From: David Mitchell (dmitchell@centientnetworks.com)
Date: Fri Jul 07 2006 - 10:33:31 ART
Thanks for the great information on traceroute!
________________________________
From: nobody@groupstudy.com on behalf of Brian Dennis
Sent: Wed 7/5/2006 2:03 PM
To: elias.chari@gmail.com; ccielab@groupstudy.com
Subject: RE: UDP ports used for traceroute
Note that traceroute is a technique to have the routers between the
source and destination reveal themselves and finally have the
destination reveal itself by replying to a "packet". Traceroute can be
implemented using ICMP, UDP, and even TCP, so as an "Internetwork Expert",
when someone asks you to filter "traceroute" you should get a little
background as to the traceroute application/OS being used to trigger
the reply from the destination. Example: Windows uses ICMP echoes by
default, most Linux OSes use UDP by default but can use ICMP echoes (-I
option), and IOS uses UDP.
The goal of traceroute is to have the routers between the source and
destination reveal themselves and finally have the destination reply so
that you know you have reached it. The routers reveal themselves by
sending Time Exceeded (aka TTL-Exceeded) ICMP packets back to the source
when the TTL is decremented to zero. The traceroute implementation can
know it has reached the destination by having it reply to an ICMP echo
request, send an ICMP port unreachable in response to a packet sent to an
unused UDP port, or complete the TCP three-way handshake.
**********************************************************************************************
ICMP based traceroute:
In this example we are sending ICMP echo requests to www.cisco.com and
looking for the ICMP echo reply to know that we have reached the
destination.
[root@CoachZ root]# traceroute -I www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
 1  198.132.102.1 (198.132.102.1)  1.658 ms  1.975 ms  1.968 ms
 2  foo.hostrack.net (202.101.143.254)  5.394 ms  22.382 ms  2.966 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  20.132 ms  20.494 ms  20.195 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  19.749 ms  25.827 ms  26.814 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  29.108 ms  19.864 ms  20.066 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  26.338 ms  26.232 ms  26.821 ms
 7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  46.424 ms  45.996 ms  45.675 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.653 ms  46.513 ms  46.803 ms
 9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  46.693 ms  46.619 ms  46.446 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.556 ms  46.954 ms  46.944 ms
11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  30.818 ms  31.769 ms  32.685 ms
12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  30.589 ms  30.626 ms  30.448 ms
13  * * *
14  www.cisco.com (198.133.219.25)  28.916 ms  28.994 ms  28.944 ms
**********************************************************************************************
UDP based traceroute:
In this example we are sending UDP packets with a starting port number
of 33434 to www.cisco.com. Note that we don't ever get a reply from
www.cisco.com because their firewall will not allow our UDP packets in.
[root@CoachZ root]# man traceroute | grep "UDP port number"
       -p     Set the base UDP port number used in probes (default is 33434).
[root@CoachZ root]#
[root@CoachZ root]# traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
 1  198.132.102.1 (198.132.102.1)  1.725 ms  1.866 ms  1.841 ms
 2  foo.hostrack.net (202.101.143.254)  4.887 ms  4.281 ms  4.482 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.266 ms  21.152 ms  20.826 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  58.829 ms  42.033 ms  24.007 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.448 ms  23.277 ms  21.446 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.816 ms  27.259 ms  27.210 ms
 7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.540 ms  46.954 ms  47.198 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.072 ms  47.247 ms  46.667 ms
 9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  51.728 ms  51.437 ms  48.304 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.563 ms  48.878 ms  47.807 ms
11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.562 ms  32.653 ms  31.318 ms
12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.327 ms  31.831 ms  31.516 ms
13  * * *
14  * * *
**********************************************************************************************
TCP based traceroute:
In this example we are sending TCP SYN packets to port 80 looking for
the destination to complete the three-way handshake. Once the handshake
is complete we know that we have reached the destination. Obviously
Cisco's firewall is going to allow packets to TCP port 80 into its web
server.
[root@CoachZ root]# tcptraceroute www.cisco.com
tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
Selected device eth3, address 198.132.102.93, port 41440 for outgoing packets
Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
 1  198.132.102.1 (198.132.102.1)  1.575 ms  1.507 ms  1.469 ms
 2  foo.hostrack.net (202.101.143.254)  4.840 ms  5.090 ms  4.596 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.205 ms  20.895 ms  21.430 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  21.682 ms  21.012 ms  21.059 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.185 ms  21.304 ms  20.939 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.176 ms  28.615 ms  27.644 ms
 7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.659 ms  48.220 ms  47.667 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  47.534 ms  48.483 ms  47.183 ms
 9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  64.413 ms  51.058 ms  49.007 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.156 ms  49.197 ms  47.534 ms
11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.685 ms  32.633 ms  32.895 ms
12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.291 ms  33.900 ms  35.461 ms
13  www.cisco.com (198.133.219.25) [open]  31.041 ms  31.667 ms  32.775 ms
[root@CoachZ root]#
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
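The three probe flavours Brian walks through above, as an added example that is not part of the original thread or of any traceroute implementation: a Python 3 script (standard library only) that parses hand-built IPv4 packets and tells ICMP echo, UDP high-port and TCP SYN probes apart, computes the UDP destination-port window a default traceroute run can use, and emits the IOS extended-ACL `range` line that covers exactly that window rather than `gt 29999`. The packets, addresses and the ACL name are constructed for illustration; the base port 33434, 30 hops and 3 probes per hop are the classic traceroute defaults quoted from the man page above. The port-window formula assumes the classic behaviour of bumping the destination port by one for every probe sent, which is what the original Unix traceroute does.

```python
"""Classify traceroute probes by transport (ICMP echo / UDP high port / TCP SYN).

Added example, not code from the thread.  Every packet below is constructed
by hand: a minimal IPv4 header (no options, checksum left zero) in front of
an ICMP, UDP or TCP header.  Nothing is sent on the wire.
"""
import socket
import struct

# Classic traceroute defaults (the man page above shows -p defaulting to 33434).
TRACEROUTE_BASE_PORT = 33434
DEFAULT_MAX_HOPS = 30
DEFAULT_NQUERIES = 3

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_ECHO_REQUEST = 8
TCP_SYN, TCP_ACK = 0x02, 0x10


def udp_probe_port_range(base=TRACEROUTE_BASE_PORT, max_hops=DEFAULT_MAX_HOPS,
                         nqueries=DEFAULT_NQUERIES):
    """Inclusive destination-port window a default UDP traceroute can use.

    Classic traceroute uses one destination port per probe, so 30 hops x 3
    probes starting at 33434 ends at 33523.  'gt 29999' matches far more.
    """
    return base, base + max_hops * nqueries - 1


def ios_acl_for_udp_probes(name="TRACEROUTE-UDP"):
    """IOS extended ACL lines matching only that window (name is hypothetical)."""
    lo, hi = udp_probe_port_range()
    return [f"ip access-list extended {name}",
            f" permit udp any any range {lo} {hi}"]


def build_ipv4(proto, ttl, payload, src="10.0.0.5", dst="198.133.219.25"):
    """Minimal 20-byte IPv4 header (version 4, IHL 5) plus the L4 payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_echo(ident=1, seq=1):
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)


def build_tcp(sport, dport, flags):
    # seq/ack 0, data offset 5 words (no options), window 65535, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def classify_probe(pkt):
    """Return (flavour, ttl) for a raw IPv4 packet that looks like a probe, else None.

    The three cases are exactly the ones in the post: ICMP echo request,
    UDP to the high-port window, TCP SYN without ACK.  The TTL is returned
    because at the destination a probe arrives with TTL 1, which is the only
    thing separating a tcptraceroute SYN from an ordinary connection attempt.
    """
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == IPPROTO_ICMP and len(l4) >= 8 and l4[0] == ICMP_ECHO_REQUEST:
        return ("icmp-echo", ttl)
    if proto == IPPROTO_UDP and len(l4) >= 8:
        dport = struct.unpack("!H", l4[2:4])[0]
        lo, hi = udp_probe_port_range()
        if lo <= dport <= hi:
            return ("udp", ttl)
    if proto == IPPROTO_TCP and len(l4) >= 20:
        flags = l4[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            return ("tcp-syn", ttl)
    return None


def summarize(packets):
    """Count probe flavours over a list of raw IPv4 packets ('other' = not a probe)."""
    counts = {"icmp-echo": 0, "udp": 0, "tcp-syn": 0, "other": 0}
    for pkt in packets:
        kind = classify_probe(pkt)
        counts[kind[0] if kind else "other"] += 1
    return counts


# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_ICMP, 1, build_icmp_echo()),                        # Windows tracert / traceroute -I
    build_ipv4(IPPROTO_UDP, 3, build_udp(41440, TRACEROUTE_BASE_PORT + 6)),  # Linux / IOS default UDP probe
    build_ipv4(IPPROTO_TCP, 13, build_tcp(41440, 80, TCP_SYN)),            # tcptraceroute to port 80
    build_ipv4(IPPROTO_UDP, 64, build_udp(5353, 53)),                      # ordinary DNS query
    build_ipv4(IPPROTO_TCP, 64, build_tcp(80, 41440, TCP_SYN | TCP_ACK)),  # SYN/ACK reply, not a probe
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
    print("\n".join(ios_acl_for_udp_probes()))
```

`classify_probe` deliberately does not try to tell a tcptraceroute SYN from the first packet of a real web connection by anything other than the TTL it carries; a destination-side filter that "blocks traceroute" by port alone will stop the UDP flavour and nothing else.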
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
elias.chari@gmail.com
Sent: Wednesday, July 05, 2006 6:46 AM
To: ccielab@groupstudy.com
Subject: UDP ports used for traceroute
Hi Guys,
Does anybody know them?
I think they are 30000 and above but not sure...
Also if you want to match them in an access-list how do you do it since
the only option is gt, i.e
Rack1R1(config)#ip access-list extended UDP
Rack1R1(config-ext-nacl)#perm udp any any ?
  dscp        Match packets with given dscp value
  eq          Match only packets on a given port number
  fragments   Check non-initial fragments
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  range       Match only packets in the range of port numbers
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>
would you do gt 29999 ?
Thanks
Elias
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:46 ART