Traceroute ain’t tracert

After ping, trace route is probably one of the most common network tools. Be it for fault finding, verification, discovery or testing. Between ping and trace route you can do a lot. Trace route, at it’s most basic sends a series of packets with an ever increasing Time to Live (TTL), starting at TTL=1. Every layer 3 device in the path will decrement this TTL and send a TTL Expired back towards the source if the TTL hits 0, until eventually the packet has a TTL that is long enough that it will reach the end device. The series of returned TTL Expired packets will tell you the path that the packet took.

Trace Route vs Tracert

What kind of packet trace route sends depends on the operating system of the device you are on. For a Linux/UNIX system (Cisco IOS) a UDP packet with a destination port starting at 33434 is sent towards the end target. On the other hand, on Windows the tracert command sends an ICMP packet towards the end target.

Why? Well, the original RFC791 for IP had a typo – it said you should never send an ICMP error in response to an ICMP packet. What it was supposed to say was you should never send an ICMP error in response to an ICMP error packet. By the time they fixed this in the RFC there were already devices out there configured so that they would never send an ICMP error (in this case ICMP TTL Expired) in response to an ICMP packet. So a new spec for traceroute was written using UDP. The final destination should respond to the UDP packet with a ICMP Port Unreachable packet which will indicate the trace has been completed.

Why is this important? Well, for the most part just tracing through routers it probably isn’t. But suppose you have a firewall or ACL rule to allow ICMP through for fault finding purposes. If you tracert from your windows box, it will work fine. But if have remoted to a Cisco router and traceroute from there – it may not. It’s just something to be aware of if suddenly your trace fails at a firewall edge.

Also don’t host anything on UDP port 33434 or above.

Traceroute…what r u doin…traceroute…stahp!

If you need to stop your trace, the usual break sequences apply. Windows is ctrl+c and on a Cisco box it’s ctrl+shift+6 (or ctrl+^ if you prefer).

Why so *y?

At some point you will probably notice most of your traces from a Cisco device will end with something along the lines of:

R1#traceroute 10.0.0.6
Type escape sequence to abort.
Tracing the route to 10.0.0.6
 1 10.0.0.2 28 msec 20 msec 20 msec
 2 10.0.0.6 40 msec * 40 msec

You’ll notice the last line is “* 40 msec”. The * is due to ICMP rate limiting, I recommend this blog post at packetlife for a good explanation.

 

 

This entry was posted in "Fault Finding", "Network Operations" by Tom. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *