Icmp Message Types - Learning Module

Loading content...

0/228

Parameter Problem

The Network's Syntax Error Report

In programming, when you write code with a syntax error, the compiler doesn't just fail silently—it tells you exactly where the problem is: "Error on line 42, column 15: unexpected token." This precision lets you fix the bug immediately rather than searching the entire codebase.

IP packets also have syntax rules. Header fields must contain valid values, options must be properly formatted, and lengths must be consistent. When a router or host encounters a packet with malformed header data that prevents normal processing, it generates an ICMP Parameter Problem (Type 12) message.

What makes Parameter Problem unique is its Pointer field: an 8-bit value that pinpoints the exact byte offset where the error occurred. This transforms debugging from "something is wrong with your packet" to "byte 23 of your IP header has an invalid value." For network engineers troubleshooting obscure issues, this precision is invaluable.

What You Will Learn

By the end of this page, you will understand the complete mechanics of ICMP Parameter Problem messages, how the Pointer field pinpoints errors, the three code values and their meanings, common causes of parameter problems, and diagnostic techniques. You'll gain the ability to diagnose malformed packet issues with professional precision.

Message Structure and Pointer Field

The ICMP Parameter Problem message has a unique structure among ICMP error messages. While other error messages have an "Unused" field that must be zero, Parameter Problem uses that space for a Pointer that identifies the problematic byte.

ICMP Parameter Problem Message Structure

Packet Layout

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type (12)   |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Pointer    |                  Unused (zeros)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                 Original IP Header (20-60 bytes)              +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              First 8 Bytes of Original Datagram              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
Type:     12 (Parameter Problem)
Code:     0 = Pointer indicates the error location
          1 = Missing a required option
          2 = Bad length
Pointer:  Byte offset (0-indexed) in original IP header where error found
Unused:   24 bits, must be zero

Understanding the Pointer Field

The Pointer is a 0-indexed byte offset into the original IP header. Pointer = 0 means byte 0 (the Version/IHL byte). Pointer = 8 means the Source IP Address begins. Pointer = 12 means the Destination IP Address begins. Values beyond the standard header (20+) point to IP options.

Common Pointer Values and Their Meaning
Pointer Value	IP Header Field	Common Error
0	Version/IHL	Invalid IP version or IHL too small
1	Type of Service (DSCP/ECN)	Rare; usually accepted regardless of value
2-3	Total Length	Length inconsistent with packet size received
4-5	Identification	Very rare; usually any value accepted
6-7	Flags/Fragment Offset	Invalid flag combination
8	TTL	TTL = 0 (though Type 11 is usually used instead)
9	Protocol	Unknown protocol number
10-11	Header Checksum	Checksum mismatch
12-15	Source IP Address	Invalid source address (e.g., broadcast)
16-19	Destination IP Address	Invalid destination address
20+	Options	Malformed IP option (most common)

The Pointer's Precision Value:

Without the Pointer, troubleshooting would involve:

Capture the original packet
Manually inspect every header field
Guess which field the router rejected

With the Pointer:

Receive Parameter Problem with Pointer = 24
Look at byte 24 of the original IP header → This is in the Options area
Immediately know the problem is with an IP option

This precision transforms hours of debugging into seconds of focused analysis.

Code Values in Detail

The Code field provides additional context about the type of parameter problem encountered. Three codes are defined for IPv4:

Code 0: Pointer Indicates Error

•Most common code — The Pointer field contains the byte offset of the erroneous field
•Generated when: Router/host finds an unacceptable value in a specific header location
•Examples: Invalid IHL value, unknown protocol, malformed option
•Diagnostic approach: Examine the byte at the Pointer offset in the original header
•Response expected: Source should fix the identified field before resending

Code 1: Missing Required Option

•Less common — A required IP option was not present
•Generated when: Router requires certain security or routing options that are absent
•Historical context: Military/government networks sometimes required specific options
•Pointer usage: May point to where the option should have been, or be set to 0
•Modern relevance: Rare; most networks don't mandate specific IP options

Code 2: Bad Length

•Specific to length fields — A length value is invalid
•Generated when: IHL, Total Length, or Option Length values are inconsistent
•Examples: IHL says 5 (20 bytes) but options are present; Total Length > actual packet size
•Pointer usage: Points to the length field in question
•Common cause: Packet corruption, buggy network stack implementation

Practical Distribution of Codes

In practice, Code 0 dominates. Codes 1 and 2 are rarely seen because: (1) Required options (Code 1) are uncommon in modern networks, (2) Length problems (Code 2) are often detected as checksum failures first, (3) Many implementations just use Code 0 for all parameter problems.

