Lab 6.7.

2: Examining ICMP Packets (Instructor Version)

Topology Diagram

Addressing Table
Device

Interface

IP Address

Subnet Mask

S0/0/0

10.10.10.6

255.255.255.252 N/A

Fa0/0

192.168.254.253 255.255.255.0

S0/0/0

10.10.10.5

255.255.255.252 10.10.10.6

Fa0/0

172.16.255.254

255.255.0.0

N/A

192.168.254.254 255.255.255.0

192.168.254.253

N/A

172.31.24.254

255.255.255.0

N/A

hostPod#A

N/A

172.16.Pod#.1

255.255.0.0

172.16.255.254

hostPod#B

N/A

172.16.Pod#.2

255.255.0.0

172.16.255.254

S1-Central

N/A

172.16.254.1

255.255.0.0

172.16.255.254

R1-ISP
R2-Central
Eagle Server

Default Gateway

N/A
N/A

Learning Objectives
Upon completion of this lab, you will be able to:
All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Understand the format of ICMP packets.

Use Wireshark to capture and examine ICMP messages.

Lab 6.7.2: Examining ICMP Packets

Background
The Internet Control Message Protocol (ICMP) was first defined in RFC 792, September, 1981. ICMP
message types were later expanded in RFC 1700. ICMP operates at the TCP/IP Network layer and is
used to exchange information between devices.
ICMP packets serve many uses in todays computer network. When a router cannot deliver a packet to a
destination network or host, an informational message is returned to the source. Also, the ping and
tracert commands send ICMP messages to destinations, and destinations respond with ICMP
messages.

Scenario
Using the Eagle 1 Lab, Wireshark captures will be made of ICMP packets between network devices.
Depending on the classroom situation, the lab topology may have been modified before this class. It is
best to use one host to verify infrastructure connectivity. If the default web page cannot be accessed from
eagle-server.example.com, troubleshoot end-to-end network connectivity:
1. Verify that all network equipment is powered on, and eagle-server is on.
2. From a known good host computer, ping eagle-server. If the ping test fails, ping S1-Central, R2Central, R1-ISP, and finally eagle-server. Take corrective action on devices that fail ping tests.
3. If an individual host computer cannot connect to eagle-server, check the cable connection
between the host and S1-Central. Verify that the host computer has the correct IP address,
shown in the logical addressing table above, and can ping R2-Central, 172.16.255.254. Verify
that the host computer has the correct Gateway IP address, 172.16.255.254, and can ping R1ISP, 10.10.10.6. Finally, verify that the host has the correct DNS address, and can ping eagleserver.example.com.

Task 1: Understand the Format of ICMP Packets.

Figure 1. ICMP Message Header

Refer to Figure 1, the ICMP header fields common to all ICMP message types. Each ICMP message
starts with an 8-bit Type field, an 8-bit Code field, and a computed 16-bit Checksum. The ICMP message
type describes the remaining ICMP fields. The table in Figure 2 shows ICMP message types from RFC
792:
Value
0
3
4
5
8
11
12
13

Meaning
Echo Reply
Destination Unreachable
Source Quench
Redirect
Echo
Time Exceeded
Parameter Problem
Timestamp

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 2 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Value
14
15
16

Lab 6.7.2: Examining ICMP Packets

Meaning
Timestamp Reply
Information Request
Information Reply

Figure 2. ICMP Message Types

Codes provide additional information to the Type field. For example, if the Type field is 3, destination
unreachable, additional information about the problem is returned in the Code field. The table in Figure 3
shows message codes for an ICMP Type 3 message, destination unreachable, from RFC 1700:

Code
Value
0
1
2
3
4
5
6
7
8
9
10
11
12

Meaning
Net Unreachable
Host Unreachable
Protocol Unreachable
Port Unreachable
Fragmentation Needed and Don't Fragment was Set
Source Route Failed
Destination Network Unknown
Destination Host Unknown
Source Host Isolated
Communication with Destination Network is
Administratively Prohibited
Communication with Destination Host is
Administratively Prohibited
Destination Network Unreachable for Type of Service
Destination Host Unreachable for Type of Service
Figure 3. ICMP Type 3 Message Codes

