ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
A.1 ICMP Messages
ICMP messages are sent in IP datagrams. The protocol number will always be one (ICMP), and
the Type-of-Service will be zero. The IP data field will contain the actual ICMP message:
Bit offsets within each 32-bit row: 0, 4, 8, 16, 31

IP header (20 bytes):
  Row 1: 4-bit Version | 4-bit Header Length | 8-bit type of service (TOS)=0 | 16-bit total length (in bytes)
  Row 2: 16-bit identification | 3-bit Flags | 13-bit Fragment Offset
  Row 3: 8-bit time to live (TTL) | 8-bit protocol=1 (ICMP) | 16-bit header checksum
  Row 4: 32-bit source IP address
  Row 5: 32-bit destination IP address
  Options (if any)

IP Data Field:
  Type | Code | Checksum (4 bytes)
  ICMP data (depending on the type of message)
Figure 10: ICMP Message Format
ICMP error message length
Every ICMP error message includes the Internet (IP) Header and at least the first 8 data octets
(bytes) of the datagram that triggered the error; more than 8 octets (bytes) may be sent; this
header and data must be unchanged from the received datagram.
The TYPE field specifies the type of the message, while the error code for the datagram reported
on by this ICMP message is contained in the CODE field. The code interpretation is dependent
upon the message type.
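The layout and the error-message rule above can be checked mechanically. The following Python parser is an added example, not part of the original paper: it reads the Type and Code fields and recovers the quoted IP header plus the first 8 octets of the triggering datagram. The sample datagram is constructed (documentation addresses, a type 3 / code 3 message quoting a UDP packet), and all function names are hypothetical.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src, dst, proto, payload_len, tos=0, ttl=64):
    """Build a 20-byte IPv4 header without options (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def parse_icmp_error(datagram: bytes) -> dict:
    """Parse an IP datagram carrying an ICMP error and the datagram it quotes."""
    ihl = (datagram[0] & 0x0F) * 4           # header length field counts 32-bit words
    if datagram[9] != 1:
        raise ValueError("IP protocol is not 1 (ICMP)")
    icmp = datagram[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    quoted = icmp[8:]                        # follows type, code, checksum and 4 more bytes
    if len(quoted) < 20 or len(quoted) < (quoted[0] & 0x0F) * 4 + 8:
        raise ValueError("quoted datagram shorter than IP header + 8 octets")
    q_ihl = (quoted[0] & 0x0F) * 4
    # Assumption: the quoted protocol is UDP or TCP, so the 8 octets start with the ports.
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {"tos": datagram[1], "type": icmp[0], "code": icmp[1],
            "orig_src": socket.inet_ntoa(quoted[12:16]),
            "orig_dst": socket.inet_ntoa(quoted[16:20]),
            "orig_proto": quoted[9], "orig_sport": sport, "orig_dport": dport}

def sample_port_unreachable() -> bytes:
    """Constructed sample: UDP 192.0.2.10 -> 198.51.100.7:9 answered with type 3, code 3."""
    udp = struct.pack("!HHHH", 40000, 9, 8, 0)           # first 8 octets of the original data
    original = ip_header("192.0.2.10", "198.51.100.7", 17, len(udp)) + udp
    body = struct.pack("!BBHI", 3, 3, 0, 0) + original   # checksum field zero while summing
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ip_header("198.51.100.7", "192.0.2.10", 1, len(body)) + body

if __name__ == "__main__":
    print(parse_icmp_error(sample_port_unreachable()))
```

Because the quoted header and octets must be unchanged from the received datagram, a monitoring tool can match the recovered addresses and ports against the flows it actually sent and discard ICMP errors that quote traffic it never originated.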