Thursday, May 10, 2012

How Traceroute Works

There are scenarios in which one would like to know the route which a connection follows. By route here we mean the IP addresses of all the forwarding entities (like routers in between).
Although there is no guarantee that the route will remain same for all the packets of a connection but usually it is same. This route related information can be very handy while debugging network related issues.

traceroute utility prints out complete route to a particular destination. In this article we will discuss how traceroute works and will see some practical examples.

How Traceroute Works?

Before beginning with examples, lets understand the concept on which traceroute works.
Traceroute utility uses the TTL field in the IP header to achieve its operation. For users who are new to TTL field, this field describes how much hops a particular packet will take while traveling on network.
So, this effectively outlines the lifetime of the packet on network. This field is usually set to 32 or 64. Each time the packet is held on an intermediate router, it decreases the TTL value by 1. When a router finds the TTL value of 1 in a received packet then that packet is not forwarded but instead discarded.
After discarding the packet, router sends an ICMP error message of “Time exceeded” back to the source from where packet generated. The ICMP packet that is sent back contains the IP address of the router.
So now it can be easily understood that traceroute operates by sending packets with TTL value starting from 1 and then incrementing by one each time. Each time a router receives the packet, it checks the TTL field, if TTL field is 1 then it discards the packet and sends the ICMP error packet containing its IP address and this is what traceroute requires. So traceroute incrementally fetches the IP of all the routers  between the source and the destination.
You should also understand the IP header fields that we discussed a while back.

Traceroute Examples

1. How to run traceroute?

$ traceroute <server-name>
The server-name above is the destination name or IP address.  For example, traceroute is used to find the network path from my machine to google.com :
$ traceroute google.com
traceroute to google.com (74.125.236.132), 30 hops max, 60 byte packets
1  220.224.141.129 (220.224.141.129)  89.174 ms  89.094 ms  89.054 ms
2  115.255.239.65 (115.255.239.65)  109.037 ms  108.994 ms  108.963 ms
3  124.124.251.245 (124.124.251.245)  108.937 ms  121.322 ms  121.300 ms
4  * 115.255.239.45 (115.255.239.45)  113.754 ms  113.692 ms
5  72.14.212.118 (72.14.212.118)  123.585 ms  123.558 ms  123.527 ms
6  72.14.232.202 (72.14.232.202)  123.499 ms  123.475 ms  143.523 ms
7  216.239.48.179 (216.239.48.179)  143.503 ms  95.106 ms  95.026 ms
8  bom03s02-in-f4.1e100.net (74.125.236.132)  94.980 ms  104.989 ms  104.954 ms
Each lines gives the details of interaction with each router encountered. So we see that traceroute not only gives the IP addresses of the intermediate routers but also three round trip times for that particular router as for each router the traceroute commands fires three packets.

The ‘*’ field in output

There are times when one could encounter an ‘*’ in the output rather than a value. This depicts that the required field could not be fetched. The reason can be anything from reverse DNS lookup failure to packets not hitting the target router to packets getting lost on their way back. So we see that the reason could be many but for all these type of cases the traceroute utility provides an * in the output.

2. Disable IP address and host name mapping

Traceroute provides and option through which the mapping of IP addresses with host name (that traceroute tries) is disabled. The option for doing this is ‘-n’ . Following example illustrates it :
$ traceroute google.com -n
traceroute to google.com (173.194.36.7), 30 hops max, 60 byte packets
1  220.224.141.129  109.352 ms  109.280 ms  109.248 ms
2  115.255.239.65  131.633 ms  131.598 ms  131.573 ms
3  124.124.251.245  131.554 ms  131.529 ms  131.502 ms
4  115.255.239.45  131.478 ms  131.464 ms  199.741 ms
5  72.14.212.118  199.674 ms  199.637 ms  199.603 ms
6  209.85.241.52  199.578 ms  199.549 ms  209.838 ms
7  209.85.241.187  199.488 ms  177.264 ms  177.196 ms
8  173.194.36.7  177.159 ms  187.463 ms  187.434 ms
So we see that no host name is displayed in the output.

