This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Libpcap lets you filter ICMP messages with named field values, e.g.

icmp[icmptype] = icmp-echo

What is the ICMPv6 equivalent?

asked 08 Sep '10, 11:46

Gerald%20Combs's gravatar image

Gerald Combs ♦♦
3.3k92258
accept rate: 24%

edited 08 Sep '10, 11:47


Looks like looking into icmp6 messages has not yet been implemented. However, you can use the IPv6 layer with an index (as long as there are no extra IPv6 headers):

[email protected]:~$ tcpdump -nli en1 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:39:03.127714 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 486, length 16
07:39:03.144453 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 486, length 16
07:39:04.127686 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 487, length 16
07:39:04.144941 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 487, length 16
^C
4 packets captured
8 packets received by filter
0 packets dropped by kernel
[email protected]:~$ tcpdump -nli en1 icmp6[0]=128
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]
[email protected]:~$ tcpdump -nli en1 icmp6 and ip6[40]=128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:39:22.127170 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 505, length 16
07:39:23.127169 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 506, length 16
^C
2 packets captured
8 packets received by filter
0 packets dropped by kernel
[email protected]:~$ tcpdump -nli en1 icmp6 and ip6[40]=129
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:39:51.144359 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 534, length 16
07:39:52.219218 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 535, length 16
07:39:53.143163 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 536, length 16
07:39:54.148842 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 537, length 16
^C
4 packets captured
20 packets received by filter
0 packets dropped by kernel
[email protected]:~$ tcpdump --version
tcpdump version 4.0.0
libpcap version 1.0.0
Usage: tcpdump [-aAdDefgIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -M secret ] [ -r file ]
        [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
        [ -y datalinktype ] [ -z command ] [ -Z user ]
        [ expression ]
[email protected]:~$
permanent link

answered 15 Sep '10, 22:45

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×184
×51
×6

question asked: 08 Sep '10, 11:46

question was seen: 18,603 times

last updated: 15 Sep '10, 22:45

p​o​w​e​r​e​d by O​S​Q​A