January 24, 2015

Traceroute - Cisco, Linux, and Windows versions

In my today post I’d like analyze different version of traceroute on three platforms. You need to know exactly what protocols/types are used when you would like to permit them on your firewall.

1) Cisco version

I’m going now traceroute from R17 to R18:

This is what I captured on R17 interface:

Let me explain what we see:

R17 sends udp packet with ttl=1 to discover device in one hop distance. R16 decrements ttl by 1 and sees that ttl=0 and sends icmp packet ‘time exceeded):

-> udp - dst port: 33434, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> udp - dst port: 33435, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> udp - dst port: 33436, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

After three repeats R17 increases ttl by 1 and sends next three packets. R15 receives them, decreases ttl by 1 and due to ttl=0 R15 sends back icmp 'time exceeeded’:

-> udp - dst port: 33437, ttl=2
<- icmp - time exceeded - type 11, code 0 - ttl=254

-> udp - dst port: 33438, ttl=2
<- icmp - time exceeded - type 11, code 0 - ttl=254

-> udp - dst port: 33439, ttl=2
<- icmp - time exceeded - type 11, code 0 - ttl=254

After next three packets R17 increases ttl by 1 to ttl=3. These three packets reach R18 and due to invalid udp port (range 33434-33464) R18 sends icmp message: port unreachable (type:3, code:3):

-> udp - dst port: 33440, ttl=3
<- icmp - port unreachable - type 3, code 3 - ttl=253

-> udp - dst port: 33441, ttl=3
<- icmp - port unreachable - type 3, code 3 - ttl=253

-> udp - dst port: 33442, ttl=3
<- icmp - port unreachable - type 3, code 3 - ttl=253

On firewall we need to open following (returning) packets: icmp time-exceeded (type 11, code 0) and port unreachable (type 3, code 3).

2) Linux version

I added Linux machine to my network:

and I traceroute from Linux to r18:

Below you can see what I captured:

Let’s analyze what we see:

Linux sends udp packet with ttl=1 to discover device in one hop distance. R17 decrements ttl by 1 and sees that ttl=0 and sends icmp packet ‘time exceeded):

-> udp - dst port: 33434, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> udp - dst port: 33435, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> udp - dst port: 33436, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

After three repeats Linux increases ttl by 1 and sends next three packets. R16 receives them, decreases ttl by 1 and due to ttl=0 R16 sends back icmp 'time exceeeded’:

-> udp - dst port: 33437, ttl=2
<- icmp - time exceeded - type 11, code 0 - ttl=254

-> udp - dst port: 33438, ttl=2
<- icmp - time exceeded - type 11, code 0 - ttl=254

-> udp - dst port: 33439, ttl=2
<- icmp - time exceeded - type 11, code 0 - ttl=254

After three repeats Linux increases ttl by 1 (to 3) and sends next three packets. R15 receives them, decreases ttl by 1 and due to ttl=0 R15 sends back icmp ‘time exceeeded’:

-> udp - dst port: 33440, ttl=3
<- icmp - time exceeded - type 11, code 0 - ttl=253

-> udp - dst port: 33441, ttl=3
<- icmp - time exceeded - type 11, code 0 - ttl=253

-> udp - dst port: 33442, ttl=3
<- icmp - time exceeded - type 11, code 0 - ttl=253

In the last step Linux sends 7 udp packets with ttl=4 (3 packets), ttl=5 (3 packets) and ttl=6 (1 packet). Every packet generates responds: icmp port-unreachable.

-> udp - dst port: 33443, ttl=4
<- icmp - port unreachable - type 3, code 3 - ttl=252

-> udp - dst port: 33444, ttl=4
<- icmp - port unreachable - type 3, code 3 - ttl=252

-> udp - dst port: 33445, ttl=4
<- icmp - port unreachable - type 3, code 3 - ttl=252

-> udp - dst port: 33446, ttl=5
<- icmp - port unreachable - type 3, code 3 - ttl=252

-> udp - dst port: 33447, ttl=5
<- icmp - port unreachable - type 3, code 3 - ttl=252

-> udp - dst port: 33448, ttl=5
<- icmp - port unreachable - type 3, code 3 - ttl=252

-> udp - dst port: 33449, ttl=6
<- icmp - port unreachable - type 3, code 3 - ttl=252

As you see more or less the variation is similar to the Cisco one. I can’t find any information why Linux (2.6.32) needs to send last 7 packets instead of 3.

3) Windows version

For this version I use the same scenario as for linux.

The Windows version uses only icmp packets (no udp). Below you can see what I captured:

-> icmp - echo request, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> icmp - echo request, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> icmp - echo request, ttl=1
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=255

-> icmp - echo request, ttl=2
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=254

-> icmp - echo request, ttl=2
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=254

-> icmp - echo request, ttl=2
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=254

-> icmp - echo request, ttl=3
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=253

-> icmp - echo request, ttl=3
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=253

-> icmp - echo request, ttl=3
<- icmp - time exceeded (due to ttl=0) - type 11, code 0 - ttl=253

-> icmp - echo request, ttl=4
<- icmp - echo reply - type 11, code 0 - ttl=252

-> icmp - echo request, ttl=4
<- icmp - echo reply - type 11, code 0 - ttl=252

-> icmp - echo request, ttl=4
<- icmp - echo reply - type 11, code 0 - ttl=252

For Windows version, on a firewall we need to open: icmp time exceeded and echo-reply (in case we don’t inspect icmp traffic).

Kudos

Traceroute - Cisco, Linux, and Windows versions

Now read this

DMVPN - phase one - EIGRP