Home/ Questions/Q 7808891
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T03:15:59+00:00

I need to send a bunch of IP packets that I’m sure will trigger

  • 0

I need to send a bunch of IP packets that I’m sure will trigger an ICMP TTL-expired error message. How exactly can I associate each error message with the packet that generated it? What field in the ICMP header is used for this?

Should I rather use some custom ID number in the original IP header, so that I can tell which error message corresponds to which packet? If so, which field is most suitable for this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The body of ICMP TTL Expired messages must include the IP header of the original packet (which includes the source-port / destination-port) and 64 bits beyond the original header.

    Based on timing and that header information, you can derive which packet triggered the TTL-expired message.

    I am including a sample triggered by an NTP packet below…

    See RFC 792 (Page 5) for more details.

    ICMP TTL-Expired Message

    Ethernet II, Src: JuniperN_c3:a0:00 (b0:c6:9a:c3:a0:00), Dst: 78:2b:cb:37:4c:7a (78:2b:cb:37:4c:7a)
    Destination: 78:2b:cb:37:4c:7a (78:2b:cb:37:4c:7a)
        Address: 78:2b:cb:37:4c:7a (78:2b:cb:37:4c:7a)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: JuniperN_c3:a0:00 (b0:c6:9a:c3:a0:00)
        Address: JuniperN_c3:a0:00 (b0:c6:9a:c3:a0:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 172.25.116.254 (172.25.116.254), Dst: 172.25.116.10 (172.25.116.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x86d7 (34519)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 255
    Protocol: ICMP (0x01)
    Header checksum: 0xb3b1 [correct]
        [Good: True]
        [Bad : False]
    Source: 172.25.116.254 (172.25.116.254)
    Destination: 172.25.116.10 (172.25.116.10)
Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (Time to live exceeded in transit)
    Checksum: 0x4613 [correct]
    Internet Protocol, Src: 172.25.116.10 (172.25.116.10), Dst: 172.25.0.11 (172.25.0.11)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 36
        Identification: 0x0001 (1)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 0
            [Expert Info (Note/Sequence): "Time To Live" only 0]
                [Message: "Time To Live" only 0]
                [Severity level: Note]
                [Group: Sequence]
        Protocol: UDP (0x11)
        Header checksum: 0xee80 [correct]
            [Good: True]
            [Bad : False]
        Source: 172.25.116.10 (172.25.116.10)
        Destination: 172.25.0.11 (172.25.0.11)
    User Datagram Protocol, Src Port: telindus (1728), Dst Port: ntp (123)
        Source port: telindus (1728)
        Destination port: ntp (123)
        Length: 16
        Checksum: 0xa7a1 [unchecked, not all data available]
            [Good Checksum: False]
            [Bad Checksum: False]
    • 0