Common Causes of Parameter Problems

Understanding what triggers Parameter Problem messages helps in both prevention and diagnosis. Most causes fall into identifiable categories.

Parameter Problem Causes and Diagnostics
Cause Category	Specific Examples	Typical Pointer Value
Invalid IP Version	Version field ≠ 4 (for IPv4 processing)	0
IHL Too Small	IHL < 5 (minimum 20 bytes)	0
IHL Too Large	IHL > actual header size	0
Length Mismatch	Total Length doesn't match actual packet	2
Invalid Flags	Reserved bit set, conflicting fragment flags	6
Unknown Protocol	Protocol number not implemented	9
Checksum Failure	Header checksum doesn't validate	10
Invalid Source IP	Source = broadcast address	12
Malformed Options	Option length > remaining header, invalid option code	20+
Option Processing	Source routing specifies unreachable hop	Variable in options

IP Options Problems (Most Common)

•Option type unknown or unsupported
•Option length extends beyond header
•Option length = 0 (infinite loop potential)
•Source route specifies unreachable hop
•Timestamp option has invalid flags
•Security option fails policy check

Basic Header Problems

•MTU exceeded without DF (if fragmentation disabled)
•Packet truncated before complete header received
•Header checksum mismatch
•Version field corrupted
•IHL specifies impossible header length
•Total length claims more bytes than received

IP Options Are the Primary Cause

The vast majority of Parameter Problem messages relate to IP options. Modern networks rarely use IP options (security concerns, performance overhead, firewall blocking), so receiving Parameter Problem often indicates: (1) Legacy application using options, (2) Network equipment injecting options, (3) Malicious packets crafted with intentionally malformed options.

IP Options and Parameter Problems

Since IP options are the primary source of Parameter Problem messages, understanding option structure is essential for diagnosis.

IP Options Format

Structure

IP Option Format (TLV - Type, Length, Value):
 
Single-byte options (no length/value):
+-+-+-+-+-+-+-+-+
|    Option     |   → End of Options List (0) or No Operation (1)
+-+-+-+-+-+-+-+-+
 
Multi-byte options:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|    Option     |    Length     |     Data...      
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 
Option Type breakdown:
+-+-+-+-+-+-+-+-+
|C|CL |  Number |
+-+-+-+-+-+-+-+-+
 ↑ ↑↑     ↑
 | ||     └── Option number (5 bits)
 | |└──────── Class (0=control, 2=debugging/measurement)
 | └───────── Copy bit (copy to all fragments?)
 └─────────── Copied flag
 
Common Option Types:
  0   = End of Options List
  1   = No Operation (padding)
  7   = Record Route
  68  = Timestamp
  131 = Loose Source Routing
  137 = Strict Source Routing
  148 = Router Alert

Option-Related Parameter Problems:

Scenario 1: Unknown Option Type

Original packet contains option type 99 (undefined)
Router doesn't recognize this option
→ Parameter Problem (Type 12, Code 0)
→ Pointer = byte position of the unknown option type

Scenario 2: Invalid Option Length

Loose Source Route option present
Option says length = 23 bytes
But only 10 bytes remain in IP header
→ Parameter Problem (Type 12, Code 2)
→ Pointer = byte position of the length field

Scenario 3: Exhausted Option Space

Record Route option is collecting hop addresses
Option is full (all allocated slots used)
Router cannot add its address
→ Parameter Problem (Type 12, Code 0)
→ Pointer = position of the pointer subfield in option

Why Modern Networks Avoid IP Options

IP options require per-packet processing in the router's slow path (CPU, not hardware forwarding). They're also security risks (source routing enables bypass of security controls). Many firewalls block all packets with IP options. This is why Parameter Problem messages from options are rare in normal traffic but common in attack traffic.

Diagnostic Techniques

When you receive a Parameter Problem message or capture one in traffic, a systematic approach reveals the exact issue.

