localhost icmp packet found in capture file: why?

Question

Here's my tcpdump filter (ip[8] is the IP ttl field and icmp[0]=11 corresponds to time-exceeded ICMP messages):

(ip and ip[8]=2 and src host $myIPAddress) or (icmp and dst host $myIPAddress and icmp[0]=11)

And here's what I found in the capture file:

>>> p.show()
###[ Ethernet ]###
  dst       = 00:15:f2:e3:90:e9
  src       = 00:11:43:e5:48:10
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0xc0
     len       = 56
     id        = 19126
     flags     = 
     frag      = 0L
     ttl       = 254
     proto     = icmp
     chksum    = 0xa697
     src       = 127.0.0.1
     dst       = 127.0.0.1
     \options   \

Why did I capture an ICMP localhost packet? What's the purpose of such packet anyway? And, most importantly, why didn't it get rejected by the above filter?

myIpAddress contains something different than 127.0.0.1, right? — Davide Berra, Feb 20 '13 at 12:15
A weird part is also that this packet has different src/dst mac addresses but in the ip layer we have the same IP. If you open the pcap file with wireshark you get the same result? — Davide Berra, Feb 21 '13 at 09:36
What happens if you run tcpdump with the same filter, and on the same network interface, and with the `-d` flag? It will print the code generated for the filter expression, so that we can see exactly what it's checking for, and therefore determine why a packet with 127.0.0.1 in the source and destination IP address field would match the filter. — , Feb 21 '13 at 10:53

score 0 · Answer 1 · answered Feb 07 '14 at 12:12

0

What is "$myIpAddress"? Was it literally an IPv4 address? If it was actually anything resembling an FQDN or hostname, then the man page explains what happens:

http://www.tcpdump.org/manpages/pcap-filter.7.html

 host host
 (stuff removed)
 If host is a name with multiple IP addresses, each address will be checked for a match.

I'm not sure what happens if it was, probably the IP is mapped to the MAC address?

I like Guy's suggestion about using -d.

answered Feb 07 '14 at 12:12

benc

1,381
5
31
39

it was the IP address of the machine where I ran my script. As for the rest, it was one year ago. I don't remember :) – Ricky Robinson Feb 07 '14 at 14:31

localhost icmp packet found in capture file: why?

1 Answers1