ICMP redirect messages are sent by routers to tell hosts on the same broadcast domain that a better first hop exists for a destination. A router sends one when it has to forward a packet back out of the same interface on which it received it.
To understand this, let's look at the following topology:
The host H1 reaches the internet through its default gateway 10.0.12.1, which is router R1. The host has no routes other than the default route. If H1 wants to reach the server at 10.0.23.3, it sends the packet to its gateway (10.0.12.1). Router R1 finds that to reach the destination it has to send the packet to R2, and R2 is on the same broadcast domain as the host.
Since R1 has to send the packet out of the same interface on which it arrived, it sends an ICMP redirect message to H1. R1 still forwards that first packet from H1 to the server; the subsequent packets of the conversation no longer arrive at R1.
R1# *Mar 1 00:15:07.419: ICMP: redirect sent to 10.0.12.3 for dest 10.0.23.3, use gw 10.0.12.2
In the Wireshark capture we can see an ICMP redirect (packet number 4) sent from R1 to the host. Packet number 3 is the initial TCP SYN from the host; R1 forwards this packet out of the same interface on which it arrived. The subsequent packets to the server are sent directly to R2.
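The decision R1 makes above can be written down as a small forwarding model. The following is an added example, not code from the article or from Cisco IOS: it models R1's routing table and interfaces with the addresses the article uses (10.0.12.1/24 on the LAN shared with H1 and R2, the server subnet 10.0.23.0/24 via R2 at 10.0.12.2), does a longest-prefix lookup, and reports a redirect only when the egress interface equals the ingress interface and both the sender and the better gateway are on that interface's subnet. The interface names, R1's second interface (f0/1 on 10.0.13.0/24) and the per-interface `ip_redirects` flag, which models the `no ip redirects` command, are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Topology from the article: R1's LAN interface is 10.0.12.1/24, shared with
# H1 (10.0.12.3) and R2 (10.0.12.2); the server 10.0.23.3 sits behind R2.
# Interface names and R1's second interface (f0/1, 10.0.13.0/24) are
# assumptions made for this example, not taken from the page.


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # address with prefix, e.g. 10.0.12.1/24
    ip_redirects: bool = True         # False models 'no ip redirects'


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str


R1_INTERFACES = {
    "f0/0": Interface("f0/0", ipaddress.ip_interface("10.0.12.1/24")),
    "f0/1": Interface("f0/1", ipaddress.ip_interface("10.0.13.1/24")),
}

R1_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.0.12.0/24"), None, "f0/0"),
    Route(ipaddress.ip_network("10.0.13.0/24"), None, "f0/1"),
    # The server subnet is reached via R2, which is on the same LAN as H1.
    Route(ipaddress.ip_network("10.0.23.0/24"), ipaddress.ip_address("10.0.12.2"), "f0/0"),
]


def lookup(routes, dst):
    """Longest-prefix match. Returns the best Route or None."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(routes, interfaces, ingress, src, dst):
    """Forwarding decision for one packet that arrived on `ingress`.

    Returns (egress_interface, next_hop, redirect_gateway), where
    redirect_gateway is the address the router would name in an ICMP
    redirect, or None if no redirect is sent. Returns None if there is
    no route at all.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup(routes, dst)
    if route is None:
        return None
    next_hop = route.next_hop if route.next_hop is not None else dst
    in_if = interfaces[ingress]
    redirect = None
    # Redirect only when the packet leaves the interface it arrived on, the
    # sender is on that interface's subnet, the better gateway is on the same
    # subnet, and redirects are enabled on that interface.
    if (in_if.ip_redirects
            and route.interface == ingress
            and src in in_if.address.network
            and next_hop in in_if.address.network):
        redirect = next_hop
    return route.interface, next_hop, redirect


def redirect_log(src, dst, gw):
    """The log line R1 prints in the article, in the same format."""
    return f"ICMP: redirect sent to {src} for dest {dst}, use gw {gw}"


def disable_redirects(interfaces, name):
    """Copy of the interface table with 'no ip redirects' applied to `name`."""
    return {**interfaces, name: replace(interfaces[name], ip_redirects=False)}


if __name__ == "__main__":
    egress, nh, gw = forward(R1_ROUTES, R1_INTERFACES, "f0/0", "10.0.12.3", "10.0.23.3")
    print(f"egress {egress}, next hop {nh}")
    if gw is not None:
        print(redirect_log("10.0.12.3", "10.0.23.3", gw))
```

Running it reproduces the article's log line for H1's first packet to the server. Feeding the same destination in from f0/1, or a packet from H1 bound for the f0/1 subnet, yields a plain forward with no redirect, and disabling redirects on f0/0 leaves the forwarding decision unchanged while suppressing the message, which is exactly the doubled-packet situation described later in the article.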
When the host receives a redirect message, it installs a host route (a /32 entry) to the destination via the gateway named in the redirect.
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 3c 85 ea ...... VMware Accelerated AMD PCNet Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.12.1       10.0.12.3      10
        10.0.12.0    255.255.255.0        10.0.12.3       10.0.12.3      10
        10.0.12.3  255.255.255.255        127.0.0.1       127.0.0.1      10
        10.0.23.3  255.255.255.255        10.0.12.2       10.0.12.3       1
   10.255.255.255  255.255.255.255        10.0.12.3       10.0.12.3      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   184.108.40.206        240.0.0.0        10.0.12.3       10.0.12.3      10
  255.255.255.255  255.255.255.255        10.0.12.3       10.0.12.3       1
Default Gateway:         10.0.12.1
===========================================================================
Persistent Routes:
None
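The 10.0.23.3 entry above is the route the redirect installed: a /32 whose gateway is neither the host itself, nor loopback, nor the default gateway. Such entries are worth checking on a host, since they change where traffic is sent without any change to the configured gateway. The following is an added example, not part of the article: it parses the `route print` output shown above (reproduced inline as constructed sample text) and returns the host routes that have that shape. The column layout is the one Windows prints; the parser only relies on the "Active Routes:" and "Default Gateway:" markers and on rows having five fields.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the 'route print' output from the article, one route per line.
ROUTE_PRINT = """\
C:\\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 3c 85 ea ...... VMware Accelerated AMD PCNet Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.12.1       10.0.12.3      10
        10.0.12.0    255.255.255.0        10.0.12.3       10.0.12.3      10
        10.0.12.3  255.255.255.255        127.0.0.1       127.0.0.1      10
        10.0.23.3  255.255.255.255        10.0.12.2       10.0.12.3       1
   10.255.255.255  255.255.255.255        10.0.12.3       10.0.12.3      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   184.108.40.206        240.0.0.0        10.0.12.3       10.0.12.3      10
  255.255.255.255  255.255.255.255        10.0.12.3       10.0.12.3       1
Default Gateway:         10.0.12.1
===========================================================================
Persistent Routes:
None
"""


@dataclass(frozen=True)
class RouteEntry:
    destination: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


# A route row: four address-like fields followed by an integer metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

HOST_MASK = ipaddress.ip_address("255.255.255.255")


def parse_route_print(text: str) -> Tuple[List[RouteEntry], Optional[ipaddress.IPv4Address]]:
    """Return (active routes, default gateway) from 'route print' output."""
    entries: List[RouteEntry] = []
    default_gw = None
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if line.startswith("Default Gateway:"):
            default_gw = ipaddress.ip_address(line.split(":", 1)[1].strip())
            in_table = False
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if not m:
            continue  # the column header line and separators do not match
        entries.append(RouteEntry(*(ipaddress.ip_address(f) for f in m.groups()[:4]),
                                  int(m.group(5))))
    return entries, default_gw


def redirect_host_routes(entries: List[RouteEntry],
                         default_gw: Optional[ipaddress.IPv4Address]) -> List[RouteEntry]:
    """Host (/32) routes that point at a gateway other than the host itself,
    loopback, or the default gateway: the shape an ICMP redirect leaves behind."""
    return [e for e in entries
            if e.netmask == HOST_MASK
            and not e.gateway.is_loopback
            and e.gateway != e.interface
            and e.gateway != default_gw]


if __name__ == "__main__":
    routes, gw = parse_route_print(ROUTE_PRINT)
    for e in redirect_host_routes(routes, gw):
        print(f"host route {e.destination} via {e.gateway} (metric {e.metric}), default gateway is {gw}")
```

On the sample this reports only 10.0.23.3 via 10.0.12.2. The loopback /32 for the host's own address and the broadcast /32 entries are excluded because their gateway is loopback or the interface address itself. The same filter can be run against live `route print` output on a Windows host to confirm which destinations are currently being steered away from the configured gateway.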
ICMP redirects are enabled by default on a Cisco router. They can be turned off per interface with the interface command no ip redirects.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config-if)#no ip redirects
Since no redirect messages are sent, every packet from H1 to the server arrives at R1, and R1 then sends it on to R2 out of the same interface. When we capture packets on the f0/0 interface of R1 we can see that all packets are doubled. We only see the packets from H1 to the server, not the packets from the server to H1, because R2 delivers the return traffic directly to H1 on the shared segment without passing through R1.
Wireshark interprets these duplicate packets as retransmissions. Each packet from H1 to the server is displayed twice: the first is the packet from H1 arriving at R1, the second is the same packet after R1 routes it out of the same interface towards R2.