Analyzing Parameter Problem Messages
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Capture Parameter Problem messages
sudo tcpdump -i any 'icmp[0]=12' -nn -vv -X
 
# Sample output (annotated):
# 15:30:45.123456 IP 192.168.1.1 > 10.0.0.100: 
#     ICMP parameter problem - pointer = 24, length 56
#
# Interpretation:
# - 192.168.1.1: Router/host that rejected the packet
# - 10.0.0.100: Original source (receiving this error)
# - pointer = 24: Error at byte 24 (first byte of IP options)
 
# Detailed analysis with tshark
tshark -i eth0 -f 'icmp[0]=12' -V
 
# Output shows:
# Internet Control Message Protocol
#     Type: 12 (Parameter problem)
#     Code: 0 (Pointer indicates the error)
#     Checksum: 0x1234 [correct]
#     Pointer: 24
#     [This points to byte 24 in the original datagram]
#     [Original datagram follows...]
 
# Manual byte analysis:
# Given Pointer = 24, and basic IP header is 20 bytes:
# Byte 24 = byte 4 of IP options (offset 20-23 = first option)
# Look at what option is at that position
 
# Wireshark filter for Parameter Problem
# icmp.type == 12
 
# With specific pointer value (e.g., options area)
# icmp.type == 12 && icmp[4] >= 20

Systematic Diagnosis Steps

•Capture the Parameter Problem message — Get the full ICMP packet including the original IP header and 8 bytes
•Extract the Pointer value — This is byte 4 of the ICMP message (after Type, Code, Checksum)
•Map Pointer to field — Use the IP header layout to identify which field the Pointer indicates
•Examine the original header — Look at the actual bytes at that position in the encapsulated original header
•Identify the specific problem — Invalid value? Malformed option? Length mismatch?
•Trace to source — Determine what system originally generated the problematic packet
•Fix or filter — Update the source system or filter the problematic traffic

Example Diagnosis:

Received ICMP Parameter Problem:
  Type: 12, Code: 0, Pointer: 0
  
Original IP Header (hex): 34 00 00 54 12 34 ...
                          ^^ 
                          Byte 0 = 0x34

Interpretation:
  - Byte 0 contains Version (high nibble) and IHL (low nibble)
  - 0x34 = Version 3, IHL 4
  - Version 3 is INVALID (should be 4 for IPv4)
  - IHL 4 means 16 bytes, but minimum is 20 (IHL=5)
  
Conclusion: Corrupted packet or non-IP traffic misrouted

IPv6 Parameter Problem Differences

IPv6 enhances the Parameter Problem message with additional codes and a larger pointer field.

IPv4 vs IPv6 Parameter Problem Comparison
Aspect	IPv4 (ICMPv4)	IPv6 (ICMPv6)
Type Number	12	4
Pointer Size	8 bits (0-255)	32 bits (0-4,294,967,295)
Pointer Scope	Header only (max ~60 bytes)	Can point into extension headers
Code 0	Pointer indicates error	Erroneous header field encountered
Code 1	Missing required option	Unrecognized Next Header type
Code 2	Bad length	Unrecognized IPv6 option
Code 3	N/A	IPv6 First Fragment has incomplete header chain

ICMPv6 Parameter Problem Enhancements:

32-bit Pointer: IPv6's extension header model means problems can occur far beyond byte 60. The 32-bit pointer can identify errors in any extension header, regardless of how many headers are chained.

Code 1 (Unrecognized Next Header): This is critical for IPv6 evolution. When a node encounters a Next Header value it doesn't recognize, it sends Parameter Problem Code 1. This provides feedback about unsupported extensions.

Code 2 (Unrecognized Option): Hop-by-Hop and Destination Options headers contain TLV options. Code 2 reports unknown option types—essential for option negotiation and capability detection.

Code 3 (First Fragment Incomplete): If the first fragment of an IPv6 packet doesn't contain the complete extension header chain, this code is generated. It prevents processing packets where header structure can't be determined.

