Filtering ICMP Packets with Tcpdump
Updated: Aug 12
tcpdump on Linux can capture and filter ICMP traffic. This post starts with a short introduction to ICMP and then shows how to filter ICMP and ICMPv6 packets with tcpdump.
What is ICMP?
ICMP is short for Internet Control Message Protocol. It is a network-layer protocol, carried directly inside IP (protocol number 1), that hosts and routers use to report errors and diagnose network communication problems.
Ping is one of the most basic network debugging tools. It sends ICMP echo request packets to a host. If the host receives the packet and is configured to answer (many firewalls drop or rate-limit echo requests), it sends an ICMP echo reply packet in return.
ICMP has no port numbers: a message is identified by its type and code fields instead. See the companion post on ICMP and ports for more detail.
How to use tcpdump to capture ICMP Packets
In IPv4, this tcpdump command captures all ICMP packets on eth0:
# tcpdump -i eth0 icmp
Running ping in another terminal sends ICMP echo requests. The output below shows one echo request and the matching echo reply; the id and seq fields are identical in both, which is how a reply is matched to its request.
16:17:46.354621 IP 10.79.97.62 > 18.104.22.168: ICMP echo request, id 33817, seq 1707, length 64
16:17:46.399959 IP 22.214.171.124 > 10.79.97.62: ICMP echo reply, id 33817, seq 1707, length 64
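The id/seq pairing above is easy to check programmatically. The following Python script is an added example, not code from the original post: it parses tcpdump's one-line ICMP echo output, pairs each echo request with its reply by (id, seq), reports the round-trip time, and flags requests that never got a reply as well as replies that arrive with no outstanding request (a sign of spoofed or duplicated replies, or of ICMP being used to carry something other than ping). The sample lines are constructed for this example, with a documentation-range address as the ping target; the regex assumes tcpdump was run with -n so addresses are numeric.

```python
import re
import sys

# Regex for the one-line format tcpdump prints for IPv4 ICMP echo traffic
# (timestamp, "IP src > dst:", then the ICMP summary). Run tcpdump with -n so
# addresses stay numeric; the pattern does not handle resolved hostnames.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Constructed sample output (not a real capture): two answered pings, one
# unanswered ping, and a reply whose id/seq no longer has an outstanding request.
SAMPLE_OUTPUT = """\
16:17:46.354621 IP 10.79.97.62 > 192.0.2.10: ICMP echo request, id 33817, seq 1707, length 64
16:17:46.399959 IP 192.0.2.10 > 10.79.97.62: ICMP echo reply, id 33817, seq 1707, length 64
16:17:47.356102 IP 10.79.97.62 > 192.0.2.10: ICMP echo request, id 33817, seq 1708, length 64
16:17:47.401500 IP 192.0.2.10 > 10.79.97.62: ICMP echo reply, id 33817, seq 1708, length 64
16:17:48.357000 IP 10.79.97.62 > 192.0.2.10: ICMP echo request, id 33817, seq 1709, length 64
16:17:49.100000 IP 192.0.2.10 > 10.79.97.62: ICMP echo reply, id 33817, seq 1707, length 64
"""


def ts_to_seconds(ts: str) -> float:
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(text: str) -> dict:
    """Pair echo requests with replies by (id, seq) and report RTTs and anomalies."""
    pending = {}      # (id, seq) -> request timestamp, awaiting a reply
    rtts = []         # (id, seq, rtt_ms) for matched pairs
    unsolicited = []  # replies with no outstanding request (spoofed, duplicate, or tunnelled)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other ICMP types, or a line in a different format
        key = (int(m["id"]), int(m["seq"]))
        t = ts_to_seconds(m["ts"])
        if m["kind"] == "request":
            pending[key] = t
        else:
            t0 = pending.pop(key, None)
            if t0 is None:
                unsolicited.append(key)
            else:
                rtts.append((key[0], key[1], round((t - t0) * 1000, 3)))
    return {"rtts": rtts, "unanswered": sorted(pending), "unsolicited": unsolicited}


if __name__ == "__main__":
    # Usage: sudo tcpdump -i eth0 -l -n icmp | python3 icmp_pairs.py
    # With no piped input, the constructed sample above is analysed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    result = analyze(data)
    for icmp_id, seq, rtt in result["rtts"]:
        print(f"id {icmp_id} seq {seq}: {rtt} ms")
    print("unanswered:", result["unanswered"])
    print("unsolicited replies:", result["unsolicited"])
```

The -l flag makes tcpdump line-buffer its output so the script sees each line as it is printed rather than in bursts; the script name icmp_pairs.py is just an assumed filename.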
Filtering ICMP echo-request and echo-reply Packets
Here are the most common ICMP types, with the names pcap-filter accepts for them (the full list is in RFC 792 and the IANA registry):
0 Echo Reply (icmp-echoreply)
3 Destination Unreachable (icmp-unreach)
4 Source Quench (icmp-sourcequench, deprecated by RFC 6633; modern hosts ignore it)
8 Echo Request (icmp-echo)
11 Time Exceeded (icmp-timxceed)
The ICMP type is the first byte of the ICMP header, so the filter indexes byte 0 of the ICMP header, written `icmp[0]` or with the named offset `icmp[icmptype]`. Note that `icmp == 0` is not valid pcap-filter syntax and tcpdump rejects it. With the following command, we can filter ICMP echo replies (type 0):
# tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'
The numeric form `icmp[0] == 0` is equivalent. To filter ICMP echo requests (type 8), we can use this tcpdump command:
# tcpdump -i eth0 'icmp[icmptype] == icmp-echo'
How to use tcpdump to capture ICMPv6 packets
In IPv6, the fixed IPv6 header is 40 bytes long (extension headers, if any, follow it), ICMPv6 is next-header value 58, and the first byte of the ICMPv6 header is its type. We can use this tcpdump command to filter all ICMPv6 packets:
# tcpdump -i eth0 icmp6
To filter ICMPv6 echo requests (type 128) with a plain byte offset, read the byte immediately after the 40-byte fixed header. `ip6[40]` is a fixed offset and does not chase the extension-header chain, so this assumes the ICMPv6 header directly follows the IPv6 header, which is the normal case for echo traffic. (The form `icmp6 && ip6 == 128` is not valid filter syntax.)
# tcpdump -i eth0 'icmp6 && ip6[40] == 128'
Newer versions of tcpdump/libpcap also understand the named offset `icmp6type` and named ICMPv6 types, so echo requests can be captured with:
# tcpdump -i eth0 'icmp6[icmp6type] == icmp6-echo'
Echo replies (type 129) are selected the same way with `icmp6[icmp6type] == icmp6-echoreply`.
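The byte offsets behind `icmp[0]` and `ip6[40]` are easier to trust once you have seen them applied to real packet bytes. The following Python script is an added example, not code from the original post or from tcpdump: it constructs IPv4/ICMP and IPv6/ICMPv6 echo request packets in memory, reads the type field the way those two filter expressions do, and also builds an IPv6 packet with a Hop-by-Hop extension header to show why the fixed `ip6[40]` offset then returns the extension header's Next Header byte (58) instead of the ICMPv6 type, while a small extension-header walk still finds it. The addresses come from documentation ranges and the checksums are left zero because neither affects filtering.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_ICMPV6 = 58
IPV6_HOP_BY_HOP = 0
# IPv6 extension headers whose length is (hdr_ext_len + 1) * 8 bytes
IPV6_VARLEN_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options
IPV6_FRAG = 44                  # fragment header, always 8 bytes


def icmp_header(icmp_type: int, code: int = 0, ident: int = 0x8419, seq: int = 1) -> bytes:
    """8-byte ICMP/ICMPv6 echo header: type, code, checksum (left 0), id, seq."""
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)


def ipv4_icmp_packet(icmp_type: int) -> bytes:
    """Constructed IPv4 packet (20-byte header, no options) carrying an ICMP header."""
    payload = icmp_header(icmp_type)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 (20 bytes)
        0, 20 + len(payload),  # TOS, total length
        0, 0,                  # identification, flags/fragment offset
        64, IPPROTO_ICMP, 0,   # TTL, protocol, header checksum (left 0)
        bytes([10, 79, 97, 62]), bytes([192, 0, 2, 10]),
    )
    return ip_hdr + payload


def ipv6_icmp6_packet(icmp6_type: int, with_hop_by_hop: bool = False) -> bytes:
    """Constructed IPv6 packet carrying ICMPv6, optionally behind a Hop-by-Hop header."""
    payload = icmp_header(icmp6_type)
    next_header = IPPROTO_ICMPV6
    if with_hop_by_hop:
        # Hop-by-Hop: Next Header = ICMPv6, Hdr Ext Len = 0 (8 bytes), padded with PadN(4)
        hbh = struct.pack("!BB", IPPROTO_ICMPV6, 0) + b"\x01\x04\x00\x00\x00\x00"
        payload = hbh + payload
        next_header = IPV6_HOP_BY_HOP
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    ip6_hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst)
    return ip6_hdr + payload


def icmp_type_v4(pkt: bytes):
    """What `icmp[0]` (alias icmp[icmptype]) reads: byte 0 of the ICMP header, after IHL*4 bytes."""
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        return None
    return pkt[(pkt[0] & 0x0F) * 4]


def ip6_byte40(pkt: bytes) -> int:
    """What `ip6[40]` reads: the byte right after the fixed IPv6 header, whatever header it belongs to."""
    return pkt[40]


def icmp6_type_chain(pkt: bytes):
    """Walk the extension-header chain to the ICMPv6 header and return its type (None if absent)."""
    if pkt[0] >> 4 != 6:
        return None
    next_header, offset = pkt[6], 40
    while next_header != IPPROTO_ICMPV6:
        if next_header in IPV6_VARLEN_EXT:
            next_header, offset = pkt[offset], offset + (pkt[offset + 1] + 1) * 8
        elif next_header == IPV6_FRAG:
            next_header, offset = pkt[offset], offset + 8
        else:
            return None  # some other upper-layer protocol (TCP, UDP, ...)
    return pkt[offset]


def demo() -> dict:
    """Apply the three readers to constructed packets; values mirror the filter comparisons."""
    plain_v6 = ipv6_icmp6_packet(128)
    hbh_v6 = ipv6_icmp6_packet(128, with_hop_by_hop=True)
    return {
        "v4_echo_request": icmp_type_v4(ipv4_icmp_packet(8)),  # 8: matches icmp[icmptype] == icmp-echo
        "v6_fixed_offset": ip6_byte40(plain_v6),               # 128: ip6[40] == 128 matches
        "v6_chain": icmp6_type_chain(plain_v6),                # 128
        "v6_hbh_fixed_offset": ip6_byte40(hbh_v6),             # 58: Hop-by-Hop's Next Header, filter misses
        "v6_hbh_chain": icmp6_type_chain(hbh_v6),              # 128: chain walk still finds the type
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical lesson is the one the pcap-filter manual gives for `ip6 proto` versus `ip6 protochain`: a fixed offset is fine for ordinary ping traffic, but if you are hunting for ICMPv6 that an attacker has deliberately pushed behind extension headers, a byte-offset filter will silently miss it and you should inspect the extension-header chain instead.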