Practical 18
Objective:
To capture and analyze ICMP (Internet Control Message Protocol) packets using Wireshark
and identify source and destination IP addresses.
Theory:
ICMP is a network layer protocol used by devices to communicate error messages and
operational information. It is carried directly inside IP (protocol number 1) and has no
port numbers; each message is identified by a Type and a Code field. Common ICMP messages include:
• Echo Request (Type 8): Sent by ping to test the reachability of a host.
• Echo Reply (Type 0): Sent as a response to an Echo Request.
• Destination Unreachable (Type 3), Time Exceeded (Type 11), etc.: Used for error reporting.
Wireshark is a network protocol analyzer used to capture and inspect network traffic, including ICMP
packets. Note that many hosts and firewalls silently drop ICMP, so a missing Echo Reply tells you
only that the host is down or that ICMP was filtered somewhere on the path, not which of the two.
Procedure:
1. Start Wireshark:
o Open Wireshark and select the appropriate network interface (e.g., Wi-Fi, Ethernet).
o Click Start to begin capturing packets.
2. Generate ICMP Traffic:
o Open Command Prompt or Terminal.
o Use the ping command to generate ICMP Echo Request packets.
▪ Example: ping www.google.com
▪ On Windows, ping sends four Echo Requests and then stops on its own. On Linux and macOS,
ping keeps sending until you stop it with Ctrl+C (or pass -c 4 to send exactly four).
▪ Note the IP address that ping prints after resolving the name; that is the destination
address to look for in the capture.
3. Filter ICMP Packets in Wireshark:
o In Wireshark, type icmp in the filter bar and press Enter to display only ICMP packets.
The DNS query and response that resolved the host name precede the first Echo Request in the
capture but are hidden by this filter.
4. Analyze the Packets:
o Look for packets labeled ICMP Echo (ping) request and ICMP Echo reply in
the Protocol column.
o Select a packet to view its details in the middle pane and its hex dump in the
bottom pane.
5. Check Addresses:
o In the Packet Details pane, expand the Internet Protocol Version 4 (IPv4) section.
o Note the following:
▪ Source IP Address: The IP address of your device, i.e., the address assigned to the
capturing interface. Behind a home router this is the private (NAT) address, not the
public address the server sees.
▪ Destination IP Address: The IP address of the target host (e.g., Google's server). It
should match the address ping printed.
o For reply packets, the source and destination addresses will be reversed.
6. Save the Capture (Optional):
o Save the captured packets for future reference by going to File > Save As.
Observations:
1. Packet Types:
o Echo Request packets sent by your device.
o Echo Reply packets sent by the target host.
2. Addresses:
o Source IP Address: Matches your device’s IP configuration.
o Destination IP Address: Matches the server’s IP address (e.g., Google's).
3. Other Details:
o TTL (Time-to-Live) value in the IPv4 header. Your requests carry your operating system's
initial value (commonly 64 on Linux/macOS and 128 on Windows); replies arrive with the
server's initial value minus the number of routers crossed on the way back.
o ICMP Type and Code values indicating the message type: Echo Request is Type 8, Code 0;
Echo Reply is Type 0, Code 0. The Identifier and Sequence Number fields that follow are
what pair each reply with its request.
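The fields read off in steps 4 and 5 and listed under Observations can be decoded directly from the packet bytes Wireshark shows in its bottom pane. The Python script below is an added example written for this page; it is not part of the original practical and not Wireshark's own code. It builds a constructed Echo Request/Echo Reply pair (the addresses 192.168.1.10 and 142.250.72.36 are invented, not captured), parses each IPv4/ICMP packet the way Wireshark's dissector does, verifies both checksums, and pairs the reply with its request by identifier and sequence number, which is also why the addresses appear reversed on the reply.

```python
"""Decode an IPv4/ICMP echo packet into the fields Wireshark lists in its
Packet Details pane: source/destination IP, TTL, ICMP type and code,
identifier, sequence number, and whether both checksums verify."""
import ipaddress
import struct

ICMP_NAMES = {
    0: "Echo (ping) reply",
    3: "Destination unreachable",
    8: "Echo (ping) request",
    11: "Time-to-live exceeded",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4 and ICMP.
    Computed over a header whose checksum field is already filled in,
    it returns 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src, dst, ttl, icmp_type, ident, seq, payload):
    """Assemble an IPv4 packet carrying an ICMP echo request (type 8) or
    reply (type 0). Used here only to construct sample input."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # version 4 / IHL 5, DSCP 0, total length, ID, flags DF, TTL, proto 1 (ICMP)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                      ttl, 1, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ip_icmp(pkt: bytes) -> dict:
    """Parse one IPv4 packet (Ethernet header already stripped) and return
    the IPv4 and ICMP fields as a dict. Raises ValueError on malformed input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or len(pkt) < total_len:
        raise ValueError("truncated or malformed IPv4 packet")
    ttl, proto = pkt[8], pkt[9]
    if proto != 1:                           # 1 = ICMP in the Protocol field
        raise ValueError("protocol %d is not ICMP" % proto)
    icmp = pkt[ihl:total_len]                # ignore any trailing padding
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "ttl": ttl,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "type": itype,
        "code": code,
        "name": ICMP_NAMES.get(itype, "type %d" % itype),
        "ident": ident,
        "seq": seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload": icmp[8:],
    }


def is_reply_to(request: dict, reply: dict) -> bool:
    """True when `reply` answers `request`: type 8 -> 0, addresses swapped,
    same identifier and sequence number, payload echoed back unchanged."""
    return (request["type"] == 8 and reply["type"] == 0
            and reply["src"] == request["dst"]
            and reply["dst"] == request["src"]
            and (reply["ident"], reply["seq"]) == (request["ident"], request["seq"])
            and reply["payload"] == request["payload"])


# Constructed sample traffic; the addresses are invented, not captured.
CLIENT, SERVER = "192.168.1.10", "142.250.72.36"
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte pattern Windows ping sends
REQUEST = build_echo(CLIENT, SERVER, 128, 8, 0x0001, 1, PAYLOAD)
REPLY = build_echo(SERVER, CLIENT, 57, 0, 0x0001, 1, PAYLOAD)
# The same reply with its last payload byte flipped in transit.
CORRUPTED_REPLY = REPLY[:-1] + bytes([REPLY[-1] ^ 0xFF])

if __name__ == "__main__":
    for pkt in (REQUEST, REPLY, CORRUPTED_REPLY):
        f = parse_ip_icmp(pkt)
        print("%-13s -> %-13s ttl=%3d %-20s id=%d seq=%d ip_ok=%s icmp_ok=%s"
              % (f["src"], f["dst"], f["ttl"], f["name"], f["ident"], f["seq"],
                 f["ip_checksum_ok"], f["icmp_checksum_ok"]))
    print("reply pairs with request:",
          is_reply_to(parse_ip_icmp(REQUEST), parse_ip_icmp(REPLY)))
```

To run it on a real packet from your capture, copy the packet bytes out of Wireshark as a hex string, drop the first 14 bytes (the Ethernet header) and pass bytes.fromhex(...) of the rest to parse_ip_icmp; the src, dst, ttl, type and code it returns should match the Packet Details pane, and icmp_checksum_ok corresponds to the "Checksum Status" line. The display filters icmp.type == 8 and icmp.type == 0 isolate requests and replies respectively.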
Result:
The ICMP packets were successfully captured and analyzed using Wireshark. The source
and destination IP addresses were identified, confirming the reachability of the target host.
Conclusion:
This practical demonstrated the process of capturing and analyzing ICMP packets. It
highlighted the use of ICMP for diagnostic purposes, such as testing connectivity and
understanding network paths.
Questions:
1. What are the main functions of ICMP in networking?
ICMP (Internet Control Message Protocol) is a fundamental protocol used in networking for
error reporting and diagnostic purposes. Its main functions include:
1. Error Reporting: ICMP is used by network devices (like routers and gateways) to
communicate errors in packet delivery. For example, when a router cannot deliver a
packet to its destination due to issues like network congestion or an unreachable host,
ICMP sends an error message back to the sender (e.g., "Destination Unreachable").
2. Diagnostic Tools: ICMP plays a key role in network troubleshooting. Tools like ping
and traceroute rely on ICMP to diagnose network connectivity and performance. Ping
sends ICMP Echo Request messages to a destination and waits for an ICMP Echo
Reply, helping verify if a host is reachable.
3. Time-to-Live Enforcement: Routers send "Time Exceeded" when a packet's time-to-live (TTL)
reaches zero. That signals an over-long path or a routing loop, not congestion, and it is
the message that makes traceroute work. ICMP's original congestion signal, Source Quench
(Type 4), was deprecated by RFC 6633 and is ignored by modern hosts; congestion control is
handled by transport protocols such as TCP, not by ICMP.
4. Redirecting Traffic: ICMP Redirect messages allow routers to inform hosts about a
better first hop for reaching a destination. Because a forged Redirect can steer a host's
traffic through an attacker's machine, hardened hosts are usually configured to ignore them.
5. Network Path Discovery: Time Exceeded replies to probes sent with increasing TTL values
reveal the routers a packet actually traverses (the basis of traceroute). ICMP reports the
path; it does not choose or optimize it, which is the job of routing protocols.
1. Prevention of Routing Loops: In a network, routing loops can occur when packets
keep circulating between routers due to misconfigurations. The TTL ensures that, after
a certain number of hops (router crossings), the packet will be discarded, preventing it
from endlessly circulating in the loop.
2. Avoiding Infinite Packet Lifetime: The TTL serves as a safeguard against packets
that could otherwise persist forever in the network. If the TTL reaches zero, the packet
is discarded by the router, and an ICMP "Time Exceeded" message is sent back to the
sender.
3. Network Path Monitoring: The TTL value can also be used to measure the number
of hops a packet takes to reach its destination, which is helpful in tools like
traceroute. By setting the TTL value incrementally and observing where the packet is
dropped, traceroute can determine the path and performance of the network between
two endpoints.
1. Ping for Connectivity Testing: The ping command uses ICMP Echo Request and
Echo Reply messages to check if a device (e.g., a server or router) is reachable. By
sending a request and receiving a reply, administrators can confirm if the destination
host is active and reachable over the network.
2. Identifying Network Latency: When using ping, the round-trip time (RTT) displayed
in the results indicates the time it takes for a packet to travel to the destination and
back. High RTT values can indicate network congestion or long delays, which help
pinpoint issues in the network performance.
3. Traceroute for Path Discovery: The traceroute command (tracert on Windows) relies on ICMP
"Time Exceeded" messages to map out the network path between a source and destination.
It sends probes with the TTL set to 1, 2, 3, and so on; each router that decrements a
probe's TTL to zero discards it and returns Time Exceeded from its own address, so the
sequence of senders is the path. Linux traceroute sends UDP probes by default and tracert
sends ICMP Echo Requests, but both depend on the same Time Exceeded replies. A hop whose
probes are consistently delayed or lost points to a problematic router or link, whereas a
hop shown as "* * *" usually just rate-limits or filters ICMP and is not by itself a fault.
4. Detecting Routing Loops: ICMP messages, such as "Time Exceeded," can reveal
routing loops. When a packet’s TTL expires due to continuous looping between
routers, the packet is discarded, and an ICMP error message is sent. This helps identify
where loops are occurring, aiding in resolving routing configuration issues.
5. Error Reporting for Troubleshooting: ICMP provides error messages, such as
Destination Unreachable or Network Unreachable, which help pinpoint network
problems like broken links, misconfigured routing, or inaccessible destinations.
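The TTL mechanism and the traceroute technique described in the two answers above can be seen end to end in a small model. The Python below is an added example for this page, not part of the original practical and not taken from any traceroute implementation; the topology (gateway 192.168.1.1, routers 10.0.0.1 and 10.0.0.2, destination 203.0.113.80) is constructed. It applies the forwarding rule routers actually use (decrement TTL, drop at zero and answer with Time Exceeded from the router's own address), runs the traceroute probing loop over a healthy path, a routing loop and a missing route, and shows that a looping packet is discarded once its TTL runs out rather than circulating forever.

```python
"""Model of how the IPv4 TTL bounds a packet's lifetime and how traceroute
turns the resulting Time Exceeded messages into a hop-by-hop path listing."""

# Constructed topology (invented private/documentation addresses): each
# entry maps a device to the next hop it forwards toward DESTINATION.
CLIENT = "192.168.1.10"
DESTINATION = "203.0.113.80"
HEALTHY = {
    CLIENT: "192.168.1.1",          # host -> default gateway
    "192.168.1.1": "10.0.0.1",
    "10.0.0.1": "10.0.0.2",
    "10.0.0.2": DESTINATION,
}
# Same network with one misconfigured router: 10.0.0.2 points back at 10.0.0.1.
LOOPED = {**HEALTHY, "10.0.0.2": "10.0.0.1"}
# Same network with 10.0.0.2 holding no route at all.
NO_ROUTE = {k: v for k, v in HEALTHY.items() if k != "10.0.0.2"}

ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED = 0, 3, 11   # ICMP type numbers


def send(table, src, dst, ttl):
    """Forward one echo request with the given initial TTL. Every router
    decrements TTL before forwarding and, when it reaches zero, drops the
    packet and answers with Time Exceeded from its own address (RFC 792).
    Returns (icmp_type_seen_by_src, address_that_sent_it, routers_traversed)."""
    here, hops = src, 0
    while True:
        nxt = table.get(here)
        if nxt is None:                     # no route here: Destination Unreachable
            return UNREACHABLE, here, hops
        if nxt == dst:                      # delivered; the destination answers
            return ECHO_REPLY, dst, hops
        hops += 1
        ttl -= 1
        if ttl == 0:                        # this router drops it and reports back
            return TIME_EXCEEDED, nxt, hops
        here = nxt


def traceroute(table, src, dst, max_hops=30):
    """Probe with TTL 1, 2, 3, ... and record who answered each probe, as
    traceroute/tracert do. Returns (path, final_type); final_type is None
    when max_hops probes produced nothing but Time Exceeded."""
    path = []
    for ttl in range(1, max_hops + 1):
        itype, sender, _ = send(table, src, dst, ttl)
        path.append(sender)
        if itype != TIME_EXCEEDED:
            return path, itype
    return path, None


def find_loop(path, status):
    """For a trace that never completed (status None), return the indices of
    the first two probes answered by the same router, i.e. where the loop is
    entered. None when the trace finished or every hop is distinct."""
    if status is not None:
        return None
    seen = {}
    for i, addr in enumerate(path):
        if addr in seen:
            return seen[addr], i
        seen[addr] = i
    return None


if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("looped", LOOPED), ("no route", NO_ROUTE)):
        path, status = traceroute(table, CLIENT, DESTINATION)
        print("%-9s final ICMP type=%s probes=%d loop=%s"
              % (name, status, len(path), find_loop(path, status)))
        for i, hop in enumerate(path, 1):
            print("  %2d  %s" % (i, hop))
    # A normal packet with TTL 64 still dies in the loop instead of circulating forever.
    print("looped network, TTL 64:", send(LOOPED, CLIENT, DESTINATION, 64))
```

In the looped case the trace alternates between 10.0.0.1 and 10.0.0.2 for all 30 probes, which is exactly the pattern a real traceroute shows for a routing loop, and the TTL 64 packet is discarded by 10.0.0.1 after 64 router traversals. In the missing-route case the last router answers with Destination Unreachable, which is why that message names the router that gave up rather than the destination. Real tools differ only in transport and presentation: Linux traceroute sends UDP probes by default, Windows tracert sends ICMP Echo Requests, and routers that rate-limit or filter ICMP appear as "* * *" instead of an address.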