ICMPv6 Parameter Problem Structure

Packet Layout

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type (4)  |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Pointer (32-bit)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                As much of invoking packet as possible         +
+               without exceeding MTU (typically 1280)          +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
ICMPv6 Type 4 Codes:
  0 = Erroneous header field encountered
  1 = Unrecognized Next Header type encountered  
  2 = Unrecognized IPv6 option encountered
  3 = IPv6 First Fragment has incomplete IPv6 Header Chain

Extension Header Implications

IPv6's extension header model (Hop-by-Hop, Routing, Fragment, Authentication, ESP, Destination) can create long header chains. The 32-bit Pointer is essential for identifying problems in, say, byte 150—impossible with IPv4's 8-bit pointer. This reflects IPv6's more flexible but more complex header architecture.

Security Considerations

Parameter Problem messages have specific security implications, both as indicators of attack traffic and as potential attack vectors themselves.

Security Indicators

•Attack Traffic Indicator: Malformed packets often indicate attack attempts. Seeing Parameter Problem for unusual option types or malformed headers may signal reconnaissance or exploitation attempts.
•Evasion Technique Detection: Attackers craft packets with unusual headers to evade security devices. Parameter Problem responses reveal that such packets are reaching (and being rejected by) parts of your network.
•IDS Signature Triggers: Specific Pointer values and patterns can trigger Intrusion Detection System rules. Parameter Problem for source routing options is particularly suspicious.
•Denial of Service: Flooding with malformed packets forces routers to generate Parameter Problem responses, consuming CPU. Rate-limiting ICMP generation mitigates this.
•Information Leakage: Parameter Problem responses confirm that a host/router exists and is processing packets—potentially useful for reconnaissance.

Parameter Problem in Attack Scenarios
Attack Type	Parameter Problem Role	Defensive Action
IP Option Attacks	Malformed options trigger response	Block packets with IP options at perimeter
Protocol Fuzzing	Invalid protocol numbers reveal stack behavior	Rate-limit ICMP generation
Fragmentation Attacks	Inconsistent fragment parameters	Use fragment reassembly timeouts
Reconnaissance	Parameter Problem confirms host presence	Consider limiting ICMP responses
Version Confusion	Non-IPv4 traffic processed as IPv4	Verify ingress filtering

Monitoring Parameter Problems for Security
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Monitor for Parameter Problem messages (potential attack indicator)
sudo tcpdump -i eth0 'icmp[0]=12' -nn -c 100 -w param_problems.pcap
 
# Count Parameter Problems over time
sudo tcpdump -i eth0 'icmp[0]=12' -nn -q 2>/dev/null | \
    awk '{print strftime("%Y-%m-%d %H:%M")}' | uniq -c
 
# Alert on high frequency (simple bash monitoring)
while true; do
    count=$(timeout 60 tcpdump -i eth0 'icmp[0]=12' -nn -c 50 2>/dev/null | wc -l)
    if [ "$count" -ge 50 ]; then
        echo "ALERT: High Parameter Problem rate detected: $count/min"
        # Send alert to security team
    fi
    sleep 60
done
 
# Snort/Suricata rule for Parameter Problem monitoring
# alert icmp any any -> any any (msg:"ICMP Parameter Problem"; 
#     itype:12; classtype:misc-activity; sid:1000001; rev:1;)
 
# Security-focused logging
iptables -A INPUT -p icmp --icmp-type parameter-problem \
    -j LOG --log-prefix "ICMP ParamProb: " --log-level info

Baseline Before Alerting

Before treating Parameter Problem as an attack indicator, establish your network's baseline. Some legitimate traffic patterns (VoIP with certain QoS markings, legacy applications with IP options, experimental protocols) may trigger occasional Parameter Problems. Alert on anomalies above baseline, not on mere presence.

Real-World Troubleshooting Scenarios

Let's walk through realistic scenarios where Parameter Problem messages provide diagnostic insight.

Scenario 1: Legacy Application Failure

•Symptom: 20-year-old industrial control application suddenly stops communicating
•Investigation: Capture shows ICMP Parameter Problem (Type 12, Code 0, Pointer 20)
•Analysis: Pointer 20 = first byte of IP options. Application uses Record Route option
•Root cause: New firewall was deployed that blocks packets with IP options
•Solution: Create firewall exception for this specific application's traffic, or update application

Scenario 2: Network Equipment Bug

•Symptom: Intermittent connectivity from specific subnet; some packets never arrive
•Investigation: Capture shows Parameter Problem (Type 12, Code 2, Pointer 2)
•Analysis: Pointer 2 = Total Length field. Code 2 = Bad Length
•Root cause: Buggy NIC driver on aging server corrupting Total Length field
•Solution: Update NIC driver; if unavailable, replace network card

