From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sat Dec 29 2007 - 00:15:51 ART
Here is a reply that I've made on this list in the past in regard to
traceroute:
Note that traceroute is a technique to have the routers between the source
and destination reveal themselves and finally have the destination reveal
itself by replying to a "packet".  Traceroute can be implemented using
ICMP, UDP, and even TCP, so as a CCIE when someone asks you to filter
"traceroute" you should get a little background as to the traceroute
application/OS being used to trigger the reply from the destination.
Example: Windows uses ICMP echoes by default, most Linux OSes use UDP by
default but can use ICMP echoes (-I option), and IOS uses UDP.  There
are also implementations that use TCP.
The goal of traceroute is to have the routers between the source and
destination reveal themselves and finally have the destination reply so
that you know you have reached it.  The routers reveal themselves by
sending Time Exceeded (aka TTL-Exceeded) ICMP packets back to the source
when the TTL is decremented to zero.  The traceroute implementation can
determine it's reached the destination by having it reply to an ICMP echo
request, send an ICMP port unreachable to a packet sent to an unused UDP
port, or complete the TCP three-way handshake.
************************************************************************
ICMP based traceroute:
In this example we are sending ICMP echo requests to www.cisco.com and
looking for the ICMP echo reply to know that we have reached the final
destination.
[root@xxxxxx root]# traceroute -I www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
 1  198.132.102.1 (198.132.102.1)  1.658 ms  1.975 ms  1.968 ms
 2  foo.hostrack.net (202.101.143.254)  5.394 ms  22.382 ms  2.966 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  20.132 ms  20.494 ms  20.195 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  19.749 ms  25.827 ms  26.814 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  29.108 ms  19.864 ms  20.066 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  26.338 ms  26.232 ms  26.821 ms
 7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  46.424 ms  45.996 ms  45.675 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.653 ms  46.513 ms  46.803 ms
 9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  46.693 ms  46.619 ms  46.446 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.556 ms  46.954 ms  46.944 ms
11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  30.818 ms  31.769 ms  32.685 ms
12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  30.589 ms  30.626 ms  30.448 ms
13  * * *
14  www.cisco.com (198.133.219.25)  28.916 ms  28.994 ms  28.944 ms
************************************************************************
UDP based traceroute:
In this example we are sending UDP packets with a starting port number
of 33434 to www.cisco.com.  Note that we don't ever get a reply from
www.cisco.com because their firewall will not allow our UDP packets in.
[root@xxxxxx root]# man traceroute | grep "UDP port number"
       -p     Set the base UDP port number used in probes (default is 33434).
[root@xxxxxx root]#
[root@xxxxxx root]# traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
 1  198.132.102.1 (198.132.102.1)  1.725 ms  1.866 ms  1.841 ms
 2  foo.hostrack.net (202.101.143.254)  4.887 ms  4.281 ms  4.482 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.266 ms  21.152 ms  20.826 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  58.829 ms  42.033 ms  24.007 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.448 ms  23.277 ms  21.446 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.816 ms  27.259 ms  27.210 ms
 7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.540 ms  46.954 ms  47.198 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.072 ms  47.247 ms  46.667 ms
 9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  51.728 ms  51.437 ms  48.304 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.563 ms  48.878 ms  47.807 ms
11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.562 ms  32.653 ms  31.318 ms
12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.327 ms  31.831 ms  31.516 ms
13  * * *
14  * * *
************************************************************************
TCP based traceroute:
In this example we are sending TCP SYN packets to port 80 looking for
the destination to complete the three-way handshake.  Once the handshake
is complete we know that we have reached the destination.  Obviously
Cisco's firewall is going to allow packets to TCP port 80 destined for its
web server.
[root@xxxxxx root]# tcptraceroute www.cisco.com
tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
Selected device eth3, address 198.132.102.93, port 41440 for outgoing packets
Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
 1  198.132.102.1 (198.132.102.1)  1.575 ms  1.507 ms  1.469 ms
 2  foo.hostrack.net (202.101.143.254)  4.840 ms  5.090 ms  4.596 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.205 ms  20.895 ms  21.430 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  21.682 ms  21.012 ms  21.059 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.185 ms  21.304 ms  20.939 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.176 ms  28.615 ms  27.644 ms
 7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.659 ms  48.220 ms  47.667 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  47.534 ms  48.483 ms  47.183 ms
 9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  64.413 ms  51.058 ms  49.007 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.156 ms  49.197 ms  47.534 ms
11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.685 ms  32.633 ms  32.895 ms
12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.291 ms  33.900 ms  35.461 ms
13  www.cisco.com (198.133.219.25) [open]  31.041 ms  31.667 ms  32.775 ms
[root@xxxxxx root]#
HTH,
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
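The following is an added example, not code from the original post or from any traceroute implementation: a small Python model of the mechanism Brian describes above, the ICMP echo, UDP high-port and TCP SYN variants walking a path of routers that answer Time Exceeded when the TTL reaches zero, with a destination behind a firewall that drops unsolicited UDP. The hop addresses (documentation ranges), the path length and the destination policy are all constructed for the example; running all three variants reproduces the pattern in the captures above, where only the UDP run ends in "* * *".

```python
"""Added example (not part of the original post): a toy model of the three
traceroute variants (ICMP echo, UDP to an unused high port, TCP SYN) and of
why a firewall that drops unsolicited UDP leaves the UDP run showing "* * *"
while the ICMP and TCP runs reach the destination.  Addresses, path length
and the destination's firewall policy are constructed for this example."""

from dataclasses import dataclass

# Constructed path: three routers in front of the destination.  Each router
# decrements the TTL and, when it hits zero, answers ICMP Time Exceeded
# (type 11, code 0) to the probe's source.
PATH = ["198.51.100.1", "203.0.113.254", "192.0.2.41"]
DEST = "192.0.2.80"

TIME_EXCEEDED = (11, 0)   # ICMP type/code sent by intermediate routers
PORT_UNREACH = (3, 3)     # ICMP type/code the destination sends for a closed UDP port
ECHO_REPLY = (0, 0)       # ICMP type/code answering an echo request


@dataclass
class Probe:
    proto: str            # "icmp", "udp" or "tcp"
    ttl: int
    dport: int = 0        # destination port for udp/tcp probes


@dataclass
class DestPolicy:
    """Constructed firewall policy in front of the destination host."""
    allow_icmp_echo: bool = True
    allow_udp: bool = False                        # drops unsolicited UDP
    open_tcp_ports: frozenset = frozenset({80})    # web server listens on 80


def destination_answer(probe, policy):
    """Reply from the final host, or None when the firewall drops the probe."""
    if probe.proto == "icmp":
        return (DEST, "echo-reply") if policy.allow_icmp_echo else None
    if probe.proto == "udp":
        # Unused high port: the host answers Port Unreachable only if the
        # datagram gets through the firewall at all.
        return (DEST, "port-unreachable") if policy.allow_udp else None
    if probe.proto == "tcp":
        # SYN to an open port gets a SYN-ACK; tcptraceroute prints "[open]".
        return (DEST, "open") if probe.dport in policy.open_tcp_ports else None
    raise ValueError(f"unknown protocol {probe.proto!r}")


def send(probe, policy):
    """Forward one probe hop by hop; return (responder_ip, reply_kind) or None."""
    for hop_ip in PATH:
        probe.ttl -= 1
        if probe.ttl == 0:
            return (hop_ip, "time-exceeded")
    return destination_answer(probe, policy)   # TTL survived every router


def traceroute(proto, policy, max_hops=8, base_port=33434, tcp_port=80):
    """Run probes with TTL 1..max_hops and stop once the destination answers.

    Each entry is (ip, kind) for a reply, or "* * *" when nothing came back.
    """
    results = []
    for ttl in range(1, max_hops + 1):
        if proto == "udp":
            dport = base_port + ttl - 1   # classic traceroute bumps the port per probe
        elif proto == "tcp":
            dport = tcp_port
        else:
            dport = 0
        reply = send(Probe(proto, ttl, dport), policy)
        results.append(reply if reply else "* * *")
        if reply and reply[0] == DEST:
            break
    return results


if __name__ == "__main__":
    policy = DestPolicy()
    for proto in ("icmp", "udp", "tcp"):
        print(f"--- {proto} ---")
        for hop, entry in enumerate(traceroute(proto, policy), start=1):
            print(f"{hop:2}  {entry}")
```

The UDP run never terminates early because no packet ever reaches the host to trigger Port Unreachable, so the probes continue until max_hops with every line blank, which is exactly what a filter that only permits time-exceeded and port-unreachable replies would let you see; changing tcp_port to a closed port makes the TCP run behave the same way.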
>----- Original Message -----
Subject: Need your help on traceroute
Date: Fri, December 28, 2007 17:41
From: "PANDI MOORTHY" <moorthypandi@gmail.com>
> Hi
>
> Is there Cisco documentation to explain the real usage of this command
> "permit icmp any any traceroute"
>
> I am trying to capture the source which originate the traceroute packet,
>
> I understand we can use the below ACL to capture the traceroute return
> traffic (to the originator)
>
> permit icmp any any time-exceeded log-input
> permit icmp any any port-unreachable log-input
>
> How about on incoming side?  Is there a way to log?
>
> Regards
> Pandi
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST