Filtering ICMP Packets with Tcpdump

Updated: Aug 12

The tcpdump command in Linux can be used to capture ICMP packets. We will start with a short introduction to the ICMP protocol and then look at how to filter ICMP and ICMPv6 packets with tcpdump.

What is ICMP?

ICMP is short for Internet Control Message Protocol. It is a network layer protocol used by network devices to diagnose network communication issues.

Ping is one of the most basic network debugging tools. It sends ICMP echo request packets to a host. If the host receives the packet and is willing to respond, it sends an ICMP echo reply packet in return.

Check this post to learn more about ICMP port.

How to use tcpdump to capture ICMP Packets

In IPv4, we can use this tcpdump command to filter all ICMP packets.

# tcpdump -i eth0 icmp

We can use the ping command to send ICMP echo requests. This is the tcpdump output for an ICMP echo request and its echo reply:

16:17:46.354621 IP > ICMP echo request, id 33817, seq 1707, length 64
16:17:46.399959 IP > ICMP echo reply, id 33817, seq 1707, length 64

Filtering ICMP echo request and echo reply packets

Here are the common ICMP types:

  • 0 Echo Reply

  • 3 Destination Unreachable

  • 4 Source Quench

  • 5 Redirect

  • 8 Echo

  • 11 Time Exceeded

With the following command, we can filter ICMP echo replies (type 0). icmp[0] is the first byte of the ICMP header, which holds the type field.

# tcpdump -i eth0 "icmp[0] == 0"

To filter ICMP echo requests (type 8), we can use this tcpdump command.

# tcpdump -i eth0 "icmp[0] == 8"

How to use tcpdump to capture ICMPv6 packets

In IPv6, the fixed IPv6 header is 40 bytes long, and the first 8 bits of the ICMPv6 header that follows it specify the ICMPv6 type, so ip6[40] reads the type byte. We can use this tcpdump command to filter all ICMPv6 packets.

# tcpdump -i eth0 icmp6

We can use this tcpdump command to filter ICMPv6 echo requests (type 128).

# tcpdump -i eth0 "icmp6 && ip6[40] == 128"

In the latest versions of tcpdump/libpcap, we can use the named type icmp6-echo in the following command to capture ICMPv6 echo request packets.

# tcpdump -i eth0 'icmp6[icmp6type]=icmp6-echo'
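As an added example (not from the original post), the following Python mirrors what the byte-offset filters above actually index: icmp[0] on an IPv4 packet and ip6[40] on an IPv6 packet. The packets are constructed inline, the ICMP checksums are left at zero, and the icmp6 keyword is simplified to a check of the IPv6 next-header field; the last function also shows why the fixed-offset ip6[40] filter misses an echo request that sits behind an IPv6 extension header.

```python
import struct

IPPROTO_HOPOPTS, IPPROTO_ICMP, IPPROTO_ICMPV6 = 0, 1, 58
ICMP_ECHO_REQUEST, ICMP6_ECHO_REQUEST = 8, 128   # icmp[0] == 8 / ip6[40] == 128

def _echo_request_body(icmp_type):
    # type, code, checksum (left 0 in this constructed sample), id, seq + 56 bytes of data
    return struct.pack("!BBHHH", icmp_type, 0, 0, 33817, 1707) + b"x" * 56

def ipv4_echo_request(ihl_words=5):
    """Constructed IPv4 + ICMP echo request; ihl_words > 5 adds IP options."""
    icmp = _echo_request_body(ICMP_ECHO_REQUEST)
    options = b"\x00" * ((ihl_words - 5) * 4)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(icmp),
                      0, 0, 64, IPPROTO_ICMP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + icmp

def ipv6_echo_request(with_hopopts=False):
    """Constructed IPv6 + ICMPv6 echo request, optionally behind a Hop-by-Hop header."""
    payload = _echo_request_body(ICMP6_ECHO_REQUEST)
    next_header = IPPROTO_ICMPV6
    if with_hopopts:
        # 8-byte Hop-by-Hop header: next header = ICMPv6, length 0 (= 8 bytes), PadN option
        payload = struct.pack("!BB", IPPROTO_ICMPV6, 0) + b"\x01\x04\x00\x00\x00\x00" + payload
        next_header = IPPROTO_HOPOPTS
    src = bytes.fromhex("20010db8000000000000000000000001")   # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst) + payload

def match_icmp_type(pkt, wanted):
    """Mirror of 'icmp[0] == wanted': libpcap resolves the IHL, so icmp[0]
    lands on the ICMP type even when IP options are present."""
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:   # libpcap skips non-first fragments
        return False
    return pkt[(pkt[0] & 0x0F) * 4] == wanted

def match_ip6_40(pkt, wanted):
    """Mirror of 'icmp6 && ip6[40] == wanted': a fixed offset just past the
    40-byte IPv6 header. 'icmp6' is simplified here to ip6[6] == 58, so a
    packet with an extension header in front is not matched at all."""
    if pkt[0] >> 4 != 6 or pkt[6] != IPPROTO_ICMPV6:
        return False
    return pkt[40] == wanted
```

The tcpdump commands themselves need root and a live interface; this script only reproduces the offset arithmetic behind the filter expressions.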