Scenario 3: MTU/Fragmentation Issue

•Symptom: VPN tunnel works for small transfers, fails for large ones
•Investigation: Capture shows Parameter Problem for tunnel packets
•Analysis: Pointer indicates fragment offset field issues
•Root cause: Tunnel adds overhead; fragmentation creates malformed fragments
•Solution: Reduce MTU on tunnel interfaces; enable Path MTU Discovery

The Value of Capture Early

When troubleshooting connectivity issues, start packet capture immediately. Parameter Problem messages are transient—once you stop seeing them, you've lost diagnostic data. Capture both at the source and near where you suspect the problem occurs.

Summary: Mastering Parameter Problem

ICMP Parameter Problem is the network's syntax error reporter, providing precise diagnostics for malformed packet headers. While less common than other ICMP types, its Pointer field makes it invaluable when header issues arise.

Key Takeaways

•Type 12 = Parameter Problem — Reports header field errors that prevent normal packet processing
•Pointer field pinpoints the error — 8-bit offset (0-indexed) into the original IP header showing the problematic byte
•Three codes defined: Code 0 (pointer indicates error—most common), Code 1 (missing required option), Code 2 (bad length)
•IP options are the primary cause — Malformed options, unknown option types, and exhausted option space trigger most Parameter Problems
•Diagnostic precision — Map the Pointer to IP header fields for immediate identification of the problem
•IPv6 enhances the message — 32-bit Pointer for extension header chains, additional codes for Next Header and option issues
•Security implications — May indicate attack traffic; also useful for detecting evasion attempts
•Rare but significant — When you see Parameter Problem, pay attention—something unusual is happening

Module Complete!

Congratulations! You've completed the comprehensive study of ICMP Message Types. You now understand all five major error message types: Destination Unreachable, Time Exceeded, Redirect, Source Quench, and Parameter Problem. This knowledge enables professional-level network diagnostics and troubleshooting. Continue to the next module to explore Ping and Traceroute—practical applications of ICMP query messages.

Parameter Problem

The Network's Syntax Error Report

What You Will Learn

Message Structure and Pointer Field

ICMP Parameter Problem Message Structure

Packet Layout

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type (12)   |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Pointer    |                  Unused (zeros)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                 Original IP Header (20-60 bytes)              +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              First 8 Bytes of Original Datagram              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
Type:     12 (Parameter Problem)
Code:     0 = Pointer indicates the error location
          1 = Missing a required option
          2 = Bad length
Pointer:  Byte offset (0-indexed) in original IP header where error found
Unused:   24 bits, must be zero

Understanding the Pointer Field

Common Pointer Values and Their Meaning
Pointer Value	IP Header Field	Common Error
0	Version/IHL	Invalid IP version or IHL too small
1	Type of Service (DSCP/ECN)	Rare; usually accepted regardless of value
2-3	Total Length	Length inconsistent with packet size received
4-5	Identification	Very rare; usually any value accepted
6-7	Flags/Fragment Offset	Invalid flag combination
8	TTL	TTL = 0 (though Type 11 is usually used instead)
9	Protocol	Unknown protocol number
10-11	Header Checksum	Checksum mismatch
12-15	Source IP Address	Invalid source address (e.g., broadcast)
16-19	Destination IP Address	Invalid destination address
20+	Options	Malformed IP option (most common)

The Pointer's Precision Value:

Without the Pointer, troubleshooting would involve:

Capture the original packet
Manually inspect every header field
Guess which field the router rejected

With the Pointer:

Receive Parameter Problem with Pointer = 24
Look at byte 24 of the original IP header → This is in the Options area
Immediately know the problem is with an IP option

This precision transforms hours of debugging into seconds of focused analysis.

