-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                              -= TraceRoute =-
                              -= By Grifter =-
                      -= grifter@staticdischarge.org =-
                         -= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

§ Intro

Well, before you go getting your panties in a bunch, let me explain why this talk is about traceroute. Let's face it, everyone has seen it, most of us use it often, and if you don't, you will. TraceRoute is a great tool in the Network Technician's proverbial ToolBelt. But I would have to say that in my experience it is used most to find the "route" that your IP packets take on their way to and from a host machine. If you can't seem to connect to a machine/host, you can run traceroute to see where the problem lies. If you're trying to connect to 2600slc.org but your packet dies on a router in Denver, you know that the problem is not on your network, but on a network in Denver. I just figured that since many people use it and probably don't know what it's really doing, explaining traceroute would be a good topic.

§ TraceRoute and ICMP

TraceRoute is part of the ICMP (Internet Control Message Protocol). ICMP is mostly used in error handling of network traffic between two systems. There were originally 11 types of ICMP messages in RFC 792, but it has been through a few revisions and there are currently 37 types of ICMP messages flying around out there. All ICMP messages are transmitted as IP datagrams. Prepare to fear my ASCII skills...

     1             7 8             15 16                            31
    +---------------------------------------------------------------+
    | Type (8-bits) | Code (8-bits) |      Checksum (16-bits)       |
    |---------------------------------------------------------------|
    |                            Unused                             |
    |---------------------------------------------------------------|
    |     Data (Internet Header + 64 bits of Original Datagram)     |
    +---------------------------------------------------------------+

OK, let me break this down...
The "type" field holds the different values that determine which particular message is being sent. The "code" field holds the different sub-types of the message. The "checksum" is a count of the number of bits in a message so the receiver can check to see whether the same number of bits arrived. If the counts match, it's assumed that the complete transmission was received. The "data" should be self-explanatory, but the IP Header is important. The IP Header contains the source and destination IP addresses as well as a few other values, but the one we'll be focusing on is the TTL (Time to Live) value.

Let's compare the ICMP datagram to a journal of one of the ever so exciting events that may be part of your life if you're 14-17 years old. Let's say you tried to go over to your girlfriend's to give her a sappy love letter (Data) you just wrote, that you know will score big points, but you only have a half hour (30 minute TTL) to sneak out of your house and give it to her before your parents notice you're gone. You run a few blocks over and throw rocks at her window trying to wake her up, but after about 20 minutes she never comes to the window. You call it a loss and you jog back home. What you just experienced was an ICMP "Time Exceeded" or Type 11 error. And this is what makes traceroute work.

§ How TraceRoute Works

When a packet leaves a host, it is given an initial Time To Live (TTL) count that is supposed to be large enough to allow it to arrive at its destination. Each gateway that it encounters along the way will decrease the TTL by 1. If a gateway receives a message with a TTL of 0, the packet is dropped and an ICMP Time Exceeded message is sent back to the source host. This keeps packets that go astray from just bouncing around the network and wasting the precious bandwidth you abuse to download porn. Traceroute sends an IP Datagram with a TTL value of 1 to the destination system.
The first router to handle the datagram decreases the TTL value by one and drops the packet. After this happens the router sends an ICMP Time Exceeded message back to your system with its IP address as the source address. That is how you get the IP of the first router on the way to the destination system. Then traceroute sends another datagram to the destination system with a TTL value of 2. As it passes through the first router the value is decreased to 1, and it is then dropped by the second router it encounters, which in turn sends its own ICMP error, giving you the IP address of the second router on the way to the destination system. Traceroute will continue to increase the TTL value by 1 until the destination system is reached.

Now, when the destination is reached, the final TTL value of 1 will not be discarded and the packet will not be dropped. Traceroute works around this problem by sending UDP packets to the destination system on very high ports that services are not likely to be running on. When the packet can't be received on the designated port, the destination machine will return an ICMP "Port Unreachable" error message. TraceRoute sees that it has received "Port Unreachable" instead of "Time Exceeded" and knows that the destination system has been reached, and the packets stop.

So to sum it all up... TraceRoute sends UDP packets to a destination host with a TTL value of 1 and increases that value upon receiving an ICMP Time Exceeded error message from routers along the way. Each router's error message contains its IP address, which is recorded by TraceRoute. The destination system returns a Port Unreachable error which lets TraceRoute know that its destination has been reached.

§ Conclusion

Well, I hope that wasn't too mind numbingly boring for you. Sometimes it's nice to know what's going on behind the curtain. If you thought it sucked, why the hell did you continue to read this far along? Shouldn't you have stopped a long time ago?
Anyway, I just hope that maybe someone got something out of this. TraceRoute is pretty kool to use, but it's even better when you know what it's doing.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                             © 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
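The ICMP message layout from the "TraceRoute and ICMP" section and the TTL-stepping exchange from "How TraceRoute Works", carried through in code. This is an added worked example, not part of Grifter's write-up: it builds real RFC 792 Time Exceeded (type 11, code 0) and Port Unreachable (type 3, code 3) messages, including the checksum RFC 792 specifies (the ones' complement of the ones' complement sum of the message as 16-bit words, which is how a receiver actually verifies it), and runs the probe loop against a constructed, in-memory network. The router addresses, the destination, the "silent" hop, the listening port and the probe source port are all made up for the illustration (documentation-range addresses); nothing here opens a socket, so it runs offline and without root.

```python
import socket
import struct
from dataclasses import dataclass

# ICMP types/codes from RFC 792 that traceroute relies on.
ICMP_DEST_UNREACHABLE = 3      # code 3 = port unreachable: the destination itself answered
ICMP_TIME_EXCEEDED = 11        # code 0 = TTL hit zero in transit: a router answered
CODE_PORT_UNREACHABLE = 3
CODE_TTL_EXCEEDED = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: ones' complement of the ones' complement sum of 16-bit words.
    Run over a complete, intact message it returns 0; that is the receiver's check."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_error(icmp_type: int, code: int, original: bytes) -> bytes:
    """Type | Code | Checksum | Unused | IP header + 64 bits of the original datagram."""
    quoted = original[:28]                     # 20-byte IPv4 header + the 8-byte UDP header
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(body), 0) + quoted


def parse_icmp_error(msg: bytes) -> dict:
    """Verify the checksum and pull the probe's UDP destination port out of the quoted datagram."""
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    quoted = msg[8:]                           # skip type, code, checksum, unused
    ihl = (quoted[0] & 0x0F) * 4               # IPv4 header length in bytes
    (udp_dport,) = struct.unpack("!H", quoted[ihl + 2:ihl + 4])
    return {"type": icmp_type, "code": code, "udp_dport": udp_dport}


def build_probe(src: str, dst: str, ttl: int, dport: int) -> bytes:
    """Constructed UDP probe: minimal IPv4 header (IP checksum left 0) + UDP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)   # source port 40000 is arbitrary
    return ip + udp


@dataclass
class Router:
    address: str
    answers: bool = True    # some hops drop expired packets silently; traceroute prints "*"


# Constructed topology (documentation-range addresses, not anyone's real network).
PATH = [Router("192.0.2.1"), Router("198.51.100.7", answers=False), Router("203.0.113.9")]
DESTINATION = "203.0.113.80"
OPEN_UDP_PORTS = {53}       # a listening service swallows the probe and no error comes back


def forward(probe: bytes):
    """Carry the probe hop by hop. Returns (replying address, ICMP bytes), or None for silence."""
    ttl = probe[8]
    for router in PATH:
        ttl -= 1                               # every gateway decrements TTL by one
        if ttl == 0:                           # expired here: drop it and report Time Exceeded
            if not router.answers:
                return None
            return router.address, build_icmp_error(ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED, probe)
    (dport,) = struct.unpack("!H", probe[22:24])
    if dport in OPEN_UDP_PORTS:
        return None                            # delivered to a service, so no ICMP error at all
    return DESTINATION, build_icmp_error(ICMP_DEST_UNREACHABLE, CODE_PORT_UNREACHABLE, probe)


def traceroute(src="192.0.2.100", dst=DESTINATION, base_port=33434, max_hops=30):
    """TTL 1, 2, 3, ... until Port Unreachable; one entry (address or "*") per TTL."""
    hops = []
    for ttl in range(1, max_hops + 1):
        dport = base_port + ttl - 1            # a fresh high port for every probe
        reply = forward(build_probe(src, dst, ttl, dport))
        if reply is None:
            hops.append("*")                   # nothing came back within the timeout
            continue
        who, msg = reply
        info = parse_icmp_error(msg)
        if info["udp_dport"] != dport:         # the quoted UDP header ties a reply to its probe
            raise ValueError("reply does not quote this probe")
        hops.append(who)
        if info["type"] == ICMP_DEST_UNREACHABLE and info["code"] == CODE_PORT_UNREACHABLE:
            break                              # the destination itself answered: done
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(), start=1):
        print(f"{n:2d}  {hop}")
```

Two things the simulation shows that the prose alone does not: a hop that drops expired packets without answering shows up as "*" and the trace simply moves on to the next TTL, and a probe that happens to land on a port where something is listening also produces a "*" (no error is generated for a delivered datagram), which is why the port is changed for every probe and the next one recovers with a Port Unreachable. The quoted IP and UDP headers in the "Data" field are what let the receiver match a reply to the probe that caused it.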