Loading learning content...
While ICMP error messages are generated reactively when problems occur, ICMP also defines a category of messages that work proactively—allowing hosts and routers to actively query the network for information.
These query messages follow a request/reply model: a host sends a specific question, and the target (or intermediate routers) responds with an answer. This enables essential diagnostic capabilities that every network engineer relies upon.
The most famous query message is undoubtedly the Echo Request/Reply pair—better known as ping. But ICMP's query arsenal extends beyond connectivity testing to include time synchronization, network configuration discovery, and router identification. Understanding these messages transforms ICMP from an abstract protocol into a powerful diagnostic toolkit.
By the end of this page, you will understand all ICMP query message types and their purposes, how Echo Request/Reply enables ping and related tools, the role of Identifier and Sequence Number fields in matching requests to replies, Timestamp messages for measuring network latency, Address Mask queries for subnet discovery, and Router Solicitation/Advertisement for gateway discovery.
Before diving into specific query types, let's clearly distinguish ICMP's two fundamental message categories. This distinction affects how messages are generated, processed, and secured.
Error Messages (Unsolicited)
Error messages are generated automatically when something goes wrong with packet delivery. The sender never "asked" for these messages—they appear unexpectedly when routers or hosts encounter problems. Error messages are unsolicited and reactive.
Query Messages (Solicited)
Query messages follow a request/reply pattern where one host actively sends a query and expects a specific response. The reply is meaningless without the original request, and request/reply pairs share identification fields. Query messages are solicited and proactive.
| Characteristic | Error Messages | Query Messages |
|---|---|---|
| Initiation | Automatic on error condition | Deliberate request by host |
| Expectation | Sender doesn't expect them | Sender expects and waits for reply |
| Pairing | Independent messages | Request/Reply pairs |
| Identification | References original packet | Uses Identifier + Sequence Number |
| Purpose | Report problems that occurred | Actively probe for information |
| Timing | Generated when problem happens | Sent whenever application chooses |
| Examples | Dest Unreachable, Time Exceeded | Echo, Timestamp, Address Mask |
Matching Requests to Replies
Query messages use two fields to correlate requests with replies:
Identifier (16 bits): Typically the process ID of the application sending the query. This allows multiple simultaneous ping processes on the same host to distinguish their responses.
Sequence Number (16 bits): Incremented for each request sent. This allows the sender to detect lost packets, out-of-order responses, and duplicate replies.
When a host receives an Echo Request, it sends an Echo Reply with the identical Identifier and Sequence Number. The sender uses these to match the reply to the original request, calculate round-trip time, and detect loss.
Using process ID as the Identifier ensures uniqueness without coordination. If two users run ping simultaneously on the same machine, each process uses its own PID as Identifier, guaranteeing their replies don't get confused. This simple convention enables multiple concurrent ping operations on any host.
The Echo Request (Type 8) and Echo Reply (Type 0) messages form the foundation of the ping utility—perhaps the most widely used network diagnostic tool in existence. Their simplicity belies their power: a single ping can reveal host reachability, network latency, packet loss, and routing path stability.
Operational Principle
Echo works on a simple contract:
The key requirement: any data in the Request must be returned unchanged in the Reply. This allows applications to embed checksums, timestamps, or patterns to verify data integrity and measure precise timing.
Echo Message Structure
Echo Request and Echo Reply share identical structures (differing only in the Type field):
1234567891011121314151617181920
# ICMP Echo Request (Type 8) / Echo Reply (Type 0) Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type (8/0) | Code (0) | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Identifier | Sequence Number |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Data || (Variable length, echoed back) |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ # Field details:# Type: 8 for Echo Request, 0 for Echo Reply# Code: Always 0# Checksum: Covers entire ICMP message# Identifier: Usually process ID (enables multiple ping processes)# Sequence Number: Incremented per request (enables loss/order detection)# Data: Application-defined payload, typically includes timestampWhat Ping Reveals
A successful ping exchange provides rich diagnostic information:
1. Reachability: Receiving a reply confirms end-to-end connectivity. The packet traversed all routers and the destination host is alive.
