Capture ICMP Packets With Tcpdump

Updated: Feb 9

ICMP is a network-layer protocol that hosts and routers use to report errors and diagnose connectivity problems. The tcpdump command on Linux can filter for ICMP traffic. The following examples show how to capture ICMP and ICMPv6 packets with tcpdump on Linux.




What is ICMP?

ICMP is short for Internet Control Message Protocol.


ICMP carries error and diagnostic messages between hosts and routers. A router sends a destination-unreachable or time-exceeded message when it cannot forward a datagram, and ping uses echo request and echo reply messages to check whether a host is reachable and how long the round trip takes. ICMP is essential for error reporting and testing, and because most networks let echo traffic through, it is also worth watching: ping sweeps and ICMP tunnels ride on the same echo messages.


Ping operates by sending ICMP echo request packets (type 8) to the target host and waiting for an ICMP echo reply (type 0).


How to Capture ICMP Packets With Tcpdump

For IPv4, this tcpdump command captures all ICMP packets. The examples use the eth0 interface; change it to match your environment (run `ip link` to list interfaces). Capturing requires root or CAP_NET_RAW, hence the # prompt, and adding -n suppresses reverse DNS lookups for the addresses in the output.

# tcpdump -i eth0 icmp

To capture only ICMP echo requests, match on the ICMP type, which is the first byte of the ICMP header (type 8 is echo request, type 0 is echo reply). The same filter can be written with libpcap's symbolic names as `icmp[icmptype] == icmp-echo`.

# tcpdump -i eth0 "icmp[0] == 8"

Sample output from that filter while a ping is running: one echo request per second, with a constant id and an incrementing seq.

14:37:14.555295 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 0, length 64
14:37:15.557948 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 1, length 64
14:37:16.562905 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 2, length 64

How to Capture ICMPv6 packets With Tcpdump

The fixed IPv6 header is 40 bytes long, so when ICMPv6 follows it directly, byte 40 of the IPv6 packet is the first byte of the ICMPv6 header, which holds the message type. If extension headers such as Hop-by-Hop or Routing sit between the IPv6 header and ICMPv6, that offset is wrong and the byte-offset filter below misses the packet. This tcpdump command captures all ICMPv6 packets.

# tcpdump -i eth0 icmp6

To capture only ICMPv6 echo requests (type 128; echo replies are type 129), compare byte 40 of the IPv6 packet.

# tcpdump -i eth0 "icmp6 && ip6[40] == 128"

Newer versions of tcpdump/libpcap also accept symbolic names, so the same echo-request filter can be written without the raw offset (icmp6-echo is the echo request; icmp6-echoreply matches replies).

# tcpdump -i eth0 'icmp6[icmp6type]=icmp6-echo'
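To see why `icmp[0] == 8` and `ip6[40] == 128` pick out echo requests, and when the IPv6 form fails, here is an added example that is not part of the original post. It builds raw IPv4/ICMP and IPv6/ICMPv6 packets (the addresses, id and payload are constructed), evaluates the two byte-offset filters the way libpcap does, and writes the packets to a pcap file so the same expressions can be tried offline with `tcpdump -r icmp_test.pcap 'icmp[0] == 8'`. The fifth packet carries a Hop-by-Hop extension header in front of ICMPv6, and the filter misses it because libpcap computes `ip6[40]` from the fixed header and does not walk extension headers.

```python
# Added example (not from the original post): construct IPv4/ICMP and
# IPv6/ICMPv6 packets, apply the page's byte-offset filters to them, and
# write a LINKTYPE_RAW pcap for `tcpdump -r`. All addresses are constructed.
import struct
import ipaddress

IPPROTO_HOPOPTS, IPPROTO_ICMP, IPPROTO_ICMPV6 = 0, 1, 58
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0          # icmp[0] values (IPv4)
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129  # ip6[40] values (IPv6)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(msg_type: int, ident: int, seq: int, pseudo: bytes = b"") -> bytes:
    """Echo header (type, code, checksum, id, seq) plus a 56-byte payload, like
    ping. ICMPv6 checksums also cover an IPv6 pseudo-header passed as `pseudo`."""
    body = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + b"A" * 56
    return body[:2] + struct.pack("!H", checksum(pseudo + body)) + body[4:]


def ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header with IHL=5, so the ICMP type lands at byte 20."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, IPPROTO_ICMP, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header: whatever follows it starts at byte 40."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def icmpv6_echo(src: str, dst: str, msg_type: int, ident: int, seq: int,
                hop_by_hop: bool = False) -> bytes:
    """ICMPv6 echo in IPv6, optionally behind a Hop-by-Hop extension header."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    pseudo = s + d + struct.pack("!I3xB", 8 + 56, IPPROTO_ICMPV6)
    icmp = icmp_echo(msg_type, ident, seq, pseudo)
    if not hop_by_hop:
        return ipv6_packet(src, dst, IPPROTO_ICMPV6, icmp)
    # Hop-by-Hop header: next header = ICMPv6, ext len 0 (8 bytes), PadN option.
    hbh = struct.pack("!BBBB4x", IPPROTO_ICMPV6, 0, 1, 4)
    return ipv6_packet(src, dst, IPPROTO_HOPOPTS, hbh + icmp)


def match_icmp_echo_request(pkt: bytes) -> bool:
    """tcpdump 'icmp[0] == 8': IPv4, protocol ICMP, and the byte right after
    the IPv4 header is 8 (libpcap scales the offset by IHL, so IP options are
    handled; this model does the same)."""
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl] == ICMP_ECHO_REQUEST


def match_icmp6_echo_request(pkt: bytes) -> bool:
    """tcpdump 'icmp6 && ip6[40] == 128': IPv6, Next Header (byte 6) is 58 and
    byte 40 is 128. An extension header in front of ICMPv6 defeats both tests."""
    if pkt[0] >> 4 != 6:
        return False
    return pkt[6] == IPPROTO_ICMPV6 and pkt[40] == ICMPV6_ECHO_REQUEST


def write_pcap(path: str, packets: list[bytes]) -> None:
    """Write packets as LINKTYPE_RAW (101, bare IP) so tcpdump -r can read them."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt)


def sample_packets() -> list[bytes]:
    """Constructed traffic: a v4 request/reply pair, a v6 pair, and a v6
    request hidden behind a Hop-by-Hop header."""
    return [
        ipv4_packet("10.79.101.23", "108.177.125.101", icmp_echo(ICMP_ECHO_REQUEST, 61205, 0)),
        ipv4_packet("108.177.125.101", "10.79.101.23", icmp_echo(ICMP_ECHO_REPLY, 61205, 0)),
        icmpv6_echo("2001:db8::1", "2001:db8::2", ICMPV6_ECHO_REQUEST, 7, 0),
        icmpv6_echo("2001:db8::2", "2001:db8::1", ICMPV6_ECHO_REPLY, 7, 0),
        icmpv6_echo("2001:db8::1", "2001:db8::2", ICMPV6_ECHO_REQUEST, 7, 1, hop_by_hop=True),
    ]


def run_filters(packets: list[bytes]) -> dict:
    """Per-packet match results for the two filters from the page."""
    return {
        "icmp[0] == 8": [match_icmp_echo_request(p) for p in packets],
        "icmp6 && ip6[40] == 128": [match_icmp6_echo_request(p) for p in packets],
    }


if __name__ == "__main__":
    pkts = sample_packets()
    write_pcap("icmp_test.pcap", pkts)
    for expr, hits in run_filters(pkts).items():
        print(f"{expr:28} -> {hits}")
```

Running the script writes icmp_test.pcap and prints one match list per filter; only the first packet matches the IPv4 filter and only the third matches the IPv6 one. Reading the same file with `tcpdump -r icmp_test.pcap -n 'icmp6 && ip6[40] == 128'` shows the same result, and `tcpdump -r icmp_test.pcap -n ip6` shows that the fifth packet is still ICMPv6 even though the offset filter does not see it.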
