Loading learning content...
In the physical world, when a letter cannot be delivered, the postal service returns it with a clear explanation: "Address Unknown," "No Such Number," or "Refused." The Internet operates on the same principle. When an IP datagram cannot reach its intended destination, the network doesn't simply discard it in silence—it generates an ICMP Destination Unreachable message to inform the sender precisely why delivery failed.
This feedback mechanism is fundamental to how the Internet self-diagnoses. Without Destination Unreachable messages, applications would wait indefinitely for responses that will never come, network administrators would have no visibility into routing failures, and troubleshooting would become an exercise in blind guesswork.
The Destination Unreachable message (ICMP Type 3) is the most frequently encountered error message in IP networks and serves as the primary mechanism through which routers and hosts communicate delivery failures back to the original sender.
By the end of this page, you will understand the complete structure of Destination Unreachable messages, master all 16 code variations, comprehend the circumstances triggering each code, and know how to interpret these messages during network troubleshooting. You'll gain the precision needed to diagnose connectivity issues like an experienced network engineer.
The ICMP Destination Unreachable message follows a precisely defined format specified in RFC 792 and extended by subsequent RFCs. Understanding this structure is essential for packet analysis and protocol interpretation.
The complete message consists of:
This design ensures the sender can identify exactly which transmission failed by examining the returned original packet fragment.
| Byte Position | Field | Size (bits) | Description |
|---|---|---|---|
| 0 | Type | 8 | Value = 3 (Destination Unreachable) |
| 1 | Code | 8 | Specific unreachable reason (0-15) |
| 2-3 | Checksum | 16 | Error-checking for ICMP message |
| 4-5 | Unused | 16 | Set to zero (except for Code 4) |
| 6-7 | Next-Hop MTU | 16 | Only used when Code = 4 |
| 8-27 | Original IP Header | 160+ | Complete original IP header |
| 28-35 | Original Data | 64 | First 8 bytes of original datagram's data |
The original IP header plus 8 bytes of data captures critical identification information. For TCP, this includes source and destination ports (4 bytes) plus the sequence number (4 bytes). For UDP, this includes both ports (4 bytes) and the length/checksum (4 bytes). This allows the source host to identify exactly which TCP connection or UDP session failed.
12345678910111213141516
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type (3) | Code | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Unused (zeros) | Next-Hop MTU |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| |+ Original IP Header (20-60 bytes) +| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| First 8 Bytes of Original Datagram |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Total Minimum Size: 36 bytes (8 + 20 + 8)Maximum Size: 68 bytes (8 + 60 + 8) with max IP optionsKey Structural Elements:
Type Field (Value 3): The Type field value of 3 universally identifies this as a Destination Unreachable message across all compliant IP implementations. Any packet analyzer or operating system network stack recognizes this constant.
Code Field: This is the critical discriminator that specifies why the destination was unreachable. The 16 defined codes cover different failure scenarios from network-level routing problems to host-level service unavailability.
Checksum: Calculated over the entire ICMP message using the standard Internet checksum algorithm (one's complement sum). This ensures message integrity during transit.
Next-Hop MTU: This field is only meaningful when Code = 4 (fragmentation needed but DF set). In all other cases, this field must be zero. When populated, it communicates the maximum packet size the next-hop link can accommodate, enabling Path MTU Discovery.
The Code field in Destination Unreachable messages provides granular insight into delivery failure reasons. Originally, RFC 792 defined codes 0-5. Subsequent RFCs extended this to 16 codes (0-15), each representing a distinct failure mode.
Understanding these codes is essential for:
| Code | Name | Generator | RFC |
|---|---|---|---|
| 0 | Network Unreachable | Router | RFC 792 |
| 1 | Host Unreachable | Router | RFC 792 |
| 2 | Protocol Unreachable | Host | RFC 792 |
| 3 | Port Unreachable | Host | RFC 792 |
| 4 | Fragmentation Needed and DF Set | Router | RFC 792 |
| 5 | Source Route Failed | Router | RFC 792 |
| 6 | Destination Network Unknown | Router | RFC 1122 |
| 7 | Destination Host Unknown | Router | RFC 1122 |
| 8 | Source Host Isolated | Router | RFC 1122 |
| 9 | Network Administratively Prohibited | Router | RFC 1122 |
| 10 | Host Administratively Prohibited | Router | RFC 1122 |
| 11 | Network Unreachable for TOS | Router | RFC 1122 |
| 12 | Host Unreachable for TOS | Router | RFC 1122 |
| 13 | Communication Administratively Prohibited | Router/Firewall | RFC 1812 |
| 14 | Host Precedence Violation | Router | RFC 1812 |
| 15 | Precedence Cutoff in Effect | Router | RFC 1812 |
Note which entity generates each code. Codes 0-1 and 4-15 are generated by routers during packet forwarding. Codes 2-3 are generated by destination hosts. This distinction helps pinpoint where in the network path the failure occurred.
