Introduction

The ICMP - Time exceeded message is one which is usually created by gateways or routers. In order to fully understand this ICMP message, you must be familiar with the IP header within a packet. If you like you can go to the Download - Documents section and grab a copy of the TCP/IP in a Ethernet II Frame file which breaks down the IP header nicely.

When looking at an IP header, you will see the TTL and Fragment Flag fields which play a big part in how this ICMP message works. Please make sure you check them out before attempting to continue !

The ICMP - Time exceeded message is generated when the gateway processing the datagram (or packet, depending on how you look at it) finds the Time To Live field (this field is in the IP header of all packets) is equal to zero and therefore must be discarded. The same gateway may also notify the source host via the time exceeded message.

The term 'fragment' means to 'cut to pieces'. When the data is too large to fit into one packet, it is cut into smaller pieces and sent to the destination. On the other end, the destination host will receive the fragmented pieces and put them back together to create the original large data packet which was fragmented at the source.

Analysis

Let's have a look at the structure of an ICMP - Time exceeded message:

If a host reassembling a fragmented datagram (or packet) cannot complete the reassembly due to missing fragments within its time limit it discards the datagram and it may send an ICMP - time exceeded message.

If fragment zero is not available then no ICMP - time exceeded message is needed to be sent at all. Code 0 may be received from a gateway and Code 1 from a host.

So, summing it up, an ICMP - Time exceeded message can be generated because the Time to live field in the IP header has reached a value of zero (0) or because a host reassembling a fragmented datagram cannot complete the reassembly within its time limit because there are missing fragments (Fragment reassembly time exceeded the allocated time).