From: Willy Schoots (w.schoots@xxxxxxxxx)
Date: Sat Jun 16 2001 - 13:27:02 GMT-3
Have a look below to see what I captured from my LAN using the Cisco trace
command. Cisco uses high UDP ports together with incrementing TTL values.
The MS tool (trace not included) uses ECHO ICMP requests. So it works as
stated in the previous e-mail.
So I guess Jeff Doyle made a little mistake (he confused the two) :-(
Let me know if you need more proof. Use an access-list with the log argument to
see for yourself if you have access to a couple of routers.
Cheers,
Willy
------------------------------------------------------------
Trace 1 (Cisco Trace tool): it only shows a 1-hop trace, but it shows the
principle.
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 28 bytes
IP: Identification = 12650
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 1 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 65AE (correct)
IP: Source address = [192.168.1.22]
IP: Destination address = [62.163.34.88]
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 38207
UDP: Destination port = 33434
UDP: Length = 8
UDP: Checksum = C54A (correct)
UDP: [0 byte(s) of data]
UDP:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 56 bytes
IP: Identification = 4452
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = 06A8 (correct)
IP: Source address = [62.163.34.88]
IP: Destination address = [192.168.1.22]
IP: No options
IP:
ICMP: ----- ICMP header -----
ICMP:
ICMP: Type = 3 (Destination unreachable)
ICMP: Code = 3 (Port unreachable)
ICMP: Checksum = 1FD0 (correct)
ICMP:
ICMP: [Normal end of "ICMP header".]
ICMP:
ICMP: IP header of originating message (description follows)
ICMP:
ICMP: ----- IP Header -----
ICMP:
ICMP: Version = 4, header length = 20 bytes
ICMP: Type of service = 00
ICMP: 000. .... = routine
ICMP: ...0 .... = normal delay
ICMP: .... 0... = normal throughput
ICMP: .... .0.. = normal reliability
ICMP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
ICMP: .... ...0 = CE bit - no congestion
ICMP: Total length = 28 bytes
ICMP: Identification = 12650
ICMP: Flags = 0X
ICMP: .0.. .... = may fragment
ICMP: ..0. .... = last fragment
ICMP: Fragment offset = 0 bytes
ICMP: Time to live = 1 seconds/hops
ICMP: Protocol = 17 (UDP)
ICMP: Header checksum = 65AE (correct)
ICMP: Source address = [192.168.1.22]
ICMP: Destination address = [62.163.34.88]
ICMP: No options
ICMP:
ICMP: [First 8 byte(s) of data of originating message]
ICMP:
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
tom cheung
Sent: Saturday, June 16, 2001 4:47 PM
To: smorris@mentortech.com; Earl@dnssystems.com; ccielab@groupstudy.com
Subject: RE: Access-list - Deny TFTP
Scott,
According to Doyle's "Routing TCP/IP Volume II", page 354, "Cisco's trace
use ICMP packets and Microsoft Windows 95 uses UDP packets...".
So which one is correct?
Tom
>From: "Scott Morris" <smorris@mentortech.com>
>Reply-To: "Scott Morris" <smorris@mentortech.com>
>To: "'Earl Aboytes'" <Earl@dnssystems.com>, "'Dean, Justin'"
><Justin.Dean@nrtinc.com>, <ccielab@groupstudy.com>
>Subject: RE: Access-list - Deny TFTP
>Date: Fri, 15 Jun 2001 16:41:48 -0400
>
>It depends. :)
>
>On unix/Cisco, you send out udp packets to a high port (each probe packet
>is
>the same). The port number can be any high port, but usually is something
>above 50000 (REALLY high). The messages coming back in will be ICMP - TTL
>Exceeded (along the way) or ICMP - Port Unreachable (at the final
>destination).
>
>On Windows, you send out regular ICMP echos incrementing the TTL each time,
>so you'll get the ICMP - TTL Exceeded messages back or an ICMP - Echo Reply
>at the final destination.
>
>Enjoy!
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Earl Aboytes
>Sent: Friday, June 15, 2001 4:31 PM
>To: 'Dean, Justin'; 'ccielab@groupstudy.com'
>Subject: RE: Access-list - Deny TFTP
>
>
>Justin,
>I think that you are thinking of the trickiness that is involved with
>blocking traceroute. Traceroute uses udp on a very high port first and then
>icmp for the rest. Allowing it in one direction but not the other is very
>tricky.
>Someone correct me if I am wrong but I believe it uses UDP 3000 or higher
>with a ttl that increases by one each time and then waits for the icmp error
>to come back.
>
>Packet 1 udp port 3001 ttl=1
>Packet 2 udp port 3002 ttl=2
>And so forth.
>
>
>
> -----Original Message-----
>From: Dean, Justin [mailto:Justin.Dean@nrtinc.com]
>Sent: Tuesday, June 12, 2001 9:34 AM
>To: 'ccielab@groupstudy.com'
>Subject: Access-list - Deny TFTP
>
>I am drawing a blank and I can't remember the proper way to block TFTP in an
>access list. Can someone help me out? Thanks,
>
>Justin
>**Please read:http://www.groupstudy.com/list/posting.html
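An added example, not part of Willy's post or of any of the quoted messages: the Python below rebuilds the two packets from the Sniffer decode above from their field values (addresses, Identification, ports, TTLs), computing the IP, UDP and ICMP checksums so the result can be checked against the capture (65AE and C54A in the probe, 06A8 and 1FD0 in the reply). For contrast it also builds a Windows-style ICMP echo probe, classifies an outbound packet as one flavour or the other the way you would when reading a capture or an access-list log, and pairs an ICMP error with the probe whose header it quotes, which is how a traceroute implementation knows which hop answered which probe. The port range 33434-33534 used for classification, the echo payload and all function names are assumptions of this example; every packet is constructed in memory, nothing is read from the wire.

```python
import struct
import ipaddress

# Assumption: classic traceroute base port 33434 plus up to 100 probes.
TRACEROUTE_PORTS = range(33434, 33535)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident):
    """20-byte IPv4 header, no options, flags clear, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def udp_probe(src, dst, sport, dport, ttl, ident):
    """UNIX/Cisco-style probe: empty UDP datagram to a high port with a low TTL."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 17, 8))
    csum = inet_checksum(pseudo + struct.pack("!HHHH", sport, dport, 8, 0))
    return ipv4_header(src, dst, 17, 8, ttl, ident) + struct.pack("!HHHH", sport, dport, 8, csum)


def icmp_echo_probe(src, dst, ttl, ident, echo_id=1, seq=1, payload=b"A" * 32):
    """Windows tracert-style probe: ICMP echo request with a low TTL (payload is constructed)."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, echo_id, seq) + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, echo_id, seq) + payload
    return ipv4_header(src, dst, 1, len(icmp), ttl, ident) + icmp


def icmp_error(probe, responder, icmp_type, icmp_code, ttl, ident):
    """ICMP error sent back by a hop (type 11 code 0) or the destination (type 3 code 3):
    8-byte ICMP header, then the offending IP header plus its first 8 payload bytes."""
    ihl = (probe[0] & 0x0F) * 4
    quoted = probe[:ihl + 8]
    csum = inet_checksum(struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, csum, 0) + quoted
    original_src = str(ipaddress.IPv4Address(probe[12:16]))
    return ipv4_header(responder, original_src, 1, len(icmp), ttl, ident) + icmp


def classify_probe(pkt):
    """Which traceroute flavour an outbound packet looks like when seen in a capture."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 17:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport in TRACEROUTE_PORTS:
            return "udp-traceroute"
    elif pkt[9] == 1 and pkt[ihl] == 8:
        return "icmp-echo-traceroute"
    return "other"


def match_reply(probe, reply):
    """Pair an ICMP error with the probe it quotes; returns (kind, responding hop) or None.
    Only Identification, addresses and the first 4 transport bytes (UDP ports, or ICMP
    type/code/checksum) are compared: the quoted TTL and IP checksum were rewritten at
    each hop, so they legitimately differ from what was sent."""
    ihl = (reply[0] & 0x0F) * 4
    if reply[9] != 1:
        return None
    icmp = reply[ihl:]
    kind = {(11, 0): "ttl-exceeded", (3, 3): "port-unreachable"}.get((icmp[0], icmp[1]))
    if kind is None:
        return None
    quoted = icmp[8:]
    q_ihl, p_ihl = (quoted[0] & 0x0F) * 4, (probe[0] & 0x0F) * 4
    if (quoted[4:6] != probe[4:6] or quoted[12:20] != probe[12:20]
            or quoted[q_ihl:q_ihl + 4] != probe[p_ihl:p_ihl + 4]):
        return None
    return kind, str(ipaddress.IPv4Address(reply[12:16]))


def rebuild_capture():
    """The probe and reply from the Sniffer decode above, rebuilt from their field values."""
    probe = udp_probe("192.168.1.22", "62.163.34.88", 38207, 33434, ttl=1, ident=12650)
    reply = icmp_error(probe, "62.163.34.88", 3, 3, ttl=128, ident=4452)
    return probe, reply


if __name__ == "__main__":
    probe, reply = rebuild_capture()
    print("probe IP/UDP checksums: %04X %04X" % (struct.unpack("!H", probe[10:12])[0],
                                                struct.unpack("!H", probe[26:28])[0]))
    print("reply IP/ICMP checksums: %04X %04X" % (struct.unpack("!H", reply[10:12])[0],
                                                 struct.unpack("!H", reply[22:24])[0]))
    print(classify_probe(probe), match_reply(probe, reply))
```

Running it prints the four checksums from the decode and pairs the port-unreachable with the probe. Note what match_reply deliberately ignores: a router that quotes the probe has already decremented its TTL and recomputed the IP checksum, so a matcher that compares the whole quoted header byte for byte would never pair a TTL-exceeded from a real hop; Identification, addresses and ports are the fields that survive the trip unchanged.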
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3