2. Round-Trip Time (RTT): Time from sending request to receiving reply measures network latency. Ping typically shows minimum, average, and maximum RTT.
3. Packet Loss: Unanswered requests indicate loss somewhere in the path. Could be congestion, filtering, or failures.
4. TTL in Response: The TTL value in the reply indicates remaining hops. Original TTL minus reply TTL gives approximate distance. Also reveals OS (Linux=64, Windows=128, Cisco=255).
5. Jitter: Variance in RTT over multiple pings indicates network stability. High jitter suggests congestion or routing instability.
6. Data Integrity: If ping includes meaningful data patterns, matching validates that no corruption occurred in transit.
1234567891011121314151617181920212223242526272829303132333435
# Standard ping showing all key metrics$ ping -c 5 8.8.8.8PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=14.2 ms64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=13.8 ms64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=14.1 ms64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=13.9 ms64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=14.0 ms --- 8.8.8.8 ping statistics ---5 packets transmitted, 5 received, 0% packet loss, time 4006msrtt min/avg/max/mdev = 13.800/14.000/14.200/0.141 ms # Analysis:# - Reachability: Yes (5/5 replies received)# - RTT: ~14ms average (acceptable for internet destination)# - Packet Loss: 0% (excellent)# - TTL: 117 (original was likely 128, so ~11 hops away)# - Jitter: Very low (0.141ms standard deviation) # Ping with specific packet size (testing MTU)$ ping -c 3 -s 1472 -M do 8.8.8.8# -s 1472 = 1472 bytes data + 8 ICMP header + 20 IP header = 1500 MTU# -M do = Don't Fragment flag set # Ping revealing packet loss$ ping -c 10 problem-host.example.com...10 packets transmitted, 7 received, 30% packet loss, time 9012ms # Ping timeout (host unreachable or filtered)$ ping -c 3 filtered.example.comPING filtered.example.com (203.0.113.50) 56(84) bytes of data.--- filtered.example.com ping statistics ---3 packets transmitted, 0 received, 100% packet loss, time 2003msA host may respond to ping but still have application-layer problems. Ping only confirms IP-layer reachability. The HTTP server could be crashed, the firewall could block port 443 while allowing ICMP, or DNS could resolve to the wrong IP. Always combine ping with application-specific tests.
Beyond basic connectivity testing, Echo Request/Reply enables sophisticated diagnostic techniques. Understanding these transforms ping from a simple yes/no tool into a powerful network analyzer.
Technique 1: MTU Discovery via Ping
By sending Echo Requests with the Don't Fragment (DF) flag and varying sizes, you can discover the Path MTU:
This is faster than waiting for TCP's PMTUD and useful for diagnosing "connection works but large transfers fail" problems.
| Situation | Expected PMTU | Cause |
|---|---|---|
| Standard Ethernet | 1500 bytes | Ethernet frame limit |
| PPPoE DSL | 1492 bytes | 8 bytes PPPoE overhead |
| VPN Tunnel (IPsec) | ~1400 bytes | Encryption + tunnel headers |
| GRE Tunnel | 1476 bytes | 24 bytes GRE overhead |
| MPLS Network | 1496-1508 bytes | 4 bytes per MPLS label |
| Jumbo Frames (DC) | 9000 bytes | Enterprise DC configuration |
Technique 2: Flood Ping for Stress Testing
Flood ping sends Echo Requests as fast as possible without waiting for replies. This tests:
Caution: Flood ping can constitute a denial-of-service attack. Only use on networks you own/control with proper authorization.
Technique 3: Record Route and Source Route
Some ping implementations can use IP Options to record the route taken or specify a source route. While deprecated for security reasons, understanding the concept aids protocol comprehension.
Technique 4: Continuous Monitoring
Running ping continuously (no count limit) creates a simple availability monitor:
Tools like fping and smokeping build on this for production monitoring.