Let's examine each code in depth to understand when it's generated and what it indicates about the network state.
Code 0: Network Unreachable and Code 1: Host Unreachable are the most fundamental routing failure indicators. They inform the sender that the packet could not be forwarded because the routing infrastructure lacks a path to the destination.
The distinction is subtle but critical. Network Unreachable means the routing infrastructure itself doesn't know how to get there—a macro-level problem. Host Unreachable means we can get to the right neighborhood but can't find the specific house—a micro-level problem. This distinction dramatically narrows troubleshooting scope.
Practical Troubleshooting Implications:
For Network Unreachable (Code 0):
For Host Unreachable (Code 1):
While Codes 0-1 indicate routing-layer failures, Code 2: Protocol Unreachable and Code 3: Port Unreachable indicate application-layer delivery failures. These are generated by the destination host itself, not by intermediate routers.
This is a frequently tested concept. UDP generates ICMP Port Unreachable (Type 3, Code 3) when no process listens on the destination port. TCP does NOT use ICMP for this—instead, it responds with a TCP RST (Reset) segment. This asymmetry exists because TCP is connection-oriented and has its own signaling mechanism.
1234567891011121314151617181920
# Terminal 1: Start packet capture on the server (no service on port 9999)sudo tcpdump -i eth0 'icmp or udp port 9999' -nn # Terminal 2: Send UDP packet to unused portecho "test" | nc -u 192.168.1.100 9999 # tcpdump output will show:# 10:15:32.123456 IP 192.168.1.50.54321 > 192.168.1.100.9999: UDP, length 5# 10:15:32.123789 IP 192.168.1.100 > 192.168.1.50: ICMP 192.168.1.100 # udp port 9999 unreachable, length 41 # Detailed packet analysis with tsharktshark -i eth0 -f 'icmp and icmp[0]=3' -V # Output shows:# Internet Control Message Protocol# Type: 3 (Destination unreachable)# Code: 3 (Port unreachable)# Checksum: 0x1234 [correct]# [Original datagram details follow...]Why Port Unreachable Matters for Troubleshooting:
Receiving a Port Unreachable message is actually good news from a connectivity standpoint—it proves:
The only problem is that no application is listening. This dramatically narrows the troubleshooting focus to the application layer: Is the service started? Is it bound to the correct interface/port? Is there a local firewall rule blocking it?
Code 4: Fragmentation Needed and Don't Fragment was Set is perhaps the most critical Destination Unreachable code for modern Internet operation. It forms the foundation of Path MTU Discovery (PMTUD), the mechanism that enables efficient packet sizing across heterogeneous network paths.
Different network links have different Maximum Transmission Unit (MTU) sizes. Ethernet typically uses 1500 bytes, but tunnels, VPNs, PPPoE, and WAN links often have smaller MTUs. When a packet exceeds the MTU of a link, it must either be fragmented or dropped.
The Fragmentation Dilemma:
When an IP packet arrives at a router and is too large for the outgoing link:
When the DF bit is set and the packet is too large, the router:
This MTU value tells the sender the maximum packet size that will traverse this link successfully.
| Technology | MTU (bytes) | Notes |
|---|---|---|
| Standard Ethernet | 1500 | Most common LAN MTU |
| PPPoE (DSL) | 1492 | 8 bytes overhead from PPPoE header |
| GRE Tunnel | 1476 | 24 bytes GRE + IP header overhead |
| IPsec Tunnel (ESP) | 1438 | Variable; depends on encryption |
| VXLAN | 1450 | 50 bytes VXLAN overhead |
| Internet minimum | 576 | Required minimum for IPv4 |
| Jumbo Frames | 9000 | Data center environments |
Some misconfigured firewalls block ALL ICMP, including Code 4 messages. This creates PMTUD black holes where large packets silently disappear with no error feedback. The TCP connection stalls mysteriously. This is a major cause of "some websites work, some don't" problems—small pages load, large pages hang.
