From: Mohamed, Liban [NTK] (Liban.Mohamed@sprint.com)
Date: Sat Dec 29 2007 - 02:47:29 ART
The original question was to capture the source which originate the traceroute packet, so I was able to capture trace-route by creating the following ACL, since Cisco router uses UDP, although this can be changed, but UDP is the default, right?
"access-list 123 permit udp any range 33434 33464 any"
Liban Mohamed
NTAC-IP
Sprint/Nextel
www.sprint.net
liban.mohamed@sprint.com
(W) 678-291-3438
(PCS) 404-441-9701
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Scott Morris
Sent: Friday, December 28, 2007 11:37 PM
To: 'Brian Dennis'; 'PANDI MOORTHY'; 'Cisco certification'
Subject: RE: Need your help on traceroute
While I agree on the idea that there are multiple ways of doing traceroutes,
I think the original question was about an ACL with ICMP and the
"traceroute" option.
R1(config)#access-list 101 permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
dscp Match packets with given dscp value
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including
input
interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
<cr>
R1(config)#
There are lots of things listed, and most have to do with the specific
types/codes laid out in RFC792. However, I believe (and no, I haven't
tested this) that the traceroute option here is specifically looking for
option 7 of the header (RFC791) allowing the record route feature of ICMP.
Just my thoughts, but since everything else really is specific to ICMP here,
it would seem strange to either not filter based on that or simply ignore
it.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Friday, December 28, 2007 10:16 PM
To: PANDI MOORTHY; Cisco certification
Subject: Re: Need your help on traceroute
Here is a reply that I've made on this list in the past in regards to
traceroute:
Note that traceroute is a technique to have the routers between the source
and destination reveal themselves and finally have the destination reveal
itself by replying to a "packet". Traceroute can be implemented using ICMP,
UDP, and even TCP so as a CCIE when someone asks you to filter "traceroute"
you should get a little background as to the traceroute application/OS's
being used to trigger the reply from the destination.
Example: Windows uses ICMP echoes by default, most Linux OS's use UDP by
default but can use ICMP echoes (-I option), and the IOS uses UDP. There
are also implementations that use TCP.
The goal of traceroute is to have the routers between the source and
destination reveal themselves and finally have the destination reply so that
you know you have reached it. The routers reveal themselves by sending Time
Exceeded (aka TTL-Exceeded) ICMP packets back to the source when the TTL is
decremented to zero. The traceroute implementation can determine its
reached the destination by having it reply to an ICMP echo request, send an
ICMP port unreachable to a packet sent to an unused UDP port, or completing
the TCP three-way handshake.
************************************************************************
ICMP based traceroute:
In this example we are sending ICMP echo requests to www.cisco.com and
looking for the ICMP echo reply to know that we have reached the final
destination.
[root@xxxxxx root]# traceroute -I www.cisco.com traceroute to www.cisco.com
(198.133.219.25), 30 hops max, 38 byte packets
1 198.132.102.1 (198.132.102.1) 1.658 ms 1.975 ms 1.968 ms
2 foo.hostrack.net (202.101.143.254) 5.394 ms 22.382 ms 2.966 ms
3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 20.132 ms
20.494 ms 20.195 ms
4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 19.749 ms
25.827 ms 26.814 ms
5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 29.108 ms 19.864 ms
20.066 ms
6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 26.338 ms 26.232 ms
26.821 ms
7 0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101) 46.424 ms 45.996 ms
45.675 ms
8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 48.653 ms 46.513 ms
46.803 ms
9 193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77) 46.693 ms 46.619 ms
46.446 ms
10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.556 ms 46.954 ms
46.944 ms
11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 30.818 ms 31.769 ms
32.685 ms
12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 30.589 ms 30.626 ms
30.448 ms
13 * * *
14 www.cisco.com (198.133.219.25) 28.916 ms 28.994 ms 28.944 ms
************************************************************************
UDP based traceroute:
In this example we are sending UDP packets with a starting port number of
33434 to www.cisco.com. Note that we don't ever get a reply from
www.cisco.com because their firewall will not allow our UDP packets in.
[root@xxxxxx root]# man traceroute | grep "UDP port number"
-p Set the base UDP port number used in probes (default is
33434).
[root@xxxxxx root]#
[root@xxxxxx root]# traceroute www.cisco.com traceroute to www.cisco.com
(198.133.219.25), 30 hops max, 38 byte packets
1 198.132.102.1 (198.132.102.1) 1.725 ms 1.866 ms 1.841 ms
2 foo.hostrack.net (202.101.143.254) 4.887 ms 4.281 ms 4.482 ms
3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.266 ms
21.152 ms 20.826 ms
4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 58.829 ms
42.033 ms 24.007 ms
5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 21.448 ms 23.277 ms
21.446 ms
6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.816 ms 27.259 ms
27.210 ms
7 0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101) 47.540 ms 46.954 ms
47.198 ms
8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 48.072 ms 47.247 ms
46.667 ms
9 193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77) 51.728 ms 51.437 ms
48.304 ms
10 ciscosys-gw1.customer.alter.net (65.208.80.242) 48.563 ms 48.878 ms
47.807 ms
11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 31.562 ms 32.653 ms
31.318 ms
12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 32.327 ms 31.831 ms
31.516 ms
13 * * *
14 * * *
************************************************************************
TCP based traceroute:
In this example we are sending TCP SYN packets to port 80 looking for the
destination to complete the three-way-handshake. Once the handshake is
complete we know that we have reached the destination. Obviously Cisco's
firewall is going to allow packets to TCP port 80 destined for it's web
server.
[root@xxxxxx root]# tcptraceroute www.cisco.com
tcptraceroute: Symbol `pcap_version' has different size in shared object,
consider re-linking Selected device eth3, address 198.132.102.93, port 41440
for outgoing packets Tracing the path to www.cisco.com (198.133.219.25) on
TCP port 80, 30 hops max
1 198.132.102.1 (198.132.102.1) 1.575 ms 1.507 ms 1.469 ms
2 foo.hostrack.net (202.101.143.254) 4.840 ms 5.090 ms 4.596 ms
3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.205 ms
20.895 ms 21.430 ms
4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 21.682 ms
21.012 ms 21.059 ms
5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 21.185 ms 21.304 ms
20.939 ms
6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.176 ms 28.615 ms
27.644 ms
7 0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101) 47.659 ms 48.220 ms
47.667 ms
8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 47.534 ms 48.483 ms
47.183 ms
9 193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77) 64.413 ms 51.058 ms
49.007 ms
10 ciscosys-gw1.customer.alter.net (65.208.80.242) 48.156 ms 49.197 ms
47.534 ms
11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 31.685 ms 32.633 ms32.895 ms
12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 32.291 ms 33.900 ms35.461 ms
13 www.cisco.com (198.133.219.25) [open] 31.041 ms 31.667 ms 32.775 ms
[root@xxxxxx root]#
HTH,
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
>----- Original Message -----
Subject: Need your help on traceroute
Date: Fri, December 28, 2007 17:41
From: "PANDI MOORTHY" <moorthypandi@gmail.com>
> Hi
>
>
>
>
>
> Is there Cisco documentation to explain the real usage of this command
> "permit
> icmp any any traceroute"
>
>
>
> I am trying to capture the source which originate the traceroute
> packet,
>
>
>
> I understand we can use the below ACL to capture the traceroute return
> traffic (to the originator)
>
>
>
> permit icmp any any time-exceeded log-input
>
> permit icmp any any port-unreachable log-input
>
>
>
>
> How about on incoming side? is there a way to log
>
> Regards
> Pandi
>
> ______________________________________________________________________
> _ Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST