expired; Code 1 = fragment reassembly timeout |
| 12 | Parameter Problem | Codes 0–2: pointer error, missing option, bad length |
| 13 | Timestamp Request | Code 0 (Deprecated) |
| 14 | Timestamp Reply | Code 0 (Deprecated) |
| 15 | Information Request | Code 0 (Deprecated) |
| 16 | Information Reply | Code 0 (Deprecated) |
| 17 | Address Mask Request | Code 0 (Deprecated) |
| 18 | Address Mask Reply | Code 0 (Deprecated) |
| 42 | Extended Echo Request | Defined in RFC 8335 |
| 43 | Extended Echo Reply | Defined in RFC 8335 |
| 253 | Experimental | For experimental use |
| 254 | Experimental | For experimental use |

Why ICMP Matters

  • Diagnostics: ping (Echo) and traceroute (Time Exceeded and Destination Unreachable for TTL-exceeded routes) heavily rely on ICMP.
  • Error signaling: Inform hosts about unreachable networks, ports, or malformed packets.
  • Path MTU Discovery: Routers send Fragmentation Needed (Type 3 Code 4) to help packets fit path constraints.
  • Router Discovery: Hosts learn default gateways via Types 9 and 10.

Fuzzing ICMP with Penzzer

Penzzer, our fuzz‑testing powerhouse, excels at uncovering vulnerabilities in ICMP‑capable devices, routers, switches, IoT devices, network stacks, and firewall appliances, using the following strategies:

Protocol-Aware ICMP State Modeling

  • Implements state machines for:
    • Echo request/reply sequences
    • Path MTU interactions (IP + ICMP interplay)
    • TTL expiration handling (Time Exceeded)
  • Enables grammar-aware packet generation fuzzing that tweaks Type/Code combinations and payload fields.

Intelligent Field Generation

Penzzer targets segments like:

  • Checksum: corruption, off-by-one errors
  • Code values: using invalid codes (e.g., Type 3 Code 16–255)
  • Extended headers: crafting RFC 4884 compliant/violating extensions
  • Payload size: oversized/undersized data, alignment anomalies

Crash Detection and Triage

  • Sends mutated ICMP to target
  • Observes crashes, hangs, assertions
  • Automatically extracts minimized input, correlates with crash signatures, and generates triage-ready reports

Lab Case Study: ICMP Redirect Exploit

In one test, Penzzer replaced a Type 5 redirect's "gateway" field with an IPv4 malloc pointer, triggering a use-after-free vulnerability. By combining ICMP fuzzing with code coverage, Penzzer identified the precise crash location and produced a vulnerability report along with reproducible inputs.

Extending to Multi-Part ICMP

Penzzer supports RFC 4884 multi-part ICMP:

  • Fuzzes extension header entries and object headers
  • Crafts overlapping/invalid object lengths
  • Tests parsers for safety against integer-overflow and boundary-check issues
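The boundary checks that such test cases exercise look like this on the receiving side. This is an added example of a defensive RFC 4884 extension walker, not Penzzer's code or any vendor's parser. It assumes the ICMPv4 layout from RFC 4884 (length field in the second byte of the "rest of header" word, counted in 32-bit words; a 4-byte extension header with version 2; objects carrying a 16-bit length that includes their own header). The function name is hypothetical, and validation of the extension checksum is left out.

```python
import struct

EXT_TYPES = {3, 11, 12}          # types this page lists as multi-part capable


def parse_rfc4884(msg: bytes) -> list:
    """Return [(class_num, c_type, payload), ...]; raise ValueError if malformed.

    Every length read from the wire is compared with the bytes actually
    received before it is used as a slice bound.
    """
    if len(msg) < 8 or msg[0] not in EXT_TYPES:
        raise ValueError("not an extensible ICMPv4 error message")
    quoted_len = msg[5] * 4      # ICMPv4 length field counts 32-bit words
    if quoted_len == 0:
        return []                # no length attribute: nothing declared
    ext = 8 + quoted_len
    if len(msg) < ext:
        raise ValueError("length field points past end of message")
    if len(msg) == ext:
        return []                # length set, but no extension appended
    if quoted_len < 128:
        raise ValueError("quoted datagram must be padded to >= 128 octets")
    if len(msg) - ext < 4:
        raise ValueError("truncated extension header")
    if msg[ext] >> 4 != 2:
        raise ValueError("unsupported extension version")
    objects, pos = [], ext + 4
    while pos < len(msg):
        if len(msg) - pos < 4:
            raise ValueError("truncated object header")
        obj_len, class_num, c_type = struct.unpack("!HBB", msg[pos:pos + 4])
        # obj_len includes its own 4-byte header: a value below 4 would stall
        # the walk, a value beyond the buffer would over-read.
        if obj_len < 4 or obj_len > len(msg) - pos:
            raise ValueError(f"bad object length {obj_len} at offset {pos}")
        objects.append((class_num, c_type, msg[pos + 4:pos + obj_len]))
        pos += obj_len
    return objects
```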
