If you want to filter ICMP echo-requests with tcpdump, you can use this command:<\/p>\n
tcpdump -i em0 \"icmp[0] == 8\"\r\n<\/pre>\nBut it doesn’t work if you try the same syntax with ICMPv6:<\/p>\n
tcpdump -i em0 \"icmp6[0] == 128\"\r\ntcpdump: IPv6 upper-layer protocol is not supported by proto[x]\r\n<\/pre>\nInstead you can parse directly the IPv6 payload. An IPv6 packet is 40 bytes long, and the first 8 bits of the ICMPv6 header specify its type:<\/p>\n
tcpdump -i eth0 \"icmp6 && ip6[40] == 128\"\r\n<\/pre>\nThe most common ICMPv6 types<\/a> are:<\/p>\n
\n
- unreachable<\/strong>: 1<\/li>\n
- too-big<\/strong>: 2<\/li>\n
- time-exceeded<\/strong>: 3<\/li>\n
- echo-request<\/strong>: 128<\/li>\n
- echo-reply<\/strong>: 129<\/li>\n
- router-solicitation<\/strong>: 133<\/li>\n
- router-advertisement<\/strong>: 134<\/li>\n
- neighbor-solicitation<\/strong>: 135<\/li>\n
- neighbor-advertisement<\/strong>: 136<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
If you want to filter ICMP echo-requests with tcpdump, you can use this command: tcpdump -i em0 “icmp[0] == 8” But it doesn’t work if you try the same syntax with ICMPv6: tcpdump -i em0 “icmp6[0] == 128” tcpdump: IPv6 … Continue reading