Using ICMP message capture shown in Figure 4, fill in the fields for the ICMP packet echo request.
Values beginning with 0x are hexadecimal numbers:

Figure 4. ICMP Packet Echo Request

Using the ICMP message capture shown in Figure 5, fill in the fields for the ICMP packet echo reply:
All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 3 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Lab 6.7.2: Examining ICMP Packets

Figure 5. ICMP Packet Echo Reply

At the TCP/IP Network layer, communication between devices is not guaranteed. However, ICMP does
provide minimal checks for a reply to match the request. From the information provided in the ICMP
messages above, how does the sender know that the reply is to a specific echo?
___________________________________________________________________________________
___________________________________________________________________________________
Answer: The identifier is used to identify this host computer, and the sequence number is used to identify
this echo request.

Task 2: Use Wireshark to Capture and Examine ICMP Messages.

Figure 6. Wireshark Download Site

If Wireshark has not been loaded on the pod host computer, it can be downloaded from Eagle Server.
1. Open a web browser, URL FTP://eagleserver.example.com/pub/eagle_labs/eagle1/chapter6, as shown in Figure 6.
2. Right-click the Wireshark filename, click Save Link As, and save the file to the pod host
computer.
3. When the file has been downloaded, open and install Wireshark.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 4 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Lab 6.7.2: Examining ICMP Packets

Step 1: Capture and evaluate ICMP echo messages to Eagle Server.

In this step, Wireshark will be used to examine ICMP echo messages.
1. Open a Windows terminal on the pod host computer.
2. When ready, start Wireshark capture.
C:\> ping eagle-server.example.com
Pinging eagle-server.example.com [192.168.254.254] with 32 bytes of
data:
Reply from 192.168.254.254: bytes=32 time<1ms TTL=63
Reply from 192.168.254.254: bytes=32 time<1ms TTL=63
Reply from 192.168.254.254: bytes=32 time<1ms TTL=63
Reply from 192.168.254.254: bytes=32 time<1ms TTL=63
Ping statistics for 192.168.254.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
Figure 7. Successful ping Replies from Eagle Server
3. From the Windows terminal, ping Eagle Server. Four successful replies should be received from
Eagle Server, as shown in Figure 7.
4. Stop Wireshark capture. There should be a total of four ICMP echo requests and matching echo
replies, similar to those shown in Figure 8.

Figure 8. Wireshark Capture of ping Requests and Replies

Which network device responds to the ICMP echo request? __The destination device______
5. Expand the middle window in Wireshark, and expand the Internet Control Message Protocol
record until all fields are visible. The bottom window will also be needed to examine the Data
field.
6. Record information from the first echo request packet to Eagle Server:
Field
Type

Value
8 (Echo (ping) request)

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 5 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Code
Checksum
Identifier
Sequence number
Data

Lab 6.7.2: Examining ICMP Packets

0
Answers may vary
Answers may vary
Answers may vary
abcdefghijklmnopqrstuvwabcdefghi

Are there 32 bytes of data? ___Yes__

7. Record information from the first echo reply packet from Eagle Server:
Field
Type
Code
Checksum
Identifier
Sequence number
Data

Value
0 (Echo (ping) reply)
0
Answers may vary
Answers may vary
Answers may vary
acdefghijklmnopqrstuvwabcdefghi

Which fields, if any, changed from the echo request?

