Traceroute: ripped open
Traceroute is a very useful debugging tool, which can be used to find a number of useful
things about the host and the client, router, and systems that data passes through on its way from the source to destination and a whole lot more related information.
Keep in mind while using traceroute. You see, there are simply no guarantees that to consecutive IP datagrams from the same source to the same destination have to take the exact same route.
Traceroute is a part of a protocol called 'Internet Control Message Protocol' or ICMP, which is used for debugging purposes or Network Diagnosis.
The ICMP communicates error messages and other malfunctions or problems that might have occured while the data transactions between two systems were taking place. All ICMP messages are transmitted as IP datagrams. A typical ICMP message encapsulated with a IP datagram below:
| IP HEADER | ICMP MESSAGE |
| | |
The first 4 bytes have the same format and specification for all the messages, however, the remaining part differs from message to message depending upon the kind of message etc. error message or the type of message carried by the datagram.
(For a more detailed description refer to RFC 792. )
The 'type' field can have any of 15 different values, which determines a particular ICMP error message. For example an ICMP error message of the 'Time Exceed' error has a 'type' value of 11.
Now, back to traceroute.
Traceroute uses ICMP protocol and the TTL(Time to Live) field which is a part of the IP protocol. If you remember the diagram above, you'll know that the first 20 bytes consisted of the IP Header. It is in this header that you will find a number of fields, which is a part of the IP protocol and is stored here.
What is the TTL field for? The TTL is an 8-bit field that sets the max limit of numbers of routers through which a datagram caan pass. It basically determines how long a datagram will be alive. It is set at the sender's end to a predefined value(normally 32 or 64) and this value is then decremented by one by every router that handles it. When it finally decremented to 0, then the datagram is thrown away and ICMP is called upon to report the error to the sender. This prevents datagrams from going infinitely in a loop through routers.
One thing to note here is that the IP datagram received by the destination system will have a TTL value of 1. Even then it will not discard it, as the destination system doesn't discard the IP datagram or in other words doesn't create a Time Exceeded ICMP error message. This means your system should have no method of deducing whether the destination system has been reached or not. To solve this problem, traceroute uses another mechanism.
Traceroute sends UDP(User Data Protocol)datagrams to destination system at extremely high UDP port numbers. It uses high ports that no application is likely to be running at that port this value is normally higher than 30000. These UDP datagrams received causes the udp module running on destination system to generate an ICMP error message of "Port Unreachable". All, traceroute has to do is differentiate between ICMP error messages of 'Time Exceed' and 'Port Unreachable' in order to deduce when destintation system has been reached.
Traceroute is summarized as: It Sends UDP datagrams to host starting with a TTL value of 1 and increasing the TTL by 1 to locate each router in the path. Each router returns an ICMP time exceeded. The host system instead returns a port unreachable. This is used to tell when the host system has been reched.
Lets's look at an example.
traceroute to abcd.com (205.xx.12.34), 30hops max, 40 byte packets
1 isp.net (205.xx.12.34) 20ms 10ms 10ms
2 abcd.com (205.xx.12.34) 130ms 130ms 130ms
The first unumber line gives hostname and IP address of destination system and tells the user that the TTL value will not increase beyond 30. It also indictates that the datagram size will be 40 bytes which allow for the 20 byte IP header, the 8-bit UDP header, and 12 bytes of user data.
The next two lines start with the TTL value, followed by router name(IP address), which returned the 'Time Exceeded' on that instance. For each value of TTL, 3 different datagrams are sent and for each returned ICMP message the round trip time is calculated & displayed. If no response is reveived within 5 seconds for and 3 datagrams, an asterisk is display instead and the next datagram is sent. The first 3 datagrams had a TTL value of 1 and were returned by host isp.net in 20, 10, &10ms. The next 3 datagrams had a TTL value of 2 and were returned by host abcd.com whose ip is (205.xx.12.34) this is the destination system with a gap of 130ms of each other. It also sent a 'Port Unreachable' ICMP error, therefore traceroute knew that the destination host has been reached.
[glowpurple]Peace until next Time[/glowpurple]
Hope U enjoyed tha tut;)
excellent tutorial phaza-7.....quite brief but upto the point
Hope to see more tutorials from u ;)
For further reading i reccomend this paper by Ankit Fadia:
lol egdoom, please grow up from Ankit Fadia.
You dont like fakers, do you ?
Well invader i am not an admirer of Ankit Fadia but the point is whether he is a faker or not the article i mentioned does contain some useful information......
Thanks egdoom, but I'd rather read some RFC'S.
It was brief because I hope people who read that what more info would refer to the RFC,
There U would have a wealth of Information.