Code Values in Detail

The Code field provides additional context about the type of parameter problem encountered. Three codes are defined for IPv4:

Code 0: Pointer Indicates Error

•Most common code — The Pointer field contains the byte offset of the erroneous field
•Generated when: Router/host finds an unacceptable value in a specific header location
•Examples: Invalid IHL value, unknown protocol, malformed option
•Diagnostic approach: Examine the byte at the Pointer offset in the original header
•Response expected: Source should fix the identified field before resending

Code 1: Missing Required Option

•Less common — A required IP option was not present
•Generated when: Router requires certain security or routing options that are absent
•Historical context: Military/government networks sometimes required specific options
•Pointer usage: May point to where the option should have been, or be set to 0
•Modern relevance: Rare; most networks don't mandate specific IP options

Code 2: Bad Length

•Specific to length fields — A length value is invalid
•Generated when: IHL, Total Length, or Option Length values are inconsistent
•Examples: IHL says 5 (20 bytes) but options are present; Total Length > actual packet size
•Pointer usage: Points to the length field in question
•Common cause: Packet corruption, buggy network stack implementation

Practical Distribution of Codes

Common Causes of Parameter Problems

Understanding what triggers Parameter Problem messages helps in both prevention and diagnosis. Most causes fall into identifiable categories.

Parameter Problem Causes and Diagnostics
Cause Category	Specific Examples	Typical Pointer Value
Invalid IP Version	Version field ≠ 4 (for IPv4 processing)	0
IHL Too Small	IHL < 5 (minimum 20 bytes)	0
IHL Too Large	IHL > actual header size	0
Length Mismatch	Total Length doesn't match actual packet	2
Invalid Flags	Reserved bit set, conflicting fragment flags	6
Unknown Protocol	Protocol number not implemented	9
Checksum Failure	Header checksum doesn't validate	10
Invalid Source IP	Source = broadcast address	12
Malformed Options	Option length > remaining header, invalid option code	20+
Option Processing	Source routing specifies unreachable hop	Variable in options

IP Options Problems (Most Common)

•Option type unknown or unsupported
•Option length extends beyond header
•Option length = 0 (infinite loop potential)
•Source route specifies unreachable hop
•Timestamp option has invalid flags
•Security option fails policy check

Basic Header Problems

•MTU exceeded without DF (if fragmentation disabled)
•Packet truncated before complete header received
•Header checksum mismatch
•Version field corrupted
•IHL specifies impossible header length
•Total length claims more bytes than received

IP Options Are the Primary Cause

IP Options and Parameter Problems

Since IP options are the primary source of Parameter Problem messages, understanding option structure is essential for diagnosis.

IP Options Format

Structure

IP Option Format (TLV - Type, Length, Value):
 
Single-byte options (no length/value):
+-+-+-+-+-+-+-+-+
|    Option     |   → End of Options List (0) or No Operation (1)
+-+-+-+-+-+-+-+-+
 
Multi-byte options:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|    Option     |    Length     |     Data...      
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 
Option Type breakdown:
+-+-+-+-+-+-+-+-+
|C|CL |  Number |
+-+-+-+-+-+-+-+-+
 ↑ ↑↑     ↑
 | ||     └── Option number (5 bits)
 | |└──────── Class (0=control, 2=debugging/measurement)
 | └───────── Copy bit (copy to all fragments?)
 └─────────── Copied flag
 
Common Option Types:
  0   = End of Options List
  1   = No Operation (padding)
  7   = Record Route
  68  = Timestamp
  131 = Loose Source Routing
  137 = Strict Source Routing
  148 = Router Alert

Option-Related Parameter Problems:

Scenario 1: Unknown Option Type

Original packet contains option type 99 (undefined)
Router doesn't recognize this option
→ Parameter Problem (Type 12, Code 0)
→ Pointer = byte position of the unknown option type

Scenario 2: Invalid Option Length

Loose Source Route option present
Option says length = 23 bytes
But only 10 bytes remain in IP header
→ Parameter Problem (Type 12, Code 2)
→ Pointer = byte position of the length field

Scenario 3: Exhausted Option Space

Record Route option is collecting hop addresses
Option is full (all allocated slots used)
Router cannot add its address
→ Parameter Problem (Type 12, Code 0)
→ Pointer = position of the pointer subfield in option

Why Modern Networks Avoid IP Options

Diagnostic Techniques

When you receive a Parameter Problem message or capture one in traffic, a systematic approach reveals the exact issue.

