Understand the basic concepts of traceroute
Understand the working principle and detailed process of traceroute
Become familiar with the common traceroute commands
Some points to note
2. Basic concepts of traceroute
Traceroute (tracert on Windows systems) uses the ICMP protocol to locate every router between your computer and the target computer. The TTL value of a packet reflects how many routers or gateways it has passed through; by manipulating the TTL value of independent ICMP probes and observing the discard notifications that come back, traceroute walks through all the routers on the packet's transmission path. The traceroute command is slow, because each router on the path takes about 10 to 15 seconds.
3. Working principle and detailed process of traceroute
Traceroute is an important tool for probing the route from the local host to a destination host, and it is the most convenient one. Ping can probe a route too, but because of the limitation of the IP header it cannot record every router the packet passes through, so traceroute fills that gap. The principle of traceroute is very interesting. After receiving the destination host's IP, it first sends a UDP packet with TTL=1 to the destination host. When the first router receives the packet it automatically decrements the TTL by 1; the TTL is now 0, so the router discards the packet and at the same time sends an ICMP time-exceeded message back to the source host. After receiving this datagram the host sends another UDP datagram, this time with TTL=2, to the destination host, which causes the second router to send an ICMP datagram back to the host, and so on until the destination host is reached. In this way traceroute obtains the IP of every router on the path, avoiding the problem that the IP header can record only a limited number of router IPs.
Someone will ask: how does traceroute know that the UDP datagram has reached its destination? This involves a trick. TCP and UDP both define port numbers, and ordinary network programs listen on only a handful of low-numbered ports, such as 80 or 23. Traceroute sends its UDP datagrams to an unusual port number greater than 30000, so when the datagram reaches the destination host, the only thing the host can do is send an ICMP port-unreachable message back. When the source host receives that message it knows the destination has been reached. So traceroute is a bit of a liar :) Under Windows 7, the detailed tracert process is as follows:
An ICMP Echo message is sent to the destination IP address with the TTL value set to 1. After the datagram reaches the first router, the TTL value is decremented by 1, so the new TTL value is 0.
Because the TTL value is now 0, the router decides that it should not try to forward the datagram any further and discards it directly, since the datagram's lifetime (its TTL value) has expired. The router then sends an ICMP Time Exceeded message, that is, a TTL-expired notification, back to the client computer.
At this point the client computer that issued the traceroute command displays the name of that router, and then sends another ICMP Echo message with the TTL value set to 2.
The first router again decrements the TTL value by 1 and then, if possible, forwards the datagram to the next hop on the transmission path. When the datagram reaches the second router, the TTL value is decremented by 1 again and becomes 0.
The second router, like the first, discards the packet and returns an ICMP message just as the first router did.
This process continues: the traceroute command keeps increasing the TTL value and the routers on the transmission path keep decreasing it, until the datagram finally reaches the desired destination.
When the destination computer receives the ICMP Echo message, it returns an ICMP Echo Reply message.
Note: Windows 7 uses the ICMP protocol by default; Ubuntu with no parameters uses the UDP protocol by default.
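The UDP-mode exchange described above only works if the probing host can tell the two kinds of replies apart and match each one back to the probe that caused it. The following decoder is an added example, not code from the original article: it builds constructed ICMP replies (outer IP header, ICMP header, and the quoted probe header that routers copy back), then parses them into (replier, kind, probe port). All addresses and the probe layout are assumptions for the demo; real traceroute also checks the quoted source address and handles many more ICMP codes.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11     # sent by an intermediate router when TTL hits 0
ICMP_DEST_UNREACH = 3       # code 3 = port unreachable, sent by the destination
BASE_PORT = 33434           # traceroute's default first UDP probe port

def ipv4_header(src, dst, proto, ttl, payload_len):
    # Minimal 20-byte IPv4 header; checksum left 0 because this is a constructed sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_reply(replier, probe_src, probe_dst, icmp_type, code, probe_port):
    # Constructed reply: outer IP + ICMP header + the quoted probe (its IP header
    # and the first 8 bytes of its UDP header), as routers send it back.
    udp = struct.pack("!HHHH", 40000, probe_port, 8 + 32, 0)
    quoted = ipv4_header(probe_src, probe_dst, 17, 1, len(udp) + 32) + udp
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ipv4_header(replier, probe_src, 1, 64, len(icmp)) + icmp

def parse_reply(packet):
    """Return (replier_ip, kind, probe_port) or None for anything that is not a reply
    to a UDP probe; kind is 'hop' (TTL expired) or 'done' (port unreachable)."""
    if len(packet) < 56:                       # outer IP + ICMP + quoted IP + 8 bytes UDP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                         # outer protocol is not ICMP
        return None
    replier = socket.inet_ntoa(packet[12:16])
    icmp_type, code = packet[ihl], packet[ihl + 1]
    inner = packet[ihl + 8:]                   # quoted header of the probe we sent
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17:                         # quoted datagram is not UDP
        return None
    probe_port = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    if icmp_type == ICMP_TIME_EXCEEDED and code == 0:
        return replier, "hop", probe_port      # an intermediate router
    if icmp_type == ICMP_DEST_UNREACH and code == 3:
        return replier, "done", probe_port     # the destination: trace is finished
    return None

def demo_trace():
    # Constructed replies for a 2-router path ending at 198.51.100.7; probe n uses BASE_PORT + n.
    src, dst = "192.0.2.10", "198.51.100.7"
    replies = [build_reply("10.0.0.1", src, dst, 11, 0, BASE_PORT),
               build_reply("10.0.1.1", src, dst, 11, 0, BASE_PORT + 1),
               build_reply(dst, src, dst, 3, 3, BASE_PORT + 2)]
    return [parse_reply(r) for r in replies]
```

Note that the quoted UDP destination port is what ties a reply to a specific probe; a reply whose quoted port does not match any outstanding probe should simply be ignored.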
4. Commonly used traceroute commands
The usage of traceroute is: traceroute [options]
The [options] can be:
-n : display addresses numerically rather than symbolically
-v : verbose output
-p : set the UDP port (default is 33434)
-q : set the number of probes sent per TTL (default is 3)
-t : set the type of service of the packets
5. Some points to note
Not every gateway faithfully returns ICMP Time Exceeded messages. For security reasons, most firewalls, and routers with the firewall function enabled, do not return any kind of ICMP packet in their default configuration, and a router or switch may also have been deliberately reconfigured by its administrator so that it does not return ICMP packets. So the traceroute program may not be able to obtain the address of every gateway along the path. When the packets sent with a given TTL value get no response, the tracking process does not stop: the program still increases the TTL and sends packets, and it keeps doing so until the packets reach the target host or until the default or parameter-specified hop limit (maximum_hops) ends the trace.
Based on the principle above, a traceroute program that uses UDP packets faces another problem: when a packet reaches the real destination host, the host may simply discard it because it does not provide a UDP service, returning nothing. To solve this, traceroute deliberately uses a port number greater than 30000; because no ordinary UDP service listens on a port number that high, the only thing the target host can do after receiving the packet is return a "port unreachable" ICMP packet, and the caller then takes the port-unreachable message as the sign that the trace has ended.
When using UDP traceroute, failures are more common. This is often because the operators' routers treat UDP and ICMP very differently. To help with troubleshooting, ICMP Echo Request/Reply is not blocked, but UDP is different: UDP is often used for network attacks, because it is connectionless and has no state constraints, which makes it convenient for an attacker to forge the source IP and destination port and send any number of UDP packets of custom length. So for safety, operators often apply a whitelist ACL to UDP ports: only ports explicitly allowed by the ACL may pass, and everything not explicitly allowed is discarded, for example allowing only DNS/DHCP/SNMP.
To summarize, traceroute mainly uses the TTL field of the IP packet plus ICMP. The IP protocol of the probe packets it sends to detect the network path can be UDP, TCP or ICMP; the probe packets in each mode are designed as follows:
UDP mode: a UDP probe packet (target port greater than 30000) + intermediate gateways send ICMP TTL-exceeded packets + the target host sends an ICMP Destination Unreachable packet
TCP mode: a TCP SYN probe packet (target port 80 for web services) + intermediate gateways send ICMP TTL-exceeded packets + the target host sends a TCP SYN/ACK packet
ICMP mode: an ICMP Echo Request (ping) probe packet + intermediate gateways send back ICMP TTL-exceeded packets + the target host sends back an ICMP Echo Reply packet (ping)
Analysis of traceroute: the source sends ICMP Echo Requests; the first request has TTL 1, the second has TTL 2, and so on, increasing until 30. Each intermediate router returns an ICMP TTL-expired message (ICMP type 11) to the source while dropping the packet whose TTL has expired, so the source learns every router along the way. The final destination returns an ICMP Echo Reply (it is the last hop, so it does not return ICMP TTL-expired). Therefore, if any router in the middle blocks ICMP Echo Requests, traceroute cannot work at all; if type 11 (TTL-expired) is blocked, none of the intermediate routers can be seen, but the packet can be seen to reach the final destination; if ICMP Echo Reply is blocked, all the intermediate routers can be seen but the final destination cannot.
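The three filtering cases in the analysis above, together with the point from section 5 that a silent gateway does not stop the trace (it runs on to the hop limit), are easy to see on a modelled path. This simulation is an added example, not code from the original article: it models ICMP-mode traceroute over a constructed list of routers, each with a set of ICMP messages its ACL drops, and returns the hop table exactly as the TTL loop would build it. The router and destination addresses are assumptions for the demo.

```python
MAX_HOPS = 30  # default hop limit: the analysis above says the TTL increases until 30

# Constructed path model for ICMP-mode traceroute. Each router is (ip, dropped), where
# dropped is a set of the ICMP messages that router's ACL discards:
#   "echo_request": probes are dropped on arrival, so nothing beyond is reachable
#   "ttl_expired" : the router silently drops expired probes, sending no type 11
#   "echo_reply"  : the destination's Echo Reply is dropped on the way back

def icmp_traceroute(path, dest, max_hops=MAX_HOPS):
    """Return [(ttl, ip_or_star), ...] as traceroute would print them.
    The loop stops only when the destination answers or max_hops is reached."""
    rows = []
    for ttl in range(1, max_hops + 1):
        seen, reached = "*", False
        remaining = ttl
        for ip, dropped in path:
            if "echo_request" in dropped:
                break                      # probe discarded; no reply of any kind
            remaining -= 1
            if remaining == 0:             # TTL expired at this router
                if "ttl_expired" not in dropped:
                    seen = ip              # router reports itself with ICMP type 11
                break
        else:
            # Probe passed every router: the destination answers with an Echo Reply,
            # which must itself get back through every router.
            if not any("echo_reply" in d for _, d in path):
                seen, reached = dest, True
        rows.append((ttl, seen))
        if reached:
            break
    return rows

def render(rows):
    """Format rows the way traceroute output looks, e.g. ' 2  *'."""
    return "\n".join(f"{ttl:2d}  {ip}" for ttl, ip in rows)

DEST = "198.51.100.7"
PATH_OK      = [("10.0.0.1", set()), ("10.0.1.1", set()), ("10.0.2.1", set())]
PATH_SILENT  = [("10.0.0.1", set()), ("10.0.1.1", {"ttl_expired"}), ("10.0.2.1", set())]
PATH_NOREPLY = [("10.0.0.1", set()), ("10.0.1.1", {"echo_reply"}), ("10.0.2.1", set())]
PATH_NOREQ   = [("10.0.0.1", set()), ("10.0.1.1", {"echo_request"}), ("10.0.2.1", set())]

if __name__ == "__main__":
    for name, path in [("normal", PATH_OK), ("silent hop", PATH_SILENT),
                       ("echo reply blocked", PATH_NOREPLY), ("echo request blocked", PATH_NOREQ)]:
        print(f"--- {name} ---\n{render(icmp_traceroute(path, DEST))}")
```

A single silent hop shows up as one "*" line and the trace still completes; a blocked Echo Reply or a blocked Echo Request never completes, so the output runs to all 30 hops, which is the behaviour to expect when troubleshooting a path through a filtering gateway.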