123456789101112131415161718192021222324252627
# Test path MTU to a destination (Linux)# -M do: Set DF bit (Do fragment prohibition)# -s: Packet size (subtract 28 for IP+ICMP headers) # Start with 1500-byte packetsping -M do -s 1472 destination.example.com# If ICMP Code 4 received, reduce size # Binary search to find exact path MTUping -M do -s 1400 destination.example.com # Success?ping -M do -s 1450 destination.example.com # Too big?ping -M do -s 1425 destination.example.com # Finding the boundary... # Windows equivalentping -f -l 1472 destination.example.com # Using tracepath (shows MTU at each hop)tracepath destination.example.com # Sample output:# 1: 192.168.1.1 0.512ms pmtu 1500# 2: 10.0.0.1 2.341ms pmtu 1492# 3: 172.16.0.1 5.123ms pmtu 1400# 4: destination.example.com 15.234ms reached # Capture ICMP Type 3 Code 4 specificallytcpdump -i eth0 'icmp[0]=3 and icmp[1]=4' -nn -vPMTUD Operational Details:
Initial Behavior: Modern TCP implementations set the DF bit on all packets. They start by assuming the Path MTU equals the local interface MTU (typically 1500 bytes for Ethernet).
Adaptation Process:
Caching: Hosts cache discovered Path MTU values (typically for 10 minutes) to avoid rediscovery on every connection.
TCP MSS Negotiation: Applications can also avoid PMTUD issues by using TCP's Maximum Segment Size option during connection establishment, set appropriately for known low-MTU paths.
Modern networks employ extensive access control through firewalls, ACLs, and security policies. When traffic is blocked by administrative policy (rather than routing failure), specific ICMP codes communicate this:
These codes reveal security policy information to potential attackers. Many security-conscious administrators configure firewalls to silently DROP packets rather than REJECT with ICMP. Silent drops provide no feedback to port scanners but make legitimate troubleshooting harder. This is a classic security-vs-usability tradeoff.
Practical Interpretation:
Receiving an administrative prohibition code indicates:
Common Firewall Behaviors:
| Firewall Action | ICMP Response | Security Posture | Usability |
|---|---|---|---|
| REJECT | Type 3, Code 13 | Lower (reveals policy) | Higher (clear feedback) |
| DROP (silent) | None | Higher (no info leak) | Lower (timeout waiting) |
| REJECT + Log | Type 3, Code 13 | Balanced | Higher |
1234567891011121314151617
# REJECT with ICMP administratively prohibited (Code 13)iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j REJECT \ --reject-with icmp-admin-prohibited # REJECT with host unreachable (Code 1)iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 23 -j REJECT \ --reject-with icmp-host-unreachable # REJECT with port unreachable (Code 3) - for UDPiptables -A INPUT -p udp --dport 53 -j REJECT \ --reject-with icmp-port-unreachable # Silent DROP (no ICMP response)iptables -A INPUT -s 192.168.0.0/16 -j DROP # List available ICMP reject typesiptables -j REJECT --help | grep icmpThe remaining codes address specialized scenarios. While less common than Codes 0-4 and 9-13, understanding them completes your mastery of ICMP destination unreachable semantics.
| Code | Name | Detailed Explanation |
|---|---|---|
| 5 | Source Route Failed | The packet specified source routing (strict or loose), but a router along the path could not forward to the next specified hop. Rare in modern networks where source routing is typically disabled. |
| 6 | Destination Network Unknown | Subtly different from Code 0. The routing table explicitly knows the network does not exist (vs. simply having no route). Legacy; rarely seen today. |
| 7 | Destination Host Unknown | Similar distinction from Code 1. The host is confirmed non-existent, not just unreachable. Generated when DNS confirms no such host exists. Rarely implemented. |
| 8 | Source Host Isolated | The source host's network is administratively isolated. Historical; virtually obsolete in modern networks. |
| 11 | Network Unreachable for TOS | A route exists for the destination network, but not for the requested Type of Service (TOS/DSCP value). QoS-constrained path unavailable. |
| 12 | Host Unreachable for TOS | The host is reachable, but not via a path that satisfies the requested TOS. More granular than Code 11. |
| 14 | Host Precedence Violation | The precedence (priority) level requested is not allowed for communication with this destination. Part of IP Precedence (legacy QoS mechanism). |
| 15 | Precedence Cutoff in Effect | Network operators have established a minimum precedence level for traffic, and this packet falls below the cutoff. Used for priority traffic engineering. |
Codes 11 and 12 (TOS unreachable) are increasingly relevant in modern networks with Software-Defined WAN (SD-WAN) and MPLS deployments. When traffic with specific DSCP markings must follow particular paths (e.g., voice over low-latency links), these codes indicate that no compliant path exists.
