Ping involves sending an ICMP ping request and looking for an ICMP ping response. The ICMP protocol is crucial to the operation of the ping and traceroute protocols. Two of the most common are using the protocol for network scanning/mapping and for data exfiltration and command-and-control. However, an attacker can also actively use ICMP in a number of different ways. Eavesdropping on ICMP packet can help to identify the hosts on a network and if certain systems are up, down or malfunctioning. As such, even passive monitoring of ICMP traffic on a network can provide a wealth of data to an adversary. The ICMP protocol is designed to provide error information and perform simple diagnostic actions (like ping) i.e incident response. Since ICMP is a stateless protocol, these values help to match a response received by the sender to the corresponding request. Next, the packet contains a checksum, which is important since a single bit flip in the type or code can convey a completely different error message.Īfter that, ping packets contain identifiers and sequence numbers. The first two values in the packet are the type and code, indicating the purpose of the packet. The images below show an ICMP ping request and response in Wireshark.Īs shown above, a ping packet (and any ICMP packet in general) is fairly simple. Typing ping into the Windows or Linux terminal will send a series of ping packets and provide a percentage value for the reachability of the destination based upon the number of ping requests that received a response. The purpose of ping is to determine if the system at a certain IP address exists and is currently functional, and that a route to that system can be found. While many ICMP messages are designed to be sent as error messages in response to packets of other protocols, some are designed to implement standalone functionality. For example, a type 3 ICMP message with a 0 code points to issues with the destination network, while a 1 code means that the issue is that the particular host is unreachable. For example, a type value of 3 means that the intended destination is unreachable.įor some types, there are multiple code values intended to provide additional information. Error data in ICMP is carried in two values: the type and the code.Īs shown above, the type of an ICMP packet contains the overall message that the message is intended to convey. ICMP in WiresharkĪs an error messaging protocol, the structure of an ICMP packet is designed to provide the necessary information to the recipient. As a result, an organization’s ICMP traffic should largely be confined inside the network boundary, but it is a common protocol to see in network traffic captures.
0 kommentar(er)
