TCPDUMP and IPv6

tcpdump -i eth0 “icmp6 && ip6[40] == 128”

The most common ICMPv6 types are:

unreachable: 1
too-big: 2
time-exceeded: 3
echo-request: 128
echo-reply: 129
router-solicitation: 133
router-advertisement: 134
neighbor-solicitation: 135
neighbor-advertisement: 136
tcpdump -i eth0 “icmp6 && ip6[40] == 128”
tcpdump -i eth0 -nr ipv6_traffic.pcap “ip6 and not tcp port 22”

IPv6 and TCP
tcpdump -nr ipv6_traffic.pcap ip6 proto 6
tcpdump -nr ipv6_traffic.pcap ip6 protochain 6
IPv6 and UDP
tcpdump -nr ipv6_traffic.pcap ip6 proto 17
tcpdump -nr ipv6_traffic.pcap ip6 and udp

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:28:33:5f brd ff:ff:ff:ff:ff:ff
    inet 10.10.18.115/24 brd 10.10.18.255 scope global dynamic enp1s0
       valid_lft 81764sec preferred_lft 81764sec
    inet6 2001::1/64 scope global dadfailed tentative 
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe28:335f/64 scope link 
       valid_lft forever preferred_lft forever

root@ubuntu:~# ping6 fe80::f816:3eff:fe1c:eec8%enp1s0
PING fe80::f816:3eff:fe1c:eec8%enp1s0(fe80::f816:3eff:fe1c:eec8%enp1s0) 56 data bytes

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:1c:ee:c8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.18.114/24 brd 10.10.18.255 scope global dynamic enp1s0
       valid_lft 35504sec preferred_lft 35504sec
    inet6 2001::2/64 scope global dadfailed tentative 
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe1c:eec8/64 scope link 
       valid_lft forever preferred_lft forever

root@ubuntu:~# tcpdump -i enp1s0  icmp6 -nnvv
tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:45:20.253228 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::f816:3eff:fe28:335f > fe80::f816:3eff:fe1c:eec8: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f816:3eff:fe1c:eec8
          source link-address option (1), length 8 (1): fa:16:3e:28:33:5f
            0x0000:  fa16 3e28 335f
09:45:20.253289 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::f816:3eff:fe1c:eec8 > fe80::f816:3eff:fe28:335f: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::f816:3eff:fe1c:eec8, Flags [router, solicited]
09:45:25.445479 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::f816:3eff:fe1c:eec8 > fe80::f816:3eff:fe28:335f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f816:3eff:fe28:335f
          source link-address option (1), length 8 (1): fa:16:3e:1c:ee:c8
            0x0000:  fa16 3e1c eec8
09:45:25.458828 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::f816:3eff:fe28:335f > fe80::f816:3eff:fe1c:eec8: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::f816:3eff:fe28:335f, Flags [router, solicited]
09:45:57.372951 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::f816:3eff:fe28:335f > fe80::f816:3eff:fe1c:eec8: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f816:3eff:fe1c:eec8
          source link-address option (1), length 8 (1): fa:16:3e:28:33:5f
            0x0000:  fa16 3e28 335f
09:45:57.373002 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::f816:3eff:fe1c:eec8 > fe80::f816:3eff:fe28:335f: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::f816:3eff:fe1c:eec8, Flags [router, solicited]
09:46:02.565467 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::f816:3eff:fe1c:eec8 > fe80::f816:3eff:fe28:335f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f816:3eff:fe28:335f
          source link-address option (1), length 8 (1): fa:16:3e:1c:ee:c8
            0x0000:  fa16 3e1c eec8
09:46:03.033839 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::f816:3eff:fe28:335f > fe80::f816:3eff:fe1c:eec8: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::f816:3eff:fe28:335f, Flags [router, solicited]

root@ubuntu:~# tcpdump -i enp1s0  icmp6 && ip6[40] == 128 -nnvv
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:48:27.132124 IP6 fe80::f816:3eff:fe28:335f > ubuntu: ICMP6, neighbor solicitation, who has ubuntu, length 32
09:48:27.132201 IP6 ubuntu > fe80::f816:3eff:fe28:335f: ICMP6, neighbor advertisement, tgt is ubuntu, length 24
09:48:32.325468 IP6 ubuntu > fe80::f816:3eff:fe28:335f: ICMP6, neighbor solicitation, who has fe80::f816:3eff:fe28:335f, length 32
09:48:32.325718 IP6 fe80::f816:3eff:fe28:335f > ubuntu: ICMP6, neighbor advertisement, tgt is fe80::f816:3eff:fe28:335f, length 24