Source Route Failed (Code 5) Deep Dive:
Source routing allows senders to specify exact router hops a packet must traverse. Two variants exist:
Code 5 is generated when:
Security Note: Source routing is widely disabled as a security measure. Attackers can use it to bypass security controls or spoof addresses. Most modern firewalls block source-routed packets, making Code 5 extremely rare in practice.
Destination Unreachable messages are invaluable for network diagnostics. Understanding how to deliberately trigger and interpret these messages enables systematic troubleshooting.
123456789101112131415161718192021222324252627282930313233343536373839404142434445
#!/bin/bash# Comprehensive connectivity diagnostic script TARGET="$1"PORT="${2:-80}" echo "=== Connectivity Diagnostic for $TARGET:$PORT ===" # Step 1: Basic ICMP reachabilityecho -e "\n[1] Basic ping test..."if ping -c 3 -W 2 "$TARGET" &>/dev/null; then echo " ✓ Host responds to ICMP echo"else echo " ✗ No ICMP echo response (filtered or down)"fi # Step 2: TCP port testecho -e "\n[2] TCP port $PORT connectivity..."timeout 3 bash -c "echo > /dev/tcp/$TARGET/$PORT" 2>/dev/nullcase $? in 0) echo " ✓ TCP port $PORT is open" ;; 1) echo " ✗ TCP RST received - port closed" ;; *) echo " ✗ Connection failed (timeout/unreachable)" ;;esac # Step 3: UDP test with nc (will show ICMP Port Unreachable if no service)echo -e "\n[3] UDP port $PORT test..."timeout 2 nc -u -z -v "$TARGET" "$PORT" 2>&1 | head -2 # Step 4: Path MTU discoveryecho -e "\n[4] Path MTU test..."for size in 1472 1400 1300 1200; do if ping -M do -c 1 -s $size "$TARGET" &>/dev/null; then echo " Path MTU >= $((size + 28)) bytes" break fidone # Step 5: Monitor ICMP responses in backgroundecho -e "\n[5] Capturing ICMP Destination Unreachable messages..."echo " (Run in separate terminal for real-time capture)"echo " Command: sudo tcpdump -i any 'icmp[0]=3' -nn -v" echo -e "\n=== Diagnostic Complete ===" Wireshark automatically decodes ICMP Destination Unreachable messages, showing the type, code, and helpfully extracts the original packet details. Filter with icmp.type == 3 to see only Destination Unreachable messages. Add && icmp.code == 4 to focus on PMTUD issues specifically.
Troubleshooting Decision Tree:
Packet sent → No response received
├── Is destination host pingable?
│ ├── YES → Application layer issue
│ │ └── Check: Port Unreachable (Code 3), Protocol Unreachable (Code 2)
│ └── NO → Network layer issue
│ ├── ICMP Type 3 received?
│ │ ├── Code 0 → Check routing tables upstream
│ │ ├── Code 1 → Check last-hop connectivity/ARP
│ │ ├── Code 4 → PMTUD issue; reduce packet size
│ │ ├── Code 9/10/13 → Administrative block; check ACLs
│ │ └── Other → Refer to code table
│ └── No ICMP at all → Firewall silently dropping; check rules
This systematic approach uses ICMP codes to rapidly narrow down failure domains, transforming hours of blind troubleshooting into minutes of targeted diagnosis.
The ICMP Destination Unreachable message is the IP network's primary mechanism for communicating delivery failures. Mastery of its 16 codes enables precise network diagnostics.
You now have comprehensive understanding of ICMP Destination Unreachable messages. You can interpret each code, understand when and where they're generated, and apply this knowledge to network troubleshooting. Next, we'll explore Time Exceeded messages—the foundation of traceroute.