123456789101112131415161718192021222324252627
# MTU Discovery with ping$ ping -c 1 -M do -s 1472 target.example.com # Test 1500 byte MTU$ ping -c 1 -M do -s 1464 target.example.com # Test 1492 byte MTU$ ping -c 1 -M do -s 1372 target.example.com # Test 1400 byte MTU # Flood ping (requires root, use with caution!)$ sudo ping -f -c 1000 target.example.com# Output: .................... (each . = reply, lost packets not shown)# Summary: 1000 transmitted, 998 received, 0.2% loss # Ping with specific TTL (useful for layer 3 troubleshooting)$ ping -c 1 -t 5 target.example.com# If target is >5 hops away, get "Time Exceeded" from hop 5 # Continuous ping with timestamp (monitoring)$ ping -D target.example.com | tee ping_log.txt# [1673451234.567890] 64 bytes from target.example.com: icmp_seq=1 ... # Ping multiple hosts simultaneously (scripted)$ for host in host1 host2 host3; do ping -c 1 -W 1 $host & done; wait # fping for rapid multi-host checking$ fping -g 192.168.1.0/24192.168.1.1 is alive192.168.1.10 is alive192.168.1.50 is unreachable...If you see sequence numbers arrive out of order (e.g., seq=3 before seq=2), this indicates packet reordering in the network—likely from asymmetric routing, load balancing, or parallel paths. Occasional reordering is normal; persistent reordering can cause TCP performance issues and indicates routing instability.
ICMP Timestamp Request (Type 13) and Timestamp Reply (Type 14) were designed for measuring network transit times with greater precision than Echo. While largely obsoleted by NTP for time synchronization, understanding these messages provides insight into network timing measurement.
Purpose and Operation
Timestamp messages contain three timestamp fields:
By comparing these values, the source can calculate:
123456789101112131415161718192021222324
# ICMP Timestamp Request (Type 13) / Reply (Type 14) Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type (13/14)| Code (0) | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Identifier | Sequence Number |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Originate Timestamp |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Receive Timestamp |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Transmit Timestamp |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ # Timestamps are 32-bit values representing milliseconds since midnight UTC# Maximum value: 86,400,000 (24 hours * 60 minutes * 60 seconds * 1000 ms) # Processing:# 1. Source sets Originate = current time, sends Request# 2. Destination sets Receive = arrival time, copies Originate# 3. Destination sets Transmit = send time, sends Reply# 4. Source calculates delays from the three timestampsCalculating Delays
Given the three timestamps, the source can compute:
Round-Trip Time = (Arrival of Reply − Originate) − (Transmit − Receive)
Forward Delay = Receive − Originate (requires synchronized clocks)
Backward Delay = Arrival of Reply − Transmit (requires synchronized clocks)
Processing Time = Transmit − Receive (time spent at destination)
Why Timestamp is Rarely Used Today
Timestamp messages have significant limitations:
ICMP Timestamp predates NTP (1985). In early networks with no standard time synchronization, it provided a primitive way to estimate clock differences. Today, NTP achieves millisecond accuracy within LANs and sub-100ms globally, making ICMP Timestamp obsolete for time synchronization but still interesting for protocol study.
ICMP Address Mask Request (Type 17) and Address Mask Reply (Type 18) were designed for diskless workstations and similar devices that boot without knowing their subnet mask. A host would broadcast an Address Mask Request, and routers would respond with the appropriate subnet mask.
Historical Context
In early networking, hosts often obtained their IP address via RARP (Reverse ARP) or BOOTP, but these protocols didn't always provide subnet mask information. ICMP Address Mask filled this gap, allowing hosts to learn their subnet configuration after obtaining an IP address.
Message Format
1234567891011121314151617181920
# ICMP Address Mask Request (Type 17) / Reply (Type 18) Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type (17/18)| Code (0) | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Identifier | Sequence Number |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Address Mask |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ # In Request: Address Mask field is typically zero# In Reply: Address Mask contains the subnet mask (e.g., 255.255.255.0) # Example operation:# 1. Diskless host boots, gets IP 192.168.1.100 via BOOTP# 2. Host doesn't know subnet mask, broadcasts Address Mask Request# 3. Router 192.168.1.1 responds with Address Mask Reply: 255.255.255.0# 4. Host configures interface with learned subnet maskWhy Address Mask is Obsolete
This mechanism is rarely used today for several reasons:
Most modern operating systems and routers do not respond to Address Mask Requests. This is a security best practice. DHCP has completely supplanted this mechanism for network configuration. If you see Address Mask traffic on your network, investigate—it may indicate either very old equipment or reconnaissance activity.
