howtouselinux

Filtering ICMP Packets with Tcpdump

Table of Contents

Tcpdump command in Linux can be used to capture ICMP packets. We will start with ICMP protocol introduction and then check out how to filter ICMP and ICMPv6 packets with tcpdump command.

  • What is ICMP?
  • Use tcpdump to capture ICMP Packets
  • Filtering ICMP echo reply echo request Packets
  • Use tcpdump to capture ICMPv6 packets

What is ICMP?

ICMP is short for Internet Control Message Protocol. It is a network layer protocol used by network devices to diagnose network communication issues.

Ping is one of the most basic network debugging tools. It sends ICMP echo request packets to a host. If the host gets the packet and feels nice enough, it sends an ICMP echo-response packet in return.

Check this post to learn more about ICMP protocol.

Understanding Ping command

Ping is a tool commonly used to find the status of a device on a network. Ping is based on the ICMP protocol. When a Ping process request is sent out as an ICMP echo to the target device, it replies with an ICMP echo reply if the device is available.

Ping command has two important purpose.

  • test the network availability to device
  • network latency or network packet loss between two devices

 

A simple way to check whether we have access to the particular host is through ICMP by sending ping packets to the host. But this method works only if ICMP and ping is enabled in that network. If ICMP is disabled, we can not get a proper response.

Let’s send an ICMP packet with ping command like below.

$ ping google.com
PING google.com (172.217.25.14): 56 data bytes
64 bytes from 172.217.25.14: icmp_seq=0 ttl=111 time=49.412 ms

Related: Understanding Ping Command and ICMP with Examples

How to use tcpdump to capture ICMP Packets

In IPV4, we can use this tcpdump command to filter all ICMP packets.

We can use ping command to send out ICMP echo requests. This is the output of the ICMP echo request and echo reply packet.

# tcpdump -i eth0 icmp

16:17:46.354621 IP 10.79.97.62 > 216.58.200.14: ICMP echo request, id 33817, seq 1707, length 64
16:17:46.399959 IP 216.58.200.14 > 10.79.97.62: ICMP echo reply, id 33817, seq 1707, length 64

Understanding ICMP Types and Codes

The ICMP protocol has a field called type, which indicates what type the ICMP packet is. If the type field is 8, then the packet is an ICMP echo (ping) request, while if the type field is 0, then the packet is an ICMP echo (ping) reply.

That type of field is a one-byte field at the very beginning of the ICMP protocol header.

We might consider the ICMP Type field the packet’s classification and the Code field its subclass. For example, a Type field value of 3 indicates “destination unreachable.”

While this information alone might not be enough to troubleshoot a problem, if that packet were also to specify a Code field value of 3, indicating “port unreachable,” We could conclude that there is an issue with the port with which we are attempting to communicate.

Filtering ICMP echo reply echo request Packets with tcpdump command

Here are the common ICMP types :

  • 0 Echo Reply
  • 3 Destination Unreachable
  • 4 Source Quench
  • 5 Redirect
  • 8 Echo
  • 11 Time Exceeded

With the following command, we can filter ICMP echo-reply,

# tcpdump -i eth0 “icmp[0] == 0”

To filter ICMP echo-requests, we can use this tcpdump command.

# tcpdump -i eth0 “icmp[0] == 8”

How to use tcpdump to capture ICMPv6 packets

In IPv6, an IPv6 packet is 40 bytes long, and the first 8 bits of the ICMPv6 header specify its type. We can use this tcpdump command to filter all ICMPv6 packets.

# tcpdump -i eth0 icmp6

We can use this tcpdump command to filter ICMPv6 echo-requests.

# tcpdump -i eth0 “icmp6 && ip6[40] == 128”

In the latest versions of tcpdump/libpcap, we can use the following command to capture ICMPv6 echo packets.

# tcpdump -i eth0 ‘icmp6[icmp6type]=icmp6-echo’

What is ICMP type?

 

20 Advanced Tcpdump Examples in Linux

Understanding Ping Command and ICMP with Examples

2 Ways to Disable or Block Ping in Linux

Related Post:

Welcome to howtouselinux.com!

Our website is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative, and we welcome your feedback and suggestions for future content.

Learn More

Facebook
Twitter
LinkedIn