The tcpdump command in Linux can be used to capture ICMP packets. We will start with an introduction to the ICMP protocol and then look at how to filter ICMP and ICMPv6 packets with tcpdump.
- What is ICMP?
- Use tcpdump to capture ICMP Packets
- Filtering ICMP echo reply echo request Packets
- Use tcpdump to capture ICMPv6 packets
What is ICMP?
ICMP is short for Internet Control Message Protocol. It is a network layer protocol that runs directly on top of IP (IPv4 protocol number 1) and is used by network devices to report errors and diagnose network communication issues, with messages such as "destination unreachable" and "time exceeded".
Ping is one of the most basic network debugging tools. It sends ICMP echo request packets to a host. If the host receives the packet and is allowed to answer, it sends an ICMP echo reply packet in return.
Understanding Ping command
Ping is a tool commonly used to find out whether a device on a network is up. It is based on ICMP: the ping program sends an ICMP echo request to the target device, and the device answers with an ICMP echo reply if it is reachable.
The ping command has two main purposes:
- test whether a device is reachable over the network
- measure network latency (round-trip time) and packet loss between two devices
A simple way to check whether we can reach a particular host is to send it ping packets over ICMP. This only works if ICMP echo is allowed on that network path and on the host itself. Many firewalls and hosts drop or rate-limit ICMP, so a missing reply does not prove the host is down, and a reply only proves reachability at the IP level, not that any particular TCP or UDP service is open.
Let’s send an ICMP packet with ping command like below.
$ ping google.com
PING google.com (184.108.40.206): 56 data bytes
64 bytes from 220.127.116.11: icmp_seq=0 ttl=111 time=49.412 ms
How to use tcpdump to capture ICMP Packets
We can use the ping command to send ICMP echo requests and tcpdump to capture them on the wire. Below is the output for one echo request and its echo reply; the id and seq fields pair each reply with the request it answers. Capturing needs root (or the CAP_NET_RAW capability), and -i selects the interface to listen on.
# tcpdump -i eth0 icmp
16:17:46.354621 IP 10.79.97.62 > 18.104.22.168: ICMP echo request, id 33817, seq 1707, length 64
16:17:46.399959 IP 22.214.171.124 > 10.79.97.62: ICMP echo reply, id 33817, seq 1707, length 64
Understanding ICMP Types and Codes
The ICMP header has a one-byte Type field that says what kind of message it is. Type 8 is an ICMP echo (ping) request and Type 0 is an ICMP echo (ping) reply.
The Type field is the very first byte of the ICMP header. It is followed by a one-byte Code field and a two-byte checksum; for echo messages a two-byte identifier and a two-byte sequence number follow, which are the id and seq values tcpdump prints above.
We can think of the Type field as the packet's classification and the Code field as its subclass. For example, a Type value of 3 means "destination unreachable".
That alone may not be enough to troubleshoot a problem, but if the packet also carries Code 3, "port unreachable", we can conclude that nothing is listening on the port we are trying to reach (for UDP, this is exactly how traceroute and UDP port scanners detect a closed port). Type 3 messages also quote the IP header and the first 8 bytes of the datagram that caused them, which lets us match the error to the original flow.
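The header layout and Type/Code classification just described, as an added Python example that is not part of the original post and not tcpdump code: it builds the same 64-byte echo request that ping sends (using the id and seq from the capture above), verifies the RFC 1071 checksum, and maps a Type 3 / Code 3 message to "port unreachable". All packets are constructed in memory rather than captured; the Type table is the article's own list and the Code table holds a few Type 3 codes from RFC 792.

```python
"""Decode ICMPv4 messages by Type and Code.

Added example for this article, not code from tcpdump or the original
post. It assumes raw ICMP bytes as they appear directly after the IPv4
header; every packet below is constructed in memory, not captured.
"""
import struct

# Common Type values (RFC 792), as listed in the article.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}

# Code values that refine Type 3 (destination unreachable).
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.

    A message whose checksum field is already correct checksums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (Type 8) or echo reply (Type 0), like ping does.

    Header layout: Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Build a Type 3 message. After a 4-byte unused field it quotes the IP
    header and the first 8 bytes of the datagram that triggered it."""
    body = b"\x00" * 4 + original_datagram[:28]
    csum = icmp_checksum(struct.pack("!BBH", 3, code, 0) + body)
    return struct.pack("!BBH", 3, code, csum) + body


def parse_icmp(data: bytes) -> dict:
    """Classify a message: Type first, then Code where the Type needs it."""
    if len(data) < 4:
        raise ValueError("ICMP header is at least 4 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", data[:4])
    info = {
        "type": icmp_type,
        "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
        "checksum_ok": icmp_checksum(data) == 0,
    }
    if icmp_type in (0, 8) and len(data) >= 8:
        # These are the "id" and "seq" values tcpdump prints for ping.
        info["id"], info["seq"] = struct.unpack("!HH", data[4:8])
    if icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "unknown")
        info["quoted_datagram"] = data[8:]
    return info


if __name__ == "__main__":
    # Same id/seq as the capture above; 56 bytes of payload gives a 64-byte message.
    request = build_echo(8, 33817, 1707, b"\x00" * 56)
    print(parse_icmp(request))
    # Constructed 28-byte stand-in for a quoted IPv4 header plus 8 bytes of payload.
    print(parse_icmp(build_unreachable(3, b"\x45" + b"\x00" * 27)))
```

The checksum check is what distinguishes a damaged or forged message from a valid one; a real parser would also validate the quoted datagram in Type 3 messages against the flows it has actually sent, since spoofed unreachables are a classic way to tear down connections.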
Filtering ICMP echo reply echo request Packets with tcpdump command
Here are the common ICMP types:
- 0 Echo Reply
- 3 Destination Unreachable
- 4 Source Quench
- 5 Redirect
- 8 Echo Request
- 11 Time Exceeded
Note that Source Quench (type 4) has been deprecated by RFC 6633, so seeing it on a modern network is itself worth a closer look.
The Type value can be tested directly in the filter expression. icmp[icmptype] reads the Type byte (icmp[0] is the numeric equivalent) and tcpdump knows symbolic names for the common values, so the following command captures only ICMP echo replies (type 0):
# tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'
To capture only ICMP echo requests (type 8), we can use this tcpdump command:
# tcpdump -i eth0 'icmp[icmptype] == icmp-echo'
The numeric forms icmp[0] == 0 and icmp[0] == 8 behave the same. A bare comparison such as icmp == 0 is not a valid filter: on its own, icmp is a protocol keyword (equivalent to ip proto 1), not a field you can compare. Use single quotes around the expression so the shell does not interpret the brackets. To see everything except ping traffic, combine the two tests:
# tcpdump -i eth0 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
How to use tcpdump to capture ICMPv6 packets
In IPv6, the fixed IPv6 header is 40 bytes long, and the first byte of the ICMPv6 header that follows it (next-header value 58) is the Type field. We can use this tcpdump command to capture all ICMPv6 packets:
# tcpdump -i eth0 icmp6
To capture ICMPv6 echo requests (type 128) by byte offset, test the byte immediately after the fixed header:
# tcpdump -i eth0 'icmp6 and ip6[40] == 128'
ICMPv6 echo replies are type 129. Newer versions of tcpdump/libpcap also accept the icmp6type field name with symbolic values, which reads more clearly:
# tcpdump -i eth0 'icmp6[icmp6type] == icmp6-echo'
# tcpdump -i eth0 'icmp6[icmp6type] == icmp6-echoreply'
Both forms read the byte at a fixed offset of 40 from the start of the IPv6 header, so they assume no extension headers (Hop-by-Hop, Routing, Destination Options) sit between the fixed header and ICMPv6; when one does, the Type byte is further in and these filters miss the packet. Also keep in mind that Neighbor Discovery (types 135 and 136) is carried in ICMPv6, so a plain icmp6 filter is much noisier on a busy segment than icmp is on IPv4.
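The fixed-offset assumption behind ip6[40], as an added Python example (not libpcap code and not from the original post): it builds two ICMPv6 echo requests, one placed directly after the fixed header and one behind an 8-byte Hop-by-Hop extension header, then shows that a read at offset 40 finds the Type in the first packet and reads the extension header's Next Header field in the second, while walking the Next Header chain finds the ICMPv6 Type in both. The addresses and packets are constructed inline; the ICMPv6 checksum is left at zero because it needs the IPv6 pseudo-header and the offset logic does not depend on it.

```python
"""Locate the ICMPv6 Type byte in an IPv6 packet, with and without extension headers.

Added example for this article; not tcpdump/libpcap code. Packets are
constructed in memory. The ICMPv6 checksum is left as zero (it requires
the IPv6 pseudo-header, which the offset logic shown here does not need).
"""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_TCP = 6
IPPROTO_ROUTING = 43
IPPROTO_ICMPV6 = 58
IPPROTO_DSTOPTS = 60
# Extension headers laid out as Next Header(1), Hdr Ext Len(1), data,
# with total length (Hdr Ext Len + 1) * 8 bytes (RFC 8200). Fragment and
# AH headers use different length rules and are deliberately not handled.
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}

ICMP6_TYPES = {128: "echo request", 129: "echo reply",
               135: "neighbor solicitation", 136: "neighbor advertisement"}


def ipv6_header(next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    src = ipaddress.IPv6Address("2001:db8::1").packed   # constructed documentation addresses
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def hop_by_hop(next_header: int) -> bytes:
    """Smallest legal Hop-by-Hop header: 8 bytes, padded with one PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


def icmpv6_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMPv6 echo request (128) or reply (129); checksum field left zero."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def byte_at_40(packet: bytes):
    """What 'icmp6 and ip6[40] == N' compares: the byte right after the fixed header."""
    return packet[40] if len(packet) > 40 else None


def find_icmpv6_type(packet: bytes):
    """Walk the Next Header chain; return (offset, type) of the ICMPv6 header, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:
        if offset + 2 > len(packet):
            return None                        # truncated extension header
        next_header, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8
    if next_header != IPPROTO_ICMPV6 or offset >= len(packet):
        return None                            # not ICMPv6, or truncated
    return offset, packet[offset]


if __name__ == "__main__":
    echo = icmpv6_echo(128, 1, 1, b"\x00" * 8)
    plain = ipv6_header(IPPROTO_ICMPV6, len(echo)) + echo
    ext = hop_by_hop(IPPROTO_ICMPV6) + echo
    with_ext = ipv6_header(IPPROTO_HOPOPTS, len(ext)) + ext
    for name, pkt in (("no ext header", plain), ("hop-by-hop first", with_ext)):
        found = find_icmpv6_type(pkt)
        print(name, "ip6[40] =", byte_at_40(pkt), "walk ->", found,
              ICMP6_TYPES.get(found[1]) if found else None)
```

For the packet with a Hop-by-Hop header, byte 40 holds 58 (the extension header's own Next Header field), so the fixed-offset filter never sees the Type 128 that sits at offset 48. If you need to match such packets in tcpdump, capture all of ip6 (or use ip6 protochain 58) and let a decoder that walks the chain do the classification.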