Localhost ICMP packet found in capture file: why?

Here is my tcpdump filter (ip[8] is the IP TTL field, and icmp[0]=11 corresponds to time-out ICMP messages):

 (ip and ip[8]=2 and src host $myIPAddress) or (icmp and dst host $myIPAddress and icmp[0]=11) 

And here is what I found in the capture file:

 >>> p.show()
 ###[ Ethernet ]###
   dst       = 00:15:f2:e3:90:e9
   src       = 00:11:43:e5:48:10
   type      = 0x800
 ###[ IP ]###
      version   = 4L
      ihl       = 5L
      tos       = 0xc0
      len       = 56
      id        = 19126
      flags     = 
      frag      = 0L
      ttl       = 254
      proto     = icmp
      chksum    = 0xa697
      src       = 127.0.0.1
      dst       = 127.0.0.1
      \options   \

Why did I capture the localhost ICMP packet? What is the purpose of such a packet? And, most importantly, why wasn't it rejected by the above filter?

1 answer

What is the "$myIPAddress"? Was it literally an IPv4 address? If it really looked like a fully qualified domain name or host name, then the manual page explains what happens:

http://www.tcpdump.org/manpages/pcap-filter.7.html

 host host
 (stuff removed)
 If host is a name with multiple IP addresses, each address will be checked for a match.

I'm not sure what will happen if this is the case; probably the IP is mapped to a MAC address.

I like Guy's suggestion of using -d.

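The answer's explanation can be checked without tcpdump: the added Python below (not code from the question, the answer, or tcpdump) re-implements the question's filter with the same byte offsets, then evaluates it against a constructed packet mirroring the capture once with a literal address and once with a name that also expands to 127.0.0.1. The value of $myIPAddress and the ICMP type of the captured packet (not visible in the question's output) are assumptions.

```python
# Added example: evaluate the question's BPF filter in Python using the same offsets
# (ip[8] = TTL, ip[9] = protocol, icmp[0] = ICMP type) over raw IPv4 packets.
import struct
import ipaddress

MY_IP = "192.0.2.10"          # hypothetical $myIPAddress (documentation range)
ICMP_TIME_EXCEEDED = 11       # icmp[0]=11 in the original filter


def parse_ipv4(frame: bytes) -> dict:
    """Parse a raw IPv4 packet (no Ethernet header) into the fields the filter reads."""
    ihl = (frame[0] & 0x0F) * 4                      # header length in bytes
    ttl, proto = frame[8], frame[9]                  # ip[8] is TTL, ip[9] is protocol
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    return {"ttl": ttl, "proto": proto, "src": src, "dst": dst, "payload": frame[ihl:]}


def matches_filter(frame: bytes, host_addrs: set) -> bool:
    """(ip and ip[8]=2 and src host X) or (icmp and dst host X and icmp[0]=11).
    host_addrs is the set of addresses X expands to; pcap-filter(7) says a name
    with several addresses matches on any of them."""
    p = parse_ipv4(frame)
    first = p["ttl"] == 2 and p["src"] in host_addrs
    is_icmp = p["proto"] == 1
    second = (is_icmp and p["dst"] in host_addrs
              and len(p["payload"]) > 0 and p["payload"][0] == ICMP_TIME_EXCEEDED)
    return first or second


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (checksum left at zero; constructed test data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(payload), 19126, 0,
                         ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed packet mirroring the capture: 127.0.0.1 -> 127.0.0.1, ttl 254, ICMP, len 56.
# The ICMP type is not shown in the question; type 11 (time exceeded) is assumed here.
LOCALHOST_PKT = build_ipv4("127.0.0.1", "127.0.0.1", 254, 1, bytes([11, 0, 0, 0]) + b"\x00" * 32)


def explain() -> tuple:
    """Returns (matches with literal IP, matches with a name that also resolves to loopback)."""
    literal = matches_filter(LOCALHOST_PKT, {MY_IP})
    name_with_loopback = matches_filter(LOCALHOST_PKT, {MY_IP, "127.0.0.1"})
    return literal, name_with_loopback


if __name__ == "__main__":
    print(explain())  # (False, True)
```

With a literal address the loopback packet is dropped; once the host expression also expands to 127.0.0.1, the second clause accepts it, which is the behaviour the manpage quote describes.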
