ICMP filter filtering only Destination Unreachable (type) - icmp[0] == 3.

ICMP filter filtering Destination Unreachable (type), Destination host unreachable (code) - icmp[0:2] == ?

Regards Dinged

asked 27 Mar '13, 06:14

Dinged


The capture filter you are probably thinking of is:

icmp[0:2]==0x0301

But to be more descriptive, you could use something like this instead:

icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1

Note that the compiled BPF code isn't exactly the same though. It seems that the first format is slightly more efficient, taking 2 fewer instructions.

Compare icmp[0:2]==0x0301:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 14]
(008) jeq      #0x301           jt 9    jf 10
(009) ret      #65535
(010) ret      #0

to icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 12
(004) ldh      [20]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 14]
(008) jeq      #0x3             jt 9    jf 12
(009) ldb      [x + 15]
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #65535
(012) ret      #0

Refer to the pcap-filter man page for more information.

(If instead you're looking for a Wireshark display filter, then refer to pfuender's answer.)

answered 27 Mar '13, 09:35

cmaynard ♦

edited 27 Mar '13, 20:56

Great detailed answer. I am wondering how does the hex value 0x0301 come about? 03 = type 3, 01 = code 1?

(27 Mar '13, 20:15) Dinged

The 1st byte of an ICMP packet is the type, and type 3 is the "Destination Unreachable" message. The 2nd byte of the ICMP packet is the code, and code 1 of a "Destination Unreachable" message is "host unreachable". For more details refer to RFC 792 or to your favorite on-line help for ICMP, such as Inacon's help for the ICMP code field or even wikipedia's article on ICMP.

(27 Mar '13, 21:02) cmaynard ♦

Oh, only after reading Inacon's guide did I know that the type and code values are actually hex values. Thanks for the link to this great resource.

(28 Mar '13, 07:33) Dinged
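As an added illustration, not part of the original answers, the following Python mirrors each instruction of the compiled BPF program for icmp[0:2]==0x0301 against a constructed Ethernet/IPv4/ICMP frame. It goes slightly beyond the thread by also building a frame with IPv4 options, which shows why the program loads the header length into X (ldxb 4*([14]&0xf)) rather than using a fixed ICMP offset, and by exercising the fragment-offset check (jset #0x1fff) that makes the filter match only first fragments.

```python
import struct

def build_icmp_frame(icmp_type, icmp_code, frag_offset=0, ip_options=b""):
    """Constructed Ethernet/IPv4/ICMP frame (sample data, not captured traffic).
    ip_options must be a multiple of 4 bytes; other fields are minimal."""
    assert len(ip_options) % 4 == 0
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + b"\x00" * 4
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0x1234,
                     frag_offset & 0x1fff, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)   # EtherType IPv4
    return eth + ip + ip_options + icmp

def matches_unreach_host(frame):
    """Walk the compiled BPF program for icmp[0:2]==0x0301 step by step."""
    # (000)-(001): ldh [12]; jeq #0x800 -> EtherType must be IPv4
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return False
    # (002)-(003): ldb [23]; jeq #0x1 -> IP protocol must be ICMP
    if frame[23] != 1:
        return False
    # (004)-(005): ldh [20]; jset #0x1fff -> drop non-first fragments
    if struct.unpack_from("!H", frame, 20)[0] & 0x1fff:
        return False
    # (006): ldxb 4*([14]&0xf) -> X = IHL * 4, the IPv4 header length
    x = 4 * (frame[14] & 0x0f)
    # (007)-(008): ldh [x+14]; jeq #0x301 -> ICMP type 3, code 1
    return struct.unpack_from("!H", frame, 14 + x)[0] == 0x0301

if __name__ == "__main__":
    print(matches_unreach_host(build_icmp_frame(3, 1)))   # True
    print(matches_unreach_host(build_icmp_frame(8, 0)))   # False
```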

You can combine several filters using '&&', so you can use the two filters as you've requested. Here's an example to only show ICMP 'Host Unreachable' messages:

(icmp.type==3) && (icmp.code==1)

answered 27 Mar '13, 07:12

pfuender

Sorry for not being clear in the question, I am looking for a capture filter. But nevertheless, good to know. :D

(27 Mar '13, 20:15) Dinged

Last updated: 28 Mar '13, 07:33