Capturing specific ICMPv6 traffic using tcpdump

While doing some troubleshooting on my home lab, I was trying to ping from one device to another device, both configured with IPv6, and only IPv6, addresses.

I was using tcpdump to capture only the ICMP echo requests. In the IPv4 world, I would use this tcpdump syntax:

sudo tcpdump -nni ens192 "icmp[0] == 8"

However, when I tried the same syntax modified for IPv6, tcpdump puked:

sudo tcpdump -nni ens192 "icmp6[0] == 128"
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]

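The fixed IPv6 header is exactly 40 bytes, and the first 8 bits of the ICMPv6 header specify its type. When no extension headers sit between the two, the type is therefore the byte at offset 40 from the start of the IPv6 packet, which is what ip6[40] reads.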

Knowing that, we can see only the ICMP6 echo requests using this syntax:

sudo tcpdump -nni ens192 "icmp6 && ip6[40] == 128"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Internal, link-type EN10MB (Ethernet), capture size 262144 bytes
15:58:47.290538 IP6 fdc4:9f07:a86b:c256::1 > fdc4:9f07:a86b:c256::: ICMP6, echo request, seq 1, length 64
15:58:48.314215 IP6 fdc4:9f07:a86b:c256::1 > fdc4:9f07:a86b:c256::: ICMP6, echo request, seq 2, length 64
15:58:49.338119 IP6 fdc4:9f07:a86b:c256::1 > fdc4:9f07:a86b:c256::: ICMP6, echo request, seq 3, length 64
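
The offset reasoning above, as an added example that is not part of the original post: Python over constructed packets showing that byte 40 is the ICMPv6 type only when ICMPv6 directly follows the fixed header, and going one step further by walking the extension-header chain for the general case. The function names, addresses and packet bytes are assumptions made for illustration.

```python
import ipaddress
import struct

ICMPV6, FRAGMENT = 58, 44
GENERIC_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options

def fixed_header(next_header, payload_len):
    """40-byte fixed IPv6 header with constructed documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + src + dst

# Constructed sample data: echo request (type 128), checksum left at 0.
ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
# Hop-by-hop header: next header 58, length 0 (= 8 bytes), PadN option as filler.
HBH = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])
PLAIN = fixed_header(ICMPV6, len(ECHO)) + ECHO
WITH_HBH = fixed_header(0, len(HBH) + len(ECHO)) + HBH + ECHO

def fixed_offset_type(pkt):
    """Simplified form of the filter's logic: next header is ICMPv6, read byte 40."""
    return pkt[40] if pkt[6] == ICMPV6 else None

def icmp6_type(pkt):
    """Walk the extension-header chain and return the ICMPv6 type, or None."""
    nh, off = pkt[6], 40
    while nh != ICMPV6:
        if off + 8 > len(pkt):
            return None  # truncated capture
        if nh in GENERIC_EXT:
            # byte 0: next header, byte 1: length in 8-byte units, not counting the first 8
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None  # non-first fragment: no upper-layer header here
            nh, off = pkt[off], off + 8
        else:
            return None  # some other upper-layer protocol
    return pkt[off] if off < len(pkt) else None

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("hop-by-hop", WITH_HBH)):
        print(name, "byte 40 =", pkt[40], "filter-style =", fixed_offset_type(pkt),
              "chain walk =", icmp6_type(pkt))
```

In the hop-by-hop packet, byte 40 holds the extension header's own next-header value (58) rather than the ICMPv6 type, so a fixed-offset check does not see the echo request.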

Common ICMPv6 types

  • unreachable: 1
  • too-big: 2
  • time-exceeded: 3
  • echo-request: 128
  • echo-reply: 129
  • router-solicitation: 133
  • router-advertisement: 134
  • neighbor-solicitation: 135
  • neighbor-advertisement: 136

References

Internet Control Message Protocol version 6 (ICMPv6) Parameters https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

Wikipedia - Internet Control Message Protocol for IPv6 https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6#Types