howtouselinux

Capture Ping Packets With Tcpdump


ICMP is a network layer protocol used by network devices to diagnose network communication issues. The tcpdump command on Linux can filter ICMP packets by protocol and by message type. The following examples show how to capture ICMP and ICMPv6 packets with tcpdump on Linux.

What is ICMP?

The Internet Control Message Protocol (ICMP) is a protocol that is used to send control messages between hosts on the network. ICMP messages are used to report errors and other information about the network.

ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. ICMP is crucial for error reporting and testing.

Some of the most common ICMP messages include the Ping and Traceroute commands.

The Ping command is used to test the reachability of a host on the network. The Traceroute command is used to find the path that a packet takes from one host to another.

Ping operates by sending ICMP echo request packets to the target host and waiting for an ICMP echo reply.

How to Use the Ping Command in Linux

The ping command is used to test the reachability of a host on the network. It has the following syntax: ping [OPTION]... HOST

The “HOST” parameter specifies the name of the host that you want to ping.

  • The “-c” parameter is used to specify the number of packets that you want to send.
  • The “-I” parameter is used to specify the interface that you want to use.
  • The “-s” parameter is used to specify the size of the packet.


The ping command can be used to send a single packet to a host or to send a series of packets.

To send a single packet to a host, use the following command:

ping -c 1 192.168.1.1

To send a series of packets to a host (here ten), use the following command:

ping -c 10 192.168.1.1

The following is the output of the ping command when it is executed from the command line:

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.457 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.236 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.239 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.271 ms

^C

--- 192.168.1.1 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.236/0.269/0.457/0.097 ms

The output of the ping command shows that the four packets were successfully transmitted and received, and there was no packet loss. The output also shows the minimum, average, and maximum round-trip time.
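Scripts that wrap ping usually need the statistics block above as numbers rather than text. The following shell functions are an added example written for this page, not code from the original post: they parse the packet-loss percentage and the rtt fields out of `ping -c N HOST` output and combine them into a pass/fail reachability check. The sample output is constructed to match the iputils format shown above; it is not a real capture.

```shell
# Added example: parse `ping -c N HOST` output into values a script can act on.
# PING_OUTPUT is constructed in the iputils ping format shown on the page.

PING_OUTPUT='PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.457 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.236 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.239 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.271 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.236/0.269/0.457/0.097 ms'

# Number of echo replies actually received (one "icmp_seq=" line each).
ping_reply_count() {
    awk '/icmp_seq=/ { n++ } END { print n + 0 }'
}

# Packet-loss percentage from the statistics line ("0% packet loss" -> 0).
ping_loss_pct() {
    awk '/packet loss/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /%$/) { sub(/%/, "", $i); print $i; exit }
    }'
}

# One round-trip statistic from the "rtt min/avg/max/mdev = a/b/c/d ms" line.
# Usage: ping_rtt_field min|avg|max|mdev
ping_rtt_field() {
    awk -v f="$1" '/^rtt / {
        idx["min"] = 1; idx["avg"] = 2; idx["max"] = 3; idx["mdev"] = 4
        split($4, v, "/")
        print v[idx[f]]
        exit
    }'
}

# Health check: succeed only when no packets were lost and the worst
# round-trip time stayed below a threshold in milliseconds (default 1 ms).
# With 100% loss ping prints no rtt line, so the loss check guards the rest.
ping_ok() {
    threshold="${1:-1}"
    input=$(cat)
    loss=$(printf '%s\n' "$input" | ping_loss_pct)
    worst=$(printf '%s\n' "$input" | ping_rtt_field max)
    [ "$loss" = "0" ] && [ -n "$worst" ] &&
        awk -v m="$worst" -v t="$threshold" 'BEGIN { exit !(m < t) }'
}

# Stand-alone demo on the constructed sample.
if printf '%s\n' "$PING_OUTPUT" | ping_ok 1; then
    echo "reachable: $(printf '%s\n' "$PING_OUTPUT" | ping_loss_pct)% loss," \
         "max rtt $(printf '%s\n' "$PING_OUTPUT" | ping_rtt_field max) ms"
else
    echo "degraded or unreachable"
fi
```

Feed the functions real output with `ping -c 4 HOST | ping_ok 1`; the threshold is a latency budget in milliseconds, so a link that answers every packet but with a slow worst case still fails the check.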

Change Ping Packet Size in Ping Command

The “-s” parameter is used to specify the size of the packet. You can use this parameter to change the size of the packet. In some scenarios, we may want to use -s to increase the packet size from the default value of 64 bytes.

For example, to increase the packet size to 1000 bytes:

ping -s 1000 google.com

How to Capture ICMP Packets With Tcpdump

The tcpdump command can be used to capture packets that are being transmitted and received on a network.

In IPv4, we can use the following tcpdump command to filter all ICMP packets. We use the eth0 network interface in all our examples; change it to match your environment.

This command will capture ICMP packets that are being transmitted and received on the eth0 interface.

# tcpdump -i eth0 icmp

To filter ICMP echo requests only, match on the ICMP type. icmp[0] is the first byte of the ICMP header, the type field, and 8 is echo request (the same expression with 0 matches echo replies).

# tcpdump -i eth0 "icmp[0] == 8"

These are the packets captured by the tcpdump command:

14:37:14.555295 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 0, length 64
14:37:15.557948 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 1, length 64
14:37:16.562905 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 2, length 64

How to Capture ICMPv6 packets With Tcpdump

In IPv6, the fixed IPv6 header is 40 bytes long, so byte 40 of the IPv6 packet is the first byte of the ICMPv6 header, which holds the message type. We can use this tcpdump command to filter all ICMPv6 packets.

# tcpdump -i eth0 icmp6

We can use this tcpdump command to filter ICMPv6 echo requests: ip6[40] is the ICMPv6 type byte and 128 is echo request (129 is echo reply). Note that this fixed offset assumes no IPv6 extension headers sit between the IPv6 header and the ICMPv6 header.

# tcpdump -i eth0 "icmp6 && ip6[40] == 128"

In recent versions of tcpdump/libpcap, the named constants icmp6type and icmp6-echo can be used instead of the numeric offset and value to capture ICMPv6 echo requests.

# tcpdump -i eth0 'icmp6[icmp6type]=icmp6-echo'
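Once the ICMP (IPv4) and ICMPv6 echo traffic from the two sections above has been captured, the next question is usually what it shows: who is sending echo requests, how many hosts each source is probing, and which requests never got a reply. The shell functions below are an added example written for this page, not code from the original post, and work on the text tcpdump prints to stdout. The sample lines are constructed: the IPv4 lines follow the "IP src > dst: ICMP echo request, id N, seq N, length N" format shown above, and the IPv6 lines assume tcpdump's "IP6 src > dst: ICMP6, echo request, ..." layout. The addresses 2001:db8::1, 2001:db8::2 and 10.79.101.50 are made up for the sample.

```shell
# Added example: summarize ICMP/ICMPv6 echo traffic from tcpdump's text output.
# TCPDUMP_OUTPUT is constructed in the format tcpdump prints; it is not a real
# capture. The IPv6 line layout ("ICMP6, echo request") is an assumption.

TCPDUMP_OUTPUT='14:37:14.555295 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 0, length 64
14:37:14.570112 IP 108.177.125.101 > 10.79.101.23: ICMP echo reply, id 61205, seq 0, length 64
14:37:15.557948 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 1, length 64
14:37:15.571003 IP 108.177.125.101 > 10.79.101.23: ICMP echo reply, id 61205, seq 1, length 64
14:37:16.562905 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 2, length 64
14:37:17.100421 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo request, id 7, seq 1, length 64
14:37:17.101337 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo reply, id 7, seq 1, length 64
14:37:18.000100 IP 10.79.101.50 > 10.79.101.1: ICMP echo request, id 9, seq 0, length 64
14:37:18.000200 IP 10.79.101.50 > 10.79.101.2: ICMP echo request, id 9, seq 1, length 64
14:37:18.000300 IP 10.79.101.50 > 10.79.101.3: ICMP echo request, id 9, seq 2, length 64'

# Echo requests per source address, printed as "source count", sorted.
# Both address families use the "src > dst:" layout and the words
# "echo request", so one rule covers ICMP and ICMPv6 lines.
icmp_requests_by_src() {
    awk '/echo request/ { n[$3]++ } END { for (s in n) print s, n[s] }' | sort
}

# Number of distinct destinations a given source has sent echo requests to.
# A monitoring host polling one gateway has a fan-out of 1; a source fanning
# out across many hosts is the pattern worth reviewing.
icmp_fanout() {
    awk -v src="$1" '/echo request/ && $3 == src {
        d = $5; sub(/:$/, "", d); seen[d] = 1
    } END { n = 0; for (d in seen) n++; print n }'
}

# Echo requests that never got a matching reply (same id and seq, addresses
# swapped): the destination is down, filtering ICMP, or does not exist.
icmp_unanswered() {
    awk '{
        dst = $5; sub(/:$/, "", dst)
        id = ""; seq = ""
        for (i = 1; i < NF; i++) {
            if ($i == "id")  { id = $(i + 1); sub(/,/, "", id) }
            if ($i == "seq") { seq = $(i + 1); sub(/,/, "", seq) }
        }
        if ($0 ~ /echo request/) req[$3 "|" dst "|" id "|" seq] = 1
        else if ($0 ~ /echo reply/) rep[dst "|" $3 "|" id "|" seq] = 1
    } END {
        n = 0
        for (k in req) if (!(k in rep)) n++
        print n
    }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$TCPDUMP_OUTPUT" | icmp_requests_by_src
echo "unanswered echo requests: $(printf '%s\n' "$TCPDUMP_OUTPUT" | icmp_unanswered)"
echo "distinct targets from 10.79.101.50: $(printf '%s\n' "$TCPDUMP_OUTPUT" | icmp_fanout 10.79.101.50)"
```

To run this on live traffic, pipe the capture in with line buffering, for example `tcpdump -l -n -i eth0 'icmp or icmp6' | icmp_requests_by_src`; `-n` keeps addresses numeric so the field positions the awk rules rely on do not change.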
