
ICMP filter filtering only Destination Unreachable (type) - icmp[0] == 3.

ICMP filter filtering Destination Unreachable (type), Destination host unreachable (code) - icmp[0:2] == ?

Regards, Dinged

asked 27 Mar '13, 06:14

Dinged


The capture filter you are probably thinking of is:

icmp[0:2]==0x0301

But to be more descriptive, you could use something like this instead:

icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1

Note that the compiled BPF code isn't exactly the same though. It seems that the first format is slightly more efficient, taking 2 fewer instructions.

Compare icmp[0:2]==0x0301:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 14]
(008) jeq      #0x301           jt 9    jf 10
(009) ret      #65535
(010) ret      #0

to icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 12
(004) ldh      [20]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 14]
(008) jeq      #0x3             jt 9    jf 12
(009) ldb      [x + 15]
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #65535
(012) ret      #0

Refer to the pcap-filter man page for more information.

(If instead you're looking for a Wireshark display filter, then refer to pfuender's answer.)


answered 27 Mar '13, 09:35

cmaynard ♦

edited 27 Mar '13, 20:56

Great detailed answer. I am wondering how the hex value 0x0301 comes about? 03 = type 3, 01 = code 1?

(27 Mar '13, 20:15) Dinged

The 1st byte of an ICMP packet is the type, and type 3 is the "Destination Unreachable" message. The 2nd byte of the ICMP packet is the code, and code 1 of a "Destination Unreachable" message is "host unreachable". For more details refer to RFC 792 or to your favorite on-line help for ICMP, such as Inacon's help for the ICMP code field or even wikipedia's article on ICMP.

(27 Mar '13, 21:02) cmaynard ♦

Oh, only after reading Inacon's guide did I know that the type and code values are actually hex values. Thanks for the link to this great resource.

(28 Mar '13, 07:33) Dinged
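The compiled listing for icmp[0:2]==0x0301 in the answer above, and the byte layout described in the comments (first ICMP byte = type, second = code), can be checked by executing that listing directly. The Python below is an added example, not part of the answer or of libpcap: a tiny interpreter for the six opcodes the tcpdump -d listing uses, plus a builder for constructed Ethernet/IPv4/ICMP frames, showing that the filter accepts type 3 / code 1 at any IHL, and drops other codes, non-first fragments (the jset #0x1fff check), non-IPv4 frames and frames too short for the load.

```python
import re, struct

# Added example: a minimal interpreter for the "tcpdump -d" listing quoted above,
# so the compiled capture filter can be run offline against constructed frames.
FILTER_0301 = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 14]
(008) jeq      #0x301           jt 9    jf 10
(009) ret      #65535
(010) ret      #0
"""

def run_bpf(listing, pkt):
    """Return the accept length (65535 = match, 0 = drop) for one raw frame."""
    prog = [l.split(None, 2)[1:] for l in listing.strip().splitlines()]
    a = x = pc = 0
    while True:
        op, rest = prog[pc][0], prog[pc][-1]
        if op == "ret":
            return int(rest[1:])
        if op in ("ldh", "ldb"):                       # A = 16- or 8-bit load
            inner = rest.strip("[]")                   # "12" or "x + 14"
            off = x + int(inner[1:].lstrip("+ ")) if inner[0] == "x" else int(inner)
            size = 2 if op == "ldh" else 1
            if off + size > len(pkt):                  # out-of-range load rejects
                return 0
            a = int.from_bytes(pkt[off:off + size], "big")
        elif op == "ldxb":                             # X = 4*(pkt[n]&0xf): IHL*4
            n = int(re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", rest).group(1))
            if n >= len(pkt):
                return 0
            x = 4 * (pkt[n] & 0xf)
        elif op in ("jeq", "jset"):                    # conditional branch
            k, _, jt, _, jf = rest.split()
            hit = (a == int(k[1:], 0)) if op == "jeq" else ((a & int(k[1:], 0)) != 0)
            pc = int(jt) if hit else int(jf)
            continue
        pc += 1

def icmp_frame(icmp_type, icmp_code, frag=0, ihl=5):
    """Constructed Ethernet/IPv4/ICMP frame; frag is the IP flags+offset field."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + 4 * (ihl - 5) + 8, 0, frag,
                     64, 1, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ip += b"\x00" * (4 * (ihl - 5))                    # zero-padded IP options
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
```

run_bpf(FILTER_0301, icmp_frame(3, 1)) returns 65535, while icmp_frame(3, 3) or a frame with a non-zero fragment offset returns 0.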

You can combine several filters using '&&', so you can use the two filters as you've requested. Here's an example to only show ICMP 'Host Unreachable' messages:

(icmp.type==3) && (icmp.code==1)

answered 27 Mar '13, 07:12

pfuender

Sorry for not being clear in the question, I am looking for a capture filter. But nevertheless, good to know. :D

(27 Mar '13, 20:15) Dinged