Analyzing Parameter Problem Messages
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Capture Parameter Problem messages
sudo tcpdump -i any 'icmp[0]=12' -nn -vv -X
 
# Sample output (annotated):
# 15:30:45.123456 IP 192.168.1.1 > 10.0.0.100: 
#     ICMP parameter problem - pointer = 24, length 56
#
# Interpretation:
# - 192.168.1.1: Router/host that rejected the packet
# - 10.0.0.100: Original source (receiving this error)
# - pointer = 24: Error at byte 24 (first byte of IP options)
 
# Detailed analysis with tshark
tshark -i eth0 -f 'icmp[0]=12' -V
 
# Output shows:
# Internet Control Message Protocol
#     Type: 12 (Parameter problem)
#     Code: 0 (Pointer indicates the error)
#     Checksum: 0x1234 [correct]
#     Pointer: 24
#     [This points to byte 24 in the original datagram]
#     [Original datagram follows...]
 
# Manual byte analysis:
# Given Pointer = 24, and basic IP header is 20 bytes:
# Byte 24 = byte 4 of IP options (offset 20-23 = first option)
# Look at what option is at that position
 
# Wireshark filter for Parameter Problem
# icmp.type == 12
 
# With specific pointer value (e.g., options area)
# icmp.type == 12 && icmp[4] >= 20

Systematic Diagnosis Steps

•Capture the Parameter Problem message — Get the full ICMP packet including the original IP header and 8 bytes
•Extract the Pointer value — This is byte 4 of the ICMP message (after Type, Code, Checksum)
•Map Pointer to field — Use the IP header layout to identify which field the Pointer indicates
•Examine the original header — Look at the actual bytes at that position in the encapsulated original header
•Identify the specific problem — Invalid value? Malformed option? Length mismatch?
•Trace to source — Determine what system originally generated the problematic packet
•Fix or filter — Update the source system or filter the problematic traffic

Example Diagnosis:

Received ICMP Parameter Problem:
  Type: 12, Code: 0, Pointer: 0
  
Original IP Header (hex): 34 00 00 54 12 34 ...
                          ^^ 
                          Byte 0 = 0x34

Interpretation:
  - Byte 0 contains Version (high nibble) and IHL (low nibble)
  - 0x34 = Version 3, IHL 4
  - Version 3 is INVALID (should be 4 for IPv4)
  - IHL 4 means 16 bytes, but minimum is 20 (IHL=5)
  
Conclusion: Corrupted packet or non-IP traffic misrouted

IPv6 Parameter Problem Differences

IPv6 enhances the Parameter Problem message with additional codes and a larger pointer field.

IPv4 vs IPv6 Parameter Problem Comparison
Aspect	IPv4 (ICMPv4)	IPv6 (ICMPv6)
Type Number	12	4
Pointer Size	8 bits (0-255)	32 bits (0-4,294,967,295)
Pointer Scope	Header only (max ~60 bytes)	Can point into extension headers
Code 0	Pointer indicates error	Erroneous header field encountered
Code 1	Missing required option	Unrecognized Next Header type
Code 2	Bad length	Unrecognized IPv6 option
Code 3	N/A	IPv6 First Fragment has incomplete header chain

ICMPv6 Parameter Problem Enhancements:

Code 2 (Unrecognized Option): Hop-by-Hop and Destination Options headers contain TLV options. Code 2 reports unknown option types—essential for option negotiation and capability detection.

ICMPv6 Parameter Problem Structure

Packet Layout

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type (4)  |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Pointer (32-bit)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                As much of invoking packet as possible         +
+               without exceeding MTU (typically 1280)          +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
ICMPv6 Type 4 Codes:
  0 = Erroneous header field encountered
  1 = Unrecognized Next Header type encountered  
  2 = Unrecognized IPv6 option encountered
  3 = IPv6 First Fragment has incomplete IPv6 Header Chain

Extension Header Implications

Security Considerations

Parameter Problem messages have specific security implications, both as indicators of attack traffic and as potential attack vectors themselves.

Security Indicators

•Attack Traffic Indicator: Malformed packets often indicate attack attempts. Seeing Parameter Problem for unusual option types or malformed headers may signal reconnaissance or exploitation attempts.
•Evasion Technique Detection: Attackers craft packets with unusual headers to evade security devices. Parameter Problem responses reveal that such packets are reaching (and being rejected by) parts of your network.
•IDS Signature Triggers: Specific Pointer values and patterns can trigger Intrusion Detection System rules. Parameter Problem for source routing options is particularly suspicious.
•Denial of Service: Flooding with malformed packets forces routers to generate Parameter Problem responses, consuming CPU. Rate-limiting ICMP generation mitigates this.
•Information Leakage: Parameter Problem responses confirm that a host/router exists and is processing packets—potentially useful for reconnaissance.

