traceroute is a utility for identifying the network path packets take to a destination. Like ping, it can be invoked in a number of ways. traceroute takes advantage of the TTL field in the IP header to determine, hop by hop, the reachability and addresses of the routers between the traceroute host and the intended destination.
The traceroute tool is available on most Unix-like platforms, and under Windows as tracert. Here we consider only the traceroute commonly installed on Linux systems.
The default packet type created by traceroute is a UDP packet. The first packet is addressed to udp/33435, and each subsequent packet is addressed to an incremented port number. Because an ICMP error message quotes the IP header and the first eight bytes of the datagram that provoked it (destination port included), this lets traceroute match each returning ICMP packet to the outbound probe that triggered it.
Example G.10. Simple usage of traceroute
[root@isolde]# traceroute -n 192.168.99.35
[root@isolde]# tcpdump -nn -i eth0 not tcp
tcpdump: listening on eth0
20:13:36.905537 192.168.100.17.32978 > 192.168.99.35.33435: udp 10 [ttl 1]
20:13:36.905668 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906005 192.168.100.17.32978 > 192.168.99.35.33436: udp 10 [ttl 1]
20:13:36.906112 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906357 192.168.100.17.32978 > 192.168.99.35.33437: udp 10 [ttl 1]
20:13:36.906457 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906759 192.168.100.17.32978 > 192.168.99.35.33438: udp 10
20:13:36.907061 192.168.99.35 > 192.168.100.17. icmp: 192.168.99.35 udp port 33438 unreachable [tos 0xc0]
20:13:36.907293 192.168.100.17.32978 > 192.168.99.35.33439: udp 10
20:13:36.907543 192.168.99.35 > 192.168.100.17. icmp: 192.168.99.35 udp port 33439 unreachable [tos 0xc0]
20:13:36.907753 192.168.100.17.32978 > 192.168.99.35.33440: udp 10
20:13:36.907990 192.168.99.35 > 192.168.100.17. icmp: 192.168.99.35 udp port 33440 unreachable [tos 0xc0]
13 packets received by filter
0 packets dropped by kernel
Note in Example G.10, “Simple usage of traceroute” that tcpdump conveniently reports the low TTL on the first packets. A packet sent with a TTL of 1 is discarded by the first router it reaches, and that router reports the discard back to the sender with an ICMP time exceeded message. This is the concept and mechanism by which traceroute is able to discover the path packets take to their destination: it raises the TTL one step at a time and notes which router complains at each step.
Each of the first three packets transmitted in the above example receives an ICMP time exceeded reply from the upstream router (masq-gw, 192.168.100.254). The second set of packets have their TTL set to 2, which tcpdump does not flag (it only annotates a TTL of 1). This allows these packets to reach the intended destination, tristan (192.168.99.35). Because no process on tristan is listening on udp/33438 through udp/33440, tristan answers each probe with an ICMP port unreachable; that reply, rather than a time exceeded, is how traceroute knows the final hop has been reached and stops.
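The correlation just described, as an added example that is not part of the guide: a Python script that reads the tcpdump lines from Example G.10 and rebuilds the hop table the way traceroute does, pairing each UDP probe with its ICMP reply and deriving the hop number from the destination port and the number of probes per hop (traceroute's -q, three by default). The second, constructed trace models the firewall case from the next paragraph, where a hop silently drops UDP and the probes simply time out. The tcpdump line format is assumed to be the one shown above; this tcpdump does not print the quoted UDP port inside a time exceeded message, so for those replies the script relies on traceroute's lock-step send order, which is the only information the capture offers.

```python
"""Rebuild a traceroute hop table from old-style tcpdump lines (added example)."""
import re
from typing import Dict, List, Optional

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"\d{2}:\d{2}:\d{2}\.\d+"
PROBE_RE = re.compile(rf"^(?P<ts>{TS}) {IP}\.\d+ > {IP}\.(?P<dport>\d+): udp \d+")
EXCEEDED_RE = re.compile(rf"^(?P<ts>{TS}) (?P<router>{IP}) > {IP}[.:]? icmp: time exceeded")
UNREACH_RE = re.compile(
    rf"^(?P<ts>{TS}) (?P<host>{IP}) > {IP}[.:]? icmp: {IP} udp port (?P<dport>\d+) unreachable")

# Constructed input: the twelve packets of Example G.10, one per line.
SAMPLE_TRACE = """\
20:13:36.905537 192.168.100.17.32978 > 192.168.99.35.33435: udp 10 [ttl 1]
20:13:36.905668 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906005 192.168.100.17.32978 > 192.168.99.35.33436: udp 10 [ttl 1]
20:13:36.906112 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906357 192.168.100.17.32978 > 192.168.99.35.33437: udp 10 [ttl 1]
20:13:36.906457 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906759 192.168.100.17.32978 > 192.168.99.35.33438: udp 10
20:13:36.907061 192.168.99.35 > 192.168.100.17. icmp: 192.168.99.35 udp port 33438 unreachable [tos 0xc0]
20:13:36.907293 192.168.100.17.32978 > 192.168.99.35.33439: udp 10
20:13:36.907543 192.168.99.35 > 192.168.100.17. icmp: 192.168.99.35 udp port 33439 unreachable [tos 0xc0]
20:13:36.907753 192.168.100.17.32978 > 192.168.99.35.33440: udp 10
20:13:36.907990 192.168.99.35 > 192.168.100.17. icmp: 192.168.99.35 udp port 33440 unreachable [tos 0xc0]
"""

# Constructed (hypothetical) input for the firewall case, run as "traceroute -q 1":
# hop 1 answers, but everything past it silently drops UDP, so no reply ever comes.
FILTERED_TRACE = """\
20:13:36.905537 192.168.100.17.32978 > 192.168.99.35.33435: udp 10 [ttl 1]
20:13:36.905668 192.168.100.254 > 192.168.100.17. icmp: time exceeded in-transit [tos 0xc0]
20:13:36.906005 192.168.100.17.32978 > 192.168.99.35.33436: udp 10
20:13:41.906005 192.168.100.17.32978 > 192.168.99.35.33437: udp 10
"""


class Probe:
    def __init__(self, dport: int, sent: float):
        self.dport = dport
        self.sent = sent
        self.replier: Optional[str] = None   # router or host that answered
        self.rtt_ms: Optional[float] = None  # None means the probe timed out ("*")
        self.reached = False                 # True for port unreachable from the target


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _answer(p: Probe, who: str, at: float, reached: bool) -> None:
    p.replier, p.rtt_ms, p.reached = who, (at - p.sent) * 1000.0, reached


def correlate(trace: str, nqueries: int = 3) -> Dict[int, List[Probe]]:
    """Pair probes with replies and group them by hop (TTL).

    Classic traceroute is lock-step: the next probe goes out only after the
    previous one was answered or timed out, so a probe still unanswered when
    a new one is sent is recorded as lost.
    """
    by_port: Dict[int, Probe] = {}
    pending: Optional[Probe] = None
    base_port: Optional[int] = None
    for line in trace.splitlines():
        if m := PROBE_RE.match(line):
            dport = int(m["dport"])
            if base_port is None:
                base_port = dport
            pending = by_port[dport] = Probe(dport, _seconds(m["ts"]))
        elif m := UNREACH_RE.match(line):
            # Port unreachable quotes the probe's UDP header, so the port names
            # the probe exactly; it also proves the target itself answered.
            p = by_port.get(int(m["dport"]))
            if p is not None:
                _answer(p, m["host"], _seconds(m["ts"]), reached=True)
                pending = None
        elif (m := EXCEEDED_RE.match(line)) and pending is not None:
            # Time exceeded quotes the UDP header too, but this tcpdump format
            # does not print it, so the lock-step order identifies the probe.
            _answer(pending, m["router"], _seconds(m["ts"]), reached=False)
            pending = None
    hops: Dict[int, List[Probe]] = {}
    for dport, p in sorted(by_port.items()):
        hops.setdefault((dport - base_port) // nqueries + 1, []).append(p)
    return hops


def destination_reached(hops: Dict[int, List[Probe]]) -> bool:
    return any(p.reached for probes in hops.values() for p in probes)


def summarize(hops: Dict[int, List[Probe]]) -> List[str]:
    """Render one line per hop in the layout traceroute prints: hop, responder, RTTs."""
    out = []
    for hop, probes in sorted(hops.items()):
        who = next((p.replier for p in probes if p.replier), "*")
        rtts = "  ".join("*" if p.rtt_ms is None else f"{p.rtt_ms:.3f} ms" for p in probes)
        out.append(f"{hop:2d}  {who}  {rtts}")
    return out


if __name__ == "__main__":
    for name, trace, q in (("Example G.10", SAMPLE_TRACE, 3), ("UDP filtered", FILTERED_TRACE, 1)):
        table = correlate(trace, q)
        print(f"{name}: destination reached = {destination_reached(table)}")
        print("\n".join(summarize(table)))
```

Run against the capture above, the script prints hop 1 as 192.168.100.254 with sub-millisecond RTTs and hop 2 as 192.168.99.35 marked reached; the filtered trace prints hop 1 normally and then rows of asterisks, which is exactly what a UDP-dropping firewall looks like from the traceroute host.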
There is a drawback to using UDP traceroute on the Internet. Many screening routers, firewalls, and even hosts silently drop unsolicited UDP packets, leaving traceroute with nothing but timeouts (printed as *) beyond that point. On internal networks, or networks known to have no firewalls, conventional traceroute continues to provide diagnostic value. Where a firewall is known to be in the path, traceroute can send ICMP echo probes instead (traceroute -I), and mtr is a good example of a network diagnostic tool which uses ICMP echo by default. Two caveats apply to every variant. A firewall may drop ICMP echo as readily as UDP, in which case a TCP SYN probe to a port the destination actually serves (traceroute -T -p 443 with modern Linux traceroute, or tcptraceroute) usually gets through. And whatever the probe type, the method depends on the ICMP time exceeded messages from intermediate routers being allowed back to the traceroute host; a filter that drops inbound ICMP errors blinds all of them alike.