From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sat Dec 29 2007 - 02:57:24 ART
Yes, the Cisco IOS uses UDP as the "trigger".  Just remember that with each
probe the UDP port increments.  This means that if your destination is 10 hops
away, you start with a TTL of 1, and you send 3 probes per TTL, the 10th
router in the path will see the UDP ports as 33462, 33463, and 33464.
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
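An added example, not from Brian's message or from any Cisco or traceroute code, that models the per-probe port increment he describes and what it implies for an IOS-style "range" entry such as the one quoted further down. The formula (first probe at base + 1, then one port per probe) is an assumption inferred from the 33462, 33463, 33464 quoted for hop 10 with 3 probes per TTL.

```python
from typing import List, Tuple

BASE_PORT = 33434  # default base port, per the traceroute(8) excerpt quoted below


def probe_port(ttl: int, probe: int, nprobes: int = 3, base: int = BASE_PORT) -> int:
    """UDP destination port used by probe number `probe` (1-based) sent at `ttl`.

    Assumption: the port is bumped by one before every probe, starting at
    base + 1, which is the numbering that reproduces 33462, 33463, 33464
    for the 10th router with 3 probes per TTL.
    """
    if ttl < 1 or not 1 <= probe <= nprobes:
        raise ValueError("ttl must be >= 1 and probe must be in 1..nprobes")
    return base + (ttl - 1) * nprobes + probe


def ports_seen_by_hop(ttl: int, nprobes: int = 3, base: int = BASE_PORT) -> List[int]:
    """All destination ports the router at hop `ttl` sees during one trace."""
    return [probe_port(ttl, p, nprobes, base) for p in range(1, nprobes + 1)]


def acl_range_for_hops(max_hops: int, nprobes: int = 3, base: int = BASE_PORT) -> Tuple[int, int]:
    """Low/high bounds for an IOS 'range' keyword covering every probe up to max_hops."""
    return probe_port(1, 1, nprobes, base), probe_port(max_hops, nprobes, nprobes, base)


def hops_covered(low: int, high: int, nprobes: int = 3, base: int = BASE_PORT) -> int:
    """Deepest hop whose probes ALL fall inside low..high (0 if none do).

    Handy for auditing an existing ACL: probes aimed at deeper hops land on
    ports above `high` and silently miss the entry.
    """
    ttl = 0
    while all(low <= p <= high for p in ports_seen_by_hop(ttl + 1, nprobes, base)):
        ttl += 1
    return ttl


if __name__ == "__main__":
    print("hop 10 sees ports", ports_seen_by_hop(10))
    lo, hi = acl_range_for_hops(30)  # the "30 hops max" shown in the trace output
    print(f"access-list 123 permit udp any range {lo} {hi} any")
    print("range 33434 33464 covers hops 1 ..", hops_covered(33434, 33464))
```

With the defaults, the range 33434 to 33464 quoted below matches probes for hops 1 through 10 only; a full 30-hop trace needs the range extended to 33524.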
>----- Original Message -----
Subject: RE: Need your help on traceroute
Date: Fri, December 28, 2007 21:47
From: "Mohamed, Liban [NTK]" <Liban.Mohamed@sprint.com>
> The original question was to capture the source which originates the traceroute
> packet, so I was able to capture traceroute by creating the following ACL, since
> the Cisco router uses UDP.  Although this can be changed, UDP is the default, right?
>
> "access-list 123 permit udp any range 33434 33464 any"
>
>
> Liban Mohamed
> NTAC-IP
> Sprint/Nextel
> www.sprint.net
> liban.mohamed@sprint.com
> (W) 678-291-3438
> (PCS) 404-441-9701
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Scott Morris
> Sent: Friday, December 28, 2007 11:37 PM
> To: 'Brian Dennis'; 'PANDI MOORTHY'; 'Cisco certification'
> Subject: RE: Need your help on traceroute
>
> While I agree on the idea that there are multiple ways of doing traceroutes,
> I think the original question was about an ACL with ICMP and the
> "traceroute" option.
>
> R1(config)#access-list 101 permit icmp any any ?
>   <0-255>                      ICMP message type
>   administratively-prohibited  Administratively prohibited
>   alternate-address            Alternate address
>   conversion-error             Datagram conversion
>   dod-host-prohibited          Host prohibited
>   dod-net-prohibited           Net prohibited
>   dscp                         Match packets with given dscp value
>   echo                         Echo (ping)
>   echo-reply                   Echo reply
>   fragments                    Check non-initial fragments
>   general-parameter-problem    Parameter problem
>   host-isolated                Host isolated
>   host-precedence-unreachable  Host unreachable for precedence
>   host-redirect                Host redirect
>   host-tos-redirect            Host redirect for TOS
>   host-tos-unreachable         Host unreachable for TOS
>   host-unknown                 Host unknown
>   host-unreachable             Host unreachable
>   information-reply            Information replies
>   information-request          Information requests
>   log                          Log matches against this entry
>   log-input                    Log matches against this entry, including input interface
>   mask-reply                   Mask replies
>   mask-request                 Mask requests
>   mobile-redirect              Mobile host redirect
>   net-redirect                 Network redirect
>   net-tos-redirect             Net redirect for TOS
>   net-tos-unreachable          Network unreachable for TOS
>   net-unreachable              Net unreachable
>   network-unknown              Network unknown
>   no-room-for-option           Parameter required but no room
>   option-missing               Parameter required but not present
>   packet-too-big               Fragmentation needed and DF set
>   parameter-problem            All parameter problems
>   port-unreachable             Port unreachable
>   precedence                   Match packets with given precedence value
>   precedence-unreachable       Precedence cutoff
>   protocol-unreachable         Protocol unreachable
>   reassembly-timeout           Reassembly timeout
>   redirect                     All redirects
>   router-advertisement         Router discovery advertisements
>   router-solicitation          Router discovery solicitations
>   source-quench                Source quenches
>   source-route-failed          Source route failed
>   time-exceeded                All time exceededs
>   time-range                   Specify a time-range
>   timestamp-reply              Timestamp replies
>   timestamp-request            Timestamp requests
>   tos                          Match packets with given TOS value
>   traceroute                   Traceroute
>   ttl-exceeded                 TTL exceeded
>   unreachable                  All unreachables
>   <cr>
>
> R1(config)#
>
> There are lots of things listed, and most have to do with the specific
> types/codes laid out in RFC792.  However, I believe (and no, I haven't
> tested this) that the traceroute option here is specifically looking for
> option 7 of the header (RFC791) allowing the record route feature of ICMP.
>
> Just my thoughts, but since everything else really is specific to ICMP here,
> it would seem strange to either not filter based on that or simply ignore
> it.
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
> #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> VP - Technical Training - IPexpert, Inc.
> IPexpert Sr. Technical Instructor
>
> A Cisco Learning Partner - We Accept Learning Credits!
>
> smorris@ipexpert.com
>
>
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> http://www.ipexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
> Sent: Friday, December 28, 2007 10:16 PM
> To: PANDI MOORTHY; Cisco certification
> Subject: Re: Need your help on traceroute
>
> Here is a reply that I've made on this list in the past in regards to
> traceroute:
>
> Note that traceroute is a technique to have the routers between the source
> and destination reveal themselves and finally have the destination reveal
> itself by replying to a "packet".  Traceroute can be implemented using ICMP,
> UDP, and even TCP, so as a CCIE when someone asks you to filter "traceroute"
> you should get a little background as to the traceroute application/OS
> being used to trigger the reply from the destination.
> Example: Windows uses ICMP echoes by default, most Linux OSes use UDP by
> default but can use ICMP echoes (-I option), and IOS uses UDP.  There
> are also implementations that use TCP.
>
> The goal of traceroute is to have the routers between the source and
> destination reveal themselves and finally have the destination reply so that
> you know you have reached it.  The routers reveal themselves by sending Time
> Exceeded (aka TTL-Exceeded) ICMP packets back to the source when the TTL is
> decremented to zero.  The traceroute implementation can determine it has
> reached the destination by having it reply to an ICMP echo request, send an
> ICMP port unreachable to a packet sent to an unused UDP port, or complete
> the TCP three-way handshake.
>
>
> ************************************************************************
>
> ICMP based traceroute:
>
> In this example we are sending ICMP echo requests to www.cisco.com and
> looking for the ICMP echo reply to know that we have reached the final
> destination.
>
> [root@xxxxxx root]# traceroute -I www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
>  1  198.132.102.1 (198.132.102.1)  1.658 ms  1.975 ms  1.968 ms
>  2  foo.hostrack.net (202.101.143.254)  5.394 ms  22.382 ms  2.966 ms
>  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  20.132 ms  20.494 ms  20.195 ms
>  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  19.749 ms  25.827 ms  26.814 ms
>  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  29.108 ms  19.864 ms  20.066 ms
>  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  26.338 ms  26.232 ms  26.821 ms
>  7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  46.424 ms  45.996 ms  45.675 ms
>  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.653 ms  46.513 ms  46.803 ms
>  9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  46.693 ms  46.619 ms  46.446 ms
> 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.556 ms  46.954 ms  46.944 ms
> 11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  30.818 ms  31.769 ms  32.685 ms
> 12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  30.589 ms  30.626 ms  30.448 ms
> 13  * * *
> 14  www.cisco.com (198.133.219.25)  28.916 ms  28.994 ms  28.944 ms
> ************************************************************************
>
> UDP based traceroute:
> In this example we are sending UDP packets with a starting port number of
> 33434 to www.cisco.com.  Note that we don't ever get a reply from
> www.cisco.com because their firewall will not allow our UDP packets in.
>
> [root@xxxxxx root]# man traceroute | grep "UDP port number"
>        -p     Set the base UDP port number used in probes (default is 33434).
> [root@xxxxxx root]#
> [root@xxxxxx root]# traceroute www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
>  1  198.132.102.1 (198.132.102.1)  1.725 ms  1.866 ms  1.841 ms
>  2  foo.hostrack.net (202.101.143.254)  4.887 ms  4.281 ms  4.482 ms
>  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.266 ms  21.152 ms  20.826 ms
>  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  58.829 ms  42.033 ms  24.007 ms
>  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.448 ms  23.277 ms  21.446 ms
>  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.816 ms  27.259 ms  27.210 ms
>  7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.540 ms  46.954 ms  47.198 ms
>  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.072 ms  47.247 ms  46.667 ms
>  9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  51.728 ms  51.437 ms  48.304 ms
> 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.563 ms  48.878 ms  47.807 ms
> 11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.562 ms  32.653 ms  31.318 ms
> 12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.327 ms  31.831 ms  31.516 ms
> 13  * * *
> 14  * * *
>
> ************************************************************************
> TCP based traceroute:
>
> In this example we are sending TCP SYN packets to port 80, looking for the
> destination to complete the three-way handshake.  Once the handshake is
> complete we know that we have reached the destination.  Obviously Cisco's
> firewall is going to allow packets to TCP port 80 destined for its web
> server.
>
> [root@xxxxxx root]# tcptraceroute www.cisco.com
> tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
> Selected device eth3, address 198.132.102.93, port 41440 for outgoing packets
> Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
>  1  198.132.102.1 (198.132.102.1)  1.575 ms  1.507 ms  1.469 ms
>  2  foo.hostrack.net (202.101.143.254)  4.840 ms  5.090 ms  4.596 ms
>  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.205 ms  20.895 ms  21.430 ms
>  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  21.682 ms  21.012 ms  21.059 ms
>  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.185 ms  21.304 ms  20.939 ms
>  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.176 ms  28.615 ms  27.644 ms
>  7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.659 ms  48.220 ms  47.667 ms
>  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  47.534 ms  48.483 ms  47.183 ms
>  9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  64.413 ms  51.058 ms  49.007 ms
> 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.156 ms  49.197 ms  47.534 ms
> 11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.685 ms  32.633 ms  32.895 ms
> 12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.291 ms  33.900 ms  35.461 ms
> 13  www.cisco.com (198.133.219.25) [open]  31.041 ms  31.667 ms  32.775 ms
> [root@xxxxxx root]#
>
>
> HTH,
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> >----- Original Message -----
> Subject: Need your help on traceroute
> Date: Fri, December 28, 2007 17:41
> From: "PANDI MOORTHY" <moorthypandi@gmail.com>
>
> > Hi
> >
> > Is there Cisco documentation to explain the real usage of this command
> > "permit icmp any any traceroute"
> >
> > I am trying to capture the source which originates the traceroute packet.
> >
> > I understand we can use the below ACL to capture the traceroute return
> > traffic (to the originator)
> >
> > permit icmp any any time-exceeded log-input
> >
> > permit icmp any any port-unreachable log-input
> >
> > How about on the incoming side?  Is there a way to log
> >
> > Regards
> > Pandi
> >
> > ______________________________________________________________________
> > _ Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST