This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What does ICMP | Redirect | (redirect for host) mean?


I'm trying to troubleshoot a strange problem with some of my switches dropping pings. When the problem happens I get these black/green lines that read ICMP | Redirect | (redirect for host) in Wireshark. I don't see these when the network is running normally.

In the screenshot below:

  • 172.16.1.1 (me) Wireshark Laptop
  • 172.16.0.2 Internet Gateway
  • 172.16.7.254 Core switch gateway for 172 subnet/vlan
  • 10.236.67.12 Suspect switch

[screenshot omitted]

asked 27 Aug '14, 21:13


aj-admin
accept rate: 0%


2 Answers:


RFC 792, "Internet Control Message Protocol" says:

Redirect Message
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Gateway Internet Address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP Fields:

Destination Address

  The source network and address of the original datagram's data.

ICMP Fields:

Type

  5

Code

  0 = Redirect datagrams for the Network.

  1 = Redirect datagrams for the Host.

  2 = Redirect datagrams for the Type of Service and Network.

  3 = Redirect datagrams for the Type of Service and Host.

Checksum

  The checksum is the 16-bit one's complement of the one's
  complement sum of the ICMP message starting with the ICMP Type.
  For computing the checksum, the checksum field should be zero.
  This checksum may be replaced in the future.

Gateway Internet Address

  Address of the gateway to which traffic for the network specified
  in the internet destination network field of the original
  datagram's data should be sent.

Internet Header + 64 bits of Data Datagram

  The internet header plus the first 64 bits of the original
  datagram's data.  This data is used by the host to match the
  message to the appropriate process.  If a higher level protocol
  uses port numbers, they are assumed to be in the first 64 data
  bits of the original datagram's data.

Description

  The gateway sends a redirect message to a host in the following
  situation.  A gateway, G1, receives an internet datagram from a
  host on a network to which the gateway is attached.  The gateway,
  G1, checks its routing table and obtains the address of the next
  gateway, G2, on the route to the datagram's internet destination
  network, X.  If G2 and the host identified by the internet source
  address of the datagram are on the same network, a redirect
  message is sent to the host.  The redirect message advises the
  host to send its traffic for network X directly to gateway G2 as
  this is a shorter path to the destination.  The gateway forwards
  the original datagram's data to its internet destination.

  For datagrams with the IP source route options and the gateway
  address in the destination address field, a redirect message is
  not sent even if there is a better route to the ultimate
  destination than the next address in the source route.

  Codes 0, 1, 2, and 3 may be received from a gateway.

So the ICMP Redirect packet should contain the "Internet Header + 64 bits of Data Datagram" of a packet that was sent to a router in order to get it one routing hop closer to the host whose IP address appears as the destination address in the "Internet Header". However, the router to which it was sent thinks it isn't the right router, and thinks that some other router provides a better route to that particular host, so it's saying "pick another route" ("redirect") for packets to that particular host ("for host"), and provides the IP address of the router to which the packet should have been sent in order to get it to the host in question.

I.e., the host that sent the packet should have routed it to 172.16.7.254 rather than to the host with the MAC address of 00:26:b9:68:4f:52.

answered 27 Aug '14, 22:24

Guy Harris ♦♦

accept rate: 19%


ICMP redirects are messages telling a host to deliver the next packet for the same destination IP address to a different router. This can happen for two reasons:

  1. There are two routers in the subnet, the first being the default gateway. The host sends a packet to a remote network which is only reachable through the second router. Instead of sending it to that router the host sends it to its default gateway, which forwards it to the correct (second) router, and tells the client to send it to that router the next time.

Solution: add static route to host to tell it to use the second router for that specific destination

  2. The host has a bad subnet mask configured, so when trying to send a packet to a node in the same subnet it sends the packet to the default gateway instead. That happens when the subnet mask is too narrow, forcing the host to think that it cannot reach the target directly.

Solution: fix the bad subnet mask setting on the host

By the way, ICMP Redirects are usually not accepted by modern operating systems, because if they were, it would be easy to do a man-in-the-middle attack (at least for one packet direction). An attacker could tell hosts to send packets over his own system next time, and read what's in the packet before passing it on.

answered 28 Aug '14, 00:29


Jasper ♦♦
accept rate: 18%

Thanks very much for the information - it has been helpful. Problem is not fixed yet so I'll update with more info when it is.

(28 Aug '14, 17:26) aj-admin
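Putting the two answers together, here is an added example (my own code, not from either answer or from Wireshark): it decodes a Redirect laid out as in the RFC 792 excerpt, verifies the one's complement checksum, applies the RFC 1122 section 3.2.2.2 checks a host should make before honouring a redirect (which is what stops the man-in-the-middle case Jasper mentions), and applies his two-cause rule of thumb. The sample bytes are constructed from the addresses in the question; the laptop's mask of 255.255.0.0 is an assumption the question does not state.

```python
import ipaddress
import struct

def ones_complement_checksum(data: bytes) -> int:
    """RFC 792: 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes) -> dict:
    """Decode the RFC 792 Redirect fields; a valid message checksums to zero."""
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 5:
        raise ValueError("not an ICMP Redirect (type %d)" % icmp_type)
    if ones_complement_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # original IP header + first 64 bits of its data
    ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
    # RFC 792: if the upper layer uses ports they sit in those first 64 bits
    ports = struct.unpack("!HH", inner[ihl:ihl + 4]) if proto in (6, 17) else None
    return {"code": code, "gateway": ipaddress.IPv4Address(icmp[4:8]),
            "orig_src": ipaddress.IPv4Address(inner[12:16]),
            "orig_dst": ipaddress.IPv4Address(inner[16:20]),
            "proto": proto, "ports": ports}

def check_redirect(sender: str, msg: dict, host_ip: str, mask: str, gw: str) -> list:
    """RFC 1122 3.2.2.2 acceptance tests; a non-empty result means 'discard'."""
    local = ipaddress.IPv4Interface("%s/%s" % (host_ip, mask)).network
    reasons = []
    if ipaddress.IPv4Address(sender) != ipaddress.IPv4Address(gw):
        reasons.append("sender is not the current first-hop gateway")
    if msg["gateway"] not in local:
        reasons.append("advertised gateway is off the local subnet")
    if msg["orig_src"] != ipaddress.IPv4Address(host_ip):
        reasons.append("embedded datagram was not sent by this host")
    return reasons

def likely_cause(msg: dict) -> str:
    """Second answer's two causes: new gateway == destination means the target is
    on-link and the host's mask is too narrow; otherwise a second router serves it."""
    return "fix subnet mask" if msg["gateway"] == msg["orig_dst"] else "add static route"

# Constructed capture mirroring the question: 172.16.1.1 pinged 10.236.67.12 via
# gateway 172.16.0.2 and was redirected (code 1) to the core switch 172.16.7.254.
_INNER = bytes.fromhex("4500001c" "12340000" "40010000" "ac100101" "0aec430c")
_BODY = bytes.fromhex("ac1007fe") + _INNER + bytes.fromhex("0800f7fd00010001")
SAMPLE = struct.pack("!BBH", 5, 1, ones_complement_checksum(b"\x05\x01\x00\x00" + _BODY)) + _BODY
```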