tcpdump & ICMP pkt size

Post by maxmagn » Sat, 29 Dec 2001 01:53:12



Hello,
I have a question concerning tcpdump. I want to monitor ICMP echo request/reply
traffic, and I'm interested in tracking the size of ICMP packets. Currently the
only way I could find to obtain such information is to use tcpdump with the
"-e" option, so that it dumps link-level headers. These contain information
about the packet size (including Ethernet headers). I am just curious to know
if there is a different way to obtain the same type of information (ICMP packet
size) or whether the "-e" option is the appropriate thing to use.

Thanks in advance, Max

--
Posted from proxy2.fna.fujitsu.com [192.240.0.202]
via Mailgate.ORG Server - http://www.Mailgate.ORG

Post by Karl Heye » Sat, 29 Dec 2001 03:17:17



> Hello,
> I have a question concerning tcpdump. I want to monitor ICMP echo request/reply
> traffic, and I'm interested in tracking the size of ICMP packets. Currently the
> only way I could find to obtain such information is to use tcpdump with the
> "-e" option, so that it dumps link-level headers. These contain information
> about the packet size (including Ethernet headers). I am just curious to know
> if there is a different way to obtain the same type of information (ICMP packet
> size) or whether the "-e" option is the appropriate thing to use.

use -v

karl.

Post by Ian Jone » Sat, 29 Dec 2001 04:27:33



> I have a question concerning tcpdump. I want to monitor ICMP echo request/reply
> traffic, and I'm interested in tracking the size of ICMP packets. Currently the
> only way I could find to obtain such information is to use tcpdump with the
> "-e" option, so that it dumps link-level headers. These contain information
> about the packet size (including Ethernet headers). I am just curious to know
> if there is a different way to obtain the same type of information (ICMP packet
> size) or whether the "-e" option is the appropriate thing to use.

You might be sorry you asked :)

The way to do this is with filter strings to the tcpdump
command. These can be used at the command line or you can put complex
filters in a file and load 'em with the "-F" option.

The following tcpdump command will grab ICMP echo requests with an
*ICMP data length* greater than or equal to 80 bytes:

tcpdump 'icmp[0]=8 && (ip[2:2] - (((ip[0] & 0x0f)*4) + 8) >= 80)'

...breaking it down:
'icmp[0]=8' selects only echo requests by looking at only ICMP packets
where the first byte (the ICMP type field) is 8

and (&&)

ip[2:2] is the total length of the datagram from which we want to
subtract

ip[0] & 0x0f -> the IP header length, converted to bytes (*4), plus
the length of the icmp header (8 bytes)

and finally comparing it to the length of 80.

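The filter's length arithmetic, as an added example that is not part of the thread: a Python version of the same computation run over constructed IPv4/ICMP packets (the builder function, addresses and payloads are made up here), including the IP-options case that is the reason the IHL nibble is multiplied by 4 rather than assuming a 20-byte header.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8


def build_icmp_packet(payload: bytes, ip_options: bytes = b"",
                      icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed test input (hypothetical builder, not from the thread):
    a minimal IPv4 datagram carrying an ICMP message. Checksums are left
    zero; the length arithmetic below never looks at them."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4                  # header length in 32-bit words
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    total_len = ihl * 4 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 13]))
    return ip_hdr + ip_options + icmp


def icmp_data_len(pkt: bytes) -> int:
    """ip[2:2] - (((ip[0] & 0x0f) * 4) + 8): IP total length minus the
    IP header (IHL nibble times 4) minus the 8-byte ICMP header."""
    ihl_bytes = (pkt[0] & 0x0F) * 4                 # (ip[0] & 0x0f) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]    # ip[2:2]
    return total_len - (ihl_bytes + ICMP_HEADER_LEN)


def matches_filter(pkt: bytes, min_data: int = 80) -> bool:
    """Equivalent of 'icmp[0]=8 && (... >= 80)'. tcpdump indexes icmp[]
    from the first byte after the IP header, so icmp[0] sits at offset IHL*4."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return pkt[ihl_bytes] == ICMP_ECHO_REQUEST and icmp_data_len(pkt) >= min_data


if __name__ == "__main__":
    samples = {
        "56-byte ping": build_icmp_packet(b"A" * 56),   # default ping payload
        "80-byte ping": build_icmp_packet(b"A" * 80),
        # Same payload with four NOP options (IHL=6): a naive "total - 28"
        # would report 84; multiplying the IHL keeps the answer at 80.
        "80-byte ping + options": build_icmp_packet(b"A" * 80, b"\x01" * 4),
        "100-byte echo reply": build_icmp_packet(b"A" * 100, icmp_type=0),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} data={icmp_data_len(pkt):3d} match={matches_filter(pkt)}")
```

Running it shows only the two 80-byte echo requests matching, and the echo reply rejected by the icmp[0] test even though its data length is larger.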
