Abstract

RFC 792 requires most ICMP error messages to quote the IP header and the next eight bytes of the packet to which the ICMP error message applies. The quoted packet is used by the receiver to match the ICMP message to an appropriate process. An operating system may examine the quoted source and destination IP addresses, IP protocol, and source and destination port numbers to determine the socket or process corresponding to the ICMP message. In an idealised end- to-end Internet, the portion of the packet quoted should be the same as that which was sent, except for the IP TTL, DSCP, ECN bits, and checksum fields. In the modern Internet, this may not always be the case. This paper presents an analysis of ICMP quotations where the quote does not match the probe.