size of ICMP type 11 packet payload
What's the size of the ICMP packet payload when the type is 11, i.e. time exceeded? Since it contains an IP header and the first 8 Bytes of the IP packet payload generating the ICMP message, I thought its size was 20 + 8 = 28.

I'm replaying some common user traffic with TTL=1. In the ICMP messages I have dumped I noticed that:

  • all ICMP packets generated by UDP packets have payload of size 28 Bytes
  • all those generated by TCP packets have payload of size 40 Bytes

Since I need to match ICMP time-exceeded messages with the packets that triggered them by comparing those bytes, this piece of information is essential, but I can't figure out why this happens.

Cyrilcyrill answered 3/8, 2012 at 15:1 Comment(1)
Deleted my answer because I didn't realise you were sending a time exceeded package. You might want to add some information about how you're generating the message.Penneypenni
The problem is that you're quoting the 8-byte header payload from RFC 792, Page 4, but the requirements were changed by RFC 1812...

Time Exceeded Message (in RFC 792)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RFC 1812, Section 4.3.2.3 dramatically increases the allowable payload in an ICMP Error message (emphasis mine):

4.3.2.3 Original Message Header

Historically, every ICMP error message has included the Internet header and at least the first 8 data bytes of the datagram that triggered the error. This is no longer adequate, due to the use of IP-in-IP tunneling and other technologies. Therefore, the ICMP datagram SHOULD contain as much of the original datagram as possible without the length of the ICMP datagram exceeding 576 bytes. The returned IP header (and user data) MUST be identical to that which was received, except that the router is not required to undo any modifications to the IP header that are normally performed in forwarding that were performed before the error was detected (e.g., decrementing the TTL, or updating options).

The ICMP Errors you're generating from Scapy packets should contain all the information from the IP and TCP layers of the original packet.

Succursal answered 13/8, 2012 at 9:27 Comment(5)
Thank you. I "manually" matched data packets and their time-exceeded ICMP messages, only to find out that I was getting one match for each TCP packet if the ICMP payload considered was 28B long and when I considered more than 28B, I hardly ever got a match. I really think it has something to do with the library I'm using to inspect packets (Scapy). I wrote something more in answer to stuart's reply.Cyrilcyrill
I am curious, is responding to the one-byte payload difference part of the bounty award, or was the reference for the payload size sufficient?Succursal
If you could help with that thing too, it'd be great. Otherwise, no worries!Cyrilcyrill
Recently I found out about ICMP extensions for MPLS. tools.ietf.org/html/draft-ietf-mpls-icmp-01 It reminded me of this question of mine ;)Cyrilcyrill
fyi, draft-ietf-mpls-icmp-01 is most recently updated as rfc 4950... not yet approved thoughSuccursal
As you noted, the ICMP payload is the IP header plus 8 octets of the original packet's payload. IP headers, however, are not always 20 octets long; 20 is only the minimum. The IP header itself may contain options, and the header length is indicated by the value in the IHL field of the header. See sec 3.1 of RFC 791. So it looks like the TCP packets have 12 additional octets of options in their IP headers. RFC 791 defines some standard options such as source routing and timestamping. You'll have to decode the header to determine what options are being used.

Doreendorelia answered 13/8, 2012 at 8:44 Comment(2)
I dug a bit more into the problem and according to Scapy, the tool with which I'm sending and forging my packets, the IP header is always 20B in size. I had a look at those 20 Bytes of TCP header and it looks like Scapy is padding some additional bytes into them each time, because the last extra bytes differ only in like 1 byte, all the other ones being always the same. Not sure why this happens... it still baffles me.Cyrilcyrill
While that was the case at the time I wrote the comment, now I'm finally getting ICMP payloads larger than 28 Bytes. Dreams come true...Cyrilcyrill
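The two answers above make two separate points: the quoted datagram inside an ICMP Time Exceeded message is "IP header + at least 8 bytes" (RFC 792) or "as much as fits in 576 bytes" (RFC 1812), and the inner IP header is not a fixed 20 bytes but whatever the IHL field says. The example below is added here and is not code from the thread, from Scapy or from any RFC; it is a stdlib-only Python decoder that builds constructed sample datagrams (a UDP probe with a plain 20-byte header and a TCP SYN whose IP header carries a 12-byte Timestamp option, giving the 28- and 40-byte quotes reported in the question), wraps them in type 11 messages the way a router would, then parses the reply by reading IHL rather than assuming 20, and matches it back to the sent packet. The match key deliberately leaves out TTL and header checksum, because RFC 1812 allows the router to quote the header with the TTL already decremented. The 548-byte quote budget (576 minus a 20-byte outer IP header minus the 8-byte ICMP header) is an assumption for the RFC 1812 case, and all addresses, ports and IP IDs are constructed.

```python
"""Decode ICMP Time Exceeded (type 11) and match it to the datagram that
triggered it. Added example, stdlib only; sample traffic is constructed."""
import struct

ICMP_TIME_EXCEEDED = 11
IPPROTO_TCP = 6
IPPROTO_UDP = 17
RFC1812_QUOTE_BUDGET = 576 - 20 - 8   # assumed: 576 total minus outer IP + ICMP headers


def ip_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=1, ident=0x1234, options=b""):
    """Constructed IPv4 datagram; options are padded so IHL stays a whole 32-bit word count."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      ident, 0, ttl, proto, 0, src, dst) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_time_exceeded(original: bytes, rfc1812: bool = True) -> bytes:
    """Router side: ICMP type 11 code 0 quoting the offending datagram.
    RFC 792 style quotes IP header + 8 bytes; RFC 1812 style quotes as much as the budget allows."""
    ihl = (original[0] & 0x0F) * 4
    quote = original[:RFC1812_QUOTE_BUDGET] if rfc1812 else original[:ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quote
    return icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]


def parse_time_exceeded(icmp: bytes) -> dict:
    """Receiver side: validate the message and pull a flow key out of the quoted datagram."""
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message (type %d)" % itype)
    if ip_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quote = icmp[8:]
    if len(quote) < 20:
        raise ValueError("quoted datagram shorter than a minimal IP header")
    ihl = (quote[0] & 0x0F) * 4            # read IHL; never assume 20 bytes
    ident = struct.unpack("!H", quote[4:6])[0]
    proto, src, dst = quote[9], quote[12:16], quote[16:20]
    transport = quote[ihl:ihl + 8]         # the 8 octets RFC 792 guarantees
    if len(transport) < 4:
        raise ValueError("quote does not reach the transport ports")
    sport, dport = struct.unpack("!HH", transport[:4])
    return {"code": code, "inner_ihl": ihl, "proto": proto, "ident": ident,
            "src": src, "dst": dst, "sport": sport, "dport": dport,
            "quoted_len": len(quote)}


def flow_key(datagram: bytes) -> tuple:
    """Fields a forwarding router does not rewrite: src, dst, proto, IP ID, ports.
    TTL and header checksum are excluded on purpose."""
    ihl = (datagram[0] & 0x0F) * 4
    ident = struct.unpack("!H", datagram[4:6])[0]
    sport, dport = struct.unpack("!HH", datagram[ihl:ihl + 4])
    return (datagram[12:16], datagram[16:20], datagram[9], ident, sport, dport)


def match(icmp: bytes, sent: list):
    """Index of the sent datagram this ICMP message refers to, or None."""
    p = parse_time_exceeded(icmp)
    key = (p["src"], p["dst"], p["proto"], p["ident"], p["sport"], p["dport"])
    for i, d in enumerate(sent):
        if flow_key(d) == key:
            return i
    return None


# Constructed sample traffic (addresses, ports and IDs are made up).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
UDP_SEG = struct.pack("!HHHH", 40000, 33434, 12, 0) + b"ping"
TCP_SEG = struct.pack("!HHIIBBHHH", 40001, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
TS_OPTION = b"\x44\x0c\x05\x00" + b"\x00" * 8     # IP Timestamp option, 12 bytes -> IHL 8
SENT = [
    build_ipv4(SRC, DST, IPPROTO_UDP, UDP_SEG, ident=0x0001),
    build_ipv4(SRC, DST, IPPROTO_TCP, TCP_SEG, ident=0x0002, options=TS_OPTION),
]


def demo():
    """RFC 792-style quotes: (quoted length, inner header length, matched index) per packet."""
    out = []
    for d in SENT:
        icmp = build_time_exceeded(d, rfc1812=False)
        p = parse_time_exceeded(icmp)
        out.append((p["quoted_len"], p["inner_ihl"], match(icmp, SENT)))
    return out


if __name__ == "__main__":
    print(demo())   # [(28, 20, 0), (40, 32, 1)]
```

The UDP probe produces the 28-byte quote and the TCP segment with IP options the 40-byte quote, which is the same 12-byte difference the third answer attributes to IHL. With `rfc1812=True` the whole 52-byte TCP datagram is quoted instead, and the match still succeeds because the key does not depend on the quote length or on the TTL.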
I would like to add for future reference that not only do ICMP payloads vary in size as Mike said, they might also be longer than 128 Bytes in the case of ICMP extensions for MPLS. See this draft for more information

Cyrilcyrill answered 29/7, 2013 at 22:58 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.