My understanding has always been that it sends out 3 UDP packets with a TTL of 1; once those return, it sends out another set with a TTL of 2 and so on until it reaches the intended destination. Is this the Unix version? Are there other versions of Traceroute that use ICMP instead of UDP packets? Can someone who has a master grasp of the matter explain? Thanks.
Yes - this is a very tricky application to master since there are so many different implementations. For example, Windows uses ICMP echoes by default, while most Linux operating systems use UDP by default, with the option to use ICMP. The Cisco IOS uses UDP, and there are even some implementations in the field that rely on TCP.
While there are many, many different implementations, the goal of traceroute is always the same. Traceroute seeks to have the routers between the source and destination identify themselves, and then have the destination respond to the source management station to confirm its reachability.
In the case of ICMP, the routers identify themselves using Time Exceeded ICMP packets back to the source when the TTL is decremented to zero. The destination can respond to traceroute using an ICMP echo request.
For more information on Cisco's implementation of both ping and traceroute - check out:
Anthony, thank you very much for the clarification. A friend of mine and I were having a deep discussion about this and I guess we were both correct. I had no idea there were different implementations of this. Thanks again.
I put together a blog post about permitting Traceroute through the ASA. I know your question is not specific to the ASA, but if you read through this it will probably make a lot of sense to you. The reply methods are a bit different based on whether the UDP or ICMP method is used. Anyway, I think it is worth a read--
I've just been tasked with doing this exact thing so you saved me a lot of trouble.
I have done this once before a long time ago with a PIX but I could never get the FW to show up in the trace as you document here. Thanks!
When you issue the traceroute command, the utility starts sending a packet (Internet Control Message Protocol), including in the packet a "time to live" (TTL) time limit value. It is designed to be exceeded by the first router that receives it, which will send back a "time exceeded" message.
This enables traceroute to calculate the time needed for the hop to the first router. It then resends the packet increasing the time limit value so that it will reach the second router in the path to the destination point, which returns another "time exceeded" message, and so on.
Traceroute finds out when the packet has reached the destination point by including a port number that is outside of the normal range. When it is received, a "port unreachable" message is returned, enabling traceroute to determine the time length of the final hop. Each hop is measured three times by most traceroute programs (* indicates a hop that exceeded some limit). Traceroute may take up to a few minutes to complete.
Port unreachable is what the destination returns when using the UDP method. When using the ICMP method, the final hop will 1) return an echo reply, 2) return administratively prohibited, or 3) return nothing at all.
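To make the mechanics described in the last two posts concrete (TTL stepped up one at a time, three probes per hop, "*" for a silent hop, and a different final-hop reply depending on whether UDP or ICMP probes are used), here is an added example that is not from this thread or from any vendor's traceroute. It is a deterministic offline simulation: the routers, the destination host, the names r1/r2/r3 and "host", and the policy values are all constructed assumptions, and nothing is sent on a real network.

```python
# Added example (not from the thread): a deterministic, offline simulation of the
# TTL-stepping algorithm the posts above describe. Routers and the destination
# are constructed Python objects; nothing touches a real network.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROBES_PER_HOP = 3                # most traceroute programs probe each hop three times
DEFAULT_MAX_HOPS = 30
Reply = Optional[Tuple[str, str]] # (reply type, responder name), or None for "*"

# Replies that tell traceroute the probe reached the destination, so it stops.
FINAL_REPLIES = {"port-unreachable", "echo-reply", "admin-prohibited"}


@dataclass
class Probe:
    mode: str                 # "udp" (closed high port) or "icmp" (echo request)
    ttl: int
    dst_port: int = 33434     # common UDP traceroute base port; assumed closed


@dataclass
class Router:
    name: str
    silent: bool = False      # a hop that never sends Time Exceeded shows as "*"

    def handle(self, probe: Probe) -> object:
        """Decrement TTL; at zero, discard the probe and answer Time Exceeded."""
        probe.ttl -= 1
        if probe.ttl > 0:
            return "forward"
        return None if self.silent else ("time-exceeded", self.name)


@dataclass
class Destination:
    name: str
    icmp_policy: str = "reply"   # "reply", "prohibit" (admin prohibited) or "drop"

    def handle(self, probe: Probe) -> Reply:
        """The final host answers according to the probe type, as the thread says."""
        if probe.mode == "udp":
            # Nothing listens on the high port, so the host returns Port Unreachable.
            return ("port-unreachable", self.name)
        if self.icmp_policy == "prohibit":
            return ("admin-prohibited", self.name)
        if self.icmp_policy == "drop":
            return None               # echo request silently filtered: "nothing at all"
        return ("echo-reply", self.name)


def send_probe(path: List[Router], dest: Destination, probe: Probe) -> Reply:
    """Walk the probe hop by hop until a router expires it or the host answers."""
    for router in path:
        outcome = router.handle(probe)
        if outcome != "forward":
            return outcome
    return dest.handle(probe)


def traceroute(path, dest, mode="udp", max_hops=DEFAULT_MAX_HOPS):
    """Return [(ttl, [reply, reply, reply]), ...], stopping at a final reply."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, dest, Probe(mode, ttl)) for _ in range(PROBES_PER_HOP)]
        hops.append((ttl, replies))
        if any(r is not None and r[0] in FINAL_REPLIES for r in replies):
            break
    return hops


def render(hops):
    """Format output in the usual one-line-per-TTL style ('*' for no reply)."""
    lines = []
    for ttl, replies in hops:
        cells = ["*" if r is None else f"{r[1]}({r[0]})" for r in replies]
        lines.append(f"{ttl:2d}  " + "  ".join(cells))
    return "\n".join(lines)


# Constructed topology: three routers, the second one never returns ICMP errors.
PATH = [Router("r1"), Router("r2", silent=True), Router("r3")]

if __name__ == "__main__":
    print("UDP probes (Linux / IOS default):")
    print(render(traceroute(PATH, Destination("host"), "udp")))
    print("ICMP echo probes, destination answers 'administratively prohibited':")
    print(render(traceroute(PATH, Destination("host", "prohibit"), "icmp")))
```

Running it shows why a filtered hop appears as `*  *  *` while the trace still continues, and why a UDP trace ends on port unreachable whereas an ICMP trace ends on echo reply, administratively prohibited, or (with the `"drop"` policy) keeps going until `max_hops` because the host never answers.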