Network Analysis: Investigating ICMP Redirects

Here's why you should pay attention to ICMP redirects in network troubleshooting.

Tony Fortunato

September 12, 2017

2 Min Read

Many network analysts have little interest in investigating small issues if they don't think the fine-tuning will make a perceivable difference. They want the biggest bang for their troubleshooting buck. I counter that assumption with some basic logic: “How do you know what the result is if you don’t make the change?”

Internet Control Message Protocol (ICMP) redirects are easy for network analysts to overlook, but investigating them often pays off. Redirect packets might be the result of an intentional design, a misconfiguration problem or a security issue: a redirect tells the receiving host to change its routing table, so a forged one can steer that host's traffic through a machine the sender controls. A legitimate redirect simply informs the host that a better first hop exists for the destination host or network. ICMP redirects are ICMP type 5, and the code field says what the redirect applies to:

   0 = Redirect datagrams for the network

   1 = Redirect datagrams for the host

   2 = Redirect datagrams for the type of service and network

   3 = Redirect datagrams for the type of service and host

In this video, you will see that while working at a client's site, I saw some ICMP redirect packets that turned out to be a simple client reconfiguration issue.

I’ve seen applications or routers silently rely on ICMP redirects or other messages for everyday operation. Then one day, someone blindly blocks all ICMP redirects and things go wonky.

If you’re lucky, the change causes an outage. I say lucky, because an outage would force you to investigate and resolve the issue. If you’re not lucky, you will get reports of what seems to be intermittent application slowdowns and disconnects. The randomness of these reports would make it difficult for an analyst to figure out the root cause.

There are a few caveats you should be aware of when capturing ICMP redirect packets:

  • Don't use packet slicing; if you need slicing, use a value large enough to get all the ICMP information. A redirect carries an 8-byte ICMP header followed by the original datagram's IP header and the first 8 bytes of its payload, so with the Ethernet and outer IP headers you will have to capture 70 to 80 bytes to see which flow was redirected.

  • Be aware of physical or software firewalls that can block or alter ICMP redirect packets, and of host settings that silently ignore them (on Linux, the net.ipv4.conf.*.accept_redirects sysctls); a redirect you see on the wire is not necessarily one the host acted on.

  • Get familiar with your network management software and figure out if it records or alerts on the different types of ICMP packets.
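The following is an added example, not code from the article or from the author: it parses the ICMP type 5 layout described above out of a raw Ethernet frame, shows what is lost when the capture is sliced before the embedded original IP header, and applies the RFC 1122 acceptance rule (a host should only honour a redirect that comes from the gateway it is currently using and that names a new gateway on a directly connected network), which is a reasonable first filter for separating a design-intended redirect from a misconfiguration or a spoofing attempt. The MAC addresses, the 192.0.2.0/24 and 198.51.100.0/24 addresses and the frame itself are constructed for offline use; none of them come from a real capture.

```python
# Added example (not from the original article): parse and sanity-check IPv4 ICMP
# redirects from raw Ethernet II frames. The addresses and the sample frame are
# constructed here for offline testing, not taken from a real capture.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_REDIRECT = 5  # ICMP type 5
REDIRECT_CODES = {
    0: "Redirect datagrams for the network",
    1: "Redirect datagrams for the host",
    2: "Redirect datagrams for the type of service and network",
    3: "Redirect datagrams for the type of service and host",
}
ETH_HDR = 14
# Ethernet + outer IPv4 header + 8-byte ICMP header + embedded original IPv4 header
# + 8 bytes of its payload (RFC 792): the minimum on-wire size of a redirect.
MIN_REDIRECT_FRAME = ETH_HDR + 20 + 8 + 20 + 8  # 70 bytes


@dataclass
class Redirect:
    sender: str                     # router that sent the redirect (outer IP source)
    target: str                     # host being told to re-route (outer IP destination)
    code: int                       # index into REDIRECT_CODES
    gateway: str                    # the "better" next hop advertised in the ICMP header
    complete: bool                  # False when the embedded original header was sliced off
    orig_src: Optional[str] = None  # from the embedded original IP header
    orig_dst: Optional[str] = None
    orig_proto: Optional[int] = None


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a message
    whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_redirect(frame: bytes) -> Optional[Redirect]:
    """Return the redirect carried by an Ethernet II frame, or None if the frame is
    not an IPv4 ICMP type 5 packet. If the capture was sliced before the embedded
    original IP header, the result has complete=False: you know the host was
    redirected but not for which flow, which is what a too-small snaplen costs you."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1:  # IP protocol field: 1 = ICMP
        return None
    icmp = ip[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    rd = Redirect(
        sender=str(ipaddress.IPv4Address(ip[12:16])),
        target=str(ipaddress.IPv4Address(ip[16:20])),
        code=icmp[1],
        gateway=str(ipaddress.IPv4Address(icmp[4:8])),
        complete=False,
    )
    inner = icmp[8:]
    if len(inner) >= 20:  # the embedded original IP header survived the capture
        rd.complete = True
        rd.orig_src = str(ipaddress.IPv4Address(inner[12:16]))
        rd.orig_dst = str(ipaddress.IPv4Address(inner[16:20]))
        rd.orig_proto = inner[9]
    return rd


def redirect_is_plausible(rd: Redirect, current_gateway: str, local_net: str) -> bool:
    """RFC 1122 section 3.2.2.2 acceptance rule: honour a redirect only if it was
    sent by the gateway currently in use and names a new gateway on a directly
    connected network. Anything else is a misconfiguration or a spoofing attempt."""
    return (rd.sender == current_gateway
            and ipaddress.IPv4Address(rd.gateway) in ipaddress.IPv4Network(local_net))


def packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_redirect_frame(sender: str, target: str, code: int, gateway: str,
                         orig_src: str, orig_dst: str, orig_proto: int = 6) -> bytes:
    """Constructed sample frame (Ethernet/IPv4/ICMP redirect) for offline testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # Embedded original datagram: its IP header plus the first 8 bytes of payload
    # (for TCP that is source port, destination port and sequence number).
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 63, orig_proto, 0,
                        packed(orig_src), packed(orig_dst)) + struct.pack("!HHI", 51234, 443, 0)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, packed(gateway)) + inner
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0, 64, 1, 0,
                        packed(sender), packed(target))
    return eth + outer + icmp


if __name__ == "__main__":
    frame = build_redirect_frame("192.0.2.1", "192.0.2.50", 1, "192.0.2.254",
                                 "192.0.2.50", "198.51.100.7")
    rd = parse_redirect(frame)
    print(len(frame), "bytes on the wire;", REDIRECT_CODES[rd.code])
    print(rd)
    print("plausible from current gateway 192.0.2.1:",
          redirect_is_plausible(rd, "192.0.2.1", "192.0.2.0/24"))
    print("complete after slicing to 60 bytes:", parse_redirect(frame[:60]).complete)
```

The sample frame comes out at exactly 70 bytes, the lower end of the range above; slicing it to 60 bytes still identifies the redirected host and the advertised gateway but no longer says which flow was redirected. When running this against your own captures, pass the gateway the host really uses for that destination and the host's on-link prefix; a redirect that fails the plausibility check is the one to chase down first.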

About the Author(s)

Tony Fortunato

Sr Network Performance Specialist

Tony Fortunato is a network performance expert who has been designing, implementing and troubleshooting networks since 1989. His company, The Technology Firm, provides clients of all sizes with services ranging from project management, network design, consulting and troubleshooting to developing custom training courses and assisting with equipment installation. Tony's experience in networking started with financial trading floor networks and ISPs, where he learned to integrate and support equipment from various vendors. Tony has taught and presented at numerous colleges and universities, public forums and private classes. He blogs frequently at NetworkDataPedia and has a popular YouTube channel.
