In-depth analysis of traceroute with tcpdump command

Source: Internet
Author: User
Tags: traceroute command

Yesterday I was asked how traceroute works and for a moment I was caught out: some commands we use all the time without really understanding the principle behind them, so I'm taking this opportunity to sort it out. traceroute is a network diagnostic command used to analyze which routers an IP packet passes through on its way to a destination.

Prerequisite knowledge: the IP header has a TTL field, which is the maximum number of hops the packet may take. Each router the packet passes through decrements the value by 1; when it reaches 0 the router discards the packet and returns an ICMP Time Exceeded packet to the requesting host.

How it works:

1. traceroute first sends three UDP packets (three mainly so that statistics can be gathered; don't worry too much about that) with the TTL field set to 1 and the destination set to the destination host's IP. When the UDP packets pass through router 1 the TTL is decremented to 0, the packets are discarded, and router 1 returns ICMP Time Exceeded to the requesting host.
2. After receiving the ICMP Time Exceeded packets from router 1, traceroute sends three more UDP packets, this time with the TTL field set to 2. These pass through router 1 unharmed; when they reach router 2 the TTL is decremented to 0, they are discarded, and router 2 returns ICMP Time Exceeded to the requesting host. This repeats: each time an ICMP Time Exceeded reply arrives, traceroute sends the next UDP packets with the TTL increased by 1.
3. In this way, after passing 4 routers, UDP packets with ttl=5 finally reach the destination host after their long journey. You might expect the destination host to gladly accept these UDP packets, but in fact it does the following:
    • Discards them (it doesn't know you; "go away")
    • Returns an ICMP Destination Unreachable packet to the requesting host
   You may find this strange: why are they discarded? Simply put, no process on the host is listening on that UDP port.
4. Once the requesting host's traceroute process receives the ICMP Destination Unreachable packet, it finishes its work, satisfied.

To deepen the impression, let's use tcpdump to verify parts of the traceroute process.

Main things to observe: [the UDP packets sent out] [the ICMP Time Exceeded packets returned by routers] [the ICMP Destination Unreachable packet returned by the destination host]

1. Use the following command to capture the packets involving the destination host 119.146.184.98:

    tcpdump -i eno33554984 -vvnn host 119.146.184.98
2. Use the traceroute command to send a request to the destination host:

    [[email protected] ~]# traceroute 119.146.184.98
    traceroute to 119.146.184.98 (119.146.184.98), - hops max, - byte packets
     1  192.168.0.1 (192.168.0.1)  2.217 ms  1.741 ms  1.509 ms
     2  116.24.132.1 (116.24.132.1)  11.348 ms  11.117 ms  11.287 ms
     3  113.106.47.93 (113.106.47.93)  7.111 ms  6.848 ms  7.123 ms
     4  5.107.38.59.broad.fs.gd.dynamic.163data.com.cn (59.38.107.5)  6.921 ms  6.712 ms  6.434 ms
     5  183.59.12.153 (183.59.12.153)  8.635 ms  7.664 ms  7.593 ms
     6  183.61.222.102 (183.61.222.102)  11.923 ms  10.220 ms  9.423 ms
     7  119.146.184.198 (119.146.184.198)  15.779 ms 119.146.184.94 (119.146.184.94)  47.902 ms 119.146.184.62 (119.146.184.62)  16.571 ms

Explanation of the result:
    • Column 1: [1] the hop number (the nth router passed through);
    • Column 2: [192.168.0.1] the router IP (also called the gateway);
    • Column 3: [(113.106.47.93)] the content in parentheses; I'm not sure exactly what it is for, if you know, please explain;
    • Column 4: [7.111 ms] the round-trip time. Notice there are three times here; remember why? traceroute sends 3 UDP packets at each hop. Also note that the last row contains 3 addresses, which is not hard to understand: routers pick a suitable path according to the actual conditions.
3. Now look at the tcpdump capture and observe the UDP packets sent by the requesting host:

    -:About:27.892318 IP (tos 0x0, ttl 1, id 10584, offset 0, flags [none], proto UDP (17), length -)
        192.168.0.200.39914 > 119.146.184.98.33434: [bad udp cksum 0xf19e -> 0xfaae!] UDP, length +
    -:About:27.892798 IP (tos 0x0, ttl 1, id 10585, offset 0, flags [none], proto UDP (17), length -)
        192.168.0.200.38541 > 119.146.184.98.33435: [bad udp cksum 0xf19e -> 0x000b!] UDP, length +
    -:About:27.893869 IP (tos 0x0, ttl 1, id 10586, offset 0, flags [none], proto UDP (17), length -)

Explanation of the result: we can see our host sending UDP packets with ttl=1 toward 119.146.184.98, and there are three of them. You may be surprised here: wasn't the gateway they pass through supposed to return an ICMP Time Exceeded packet? Why don't we see one? Because the ICMP Time Exceeded packet is not returned by 119.146.184.98. Who returns it, then? Recall the above: it's the router! So we need to run tcpdump with the router's IP to capture that packet.

4. Observe the ICMP Time Exceeded packets returned by the router:

    tcpdump -i eno33554984 -vvnn host 116.24.132.1

Friendly reminder: after running this command you need to run traceroute 119.146.184.98 again in order to observe the packets returned by 116.24.132.1.

    +:Geneva:26.210530 IP (tos 0xc0, ttl 254, id 52121, offset 0, flags [none], proto ICMP (1), length About)
        116.24.132.1 > 192.168.0.200: ICMP time exceeded in-transit, length $
            IP (tos 0x0, ttl 1, id 10619, offset 0, flags [none], proto UDP (17), length -)
        192.168.0.200.43604 > 119.146.184.98.33437: UDP, length +

Explanation of the result: here we chose to capture packets from the second-hop router address 116.24.132.1 (why not the first hop? Because the first hop is usually your own home router; there will be a great many packets from that address, which makes the experiment hard to observe). From the returned result we can see that the second-hop router does return an ICMP Time Exceeded packet; there are actually 3 of them, not all listed here.

5. Observe the ICMP Destination Unreachable packet returned by the destination host

Among the results of the command tcpdump -i eno33554984 -vvnn host 119.146.184.98 (run in [[email protected] ~/test_traceroute]) we see:

    -:About:27.972224 IP (tos 0x0, ttl 248, id 20689, offset 0, flags [none], proto ICMP (1), length About)
        119.146.184.98 > 192.168.0.200: ICMP 119.146.184.98 udp port 33455 unreachable, length $
            IP (tos 0x0, ttl 2, id 10605, offset 0, flags [none], proto UDP (17), length -)
        192.168.0.200.56215 > 119.146.184.98.33455: UDP, length +

Explanation of the result: at the end of the returned result you can see the words "ICMP 119.146.184.98 udp port 33455 unreachable".

Finally, let's summarize the common traceroute results.

1. When practising, your first thought is probably to test against some well-known site. Below we test one of Baidu's IP addresses:

    [[email protected] ~]# traceroute -m 10 14.215.177.38
    traceroute to 14.215.177.38 (14.215.177.38), 10 hops max, - byte packets
     1  192.168.0.1 (192.168.0.1)  2.395 ms  2.063 ms  1.583 ms
     2  116.24.132.1 (116.24.132.1)  36.296 ms  36.939 ms  36.706 ms
     3  183.56.71.225 (183.56.71.225)  6.550 ms  6.304 ms  6.396 ms
     4  183.56.66.93 (183.56.66.93)  5.716 ms  5.491 ms  5.713 ms
     5  183.56.64.50 (183.56.64.50)  8.059 ms  7.733 ms  7.513 ms
     6  * * *
     7  14.29.121.194 (14.29.121.194)  9.082 ms 14.29.121.198 (14.29.121.198)  8.977 ms 14.29.121.206 (14.29.121.206)  9.700 ms
     8  * * *
     9  * * *
    10  * * *

Explanation of the result: * indicates that the UDP packet sent out did not receive a corresponding ICMP Time Exceeded reply. This is mainly because some routers, for security reasons, refuse to return ICMP Time Exceeded packets.
So you can see that the sixth hop shows *, meaning the sixth-hop router did not return an ICMP Time Exceeded packet.
At the same time, there are a few questions:
Why doesn't traceroute finish, but keeps on probing? (We specified 10 hops in the command with -m 10.) If you are patient, specify -m 128 and you will find that traceroute never finishes on its own; every time it has to exhaust the full number of probes.

2. Then why are hops 8, 9 and 10 also *? Here is a reasonable guess:

    • From the network I'm on, reaching this Baidu site takes at least 7 hops; after the seventh, a UDP packet with ttl=8 has probably reached the Baidu host, so why doesn't traceroute end?
    • A reasonable speculation is that the Baidu host 14.215.177.38 simply discards our UDP packet and refuses to return an ICMP Destination Unreachable packet;
    • Since traceroute never receives the ICMP Destination Unreachable packet, it keeps generating UDP packets with an increased TTL and sending them out, until the hop limit we specified is reached (in this case, -m 10).
    • You can also verify this with the following command:

    [[email protected] ~/test_traceroute]# tcpdump -i eno33554984 -vvnn 14.215.177.38

This command captures the packets involving 14.215.177.38; you can see only the packets going out and none coming back, which basically confirms our speculation.
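As an added example (not part of the original post), the following Python script parses traceroute's text output and extracts the facts this summary pulls out by eye: the hops that answered nothing, the hops where several routers answered the three probes (hop 7 above), and whether the target address itself ever appeared, which is what distinguishes a trace that received the Port Unreachable from one that merely ran out of hops. The embedded sample is constructed from the -m 10 trace above, with traceroute's default 60-byte probe size filled into the header line; the function and field names are my own.

```python
import re

# Constructed sample: the hop lines of the -m 10 trace toward 14.215.177.38
# shown above; the header line uses traceroute's default 60-byte probe size.
SAMPLE_TRACE = """\
traceroute to 14.215.177.38 (14.215.177.38), 10 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  2.395 ms  2.063 ms  1.583 ms
 2  116.24.132.1 (116.24.132.1)  36.296 ms  36.939 ms  36.706 ms
 3  183.56.71.225 (183.56.71.225)  6.550 ms  6.304 ms  6.396 ms
 4  183.56.66.93 (183.56.66.93)  5.716 ms  5.491 ms  5.713 ms
 5  183.56.64.50 (183.56.64.50)  8.059 ms  7.733 ms  7.513 ms
 6  * * *
 7  14.29.121.194 (14.29.121.194)  9.082 ms 14.29.121.198 (14.29.121.198)  8.977 ms 14.29.121.206 (14.29.121.206)  9.700 ms
 8  * * *
 9  * * *
10  * * *
"""

HEADER_RE = re.compile(r"traceroute to \S+ \((?P<ip>[\d.]+)\), (?P<max>\d+) hops max")
HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<rest>.*)$")
# One token per element of a hop line: "name (ip)" introduces a responder,
# "12.3 ms" attaches an RTT to the current responder, "*" is a lost probe.
TOKEN_RE = re.compile(r"(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<rtt>[\d.]+) ms|(?P<lost>\*)")


def parse_traceroute(text):
    """Parse traceroute text output into (target_ip, max_hops, hops), where
    hops is a list of {'hop': n, 'probes': [(ip, rtt_ms) or None, ...]}."""
    target, max_hops, hops = None, None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            target, max_hops = m.group("ip"), int(m.group("max"))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        probes, current = [], None
        for tok in TOKEN_RE.finditer(m.group("rest")):
            if tok.group("ip"):
                current = tok.group("ip")          # responder for following RTTs
            elif tok.group("rtt"):
                probes.append((current, float(tok.group("rtt"))))
            else:
                probes.append(None)                # '*': no ICMP reply for this probe
        hops.append({"hop": int(m.group("n")), "probes": probes})
    return target, max_hops, hops


def summarize(text):
    """Report the hops that answered nothing (routers that refuse to send
    Time Exceeded, or a target that drops the probes), hops where several
    routers answered (load-balanced paths), and whether the target itself
    ever appeared; 'exhausted' means the trace hit max_hops without it."""
    target, max_hops, hops = parse_traceroute(text)
    silent = [h["hop"] for h in hops if all(p is None for p in h["probes"])]
    responders = {h["hop"]: sorted({p[0] for p in h["probes"] if p}) for h in hops}
    multipath = {n: ips for n, ips in responders.items() if len(ips) > 1}
    reached = any(p and p[0] == target for h in hops for p in h["probes"])
    return {
        "target": target,
        "max_hops": max_hops,
        "hops_seen": len(hops),
        "silent_hops": silent,
        "multipath_hops": multipath,
        "reached": reached,
        "exhausted": not reached and len(hops) == max_hops,
    }


if __name__ == "__main__":
    import sys
    text = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

Pipe real output into it (traceroute -m 10 14.215.177.38 | python3 summarize_trace.py) or run it without input to analyze the embedded sample. For the sample it reports silent hops 6, 8, 9 and 10, three distinct responders at hop 7, and exhausted=True, the textual version of the conclusion reached above: the target never answered, so traceroute ran to the hop limit.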