3. Configure Response Wait Time

The time for which traceroute utility waits after issuing a probe can also be configured. This can be done through ‘-w’ option that it provides. The -w option expects a value which the utility will take as the response time to wait for. In this example, the wait time is 0.1 seconds and the traceroute utility was unable to wait for any response and it printed all the *’s.
$ traceroute google.com -w 0.1
traceroute to google.com (74.125.236.101), 30 hops max, 60 byte packets
1  * * *
2  * * *
3  * * *
..
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
So we see that traceroute tried 30 attempts (the max hop attempts) and then gave up as no ICMP packet was received in 0.1 seconds.

4. Configure Number of Queries per Hop

As already explained earlier, the traceroute utility sends 3 packets per hop to provide 3 round trip times. This default value of 3 is configurable using the option ‘-q’. This option expects an integer which it sets as new value of number of probes per hop.
$ traceroute google.com -q 5
traceroute to google.com (173.194.36.46), 30 hops max, 60 byte packets
1  220.224.141.129 (220.224.141.129)  91.579 ms  91.497 ms  91.458 ms  91.422 ms  91.385 ms
2  115.255.239.65 (115.255.239.65)  91.356 ms  91.325 ms  98.868 ms  98.848 ms  98.829 ms
3  124.124.251.245 (124.124.251.245)  94.581 ms  107.083 ms  107.044 ms  107.017 ms  106.981 ms
4  115.255.239.45 (115.255.239.45)  106.948 ms  106.918 ms  144.432 ms  144.412 ms  144.392 ms
5  72.14.212.118 (72.14.212.118)  115.565 ms  115.485 ms  115.446 ms  115.408 ms  115.381 ms
6  72.14.232.202 (72.14.232.202)  115.351 ms  87.232 ms  117.157 ms  117.123 ms  117.049 ms
7  209.85.241.189 (209.85.241.189)  126.998 ms  126.973 ms  126.950 ms  126.929 ms  126.912 ms
8  bom04s02-in-f14.1e100.net (173.194.36.46)  126.889 ms  95.526 ms  95.450 ms  95.418 ms  105.392 ms
So we see that after configuring the number of probes to 5, the output started showing five round trip times per hop.

5. Configure the TTL value to start with

Traceroute utility is flexible enough to accept the TTL value that the user wants to start the utility with. By default its value is 1 which means it starts off with the first router in the path but using the ‘-f’ option (which expects the new value of TTL) a new value of the TTL field can be set. For example, I tried a normal traceroute operation and then tried a traceroute with a different TTL value.
$ traceroute google.com
traceroute to google.com (74.125.236.132), 30 hops max, 60 byte packets
1  220.224.141.129 (220.224.141.129)  89.181 ms  101.540 ms  101.503 ms
2  115.255.239.65 (115.255.239.65)  101.468 ms  101.431 ms  101.324 ms
3  124.124.251.245 (124.124.251.245)  121.373 ms  121.350 ms  158.694 ms
4  115.255.239.45 (115.255.239.45)  101.223 ms  141.135 ms  123.932 ms
5  72.14.212.118 (72.14.212.118)  123.867 ms  123.832 ms  123.802 ms
6  72.14.232.202 (72.14.232.202)  123.773 ms  123.742 ms  587.812 ms
7  216.239.48.179 (216.239.48.179)  587.723 ms  587.681 ms  587.642 ms
8  bom03s02-in-f4.1e100.net (74.125.236.132)  577.548 ms  577.524 ms  587.512 ms

$ traceroute google.com -f 8
traceroute to google.com (74.125.236.129), 30 hops max, 60 byte packets
8  bom03s02-in-f1.1e100.net (74.125.236.129)  96.961 ms  96.886 ms  96.849 ms
So we see that after using the -f option with value 8, only the last (8th) line from the previous output was shown.

No comments:

Post a Comment