Skip to main content
Version: 1.4.0

ICMP Type

Network Analysis Protocol Analysis Data Enrichment

Synopsis

A network analysis processor that converts ICMP type codes to their corresponding human-readable type names using the IANA ICMP type registry, enhancing network packet analysis and security monitoring for ICMP traffic.

Schema

- icmp_type:
    field: <ident>
    target_field: <ident>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

FieldRequiredDefaultDescription
fieldY-Field containing the ICMP type code to convert
target_fieldNfieldField to store the ICMP type name
descriptionN-Explanatory note
ifN-Condition to run
ignore_failureNfalseContinue if conversion fails
ignore_missingNfalseContinue if source field doesn't exist
on_failureN-See Handling Failures
on_successN-See Handling Success
tagN-Identifier

Details

The processor maintains a comprehensive mapping of IANA ICMP type codes to their standard names, supporting all registered ICMP message types including Echo Request, Echo Reply, Destination Unreachable, and many specialized ICMP messages used in network diagnostics.

note

The processor supports multiple input formats including integers, floats, and string representations of ICMP type codes.

ICMP type code resolution follows the official IANA registry for Internet Control Message Protocol (ICMP) Parameters. Unknown or unassigned ICMP type codes are handled gracefully by returning "Unassigned" for debugging and analysis purposes.

The processor automatically handles type conversion from various numeric types and string representations. Floating-point values are truncated to integers during conversion, following ASIM normalization standards.

warning

Ensure ICMP type code fields contain valid numeric values to avoid conversion errors.

Examples

Basic ICMP Type Conversion

Converting common ICMP type codes...

{
  "icmp_type": 8,
  "response_type": "0"
}
- icmp_type:
    field: icmp_type
    target_field: icmp_type_name
- icmp_type:
    field: response_type
    target_field: response_type_name

produces readable ICMP type names:

{
  "icmp_type": 8,
  "response_type": "0",
  "icmp_type_name": "Echo",
  "response_type_name": "Echo Reply"
}

In-Place Conversion

Converting ICMP type code in place...

{
  "network": {
    "icmp_type": 3
  }
}
- icmp_type:
    field: network.icmp_type

replaces the original field:

{
  "network": {
    "icmp_type": "Destination Unreachable"
  }
}

Multiple ICMP Fields

Processing multiple ICMP type fields...

{
  "icmp_request": 8,
  "icmp_response": 0,
  "icmp_error": 11
}
- icmp_type:
    field: icmp_request
    target_field: request_type
- icmp_type:
    field: icmp_response
    target_field: response_type
- icmp_type:
    field: icmp_error
    target_field: error_type

identifies all ICMP message types:

{
  "icmp_request": 8,
  "icmp_response": 0,
  "icmp_error": 11,
  "request_type": "Echo",
  "response_type": "Echo Reply",
  "error_type": "Time Exceeded"
}

Router Advertisement Messages

Converting router-related ICMP types...

{
  "icmp_router_adv": 9,
  "icmp_router_sol": 10,
  "icmp_redirect": 5
}
- icmp_type:
    field: icmp_router_adv
    target_field: router_adv_type
- icmp_type:
    field: icmp_router_sol
    target_field: router_sol_type
- icmp_type:
    field: icmp_redirect
    target_field: redirect_type

identifies router message types:

{
  "icmp_router_adv": 9,
  "icmp_router_sol": 10,
  "icmp_redirect": 5,
  "router_adv_type": "Router Advertisement",
  "router_sol_type": "Router Solicitation",
  "redirect_type": "Redirect"
}

Timestamp Messages

Converting timestamp-related ICMP types...

{
  "timestamp_request": 13,
  "timestamp_reply": 14
}
- icmp_type:
    field: timestamp_request
    target_field: timestamp_req_type
- icmp_type:
    field: timestamp_reply
    target_field: timestamp_rep_type

identifies timestamp message types:

{
  "timestamp_request": 13,
  "timestamp_reply": 14,
  "timestamp_req_type": "Timestamp",
  "timestamp_rep_type": "Timestamp Reply"
}

Unknown Type Handling

Handling unknown ICMP type codes...

{
  "custom_icmp": 200,
  "reserved_icmp": 44
}
- icmp_type:
    field: custom_icmp
    target_field: custom_name
- icmp_type:
    field: reserved_icmp
    target_field: reserved_name

provides fallback identification:

{
  "custom_icmp": 200,
  "reserved_icmp": 44,
  "custom_name": "Unassigned",
  "reserved_name": "Unassigned"
}

Conditional ICMP Analysis

Converting ICMP types based on conditions...

{
  "icmp_type_code": 42,
  "protocol": "icmp"
}
- icmp_type:
    field: icmp_type_code
    target_field: message_type
    if: "protocol == 'icmp'"

applies conversion when conditions match:

{
  "icmp_type_code": 42,
  "protocol": "icmp",
  "message_type": "Extended Echo Request"
}