0

I'm creating a Tracert program and am wondering if the value "buffer" used in the Ping payload really matters. Can it be anything, or do routers respond differently based on the contents of the buffer?

What about the other parts of an ICMP ping message? Don't Fragment, etc...

http://msdn.microsoft.com/en-us/library/ms144962.aspx

I found one sample that sets the buffer like this:

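    private byte[] _buffer;

    // Lazily builds a 32-byte echo payload with every byte set to 0x65.
    byte[] Buffer
    {
        get
        {
            if (_buffer == null)
            {
                _buffer = new byte[32];
                // Index the backing field directly instead of re-entering the getter.
                for (int i = 0; i < _buffer.Length; i++)
                {
                    _buffer[i] = 0x65;
                }
            }
            return _buffer;
        }
    }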
HopelessN00b
makerofthings7

3 Answers

1

No, the data section of an ICMP echo is not meaningful.

It serves as a means to make the request and reply packets larger (potentially past the point of fragmentation, the path's MTU) to test network conditions, but is not handled in any way by ICMP implementations (aside from being copied into the echo reply by a responding device).

Shane Madden
  • Will any WAN optimization features have an effect here, or does it not matter for these purposes? – makerofthings7 Sep 01 '11 at 18:06
  • Some OSes (particularly Windows) include timestamps in echo requests and replies. – Gerald Combs Sep 01 '11 at 18:14
  • Interesting question - I suppose if a compressing optimizer were set to act on ICMP packets, with a remote peer decompressing (which wouldn't make a ton of sense, really - they aren't a ton of traffic and you can't really improve the metric that matters for them, response time), then a packet with pure random data in that section would compress less well than one that just sticks predictable data in there, such as the `0x65` in every byte above. It'd completely depend on the optimizer, though. – Shane Madden Sep 01 '11 at 18:16
1

The data section of an echo request is optional. You only need to include it if you wish to

  • make the message larger to test for fragmentation-related problems
  • test whether specific bit-patterns cause problems for your network devices (e.g. they might interpret long strings of ones or zeroes as a command to enter test mode)

A good reference on this topic is Eric Hall's Internet Core Protocols.

sciurus
0

It depends. For timestamps, redirects, and unreachable messages the payload contains valuable information. Even echo request and reply payloads can contain information like timestamps.

You say that you're writing a traceroute program, but then you use the phrase "Ping payload", which suggests that you're trying to process ICMP echo requests and replies. While it's certainly possible to use ICMP messages for tracing routes (it's your only option with tracert on Windows), you won't be able to trace the complete path in many cases since overzealous admins often block echoes.

You might want to consider using other protocols for your probes, specifically TCP. When tracing the route to a web server for example, traceroute (which uses UDP by default) or tracert (ICMP) isn't nearly as useful as `nmap -Pn --traceroute -p 80` or `tcptraceroute`.

Gerald Combs
  • I'm a little confused by this answer... can you be more detailed on the protocols used? Comparing UDP against ICMP isn't clear to me. – makerofthings7 Sep 01 '11 at 18:15
  • You're trying to write a traceroute program, correct? Traceroute works by sending probes with low IP (*not* ICMP) time-to-live values and looking for matching ICMP time-to-live exceeded responses. Although the responses will always be ICMP, the probes themselves can be *any* protocol that runs on top of IP -- ICMP, UDP, TCP, SCTP, AH, ESP, etc. – Gerald Combs Sep 01 '11 at 18:29
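The matching step described in the answers above, as an added Python example that is not code from any poster: it builds echo probes with two different payloads, wraps each in the Time Exceeded message a router must at minimum return under RFC 792 (the original IP header plus the first 8 bytes after it), and recovers the probe's identifier and sequence number. The function names, the documentation-range addresses and the identifier/sequence values are assumptions chosen for illustration.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; yields 0 over a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8: 8-byte header followed by arbitrary data."""
    csum = checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def ipv4_probe(ttl: int, icmp: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, header checksum left 0) + ICMP."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0, src, dst) + icmp

def time_exceeded(datagram: bytes) -> bytes:
    """Router side, RFC 792 minimum: quote the IP header plus the first 8 bytes after it."""
    quoted = datagram[:(datagram[0] & 0x0F) * 4 + 8]
    csum = checksum(struct.pack("!BBHI", 11, 0, 0, 0) + quoted)
    return struct.pack("!BBHI", 11, 0, csum, 0) + quoted

def match_probe(icmp_msg: bytes):
    """Tracer side: return (ident, seq) of the quoted echo request, or None."""
    if len(icmp_msg) < 8 + 20 or icmp_msg[0] != 11 or checksum(icmp_msg) != 0:
        return None
    quoted = icmp_msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8 or quoted[9] != 1 or quoted[ihl] != 8:
        return None
    return struct.unpack("!HH", quoted[ihl + 4:ihl + 8])

if __name__ == "__main__":
    for payload in (b"\x65" * 32, bytes(range(32))):  # constructed payloads
        reply = time_exceeded(ipv4_probe(1, echo_request(0x1234, 7, payload)))
        print(len(reply), match_probe(reply))  # same length and match either way
```

With the minimum quote, the echo data never comes back in a Time Exceeded message; the payload influences only the quoted checksum field, so hop matching has to key on the identifier and sequence number.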