Re: result of traceroute

From: John Murphy (jt.murphy@comcast.net)
Date: Fri Mar 04 2005 - 21:51:14 GMT-3

• Next message: Larry Letterman: "Re: AVVID Courses"
• Previous message: Rafael Trejo: "RE: Using Dialer Profile as OSPF Demand-circuit"
• Maybe in reply to: Dillon Yang: "result of traceroute"
• Next in thread: Kirk Graham: "Re: Re: result of traceroute"
• Maybe reply: Kirk Graham: "Re: Re: result of traceroute"
• Maybe reply: Dillon Yang: "Re: Re: result of traceroute"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Actually... NetBSD supports icmp unreachable rate limiting, as does
FreeBSD, and Foundry and Juniper and Extreme, Sun and HP use the 'source
quench' response when they rate limit and, quoting from 'man 7 icmp' on
a Linux boxen..."

Linux limits the rate of ICMP error packets to each destination. *ICMP_REDIRECT* and *
ICMP_DEST_UNREACH* are also limited by the destination route of the incoming packets."

.... not nearly an all-incluseive list, but I think adequate to
determine your fingerprinting method might not be quite so accurate. ;)

Also if you take a look at RFC2463 you'll see that when the world goes
to IPv6, nodes are *required* limit ICMP error messages, including
unreachables.

Best Regards,

john

Kirk Graham wrote:

>It means that the destination device is a Cisco. Pretty much.
>
>I've never found another device that does the same behaviour. Microsoft
>doesn't. Bay/Nortel doesn't. Cabletron/whatever. None of the *nix varieties
>I've tested.
>
>I can't remember *which* RFC, but there's one that says something like if
>you receive two successive UDP packets from the same source IP within some
>timeframe, that you do not have to reply to the second packet.
>
>If you get no response to a traceroute packet, the IOS displays an '*' to
>indicate a timeout.
>
>So Cisco is following the RFC standards. ITs probably an option thing, so
>everyone else is as well.
>
>Someone else may be able to find the specific RFC reference. Or maybe it
>was in the traceroute spec. I really can't remember.
>
>But its a nice fingerprinting technique! <g>
>
>--kg
>
>
>
>
>>Hi, dear all:
>>
>>I found that there are some "*" in the last line of traceroute result,
>>
>>
>can somebody explain it?
>
>
>>Thanks in advance.
>>dillon
>>
>>
>>r1#traceroute ip
>>
>>Target IP address: 197.68.1.1
>>Source address: 200.200.200.3
>>Numeric display [n]:
>>Timeout in seconds [3]:
>>Probe count [3]: 6
>>Minimum Time to Live [1]:
>>Maximum Time to Live [30]:
>>Port Number [33434]:
>>Loose, Strict, Record, Timestamp, Verbose[none]:
>>Type escape sequence to abort.
>>Tracing the route to 197.68.1.1
>>
>> 1 3.3.13.3 20 msec 24 msec 20 msec 20 msec 24 msec 20 msec
>> 2 3.3.13.3 20 msec 24 msec 20 msec 20 msec 20 msec 20 msec
>> 3 3.3.36.6 28 msec 36 msec 24 msec 28 msec 32 msec 24 msec
>> 4 3.3.36.6 24 msec 32 msec 24 msec 24 msec 32 msec 28 msec
>> 5 3.3.46.4 44 msec 40 msec 40 msec 40 msec 40 msec 40 msec
>> 6 3.3.46.4 40 msec 40 msec 40 msec 40 msec 40 msec 40 msec
>> 7 150.100.2.254 40 msec * 40 msec * 40 msec *
>>r1#
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

• Next message: Larry Letterman: "Re: AVVID Courses"
• Previous message: Rafael Trejo: "RE: Using Dialer Profile as OSPF Demand-circuit"
• Maybe in reply to: Dillon Yang: "result of traceroute"
• Next in thread: Kirk Graham: "Re: Re: result of traceroute"
• Maybe reply: Kirk Graham: "Re: Re: result of traceroute"
• Maybe reply: Dillon Yang: "Re: Re: result of traceroute"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:41 GMT-3