What Is ICMP?
ICMP — the Internet Control Message Protocol — is one of the core protocols of the Internet Protocol suite.
Defined in RFC 792 (1981), it lives at the Network Layer (Layer 3) of the OSI model, sitting alongside IP rather than on top of it like TCP or UDP.
Unlike TCP or UDP, ICMP is not used to exchange data between applications. Its purpose is purely diagnostic and control: it lets network devices report errors, check reachability, and communicate operational information back to the source of a packet.
How ICMP Works
Every ICMP message is encapsulated inside an IP packet but has no port numbers — it belongs to the network layer itself. An ICMP message has a compact structure:
| Field | Size | Description |
|---|---|---|
Type | 1 byte | Category of the message (e.g. Echo Request = 8) |
Code | 1 byte | Sub-type / detail within the Type |
Checksum | 2 bytes | Error detection over the header + data |
Data | varies | Depends on Type/Code |
Common ICMP Types
| Type | Name | Direction | Common Use |
|---|---|---|---|
0 | Echo Reply | ← response | Reply to a ping |
3 | Destination Unreachable | ← error | Port/host/net not reachable |
5 | Redirect | ← router | Better route available |
8 | Echo Request | → outbound | The "ping" packet itself |
11 | Time Exceeded | ← error | TTL hit zero (used by traceroute) |
IPv6 note: ICMPv6 (RFC 4443) is the equivalent for IPv6 and also handles neighbor discovery (ARP replacement) and MLD (multicast).
The TTL Field and Why It Matters
Every IP packet carries a Time To Live (TTL) field — an integer decremented by 1 at each router hop. When it reaches 0, the packet is discarded and the router sends back an ICMP Type 11 — Time Exceeded message.
This mechanism prevents packets from looping forever and is what
traceroute exploits: it sends packets with TTL = 1, then TTL = 2, etc., collecting the "Time Exceeded" replies to map each hop along the route.The ping Tool
ping is the most widely known use of ICMP. It sends ICMP Echo Request (Type 8) packets to a target and waits for ICMP Echo Reply (Type 0) packets in return.Basic Usage
Bash
ping google.comCODE
PING google.com (142.250.74.46) 56(84) bytes of data.
64 bytes from 142.250.74.46: icmp_seq=1 ttl=117 time=12.3 ms
64 bytes from 142.250.74.46: icmp_seq=2 ttl=117 time=11.9 ms
64 bytes from 142.250.74.46: icmp_seq=3 ttl=117 time=12.1 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 11.9/12.1/12.3/0.163 ms
Reading the Output
| Field | Meaning |
|---|---|
bytes | Size of the ICMP payload sent |
icmp_seq | Sequence number — helps detect out-of-order or lost packets |
ttl | Remaining TTL when the reply arrived |
time | Round-Trip Time (RTT) in milliseconds |
packet loss | % of sent packets that got no reply |
mdev | Mean deviation — a measure of jitter |
Useful Flags
Bash
# Send only 4 packets (default on Windows, optional on Linux/macOS)
ping -c 4 google.com
# Set a custom packet size (bytes)
ping -s 1400 google.com
# Set TTL manually (useful for hop-counting experiments)
ping -t 5 google.com # macOS/BSD
ping --ttl 5 google.com # Linux
# Flood ping — sends as fast as possible (requires root)
sudo ping -f 192.168.1.1
# Specify interval between packets (seconds)
ping -i 0.2 google.com
# Quiet output — only print summary
ping -q -c 10 google.comWhat Ping Can (and Cannot) Tell You
✅ What ping tells you
- Host reachability — is the IP responding at all?
- Round-trip latency — how long is the path?
- Packet loss — is the network dropping packets?
- Jitter — how consistent is the latency? (look at
mdev) - Basic DNS resolution — if you ping a hostname, it resolves it first
❌ What ping does NOT tell you
- Whether a specific service (HTTP, SSH, etc.) is running — a host can reply to ping but have port 80 closed
- Whether firewalls are blocking traffic — many firewalls silently drop ICMP without sending back a "Destination Unreachable"
- Application-level performance — latency to
ping≠ latency for your API
ICMP and Firewalls
ICMP is sometimes blocked by firewalls or cloud security groups. A common misconception is that a host "is down" if ping fails — in reality it may simply have ICMP filtered.
Bash
# Host unreachable (network-level)
ping 10.0.0.99
# Request timeout for icmp_seq 1
# ...
# vs. host up but ICMP blocked — same symptom, different cause💡 Tip: Ifpingfails butcurlorsshworks, the host is up — ICMP is just firewalled. Use tools likenmap,nc, orcurlto probe specific ports.
ICMP in Everyday DevOps
| Scenario | ICMP Role |
|---|---|
| Health checks in load balancers | Ping-based checks to verify backend node reachability |
| Network monitoring (Nagios, Zabbix) | ICMP Echo as the simplest liveness probe |
| Latency baselines | Continuous ping to track RTT trends over time |
traceroute / tracepath | Uses TTL expiry + ICMP Time Exceeded to map routes |
| MTU discovery (PMTUD) | ICMP "Fragmentation Needed" (Type 3, Code 4) negotiates MTU |
Quick Recap
CODE
You type: ping google.com
│
├─ DNS resolves google.com → 142.250.74.46
│
└─ Your OS sends: IP packet
└─ ICMP Type 8 (Echo Request)
└─ payload + sequence number
Google responds: IP packet
└─ ICMP Type 0 (Echo Reply)
└─ same payload mirrored back
Your terminal shows: RTT, TTL, sequence number
ICMP is small, stateless, and incredibly useful. Mastering what it reports — and what it doesn't — is a foundational skill for anyone working with networks, infrastructure, or distributed systems.
Thanks for reading! If you found this useful, check out the follow-up post on
traceroute and path analysis using ICMP and UDP.20 views
2 comments
Discussion
Nice
Nice