___Type field and Checksum field___________________________________
Note: The Identifier field may change for subsequent echo request messages, depending on the
operating system. For example, Cisco IOS increments the Identifier field by 1, but Windows keeps the
Identifier field the same.
8. Continue to evaluate the remaining echo requests and replies. Fill in the following information
from each new ping:
Packet
Request # 2
Reply # 2
Request # 3
Reply # 3
Request # 4
Reply # 4

Checksum
Answers
vary
Answers
vary
Answers
vary
Answers
vary
Answers
vary
Answers
vary

Identifier
Answers vary

Sequence number
Answers vary

Same as request #2

Same as request #2

Same as request #2

Answers vary

Same as request #2

Same as request #3

Same as request #2

Answers vary

Same as request #2

Same as request #4

Why did the Checksum values change with each new request?
___________________________________________________________________________________
Answer: While the Identifier remained the same, the sequence number changed.
Step 2: Capture and evaluate ICMP echo messages to 192.168.253.1.
In this step, pings will be sent to a fictitious network and host. The results from the Wireshark capture will
be evaluatedand may be surprising.
Try to ping IP address 192.168.253.1.
C:\> ping 192.168.253.1
All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 6 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Lab 6.7.2: Examining ICMP Packets

C:\> ping 192.168.253.1

Pinging 192.168.253.1 with 32 bytes of data:
Reply from 172.16.255.254: Destination host unreachable.
Reply from 172.16.255.254: Destination host unreachable.
Reply from 172.16.255.254: Destination host unreachable.
Reply from 172.16.255.254: Destination host unreachable.
Ping statistics for 192.168.253.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
Figure 9. Ping Results from a Fictitious Destination
See Figure 9. Instead of a request timeout, there is an echo response.
What network device responds to pings to a fictitious destination?
_____The gateway router_________________________________________________

Figure 10. Wireshark Capture from a Fictitious Destination

Wireshark captures to a fictitious destination are shown in Figure 10. Expand the middle Wireshark
window and the Internet Control Message Protocol record.
Which ICMP message type is used to return information to the sender?
_____Type 3 message___________________________________________________
What is the code associated with the message type?
_____ Code 1, host unreachable._______________________________________________
Step 3: Capture and evaluate ICMP echo messages that exceed the TTL value.
In this step, pings will be sent with a low TTL value, simulating a destination that is unreachable. Ping
Eagle Server, and set the TTL value to 1:
C:\> ping -i 1 192.168.254.254
C:\> ping -i 1 192.168.254.254
Pinging 192.168.254.254 with 32 bytes of data:
Reply from 172.16.255.254: TTL expired in transit.
Reply from 172.16.255.254: TTL expired in transit.
Reply from 172.16.255.254: TTL expired in transit.
Reply from 172.16.255.254: TTL expired in transit.
Ping statistics for 192.168.254.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
Figure 11. Ping Results for an Exceeded TTL
All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 7 of 8

CCNA Exploration
Network Fundamentals: Addressing the Network - IPV4

Lab 6.7.2: Examining ICMP Packets

See Figure 11, which shows ping replies when the TTL value has been exceeded.
What network device responds to pings that exceed the TTL value?
________The gateway router__________________________________________________

Figure 12. Wireshark Capture of TTL Value Exceeded

Wireshark captures to a fictitious destination are shown in Figure 12. Expand the middle Wireshark
window and the Internet Control Message Protocol record.
Which ICMP message type is used to return information to the sender?
________Type 11 message__________________________________________________
What is the code associated with the message type?
________ Code 0, Time to live exceeded in transit __________________________________________
Which network device is responsible for decrementing the TTL value?
_________ Routers decrement the TTL value._________________________________________

Task 3: Challenge
Use Wireshark to capture a tracert session to Eagle Server and then to 192.168.254.251. Examine the
ICMP TTL exceeded message. This will demonstrate how the tracert command traces the network
path to the destination.

Task 4: Reflection
The ICMP protocol is very useful when troubleshooting network connectivity issues. Without ICMP
messages, a sender has no way to tell why a destination connection failed. Using the ping command,
different ICMP message type values were captured and evaluated.

Task 5: Clean Up
Wireshark may have been loaded on the pod host computer. If the program must be removed, click Start
> Control Panel > Add or Remove Programs, and scroll down to Wireshark. Click the filename, click
Remove, and follow uninstall instructions.
Remove any Wireshark pcap files that were created on the pod host computer.
Unless directed otherwise by the instructor, turn off power to the host computers. Remove anything that
was brought into the lab, and leave the room ready for the next class.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 8 of 8