Skip to Content

Capture Ping Packets With Tcpdump

ICMP is a network layer protocol used by network devices to diagnose network communication issues. Tcpdump command on Linux can be used to capture network packets. We can use the following examples to capture ICMP and ICMPv6 packets with tcpdump command on Linux.

What is ICMP?

The Internet Control Message Protocol (ICMP) is a protocol that is used to send control messages between hosts on the network.

ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. ICMP is crucial for error reporting and testing.

The Ping command is a network diagnostic tool that utilizes ICMP messages to test the reachability of a host on the network.

Ping operates by sending ICMP echo request packets to the target host and waiting for an ICMP echo reply.

how to use ping command in Linux?

The ping command is used to test the reachability of a host on the network.The ping command has the following syntax:

ping [OPTION]... HOST

The “HOST” parameter specifies the name of the host that you want to ping.

The ping command can be used to send a single packet to a host or to send a series of packets.

To send a single packet to a host, you can use the following command:

ping -c 1 192.168.1.1

To send a series of packets to a host, use the following command:

ping -c 10 192.168.1.1

The following is the output of the ping command when it is executed from the command line:

PING 192.168.1.254 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.457 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.236 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.239 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.271 ms

^C

— 192.168.1.1 ping statistics —

4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.236/0.269/0.457/0.097 ms

The output of the ping command shows that the four packets were successfully transmitted and received, and there was no packet loss. The output also shows the minimum, average, and maximum round-trip time.

  • The “-c” parameter is used to specify the number of packets that you want to send.
  • The “-I” parameter is used to specify the interface that you want to use.
  • The “-s” parameter is used to specify the size of the packet. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of header data.

 

How to Capture ICMP Packets With Tcpdump

The tcpdump command can be used to capture packets that are being transmitted and received on a network.

In IPV4, we can use the following tcpdump command to filter all ICMP packets. We use eth0 network interface in all our examples. Please change it based on your environment.

This command will capture ICMP packets that are being transmitted and received on the eth0 interface.

# tcpdump -i eth0 icmp

Let’s break down the command:

  • “-i eth0”: This option specifies the network interface to capture packets from. In this case, it is eth0, which is a common naming convention for the first Ethernet interface on a Linux system.
  • “icmp”: This is a filter expression that specifies the type of traffic to capture. In this case, it filters for ICMP packets, allowing only ICMP traffic to be captured.

 

To filter ICMP echo-requests, we can use this tcpdump command.

# tcpdump -i eth0 "icmp[0] == 8"

These are the packets we get captured with tcpdump command.

14:37:14.555295 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 0, length 64
14:37:15.557948 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 1, length 64
14:37:16.562905 IP 10.79.101.23 > 108.177.125.101: ICMP echo request, id 61205, seq 2, length 64

These lines represent a series of ICMP echo request packets being sent from a source IP address to a destination IP address. The ID and sequence numbers are used to track the individual packets, while the length indicates the size of the packets in bytes.

How to Capture ICMPv6 packets With Tcpdump

In IPv6, an IPv6 packet is 40 bytes long, and the first 8 bits of the ICMPv6 header specify its type. We can use this tcpdump command to filter all ICMPv6 packets.

# tcpdump -i eth0 icmp6

We can use this tcpdump command to filter ICMPv6 echo-requests.

# tcpdump -i eth0 "icmp6 && ip6[40] == 128"

In the latest versions of tcpdump/libpcap, we can use the following command to capture ICMPv6 echo packets.

# tcpdump -i eth0 'icmp6[icmp6type]=icmp6-echo'

Here are more info about tcpdump options.

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

Option Description
-i Listen on the specified interface.
-n Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
-t Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
-X Show the packet’s contents in both hex and ascii.
-v enables verbose logging/details (which among other things will give us a running total on how many packets are captured
-c Only get N number of packets and then stop.
-s Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S Print absolute sequence numbers.
-q Show less protocol information.
-w Write the raw packets to file
-C tells tcpdump to store up to x MB of packet data per file.
-G Create a new file every time the specified number of seconds has elapsed.

Here are more tcpdump examples.

Command Description
tcpdump -i eth0 Captures all network traffic on the eth0 interface.
tcpdump -i eth0 tcp Filters and captures only TCP (Transmission Control Protocol) packets on the eth0 interface.
tcpdump -i eth0 udp Filters and captures only UDP (User Datagram Protocol) packets on the eth0 interface.
tcpdump -i eth0 port 80 Filters and captures packets with a source or destination port of 80 (commonly used for HTTP traffic) on the eth0 interface.
tcpdump -i eth0 host 192.168.0.1 Filters and captures packets with a source or destination IP address of 192.168.0.1 on the eth0 interface.
tcpdump -i eth0 icmp Filters and captures only ICMP (Internet Control Message Protocol) packets on the eth0 interface.
tcpdump -i eth0 src host 192.168.0.2 Filters and captures packets with a source IP address of 192.168.0.2 on the eth0 interface.
tcpdump -i eth0 dst host 192.168.0.2 Filters and captures packets with a destination IP address of 192.168.0.2 on the eth0 interface.
tcpdump -i eth0 portrange 10000-20000 Filters and captures packets with a source or destination port within the specified range on the eth0 interface.
tcpdump -i eth0 -s 1500 Captures packets with a snapshot length of 1500 bytes on the eth0 interface.
tcpdump -i eth0 -c 10 Captures and displays the first 10 packets on the eth0 interface, then exits.

These commands demonstrate some of the common tcpdump options and filters that can be used to capture and analyze network traffic based on specific criteria such as protocol, port number, IP address, and more.

Related Post: