ICMP is a network layer protocol used by network devices to diagnose network communication issues. The tcpdump command on Linux can filter ICMP packets. The following examples show how to capture ICMP and ICMPv6 packets with tcpdump on Linux.
What is ICMP?
ICMP is short for Internet Control Message Protocol.
ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. ICMP is crucial for error reporting and testing.
Ping operates by sending ICMP echo request packets to the target host and waiting for an ICMP echo reply.
Change Ping Packet Size in Ping Command
In some scenarios, we may want to use the -s option to increase the packet size from the default value of 64 bytes.
For example, to increase the packet size to 1000 bytes:
ping -s 1000 google.com
How to Capture ICMP Packets With Tcpdump
In IPv4, we can use this tcpdump command to filter all ICMP packets. We use the eth0 network interface in all our examples; change it to match your environment.
# tcpdump -i eth0 icmp
To filter ICMP echo requests (ICMP type 8), we can use this tcpdump command. The filter reads the type byte at the start of the ICMP header, so it must be written as an offset into the ICMP packet rather than as a bare comparison.
# tcpdump -i eth0 "icmp[icmptype] == 8"
These are the packets captured by that tcpdump command.
14:37:14.555295 IP 10.79.101.23 > 188.8.131.52: ICMP echo request, id 61205, seq 0, length 64
14:37:15.557948 IP 10.79.101.23 > 184.108.40.206: ICMP echo request, id 61205, seq 1, length 64
14:37:16.562905 IP 10.79.101.23 > 220.127.116.11: ICMP echo request, id 61205, seq 2, length 64
How to Capture ICMPv6 packets With Tcpdump
In IPv6, the fixed IPv6 header is 40 bytes long, and the first 8 bits of the ICMPv6 header that follows it specify the message type. We can use this tcpdump command to filter all ICMPv6 packets.
# tcpdump -i eth0 icmp6
We can use this tcpdump command to filter ICMPv6 echo requests (ICMPv6 type 128). The byte at offset 40 of the IPv6 packet is the ICMPv6 type, assuming no extension headers sit between the IPv6 header and the ICMPv6 header.
# tcpdump -i eth0 "icmp6 && ip6[40] == 128"
In the latest versions of tcpdump/libpcap, we can use the following command to capture ICMPv6 echo packets.
# tcpdump -i eth0 'icmp6[icmp6type]=icmp6-echo'
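The IPv4 and IPv6 filters above both work by reading one byte at a fixed offset. The following added example (not part of the original page, and not tcpdump code) applies the same offset logic to raw IP packets in Python: the ICMP type byte sits just past the IPv4 header (whose length comes from the IHL field), and the ICMPv6 type byte sits at offset 40, exactly as in ip6[40] == 128. The packets, addresses and identifier 61205 are constructed samples with zeroed checksums.

```python
import struct

ICMP_ECHO_REQUEST = 8      # tcpdump: icmp[icmptype] == 8
ICMP6_ECHO_REQUEST = 128   # tcpdump: ip6[40] == 128  /  icmp6[icmp6type] = icmp6-echo

def build_ipv4_icmp(icmp_type, payload=b"A" * 56):
    """Constructed sample: minimal IPv4 header (IHL=5, no options) + ICMP header + payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 61205, 0) + payload   # type, code, cksum, id, seq
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([10, 79, 101, 23]), bytes([192, 0, 2, 1]))   # protocol 1 = ICMP
    return ip + icmp

def build_ipv6_icmp6(icmp6_type, payload=b"A" * 56):
    """Constructed sample: 40-byte IPv6 header (no extension headers) + ICMPv6 header + payload."""
    icmp6 = struct.pack("!BBHHH", icmp6_type, 0, 0, 61205, 0) + payload
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp6), 58, 64,   # next header 58 = ICMPv6
                      bytes.fromhex("20010db8000000000000000000000001"),
                      bytes.fromhex("20010db8000000000000000000000002"))
    return ip6 + icmp6

def icmp_type(packet):
    """Return (family, type) for a raw IP packet carrying ICMP/ICMPv6, else None."""
    version = packet[0] >> 4
    if version == 4:
        if packet[9] != 1:                      # IPv4 protocol field: 1 = ICMP
            return None
        ihl = (packet[0] & 0x0F) * 4            # icmp[...] offsets start after the IPv4 header
        return ("icmp", packet[ihl])
    if version == 6:
        if packet[6] != 58:                     # IPv6 next header: 58 = ICMPv6
            return None                         # (extension headers are not walked, like ip6[40])
        return ("icmp6", packet[40])            # first byte after the fixed 40-byte IPv6 header
    return None

def is_echo_request(packet):
    """Same decision as tcpdump's 'icmp[icmptype] == 8' or 'ip6[40] == 128' filters."""
    return icmp_type(packet) in (("icmp", ICMP_ECHO_REQUEST), ("icmp6", ICMP6_ECHO_REQUEST))

if __name__ == "__main__":
    for pkt in (build_ipv4_icmp(8), build_ipv4_icmp(0), build_ipv6_icmp6(128), build_ipv6_icmp6(135)):
        print(icmp_type(pkt), "echo request" if is_echo_request(pkt) else "other")
```

The 56-byte payload plus the 8-byte ICMP header gives the "length 64" that tcpdump printed in the capture above.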