But How Does Traceroute Work?

What is Traceroute?

So if you want to determine the hop count (the total number of hops that packets travel through) from source to destination, or in other words if you want to trace the path that packets take from source to destination, you will use Traceroute.

Is It Traceroute Or Tracert?
Though both Traceroute and Tracert do the same job, they work a bit differently; I will explain the difference later in detail. For the time being, keep in mind that the Traceroute utility is available on Unix-like systems such as Linux and macOS, and also on Cisco IOS, whereas the Tracert utility is available on Microsoft Windows.

How does Traceroute work?
To help you really understand this, I will explain it in three different ways, because Traceroute can be implemented using ICMP, UDP, or TCP:
  1. Traceroute over ICMP
  2. Traceroute over UDP
  3. Traceroute over TCP
Before discussing all these, let us understand ICMP, which will really help us understand this blog.
ICMP stands for Internet Control Message Protocol. The IP protocol itself has no error reporting mechanism. What happens if a router has to discard a packet, maybe because it cannot find a route to the final destination, or because the TTL value in the packet has reached 0, or for any other reason? IP has no built-in mechanism to notify the original source that the packet has been discarded.
There must be a way to compensate for this deficiency, and that is where ICMP comes into play.
So if a router discards a packet, it is the job of ICMP to notify the original host that the packet has been discarded.
Note: ICMP has other functionalities. We will only focus on those that are needed here.
This is the ICMP message format


There are many ICMP messages; I will explain only the three that traceroute depends on.
ICMP destination unreachable messages
They are type 3 messages. When Type=3 and Code=3 it is port unreachable. When the source sends a UDP packet to the destination device with a destination port that is closed (no process is listening on it), the destination responds with a port unreachable message (Type=3, Code=3), indicating that the port is not active.

ICMP time exceeded message
They are type 11 messages. When a router receives a packet, it decapsulates it and decrements the TTL value by 1. If the TTL value becomes 0 after decrementing, the router discards the packet and sends an ICMP time exceeded message (Type 11, Code 0) to the source. The other case is when not all the fragments that make up a datagram arrive at the destination host within the reassembly time limit; the host then sends an ICMP time exceeded message (Type 11, Code 1) to the source.

ICMP echo request and reply messages
ICMP echo requests (Type 8) can be sent by a host or a router. ICMP echo replies (Type 0) are sent by the host or router that receives an echo request. This message pair, which is what the ping utility uses, can be used by the network manager to check the functionality of the IP protocol and to check the reachability of a host.
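The following is an added example (my own code, not from the original post) that builds the three message types just described with Python's struct module and shows a detail the post relies on without spelling it out: a Type 11 or Type 3 error message quotes the IP header and the first 8 bytes of the offending datagram, and it is from those quoted bytes (echo identifier/sequence for an ICMP probe, the source/destination ports for a UDP or TCP probe) that traceroute knows which probe, and therefore which TTL, a reply belongs to. All addresses, ports and identifiers below are constructed sample values, not taken from a real capture, and the function names are my own.

```python
import socket
import struct

# ICMP types/codes the three traceroute variants depend on (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_PORT_UNREACH = 3      # type 3, code 3
CODE_TTL_EXCEEDED = 0      # type 11, code 0

IPPROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, used by both IP and ICMP.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; ttl is the field traceroute varies per hop."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_echo_request(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """Type 8 probe (what tracert / traceroute -I send). id+seq identify the probe."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_udp_probe(sport: int, dport: int, payload: bytes = b"probe") -> bytes:
    """UDP probe (Linux default mode); a zero checksum is legal for UDP over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_error(itype: int, code: int, offending_packet: bytes) -> bytes:
    """What a router (type 11) or the end host (type 3) sends back to the source:
    an 8-byte ICMP header whose second word is unused, followed by the offending
    IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (offending_packet[0] & 0x0F) * 4
    quoted = offending_packet[: ihl + 8]
    body = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    return struct.pack("!BBHI", itype, code, inet_checksum(body), 0) + quoted


def parse_icmp_error(msg: bytes) -> dict:
    """Decode a type 3 / type 11 message and recover which probe it answers.
    Raises ValueError for a corrupted checksum, a non-error type, or a quote
    too short to identify the probe."""
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = msg[0], msg[1]
    if itype not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        raise ValueError(f"ICMP type {itype} is not an error message")
    quoted = msg[8:]
    if len(quoted) < 20:
        raise ValueError("quoted datagram is truncated")
    ihl = (quoted[0] & 0x0F) * 4
    inner = quoted[ihl: ihl + 8]
    if len(inner) < 8:
        raise ValueError("quoted datagram is truncated")
    proto = IPPROTO.get(quoted[9], str(quoted[9]))
    if proto == "icmp":
        _, _, _, ident, seq = struct.unpack("!BBHHH", inner)
        probe = {"proto": proto, "id": ident, "seq": seq}
    elif proto in ("udp", "tcp"):
        sport, dport = struct.unpack("!HH", inner[:4])
        probe = {"proto": proto, "sport": sport, "dport": dport}
    else:
        probe = {"proto": proto}
    return {
        "type": itype,
        "code": code,
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "probe": probe,
    }


def demo() -> tuple:
    """Constructed round trips: a router expiring an echo probe with TTL=1, and a
    destination host rejecting a UDP probe on a closed high port."""
    echo = build_echo_request(0x1234, 7)
    pkt = build_ipv4_header("192.168.100.102", "8.8.8.8", 1, 1, len(echo)) + echo
    from_router = parse_icmp_error(build_icmp_error(ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED, pkt))
    udp = build_udp_probe(47717, 33446)
    pkt = build_ipv4_header("192.168.100.101", "10.180.26.66", 17, 12, len(udp)) + udp
    from_host = parse_icmp_error(build_icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, pkt))
    return from_router, from_host


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Two things to take from this when reading captures: a reply's own source address is the router that expired the packet, while the original source and destination sit inside the quoted header; and if a middlebox rewrites or truncates that quote (some NATs and firewalls do), the sender can no longer match the reply, which shows up as unexplained * entries.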

Now that you have a clear understanding of ICMP messages let us understand traceroute.

1) Traceroute over ICMP
Consider the following topology


By default, Windows (tracert) uses traceroute over ICMP; on Linux you get the same behaviour with traceroute -I. Let's say that PC1 wants to trace the path to Server1. In this type of traceroute, ICMP echo request (Type 8), ICMP echo reply (Type 0), and ICMP time exceeded (Type 11) messages are used.



Step1
  • PC1 sends an ICMP echo request (Type 8) packet with the TTL value set to 1 (TTL=1).
  • R1 receives this packet --> decapsulates it --> as TTL=1, decrementing by 1 makes the TTL value 0 --> R1 discards the packet and sends an ICMP time exceeded message to PC1.
  • This is how PC1 gets to know about R1, as R1 uses its own IP address as the source IP address of that message.

Note: Step 1 is repeated three times (three probes per hop). This is the reason you see three columns shown in yellow.


These values represent the Round Trip Time (RTT). For instance, during the first attempt it took 5 ms for a packet to reach 192.168.100.1 and for the reply to arrive back at PC1; similarly 3 ms during the second attempt and 2 ms during the third.

Step2
  • PC1 sends an ICMP echo request (Type 8) packet, this time with the TTL value set to 2 (TTL=2).
  • R1 receives this packet --> decapsulates it --> as TTL=2, decrementing by 1 makes the TTL value 1 --> R1 re-encapsulates the packet and forwards it to R2.
  • R2 receives this packet --> decapsulates it --> as TTL=1, decrementing by 1 makes the TTL value 0 --> R2 discards the packet and sends an ICMP time exceeded message to PC1.
  • This is how PC1 gets to know about R2, as R2 uses its own IP address as the source IP address of that message.
Note: Step 2 is repeated three times.

Step3
  • PC1 sends an ICMP echo request (Type 8) packet, this time with the TTL value set to 3 (TTL=3).
  • R1 receives this packet --> decapsulates it --> as TTL=3, decrementing by 1 makes the TTL value 2 --> R1 re-encapsulates the packet and forwards it to R2.
  • R2 receives this packet --> decapsulates it --> as TTL=2, decrementing by 1 makes the TTL value 1 --> R2 re-encapsulates the packet and forwards it to R3.
  • R3 receives this packet --> decapsulates it --> as TTL=1, decrementing by 1 makes the TTL value 0 --> R3 discards the packet and sends an ICMP time exceeded message to PC1.
  • This is how PC1 gets to know about R3, as R3 uses its own IP address as the source IP address of that message.
Note: Step 3 is repeated three times.

Step4
  • PC1 sends an ICMP echo request (Type 8) packet, this time with the TTL value set to 4 (TTL=4).
  • R1 receives this packet --> decapsulates it --> as TTL=4, decrementing by 1 makes the TTL value 3 --> R1 re-encapsulates the packet and forwards it to R2.
  • R2 receives this packet --> decapsulates it --> as TTL=3, decrementing by 1 makes the TTL value 2 --> R2 re-encapsulates the packet and forwards it to R3.
  • R3 receives this packet --> decapsulates it --> as TTL=2, decrementing by 1 makes the TTL value 1 --> the TTL is still non-zero, so R3 forwards the packet to Server1.
  • Server1 receives the packet. 192.168.100.5 is Server1's own address, so the packet has arrived at its final destination, and Server1 responds with an ICMP echo reply (Type 0). This is how we have learned about all the routers in our path.
Note: Step 4 is repeated three times.

Question1
If R2 along the path was configured to block ICMP, will the traceroute continue?
Well, yes. During Step 2, when R2 receives a packet with TTL=1 and decrements it to 0, it discards the packet as usual, but because ICMP is blocked it does not send the time exceeded message back. PC1's probes for that TTL time out and the hop is printed as * * *. Traceroute continues anyway, because on the next attempt PC1 sets TTL=3; when that packet arrives at R2 the TTL is decremented from 2 to 1, not to 0, so R2 has no reason to generate an ICMP message and simply forwards the packet to R3. The only thing we lose is the identity of the hop that blocks ICMP.

Question2
How or when does PC1 stop sending ICMP echo request packets?
When PC1 receives an ICMP echo reply from the destination, which is Server1 in our case, it knows that it has successfully reached the destination, so it stops sending ICMP echo request packets. (If the destination never replies, traceroute gives up after its maximum hop count, 30 by default.)

Let's see Traceroute in action.
Let us trace the path to 8.8.8.8.
 
Figure 1

I have captured this whole conversation with the help of Wireshark. Looking at the first packet, notice that TTL=1, source = 192.168.100.102, destination = 8.8.8.8, and the packet is an ICMP echo request (Type 8).

Figure 2

Let us examine the second packet.
Source = 192.168.100.100, destination = 192.168.100.102, and the packet is an ICMP time-to-live exceeded message (Type 11).

Figure 3

Notice in Figure 3, shown below, that the process is repeated, this time with TTL=2, and so on.

Figure 4

Scrolling all the way down to the bottom, notice source = 8.8.8.8, destination = 192.168.100.102, packet = ICMP echo reply (Type 0). This means that the path to destination 8.8.8.8 has been successfully traced.

Figure 5

2) Traceroute over UDP

In this type of traceroute, UDP packets, ICMP time exceeded messages (Type 11), and ICMP port unreachable messages (Type 3, Code 3) are used. This is the default mode of traceroute on Linux.
The first difference between Traceroute over ICMP and Traceroute over UDP is that Traceroute over UDP does not use ICMP echo request and reply messages as probes; it sends UDP datagrams instead.
The time-to-live exceeded message is also used here and serves the same function as it does in Traceroute over ICMP.
The second difference is that in Traceroute over ICMP, when the final destination is reached, the source expects an ICMP echo reply, whereas in Traceroute over UDP, when the final destination is reached, the source expects an ICMP destination unreachable (Type 3, Code 3, port unreachable) message. Don't worry if you are unclear; I will show you later how it really works.

Let's see this in action.

Figure 5

Notice the first packet: it is UDP, not ICMP. Source port = 47717, destination port = 33446, source IP = 192.168.100.101, and destination IP = 10.180.26.66. Why these port numbers? I will talk about it later. Notice that I have applied the Wireshark display filter ip.addr == 10.180.26.66 to keep irrelevant packets from being displayed here.

Figure 6

Look at the packet enclosed in the rectangle: source IP = 192.168.100.1, destination IP = 192.168.100.101, and it is an ICMP time exceeded message (Type 11). It is the same as in Traceroute over ICMP: the TTL became 0 at that router, and the router has to inform the source about it by sending an ICMP time-to-live exceeded message.

Figure 7

Scroll all the way down to the bottom and look at the packet enclosed in the rectangle. This is something different. Unlike traceroute over ICMP, when the packet arrives at the original destination, the destination does not send an ICMP echo reply but a destination unreachable (port unreachable) message.
Notice that source IP = 10.180.26.66 (the original destination), destination IP = 192.168.100.101 (the original source), and it is an ICMP destination unreachable (port unreachable) message (Type 3, Code 3). When the source receives this message it stops sending UDP packets, as it has traced the path to the destination.

Figure 8

Question1
Remember that while observing the first UDP packet you saw destination port = 33446. Why these port numbers?
This is what makes Traceroute over UDP possible. By default, traceroute sends a sequence of User Datagram Protocol (UDP) packets with destination port numbers ranging from 33434 to 33534; the port is incremented for each probe sent (you can change the base port with -p). These high ports are very unlikely to have a listening service on the destination device, which makes the device send a destination unreachable (port unreachable) message. If something does happen to listen on the probed port, no port unreachable comes back and traceroute keeps probing until its maximum hop count.

Question2
How or when does PC1 stop sending UDP packets?
When the destination device receives a UDP packet for one of these destination ports (ranging from 33434 to 33534), the port is almost certainly closed, and a device that receives a UDP packet for a closed port sends a destination unreachable (Type 3) message with Code 3 (port unreachable), informing the source that the port is closed.
So when the source receives a destination unreachable (Type 3) message with Code 3 (port unreachable), it is an indication that the original destination has been reached and the whole path has been traced, and it stops sending UDP packets.

3) Traceroute over TCP

In this type of traceroute, TCP SYN segments, TCP SYN-ACK segments, TCP RST segments, and ICMP time exceeded messages (Type 11) are used.

The first difference between Traceroute over ICMP and Traceroute over TCP is that Traceroute over TCP does not use ICMP echo request and reply messages as probes; it sends TCP segments instead.

The time-to-live exceeded message is also used here and serves the same function as it does in Traceroute over ICMP.
The second difference is that in Traceroute over ICMP, when the final destination is reached, the source expects an ICMP echo reply, but in Traceroute over TCP, when the final destination is reached, the source expects either a TCP SYN-ACK segment or a TCP RST segment.
Basically, in traceroute over TCP we are making use of the TCP three-way handshake. In a three-way handshake, the client sends a TCP SYN segment, the server answers with a SYN-ACK segment, and the client then sends an ACK segment. This is how a connection is established, as shown below.



But an important thing to note is that in traceroute over TCP the connection is never established with the destination; we only trace the path. Because the SYN probes look like ordinary connection attempts to a service port, this variant usually passes through firewalls that filter UDP high ports or ICMP echo.
Don't worry if you are unclear, I will show you later how it really works.
Notice that with traceroute we used the switches -T and -p: -T means use TCP SYN probes, and -p 443 means use 443 as the destination port. By default port 80 is used.

Figure 9

So look at the first TCP packet: the source has sent a SYN segment with destination port 443.

Figure 10

Notice the ICMP time exceeded message in the red rectangle: source IP = 192.168.100.1, destination IP = 192.168.100.101, and it is an ICMP time exceeded message (Type 11).

Figure 11
Scrolling all the way down to the bottom, notice that the destination 8.8.8.8 responded with a SYN-ACK segment. This is how we trace the path to the destination.

Figure 12

Here you can see that when the source receives the SYN-ACK segment sent by the destination, it sends an RST segment instead of the final ACK, because it never intends to establish a connection with the destination. We got what we wanted, which is tracing the path.

Figure 13

Question
How or when does PC1 stop sending TCP packets?
When the original destination receives the TCP SYN segment, there are two possibilities.
1) The destination replies to the source with a TCP SYN-ACK segment (the port is open).
When the source receives the SYN-ACK segment, it is an indication that the destination has been reached and the path has been successfully traced. The source replies with an RST segment to abort the half-open connection.

2) The destination replies to the source with a TCP RST segment (the port is closed).
Remember that we set the destination port to 443 (traceroute -T 8.8.8.8 -p 443). If that port is closed, the destination cannot reply with a SYN-ACK segment; instead it replies with an RST segment, refusing the connection.
Even though it does not reply with a SYN-ACK, we still get to know about the destination, because the source receives the TCP RST segment it sent. The source receiving either a SYN-ACK or an RST from the destination indicates that the destination has been reached and the path has been successfully traced. Only if the port is silently filtered (no SYN-ACK, no RST, and no ICMP error) does the trace end in * * * until the maximum hop count.
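The following simulation is an added example, my own code rather than anything from the original post, that ties the three sections together: it models the topology PC1 -> R1 -> R2 -> R3 -> Server1 from the ICMP walk-through (Steps 1 to 4 and Question 1, including a router that blocks ICMP), the UDP termination rule (port unreachable from the destination, or no answer at all if something listens on the probed port), and the two TCP outcomes just described (SYN-ACK for an open port, RST for a closed one). Only 192.168.100.1 (R1) and 192.168.100.5 (Server1) come from the post; the R2/R3 addresses, the set of open ports, and every function and field name are assumptions, and no packets are actually sent.

```python
from dataclasses import dataclass, field

TIMEOUT = "*"
# Replies that tell the source "the destination has been reached, stop probing"
FINAL_REPLIES = {"echo-reply", "port-unreachable", "syn-ack", "rst"}


@dataclass
class Router:
    addr: str
    sends_icmp_errors: bool = True   # False models a hop that blocks ICMP (Question 1)


@dataclass
class Host:
    addr: str
    open_tcp_ports: set = field(default_factory=set)
    open_udp_ports: set = field(default_factory=set)
    answers_ping: bool = True


@dataclass
class Probe:
    proto: str       # "icmp", "udp" or "tcp"
    ttl: int
    dport: int = 0   # UDP/TCP destination port


def deliver(probe: Probe, routers: list, dest: Host):
    """Walk one probe along the path. Every router decrements TTL; the router
    that takes it to 0 discards the packet and, unless it blocks ICMP, answers
    with time exceeded. A probe that survives the path is answered by the
    destination according to its protocol. Returns (replier address or None,
    reply kind)."""
    ttl = probe.ttl
    for router in routers:
        ttl -= 1
        if ttl == 0:
            if router.sends_icmp_errors:
                return router.addr, "time-exceeded"
            return None, TIMEOUT
    if probe.proto == "icmp":            # echo request -> echo reply
        return (dest.addr, "echo-reply") if dest.answers_ping else (None, TIMEOUT)
    if probe.proto == "udp":             # closed port -> ICMP type 3 code 3
        if probe.dport in dest.open_udp_ports:
            return None, TIMEOUT         # a listener just consumes the datagram
        return dest.addr, "port-unreachable"
    if probe.proto == "tcp":             # SYN -> SYN-ACK (open) or RST (closed);
        open_port = probe.dport in dest.open_tcp_ports
        return dest.addr, ("syn-ack" if open_port else "rst")   # source RSTs a SYN-ACK
    raise ValueError(f"unknown probe protocol {probe.proto!r}")


def traceroute(routers, dest, proto="icmp", dport=80, max_hops=30, probes=3, base_port=33434):
    """TTL goes 1, 2, 3, ... with `probes` attempts per TTL, until one of the
    attempts draws a final reply or max_hops is reached. Returns one dict per TTL."""
    hops = []
    next_udp_port = base_port            # UDP mode bumps the port for every probe
    for ttl in range(1, max_hops + 1):
        replies, kinds = [], []
        for _ in range(probes):
            if proto == "udp":
                probe = Probe("udp", ttl, next_udp_port)
                next_udp_port += 1
            elif proto == "tcp":
                probe = Probe("tcp", ttl, dport)
            else:
                probe = Probe("icmp", ttl)
            who, kind = deliver(probe, routers, dest)
            replies.append(who or TIMEOUT)
            kinds.append(kind)
        done = any(k in FINAL_REPLIES for k in kinds)
        hops.append({"ttl": ttl, "replies": replies, "kind": kinds[-1], "final": done})
        if done:
            break
    return hops


def render(hops) -> str:
    """Text in the familiar 'hop  reply reply reply' layout."""
    return "\n".join(f"{h['ttl']:>2}  {'  '.join(h['replies'])}  [{h['kind']}]" for h in hops)


# Constructed topology for the example; R2/R3 addresses are assumed.
PATH = [Router("192.168.100.1"), Router("10.0.12.2"), Router("10.0.23.3")]
SERVER1 = Host("192.168.100.5", open_tcp_ports={443})

if __name__ == "__main__":
    print(render(traceroute(PATH, SERVER1, "icmp")))
    blocked = [PATH[0], Router("10.0.12.2", sends_icmp_errors=False), PATH[2]]
    print(render(traceroute(blocked, SERVER1, "icmp")))
    print(render(traceroute(PATH, SERVER1, "udp")))
    print(render(traceroute(PATH, SERVER1, "tcp", dport=22)))
```

Running it prints four traces: the plain ICMP trace ends at hop 4 with an echo reply; the second shows hop 2 as * * * yet still reaches Server1; the UDP trace ends with port unreachable; and the TCP trace to the closed port 22 ends with an RST, which is still a usable end marker.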

Conclusion
Using traceroute is a great way to trace the path from source to destination. To really take full advantage of traceroute, one should understand the different protocols it can use. Besides, Tracert and traceroute both do the same job: Linux by default uses UDP for traceroute, whereas Windows uses ICMP. tcptraceroute <ip address> is equivalent to traceroute -T <ip address>.
