G.2. traceroute

traceroute is a utility for identifying the network path a packet will take to a destination. Like ping, it can be called a number of ways. traceroute takes advantage of a the TTL in an IP packet to determine hop by hop the reachability and addressing of routers between the traceroute host and the intended destination.

The tool traceroute is available on most Unix-like platforms and even under Windows as tracert. Here, we will only consider the common traceroute installed on linux systems.

G.2.1. Using traceroute

The default packet type created by traceroute is a UDP packet. The first packet will be addressed to udp/33435 and each subsequent packet will be addressed to an incremented port number. This allows traceroute to keep track of which return ICMP packets correspond to which outbound packets.

Example G.10. Simple usage of traceroute

[root@isolde]# traceroute -n
[root@isolde]# tcpdump -nn -i eth0 not tcp
tcpdump: listening on eth0
20:13:36.905537 >  udp 10 [ttl 1]
20:13:36.905668 > icmp: time exceeded in-transit [tos 0xc0] 
20:13:36.906005 >  udp 10 [ttl 1]
20:13:36.906112 > icmp: time exceeded in-transit [tos 0xc0] 
20:13:36.906357 >  udp 10 [ttl 1]
20:13:36.906457 > icmp: time exceeded in-transit [tos 0xc0] 
20:13:36.906759 >  udp 10
20:13:36.907061 > icmp: udp port 33438 unreachable [tos 0xc0] 
20:13:36.907293 >  udp 10
20:13:36.907543 > icmp: udp port 33439 unreachable [tos 0xc0] 
20:13:36.907753 >  udp 10
20:13:36.907990 > icmp: udp port 33440 unreachable [tos 0xc0] 

13 packets received by filter
0 packets dropped by kernel

Note in Example G.10, “Simple usage of traceroute that tcpdump conveniently reports the low TTL on the first packets. Packets transmitted from a router with a TTL of 1 will expire at the next router they hit. This is the concept and mechanism by which traceroute is able to detect the path by which packets arrive at their destination.

Each of the first three packets transmitted in the above example receive ICMP time exceeded replies from the upstream router (masq-gw). The second set of packets have their TTL set to 2, which is not reported by tcpdump. This allows these packets to reach the intended destination, tristan.

There is a liability of using UDP traceroute on the Internet. Many screening routers, firewalls, and even hosts will silently drop UDP packets, effectively destroying the usability of traceroute. On internal networks, or networks known to have no firewalls, conventional traceroute can continue to provide diagnostic value. In the case that the network is known to have a firewall, traceroute can use ICMP, and mtr is a good example of a network diagnostic tool which uses ICMP only.

G.2.2. Telling traceroute to use ICMP echo request instead of UDP

G.2.3. Setting ToS with traceroute

G.2.4. Summary on the use of traceroute