How to tcpdump only IPv6 ping packets


IPv6 upper-layer protocol is not supported by proto[x]

When I was setting up a new system, it was configured to have 2 IPv6 addresses: one fixed IPv6 address and one IPv6 address via automatic configuration. I wanted to know which IPv6 address was used as the default, so I started tcpdump on a different host with IPv6. But this resulted in a lot of traffic.

root@nynaeve:~# tcpdump -nni eth0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:36:29.233603 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:5::1, length 32
14:36:29.234108 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:f::1, length 32
14:36:29.234119 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:4::1, length 32
14:36:29.234122 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:e::1, length 32
14:36:29.234215 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:c::1, length 32
14:36:29.234337 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:1::1, length 32
14:36:29.250866 IP6 fe80::5054:ff:feac:88c2 > ff02::1:ffea:c8c5: ICMP6, neighbor solicitation, who has fe80::6600:6aff:feea:c8c5, length 32
14:36:29.683534 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:1::1, length 32
14:36:29.683772 IP6 fe80::4:1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:8:4:6::1, length 32

With that much traffic it is hard to see which ICMP6 packets are my ping packets. And I can’t filter on the IPv6 address, because I don’t know which IPv6 address will be used. So I wanted to filter on ICMP6 echo request and reply packets.

root@nynaeve:~# tcpdump -nni eth0 icmp6[0]=128
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]
root@nynaeve:~#

The solution

So that is not going to work. I found a good article that shows how it can be done. It mentions the following:

Looks like looking into icmp6 messages has not yet been implemented. However, you can use the IPv6 layer with an index (as long as there are no extra IPv6 headers):

root@nynaeve:~# tcpdump -nni eth0 "icmp6 and (ip6[40] == 128 or ip6[40] == 129)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

14:45:26.884048 IP6 2001:1:7::a:38ff:fe9f:7 > 2a01:8:4:c::1: ICMP6, echo request, seq 1, length 64
14:45:26.884116 IP6 2a01:8:4:c::1 > 2001:1:7::a:38ff:fe9f:7: ICMP6, echo reply, seq 1, length 64
14:45:27.885415 IP6 2001:1:7::a:38ff:fe9f:7 > 2a01:8:4:c::1: ICMP6, echo request, seq 2, length 64
14:45:27.885457 IP6 2a01:8:4:c::1 > 2001:1:7::a:38ff:fe9f:7: ICMP6, echo reply, seq 2, length 64
14:45:28.886770 IP6 2001:1:7::a:38ff:fe9f:7 > 2a01:8:4:c::1: ICMP6, echo request, seq 3, length 64
14:45:28.886825 IP6 2a01:8:4:c::1 > 2001:1:7::a:38ff:fe9f:7: ICMP6, echo reply, seq 3, length 64
root@nynaeve:~# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2l  25 May 2017
root@nynaeve:~#

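ICMPv6 type 128 is the echo request and type 129 is the echo reply. The fixed IPv6 header is 40 bytes long, so ip6[40] is the first byte after it, which is the ICMPv6 type field when no extension headers are present.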

So this is a bit harder than ping with an IPv4 address:

root@nynaeve:~# tcpdump -nni eth0 "icmp[icmptype] == 8 or icmp[icmptype] == 0"
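
The caveat in the quoted text, that ip6[40] only works when there are no extra IPv6 headers, shown as an added example (not code from the original post or from tcpdump). It models the ip6[40] filter on constructed packets with documentation addresses and compares it with a walk of the header chain; the function names and sample packets are assumptions made for the illustration.

```python
import struct

ICMPV6, FRAGMENT = 58, 44
ECHO_REQUEST, ECHO_REPLY = 128, 129
# Extension headers laid out as: next header, length in 8-byte units minus 1, data
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def ipv6_packet(payload, next_header, ext=b""):
    """Constructed packet: 40-byte fixed header, optional extension headers, payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), next_header, 64)
    return fixed + src + dst + ext + payload

def fixed_offset_match(pkt):
    """Model of the page's filter: Next Header is 58 and ip6[40] is 128 or 129."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] in (ECHO_REQUEST, ECHO_REPLY)

def icmp6_type(pkt):
    """Walk the header chain; return the ICMPv6 type, or None if there is none."""
    if len(pkt) < 40:
        return None
    nxt, off = pkt[6], 40
    while off + 8 <= len(pkt):
        if nxt == ICMPV6:
            return pkt[off]
        if nxt in EXT_HEADERS:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            # Only the first fragment (offset 0) carries the upper-layer header
            if struct.unpack_from("!H", pkt, off + 2)[0] & 0xFFF8:
                return None
            nxt, off = pkt[off], off + 8
        else:
            return None
    return None

# Constructed echo request: type 128, code 0, checksum left at 0, id 1, seq 1
ECHO = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 1, 1)
# Constructed hop-by-hop header: next header 58, length 0, PadN option (6 bytes)
HOP_BY_HOP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])

PLAIN = ipv6_packet(ECHO, ICMPV6)
WITH_EXT = ipv6_packet(ECHO, 0, HOP_BY_HOP)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("hop-by-hop", WITH_EXT)):
        print(name, "fixed offset:", fixed_offset_match(pkt), "walked type:", icmp6_type(pkt))
```

For the packet with a hop-by-hop header, byte 40 holds that header's Next Header value rather than the ICMPv6 type, so the fixed-offset test does not see the echo request.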