2026-06-02

ICMP Destination Unreachable and Packet Too Big PCAP Analysis: What the Network Is Telling You

How to analyze ICMP Destination Unreachable, Port Unreachable, Host Unreachable, Fragmentation Needed, Packet Too Big, policy filtering, and path MTU evidence in PCAP files.

ICMP is often ignored until something breaks. Then it becomes one of the clearest sources of network evidence. A packet capture may show Destination Unreachable, Port Unreachable, Host Unreachable, Fragmentation Needed, Packet Too Big, or Time Exceeded. Users search for "ICMP Destination Unreachable pcap", "ICMP Port Unreachable meaning", "Packet Too Big path MTU", and "fragmentation needed Wireshark" because ICMP messages explain failures that TCP or UDP applications report vaguely.

PCAP Surgery is useful because ICMP messages are small but important. They are easy to lose when trimming a capture. If you remove them, you may remove the network's explanation.

ICMP is error reporting

ICMP does not carry application data. It reports network-layer conditions. For troubleshooting, ICMP can reveal:

  • Destination host unreachable.
  • Destination network unreachable.
  • Port unreachable.
  • Communication administratively prohibited.
  • Fragmentation needed.
  • IPv6 packet too big.
  • TTL exceeded.
  • Redirects or routing behavior.

Each message should be interpreted with the original packet that triggered it.

Port unreachable

For UDP, port unreachable is common. If a host receives UDP for a closed port, it may reply:

ICMP Destination Unreachable: Port Unreachable

This can explain DNS, syslog, telemetry, QUIC, RTP, or custom UDP failures. The application might call it a timeout, but the network capture shows an explicit rejection.

If no ICMP response appears, the packet may have been dropped silently.

Host or network unreachable

Host/network unreachable messages suggest routing or reachability problems. They may come from an intermediate router, firewall, gateway, or local host.

Important questions:

  • Who sent the ICMP message?
  • Which original packet triggered it?
  • Does it affect all destinations or one subnet?
  • Does routing change during the capture?
  • Is a VPN or tunnel involved?

The source of the ICMP message often identifies the device that knows about the problem.

Fragmentation needed and Packet Too Big

For IPv4 packets with the Don't Fragment (DF) bit set, routers may send "Fragmentation Needed" when a packet exceeds the path MTU. For IPv6, "Packet Too Big" is essential for Path MTU Discovery (PMTUD).

If these messages are present and the sender adapts, PMTUD works. If they are absent or blocked, large packets may vanish and the connection may stall.

This evidence is critical for VPN, tunnel, cloud overlay, and large TLS handshake problems.

Administratively prohibited

Some ICMP unreachable messages indicate policy filtering. That is different from a host being down. A firewall or router may explicitly say communication is prohibited.

If you see policy-related ICMP, the right team is often firewall/network policy, not application development.

Checklist

Use this process:

  1. Filter ICMP and ICMPv6.
  2. Identify message type and code.
  3. Identify who sent the ICMP message.
  4. Inspect the embedded original packet.
  5. Correlate ICMP timing with application failure.
  6. Preserve ICMP when trimming the capture.
  7. For Packet Too Big, inspect MTU value and whether sender adapts.
  8. For Port Unreachable, identify UDP service and port.
  9. For policy messages, identify firewall or gateway source.
  10. Compare with routing/VPN topology.
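
Steps 2, 3, 4 and 7 of the checklist for IPv4, as an added example (not code from the original page or from PCAP Surgery): a parser that takes one raw IPv4 packet and returns the ICMP code, the device that reported it, the next-hop MTU for Fragmentation Needed, and the addresses and ports of the embedded original packet. The helper `build_ipv4`, the `SAMPLE` packet and all addresses are constructed for illustration; ICMPv6 Packet Too Big is not handled here.

```python
import socket
import struct

# ICMPv4 type 3 codes this page discusses (RFC 792, RFC 1191, RFC 1812)
UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                 3: "Port Unreachable", 4: "Fragmentation Needed",
                 13: "Communication Administratively Prohibited"}

def parse_unreachable(ip_packet: bytes):
    """Decode an IPv4 packet carrying ICMP Destination Unreachable.
    Returns None for any other packet or a truncated message."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 1:
        return None                          # not IPv4, or not ICMP
    icmp = ip_packet[(ip_packet[0] & 0x0F) * 4:]   # skip outer header + options
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        return None                          # need ICMP header + embedded IP header
    code, inner = icmp[1], icmp[8:]          # inner = packet that triggered the error
    result = {
        "reporter": socket.inet_ntoa(ip_packet[12:16]),  # device that sent the ICMP
        "code": UNREACH_CODES.get(code, f"code {code}"),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner[9],
    }
    if code == 4:                            # RFC 1191: next-hop MTU in bytes 6-7
        result["next_hop_mtu"] = struct.unpack("!H", icmp[6:8])[0]
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 4]      # TCP/UDP source and destination port
    if inner[9] in (6, 17) and len(l4) == 4:
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", l4)
    return result

def build_ipv4(src, dst, proto, payload, df=False):
    # Constructed 20-byte header for the sample; checksum left 0 (not validated above)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample: router 10.0.0.1 tells 192.168.1.10 that its DF-set TCP
# packet to 203.0.113.5:443 does not fit a 1400-byte next hop.
orig = build_ipv4("192.168.1.10", "203.0.113.5", 6,
                  struct.pack("!HHI", 51000, 443, 1), df=True)
SAMPLE = build_ipv4("10.0.0.1", "192.168.1.10", 1,
                    struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + orig)

if __name__ == "__main__":
    print(parse_unreachable(SAMPLE))
```

The `reporter` field is the ICMP sender, which is the router or firewall that knows about the problem and is usually not the destination of the original packet.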

Final diagnosis

ICMP messages are not noise. They are network-layer evidence. Destination Unreachable, Port Unreachable, Fragmentation Needed, Packet Too Big, and policy messages can explain failures that applications report only as timeout or reset.

PCAP Surgery helps preserve these small but decisive packets so the final trace still contains the network's own explanation.