Routers, Hops, Executioners and Obituaries: A Look at ICMP

ICMP is the Internet Control Message Protocol which works at Layer 3 or the Network layer. It is used for all kinds of network messaging services utilized by IP, the Internet Protocol.
In fact, here’s how it is defined by Wikipedia:

“The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages”
(see RFC 1256, if you are into that kind of thing).

Bottom line, ICMPs are used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. It is a useful error reporting and diagnostic utility and is considered a required part of any IP implementation.

My focus today is on the morbid language used to describe some of the services provided by ICMP.
Each ICMP message contains three fields that define its purpose and provide a checksum – type, code, and checksum. The “TYPE” field identifies the ICMP message, the “CODE” field provides further information about the associated TYPE field, and the “CHECKSUM” provides a method for determining the integrity of the message.

Type Description
Echo Reply
Destination Unreachable
Source Quench
Redirect Message
Echo Request
Time Exceeded
Parameter Problem
Timestamp Request
Timestamp Reply
Address Mask Request
Address Mask Reply

Take for example, the case of type 3 “Destination Unreachable”.
When an IP packet is sent from one host to another, each packet is allotted a number of stopping points, usually routers, to pass through in order to reach its destination and these are called “hops” or “hop count”.
When a packet is undeliverable, a Destination Unreachable, Type 3, ICMP is generated. Type 3 ICMPs can have a Code value of 0 to 15:

Type 3
Code Value Description
Network Unreachable
Host Unreachable
Protocol Unreachable
Port Unreachable
Fragmentation needed and DF (Don’t Fragment) set
Source route failed
Destination Network unknown
Destination Host unknown
Source Host isolated
Communication with Destination Network Administratively Prohibited
Communication with Destination Host Administratively Prohibited
Network Unreachable for Type Of Service
Host Unreachable for Type Of Service
Communication Administratively Prohibited by Filtering
Host Precedence Violation
Precedence Cutoff in Effect


If an IP packet reaches its limit of hops, the last receiving router usually just deletes the message. Now this is where the language issue comes in. The router that deletes the datagram is called an executioner. After “killing” the datagram, this “executioner” uses ICMP to send an “obituary” message to the machine that sent the message to inform it that its message met an untimely death. I am not making this up. Actually, here’s a paper called “Providing Packet Obituaries” that discusses the obituary concept.

What is the world coming to?

And oh, by the way, did I tell you about the “selfish” way Microsoft uses PING, the Packet InterNet Groper? PING uses the alphabet in the data portion of a packet as payload. But when you use ping on a Windows device, we seem to be a little short on our alphabet count.

For example:

ICMP Data Area:
abcdefghijklmnop 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d
qrstuvwabcdefghi 71 72 73 74 75 76 77 61 62 63 64 65 66

Notice how the alphabet stops at “w”. Hmm. What happened to x, y,z? Windows, anyone?

Props to Todd Lammle for that tidbit.