ICMP Destination Unreachable: too much data?

Hi all!

I performed the following procedure:

  • Start the capture with Wireshark.
  • Using a Python script, send a single UDP packet to my server, port 1235. The server is online but not listening on port 1235.
  • Stop the capture with Wireshark.

As expected, in the capture I find two packets: the UDP packet I sent (coming from me) and an ICMP Destination Unreachable packet (coming from the server). Now, here is the Wikipedia page for the ICMP protocol. It says that a Destination Unreachable packet includes the original IP header and the first eight bytes of the IP payload (in the case of UDP, this amounts to only the UDP header).

However, the ICMP Destination Unreachable packet I find in my capture includes the entire original UDP packet including, e.g., the data I sent. I wonder how this is possible. Which of the following two options is true?

  • The server actually sends back the entire packet, not stopping after the 8th byte of the IP data.
  • Wireshark does something under the hood which I am missing altogether?

I tried inspecting the raw bytes of the .pcap file generated when I save my capture, and indeed the payload of my original UDP message seems to appear only once. I don't know if this actually means something or not.
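
An added example, not part of the original post: a Python parser that takes the bytes of an ICMP Destination Unreachable message (everything after the outer IP header) and reports how much of the original datagram is quoted, so the count can be compared with the "IP header plus eight bytes" figure. The sample packet, its addresses and the source port 40000 are constructed for illustration, and checksums are left at zero.

```python
import struct

def quoted_datagram_info(icmp: bytes) -> dict:
    """Measure the original datagram quoted inside an ICMP type 3 message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]  # bytes 4-7 of the ICMP header are unused / next-hop MTU
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4  # quoted IP header length in bytes
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("bad IHL in quoted header")
    total_len = struct.unpack("!H", quoted[2:4])[0]
    after_ip = quoted[ihl:]  # whatever the sender quoted past the IP header
    info = {
        "code": code,
        "protocol": quoted[9],
        "original_total_length": total_len,
        "quoted_after_ip_header": len(after_ip),
        "extra_beyond_8": max(0, len(after_ip) - 8),
        "whole_datagram_quoted": len(quoted) >= total_len,
    }
    if quoted[9] == 17 and len(after_ip) >= 8:  # UDP: header is exactly 8 bytes
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", after_ip[:8])
        info.update(udp_dst_port=dport, udp_length=ulen,
                    quoted_udp_payload=after_ip[8:])
    return info

def build_sample(payload: bytes, quote_limit=None) -> bytes:
    """Constructed port-unreachable message quoting a UDP datagram to port 1235."""
    udp = struct.pack("!HHHH", 40000, 1235, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    quoted = ip + udp
    if quote_limit is not None:  # keep only N bytes after the IP header
        quoted = quoted[:20 + quote_limit]
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted

if __name__ == "__main__":
    for limit in (8, None):  # eight-byte quote vs. full quote
        print(limit, quoted_datagram_info(build_sample(b"hello server", limit)))
```

RFC 792 specifies the IP header plus 64 bits of the original data, while RFC 1812 has routers quote as much of the original datagram as fits without the ICMP datagram exceeding 576 bytes, so a non-zero `extra_beyond_8` is consistent with the sender quoting more than the minimum.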