This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you filter different types of ICMPv6 messages?

1

Libpcap lets you filter ICMP messages with named field values, e.g.

icmp[icmptype] = icmp-echo

What is the ICMPv6 equivalent?

asked 08 Sep '10, 11:46

Gerald Combs ♦♦
accept rate: 24%

edited 08 Sep '10, 11:47


One Answer:

2

Looks like looking into icmp6 messages has not yet been implemented. However, you can use the IPv6 layer with an index (as long as there are no extra IPv6 headers):

[email protected]:~$ tcpdump -nli en1 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:39:03.127714 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 486, length 16
07:39:03.144453 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 486, length 16
07:39:04.127686 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 487, length 16
07:39:04.144941 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 487, length 16
^C
4 packets captured
8 packets received by filter
0 packets dropped by kernel
[email protected]:~$ tcpdump -nli en1 icmp6[0]=128
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]
[email protected]:~$ tcpdump -nli en1 icmp6 and ip6[40]=128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:39:22.127170 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 505, length 16
07:39:23.127169 IP6 2001:888:1cb7:1a:fa1e:dfff:fed8:8748 > 2001:888:0:1::666: ICMP6, echo request, seq 506, length 16
^C
2 packets captured
8 packets received by filter
0 packets dropped by kernel
[email protected]:~$ tcpdump -nli en1 icmp6 and ip6[40]=129
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:39:51.144359 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 534, length 16
07:39:52.219218 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 535, length 16
07:39:53.143163 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 536, length 16
07:39:54.148842 IP6 2001:888:0:1::666 > 2001:888:1cb7:1a:fa1e:dfff:fed8:8748: ICMP6, echo reply, seq 537, length 16
^C
4 packets captured
20 packets received by filter
0 packets dropped by kernel
[email protected]:~$ tcpdump --version
tcpdump version 4.0.0
libpcap version 1.0.0
Usage: tcpdump [-aAdDefgIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -M secret ] [ -r file ]
        [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
        [ -y datalinktype ] [ -z command ] [ -Z user ]
        [ expression ]
[email protected]:~$

answered 15 Sep '10, 22:45

SYN-bit ♦♦
accept rate: 20%
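
The caveat in the answer above, that `ip6[40]` is only the ICMPv6 type when no extension headers follow the fixed 40-byte IPv6 header, shown as an added Python example that is not part of the original post. The packets are constructed (documentation-prefix addresses, zero checksums), and `naive_icmp6_type` is a simplified model of the answer's filter, not libpcap's code.

```python
import struct

# Extension headers sharing the "next header, length in 8-octet units" layout
EXT_HEADERS = {0, 43, 60}      # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6 = 44, 58

def naive_icmp6_type(pkt):
    """Simplified model of `icmp6 and ip6[40]=N`: fixed-header Next Header
    must be 58, and byte 40 is taken as the ICMPv6 type."""
    return pkt[40] if len(pkt) > 40 and pkt[6] == ICMPV6 else None

def icmp6_type(pkt):
    """Walk the extension-header chain; return the ICMPv6 type or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while off < len(pkt):
        if nxt == ICMPV6:
            return pkt[off]
        if off + 8 > len(pkt):
            return None
        if nxt in EXT_HEADERS:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            # Only the first fragment (offset 0) carries the ICMPv6 header
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None
            nxt, off = pkt[off], off + 8
        else:
            return None
    return None

def ipv6(next_header, payload):
    """Constructed sample packet: 2001:db8::1 -> 2001:db8::2, hop limit 64."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed payloads (checksums left at zero, not validated here)
ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 1, 486)
HOP_BY_HOP = bytes([ICMPV6, 0, 0x05, 0x02, 0, 0, 0x01, 0x00])  # Router Alert + PadN
MLD_QUERY = bytes([130, 0, 0, 0]) + bytes(20)

PLAIN = ipv6(ICMPV6, ECHO_REQUEST)
WITH_HBH = ipv6(0, HOP_BY_HOP + MLD_QUERY)

if __name__ == "__main__":
    for name, pkt in (("plain echo request", PLAIN), ("MLD query behind Hop-by-Hop", WITH_HBH)):
        print(f"{name}: ip6[40]={pkt[40]} naive={naive_icmp6_type(pkt)} walked={icmp6_type(pkt)}")
```

For the second packet, byte 40 is the Hop-by-Hop header's own Next Header field (58), so a fixed-offset filter never sees the real type 130; MLD messages are a common case because they carry a Hop-by-Hop Router Alert option.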