tcpdump host unreachables for specific host

Question

I'm trying to rule out some issues and needing to capture all ICMP messages except echo/echo reply. However the issue I'm struggling to find a way around is I only want these involving a particular host.

The filter I've been trying is tcpdump icmp and 'icmp[0] != 8 and icmp[0] != 0' and host x.x.x.x However that is only giving what is the x.x.x.x or y.y.y.y hosts. Example of what I get but wanting to only have for z.z.z.z portion

18:06:07.823692 IP x.x.x.x > y.y.y.y: ICMP host z.z.z.z unreachable, length 48

Does anyone have any ideas on how to accomplish this?

tuntap · Accepted Answer · 2017-12-19T10:22:25.223

0

If I understand you correctly, you want to filter for z.z.z.z in the ICMP response. Let's assume the IP of the unreachable host is z1.z2.z3.z4, then you should replace host x.x.x.x in your filter with the following filter icmp[24] == z1 and icmp[25] == z2 and icmp[26] == z3 and icmp[27] == z4.

If you only want the ICMP destination unreachable messages, consider using icmp[icmptype] == icmp-unreach instead of icmp[0] != 8 and icmp[0] != 0.

edited Dec 19 '17 at 10:22

answered Dec 19 '17 at 08:39

tuntap

161
3

Awesome thanks! I've just tested it and is exactly what I'm after :) – Cameron Moody Dec 19 '17 at 19:46

tcpdump host unreachables for specific host

1 Answers1