Capture ICMP Packets With Tcpdump
Updated: Jul 15
ICMP is a network-layer protocol that network devices use to report errors and diagnose communication problems. On Linux, tcpdump can select ICMP traffic with a capture filter. The following examples show how to capture ICMP and ICMPv6 packets with the tcpdump command.
What is ICMP?
ICMP is short for Internet Control Message Protocol.
ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. ICMP is crucial for error reporting and testing.
Ping operates by sending ICMP echo request packets to the target host and waiting for an ICMP echo reply.
How to Capture ICMP Packets With Tcpdump
For IPv4, this tcpdump command captures all ICMP packets. We use the eth0 network interface in all examples; change it to match your environment.
# tcpdump -i eth0 icmp
To capture only ICMP echo requests (type 8), test the type byte at the start of the ICMP header. The filter icmp[icmptype] == icmp-echo does this; icmp[0] == 8 is the numeric equivalent.
# tcpdump -i eth0 "icmp[icmptype] == icmp-echo"
These are the packets tcpdump captures with that filter:
14:37:14.555295 IP 10.79.101.23 > 126.96.36.199: ICMP echo request, id 61205, seq 0, length 64
14:37:15.557948 IP 10.79.101.23 > 188.8.131.52: ICMP echo request, id 61205, seq 1, length 64
14:37:16.562905 IP 10.79.101.23 > 184.108.40.206: ICMP echo request, id 61205, seq 2, length 64
How to Capture ICMPv6 packets With Tcpdump
In IPv6, the fixed IPv6 header is 40 bytes long and the ICMPv6 header normally follows it directly; the first byte (8 bits) of the ICMPv6 header is its type. This tcpdump command captures all ICMPv6 packets.
# tcpdump -i eth0 icmp6
To capture only ICMPv6 echo requests (type 128), test the byte immediately after the 40-byte IPv6 header. This offset assumes no extension header sits between the IPv6 header and ICMPv6; if one does, ip6[40] is the first byte of that extension header and the filter misses the packet.
# tcpdump -i eth0 "icmp6 && ip6[40] == 128"
Recent versions of tcpdump/libpcap accept named ICMPv6 fields and type values, so echo requests can be captured without a hard-coded offset (use icmp6-echoreply for the replies).
# tcpdump -i eth0 'icmp6[icmp6type]=icmp6-echo'