From: Elias Chari (elias.chari@gmail.com)
Date: Wed Jul 05 2006 - 16:09:24 ART
Thanks Petr and Brian for a really detailed explanation.
On 7/5/06, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> Note that traceroute is a technique to have the routers between the
> source and destination reveal themselves and finally have the
> destination reveal itself by replying to a "packet". Traceroute can be
> implemented using ICMP, UDP, and even TCP so as an "Internetwork Expert"
> when someone asks you to filter "traceroute" you should get a little
> background as to the traceroute application/OS's being used to trigger
> the reply from the destination. Example: Windows uses ICMP echoes by
> default, most Linux OS's use UDP by default but can use ICMP echoes (-I
> option), and the IOS uses UDP.
>
> The goal of traceroute is to have the routers between the source and
> destination reveal themselves and finally have the destination reply so
> that you know you have reached it. The routers reveal themselves by
> sending Time Exceeded (aka TTL-Exceeded) ICMP packets back to the source
> when the TTL is decremented to zero. The traceroute implementation can
> know it's reached the destination by having it reply to an ICMP echo
> request, send an ICMP port unreachable to a packet sent to an unused UDP
> port, or completing the TCP three way handshake.
>
>
> **************************************************************************************************
>
> ICMP based traceroute:
>
> In this example we are sending ICMP echo requests to www.cisco.com and
> looking for the ICMP echo reply to know that we have reached the
> destination.
>
> [root@CoachZ root]# traceroute -I www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte
> packets
> 1 198.132.102.1 (198.132.102.1) 1.658 ms 1.975 ms 1.968 ms
> 2 foo.hostrack.net (202.101.143.254) 5.394 ms 22.382 ms 2.966 ms
> 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 20.132 ms
> 20.494 ms 20.195 ms
> 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 19.749
> ms 25.827 ms 26.814 ms
> 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 29.108 ms 19.864
> ms 20.066 ms
> 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 26.338 ms 26.232
> ms 26.821 ms
> 7 0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101) 46.424 ms 45.996 ms
> 45.675 ms
> 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 48.653 ms 46.513 ms
> 46.803 ms
> 9 193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77) 46.693 ms 46.619 ms
> 46.446 ms
> 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.556 ms 46.954
> ms 46.944 ms
> 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 30.818 ms 31.769 ms
> 32.685 ms
> 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 30.589 ms 30.626 ms
> 30.448 ms
> 13 * * *
> 14 www.cisco.com (198.133.219.25) 28.916 ms 28.994 ms 28.944 ms
>
> **************************************************************************************************
>
> UDP based traceroute:
>
> In this example we are sending UDP packets with a starting port number
> of 33434 to www.cisco.com. Note that we don't ever get a reply from
> www.cisco.com because their firewall will not allow our UDP packets in.
>
> [root@CoachZ root]# man traceroute | grep "UDP port number"
> -p Set the base UDP port number used in probes (default is
> 33434).
> [root@CoachZ root]#
> [root@CoachZ root]# traceroute www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte
> packets
> 1 198.132.102.1 (198.132.102.1) 1.725 ms 1.866 ms 1.841 ms
> 2 foo.hostrack.net (202.101.143.254) 4.887 ms 4.281 ms 4.482 ms
> 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.266 ms
> 21.152 ms 20.826 ms
> 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 58.829
> ms 42.033 ms 24.007 ms
> 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 21.448 ms 23.277
> ms 21.446 ms
> 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.816 ms 27.259
> ms 27.210 ms
> 7 0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101) 47.540 ms 46.954 ms
> 47.198 ms
> 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 48.072 ms 47.247 ms
> 46.667 ms
> 9 193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77) 51.728 ms 51.437 ms
> 48.304 ms
> 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 48.563 ms 48.878
> ms 47.807 ms
> 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 31.562 ms 32.653 ms
> 31.318 ms
> 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 32.327 ms 31.831 ms
> 31.516 ms
> 13 * * *
> 14 * * *
>
> **************************************************************************************************
> TCP based traceroute:
>
> In this example we are sending TCP SYN packets to port 80 looking for
> the destination to complete the three-way-handshake. Once the handshake
> is complete we know that we have reached the destination. Obviously
> Cisco's firewall is going to allow packets to TCP port 80 into its web
> server.
>
> [root@CoachZ root]# tcptraceroute www.cisco.com
> tcptraceroute: Symbol `pcap_version' has different size in shared
> object, consider re-linking
> Selected device eth3, address 198.132.102.93, port 41440 for outgoing
> packets
> Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30
> hops max
> 1 198.132.102.1 (198.132.102.1) 1.575 ms 1.507 ms 1.469 ms
> 2 foo.hostrack.net (202.101.143.254) 4.840 ms 5.090 ms 4.596 ms
> 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.205 ms
> 20.895 ms 21.430 ms
> 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 21.682
> ms 21.012 ms 21.059 ms
> 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 21.185 ms 21.304
> ms 20.939 ms
> 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.176 ms 28.615
> ms 27.644 ms
> 7 0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101) 47.659 ms 48.220 ms
> 47.667 ms
> 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 47.534 ms 48.483 ms
> 47.183 ms
> 9 193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77) 64.413 ms 51.058 ms
> 49.007 ms
> 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 48.156 ms 49.197
> ms 47.534 ms
> 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 31.685 ms 32.633 ms
> 32.895 ms
> 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 32.291 ms 33.900 ms
> 35.461 ms
> 13 www.cisco.com (198.133.219.25) [open] 31.041 ms 31.667 ms 32.775
> ms
> [root@CoachZ root]#
>
>
> HTH,
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> elias.chari@gmail.com
> Sent: Wednesday, July 05, 2006 6:46 AM
> To: ccielab@groupstudy.com
> Subject: UDP ports used for traceroute
>
> Hi Guys,
>
> Does anybody know them?
>
> I think they are 30000 and above but not sure...
>
> Also if you want to match them in an access-list how do you do it since
> the only option is gt, i.e.
>
> Rack1R1(config)#ip access-list extended UDP
> Rack1R1(config-ext-nacl)#perm udp any any ?
> dscp Match packets with given dscp value
> eq Match only packets on a given port number
> fragments Check non-initial fragments
> gt Match only packets with a greater port number
> log Log matches against this entry
> log-input Log matches against this entry, including input interface
> lt Match only packets with a lower port number
> neq Match only packets not on a given port number
> option Match packets with given IP Options value
> precedence Match packets with given precedence value
> range Match only packets in the range of port numbers
> reflect Create reflexive access list entry
> time-range Specify a time-range
> tos Match packets with given TOS value
>
> would you do gt 29999 ?
>
> Thanks
> Elias
> <cr>
>
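
An added example, not part of the original thread: a small classifier that labels raw IPv4 packets by the role they play in the ICMP, UDP and TCP traceroutes described above, and computes the UDP port span a single trace can touch. It assumes each probe uses the next destination port counting up from the base; the sample packets, addresses and label strings are constructed for illustration.

```python
import struct

# Assumptions, not from the thread: each probe uses the next destination port
# counting up from the base, and an ICMP error quotes the probe's IP header.
BASE_PORT, MAX_HOPS, PROBES_PER_HOP = 33434, 30, 3   # values seen in the quoted output

def udp_probe_range(base=BASE_PORT, hops=MAX_HOPS, probes=PROBES_PER_HOP):
    """Inclusive UDP destination-port range that one full trace can touch."""
    return base, base + hops * probes - 1

def ipv4(proto, payload, ttl=1):
    """Build a minimal IPv4 packet (documentation addresses, zero checksum)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0)
    return hdr + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 7]) + payload

def classify(pkt):
    """Label a raw IPv4 packet by the role it plays in a traceroute."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 17:                                   # UDP probe: judge by dest port
        lo, hi = udp_probe_range()
        dport = struct.unpack("!H", l4[2:4])[0]
        return "udp-probe" if lo <= dport <= hi else "other-udp"
    if proto == 6:                                    # TCP probe is an ordinary SYN
        return "tcp-syn" if l4[13] & 0x12 == 0x02 else "other-tcp"
    if proto == 1:
        itype, icode = l4[0], l4[1]
        if itype in (8, 0):                           # echo request / echo reply
            return "icmp-echo-probe" if itype == 8 else "icmp-echo-reply"
        if (itype, icode) in ((11, 0), (3, 3)) and len(l4) >= 8 + 20:
            quoted = {1: "icmp", 6: "tcp", 17: "udp"}.get(l4[8 + 9], "other")
            kind = "time-exceeded" if itype == 11 else "port-unreachable"
            return f"{kind}:{quoted}"                 # which probe type triggered it
    return "other"

def samples():
    """Constructed packets, one per message type described in the thread."""
    udp = lambda dport: struct.pack("!HHHH", 40000, dport, 8, 0)
    syn = struct.pack("!HHIIBBHHH", 41440, 80, 0, 0, 0x50, 0x02, 1024, 0, 0)
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    err = lambda t, c, orig: struct.pack("!BBHI", t, c, 0, 0) + orig[:28]
    probe = ipv4(17, udp(33434))
    return [probe, ipv4(17, udp(53)), ipv4(6, syn, 64), ipv4(1, echo),
            ipv4(1, err(11, 0, probe), 255), ipv4(1, err(3, 3, probe), 255),
            ipv4(1, err(11, 0, ipv4(6, syn)), 255)]

if __name__ == "__main__":
    print(udp_probe_range(), [classify(p) for p in samples()])
```

The computed span can be expressed with the `range` keyword listed in the IOS help output quoted above, whereas `gt 29999` matches every UDP port from 30000 to 65535. The TCP probe is labelled only as a SYN because nothing in the packet distinguishes it from a normal connection attempt to port 80.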
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:46 ART