ICMP Router Advertisement (Type 9) and Router Solicitation (Type 10) implement ICMP Router Discovery Protocol (IRDP), defined in RFC 1256. This mechanism allows hosts to discover local routers without static configuration.
Operational Model
12345678910111213141516171819202122232425262728293031
# ICMP Router Advertisement (Type 9) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type=9 | Code=0 | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| NumAddrs | Entry Size | Lifetime |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Router Address 1 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Preference Level 1 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Router Address 2 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Preference Level 2 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... # NumAddrs: Number of router addresses in this message# Entry Size: Size of each entry in 32-bit words (usually 2)# Lifetime: Seconds this advertisement is valid# Preference Level: Higher = more preferred router (signed 32-bit) # ICMP Router Solicitation (Type 10)# Simple structure—just header, no data:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type=10 | Code=0 | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Reserved |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Preference Level
Routers can advertise a preference level to influence which router hosts select as their default gateway. Use cases include:
Preference is a signed 32-bit integer where higher = more preferred. Typical values:
Why IRDP is Rarely Used
While IRDP provides automatic gateway discovery, it has been largely supplanted:
Don't confuse ICMPv4 Router Discovery (IRDP) with ICMPv6 Router Advertisement. ICMPv6 RA is fundamental to IPv6 operation—it's how hosts learn IPv6 prefixes, default gateways, and trigger SLAAC. IPv6 networks depend on ICMPv6 RA in ways that IPv4 never depended on ICMP router discovery.
ICMP Information Request (Type 15) and Information Reply (Type 16) are formally obsolete and included here only for completeness and understanding historical context.
Original Purpose
In the early ARPANET, hosts sometimes knew only their network number but needed to determine their complete IP address. Information Request/Reply was designed for a host to ask "what is my full IP address?"—sending a request with just the network portion, hoping a router would respond with the complete address.
Why This Never Worked Well
The design had fundamental problems:
Current Status
Understanding why Information Request failed helps appreciate why DHCP's designed succeeded—it provides all necessary configuration (IP, mask, gateway, DNS) from an authoritative server in a single, authenticated transaction.
Certification exams (CCNA, CompTIA Network+) may mention Information Request/Reply as obsolete ICMP types. Know that Type 15 = Information Request and Type 16 = Information Reply, but note they're unused. This demonstrates protocol evolution—not all designs succeed, and obsolete features should be recognized.
ICMP query messages provide proactive diagnostic capabilities, allowing hosts to actively interrogate the network rather than passively waiting for error reports. We've explored all major query types:
| Type | Message | Status | Modern Alternative |
|---|---|---|---|
| 8/0 | Echo Request/Reply | Active — Powers ping | None needed—still essential |
| 13/14 | Timestamp Request/Reply | Obsolete | NTP for time synchronization |
| 17/18 | Address Mask Request/Reply | Obsolete | DHCP for configuration |
| 9/10 | Router Advertisement/Solicitation | Rarely used | DHCP gateway; VRRP/HSRP |
| 15/16 | Information Request/Reply | Obsolete | DHCP for configuration |
What's Next
We've now covered both ICMP error messages and query messages. Next, we'll examine ICMP encapsulation—how ICMP messages are packaged within IP packets, their relationship to the IP header, and how ICMP travels through networks. Understanding this encapsulation is crucial for packet analysis and firewall rule configuration.
You now understand how ICMP query messages enable active network diagnostics. You can explain the ping mechanism in detail, interpret query message fields, and recognize which query types remain relevant versus those obsoleted by modern protocols. Next, we examine how ICMP messages are encapsulated within IP packets.