Parameter Problem in Attack Scenarios
Attack Type	Parameter Problem Role	Defensive Action
IP Option Attacks	Malformed options trigger response	Block packets with IP options at perimeter
Protocol Fuzzing	Invalid protocol numbers reveal stack behavior	Rate-limit ICMP generation
Fragmentation Attacks	Inconsistent fragment parameters	Use fragment reassembly timeouts
Reconnaissance	Parameter Problem confirms host presence	Consider limiting ICMP responses
Version Confusion	Non-IPv4 traffic processed as IPv4	Verify ingress filtering

Monitoring Parameter Problems for Security
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Monitor for Parameter Problem messages (potential attack indicator)
sudo tcpdump -i eth0 'icmp[0]=12' -nn -c 100 -w param_problems.pcap
 
# Count Parameter Problems over time
sudo tcpdump -i eth0 'icmp[0]=12' -nn -q 2>/dev/null | \
    awk '{print strftime("%Y-%m-%d %H:%M")}' | uniq -c
 
# Alert on high frequency (simple bash monitoring)
while true; do
    count=$(timeout 60 tcpdump -i eth0 'icmp[0]=12' -nn -c 50 2>/dev/null | wc -l)
    if [ "$count" -ge 50 ]; then
        echo "ALERT: High Parameter Problem rate detected: $count/min"
        # Send alert to security team
    fi
    sleep 60
done
 
# Snort/Suricata rule for Parameter Problem monitoring
# alert icmp any any -> any any (msg:"ICMP Parameter Problem"; 
#     itype:12; classtype:misc-activity; sid:1000001; rev:1;)
 
# Security-focused logging
iptables -A INPUT -p icmp --icmp-type parameter-problem \
    -j LOG --log-prefix "ICMP ParamProb: " --log-level info

Baseline Before Alerting

Real-World Troubleshooting Scenarios

Let's walk through realistic scenarios where Parameter Problem messages provide diagnostic insight.

Scenario 1: Legacy Application Failure

•Symptom: 20-year-old industrial control application suddenly stops communicating
•Investigation: Capture shows ICMP Parameter Problem (Type 12, Code 0, Pointer 20)
•Analysis: Pointer 20 = first byte of IP options. Application uses Record Route option
•Root cause: New firewall was deployed that blocks packets with IP options
•Solution: Create firewall exception for this specific application's traffic, or update application

Scenario 2: Network Equipment Bug

•Symptom: Intermittent connectivity from specific subnet; some packets never arrive
•Investigation: Capture shows Parameter Problem (Type 12, Code 2, Pointer 2)
•Analysis: Pointer 2 = Total Length field. Code 2 = Bad Length
•Root cause: Buggy NIC driver on aging server corrupting Total Length field
•Solution: Update NIC driver; if unavailable, replace network card

Scenario 3: MTU/Fragmentation Issue

•Symptom: VPN tunnel works for small transfers, fails for large ones
•Investigation: Capture shows Parameter Problem for tunnel packets
•Analysis: Pointer indicates fragment offset field issues
•Root cause: Tunnel adds overhead; fragmentation creates malformed fragments
•Solution: Reduce MTU on tunnel interfaces; enable Path MTU Discovery

The Value of Capture Early

Summary: Mastering Parameter Problem

Key Takeaways

•Type 12 = Parameter Problem — Reports header field errors that prevent normal packet processing
•Pointer field pinpoints the error — 8-bit offset (0-indexed) into the original IP header showing the problematic byte
•Three codes defined: Code 0 (pointer indicates error—most common), Code 1 (missing required option), Code 2 (bad length)
•IP options are the primary cause — Malformed options, unknown option types, and exhausted option space trigger most Parameter Problems
•Diagnostic precision — Map the Pointer to IP header fields for immediate identification of the problem
•IPv6 enhances the message — 32-bit Pointer for extension header chains, additional codes for Next Header and option issues
•Security implications — May indicate attack traffic; also useful for detecting evasion attempts
•Rare but significant — When you see Parameter Problem, pay attention—something unusual is happening

Module Complete!