Linux network analysis with traceroute

From Thomas-Krenn-Wiki
Jump to navigation Jump to search

The Linux tool traceroute provides a lot of possibilities to trace the path of network packets through a network or the Internet to a specific host. This article provides an overview of the function of traceroute. Furthermore, we present interesting option parameters for traceroute. In addition to traceroute, mtr is also interesting. It combines the functionality of traceroute and ping.

Function

Traceroute traces the path of network packets to a specific host. To do this, traceroute modifies the time-to-live (TTL) field of the IP protocol. By using small TTL values, traceroute attempts to elicit ICMP TIME_EXCEEDED responses from the individual routers. The only required parameter for traceroute is the host to which the path is to be traced.

To identify the individual hops (routers) along the path from the current computer to the desired host, traceroute proceeds as follows:

  1. First, it sends an IP packet with TTL=1. As a result, the first router (the default gateway) discards the packet and sends back an ICMP TIME_EXCEEDED response.
  2. Now traceroute sends additional packets, incrementing the TTL by 1 each time. With the second packet (TTL=2), the packet first passes through the default gateway to the next router on the path to the host. Since the default gateway decrements the TTL by 1 when forwarding the packet, the packet arrives at the second router with a TTL of 1. This router discards the packet and sends an ICMP TIME_EXCEEDED response back to the original computer. The process works similarly with TTL=3 at the third router, TTL=4 at the fourth router, and so on.
  3. If an IP packet with a sufficiently high TTL eventually reaches the destination host, the host responds with an ICMP "port unreachable" message.

Methods of testing packets

For the IP test packets sent, different protocols can be used. These options allow you to send test packets even with restrictive firewall configurations. In addition, this method lets you track the exact path used by a specific protocol (in case packets are routed differently depending on the protocol at some point along the path).

UDP (default)

In the default configuration, UDP datagrams are used as IP test packets. An 'unlikely' port is used for this purpose. The starting port is set to 33434 and is incremented by 1 for each subsequent test packet.

This method can be used by any user and does not require root rights.

Example (the first three hops were anonymized):

[root@tpw ~]# traceroute www.google.com
traceroute to www.google.com (209.85.129.147), 30 hops max, 60 byte packets
 1  XXX (XXX)  1.929 ms  1.982 ms  2.141 ms
 2  XXX (XXX)  3.795 ms  3.769 ms  3.751 ms
 3  XXX (XXX)  5.673 ms  5.650 ms  5.634 ms
 4  iix12-aux11.highway.telekom.at (195.3.70.206)  21.027 ms 195.3.118.50 (195.3.118.50)  21.025 ms  21.328 ms
 5  72.14.198.241 (72.14.198.241)  21.436 ms  21.406 ms  21.401 ms
 6  209.85.255.176 (209.85.255.176)  21.497 ms 209.85.255.178 (209.85.255.178)  23.380 ms  23.300 ms
 7  72.14.232.165 (72.14.232.165)  23.301 ms  21.613 ms 72.14.232.201 (72.14.232.201)  21.661 ms
 8  72.14.239.170 (72.14.239.170)  21.678 ms 72.14.233.210 (72.14.233.210)  34.381 ms  34.365 ms
 9  fk-in-f147.1e100.net (209.85.129.147)  19.659 ms  19.280 ms  19.291 ms
[root@tpw ~]# 

ICMP (-I)

This method uses ICMP echo requests ('Ping') for testing.

This method requires superuser-rights.

Example (the first three hops were anonymized):

[root@tpw ~]# traceroute -I www.google.com
traceroute to www.google.com (209.85.129.147), 30 hops max, 60 byte packets
 1  XXX (XXX)  1.948 ms  2.022 ms  2.202 ms
 2  XXX (XXX)  3.915 ms  3.918 ms  3.929 ms
 3  XXX (XXX)  5.870 ms  5.876 ms  5.889 ms
 4  iix12-aux11.highway.telekom.at (195.3.70.206)  17.967 ms  19.781 ms  19.784 ms
 5  72.14.198.241 (72.14.198.241)  19.869 ms  19.867 ms  19.915 ms
 6  209.85.255.178 (209.85.255.178)  20.044 ms  19.502 ms  19.470 ms
 7  72.14.232.201 (72.14.232.201)  19.529 ms  19.523 ms 72.14.232.203 (72.14.232.203)  19.532 ms
 8  72.14.233.210 (72.14.233.210)  27.065 ms  34.198 ms  34.165 ms
 9  fk-in-f147.1e100.net (209.85.129.147)  18.249 ms  19.352 ms  17.936 ms
[root@tpw ~]# 

TCP (-T)

This method uses a fix TCP port (port 80 is default). With the option -p, another destination port can be also selected (for example -p 25 to check the path to a mail server). This also allows you to get past firewalls that do not let through UDP datagrams or ICMP messages, for example.

This method uses the "half-open technique". This means that the target applications (for example a web server if the test packets are sent to port 80) do not see the test packets. Normally, a TCP SYN packet is simply sent. If no application is listening on that port on the target host, a TCP RESET is simply returned. However, if an application is listening on that port on the destination host, the destination host sends back a TCP SYN+ACK. Traceroute then responds with a TCP RESET (instead of accepting the connection with a TCP ACK). In this way, the TCP session is discarded without the application on the destination host noticing anything.

This method requires superuser-rights.

Example (the first three hops were anonymized):

[root@tpw ~]# traceroute -T -p 80 www.google.com
traceroute to www.google.com (209.85.129.147), 30 hops max, 60 byte packets
 1  XXX (XXX)  3.187 ms  3.165 ms  3.142 ms
 2  XXX (XXX)  4.502 ms  4.486 ms  4.478 ms
 3  XXX (XXX)  6.409 ms  6.394 ms  6.365 ms
 4  195.3.118.50 (195.3.118.50)  22.834 ms  22.828 ms iix12-aux11.highway.telekom.at (195.3.70.206)  22.822 ms
 5  72.14.198.241 (72.14.198.241)  22.848 ms  22.827 ms  22.803 ms
 6  209.85.255.178 (209.85.255.178)  22.822 ms 209.85.255.176 (209.85.255.176)  20.884 ms 209.85.255.178 (209.85.255.178)  20.880 ms
 7  72.14.232.165 (72.14.232.165)  20.916 ms  19.753 ms 72.14.232.203 (72.14.232.203)  19.744 ms
 8  72.14.233.210 (72.14.233.210)  33.508 ms 72.14.233.206 (72.14.233.206)  21.713 ms  21.655 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  fk-in-f147.1e100.net (209.85.129.147)  19.678 ms  19.715 ms  19.728 ms
[root@tpw ~]#

UDP (-U)

This method uses a fix UDP port (port 53 is default). It is also used to bypass firewalls.

Unlike the TCP method, an application on the destination host receives these UDP datagrams if it is listening on the corresponding port. This can confuse the application in question. In most cases, the application will not send a response (so traceroute does not see a final hop in the trace).

This method can be used by any user and does not require root rights).

More information

  • Manpage of traceroute


Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.


Related articles

Analyse Linux Network with netstat
Linux ip command
Measuring TCP and UDP Network Performance with iperf