Ady Wicaksono Daily Activities

Traceroute – how it works?


I was a network and system administrator, and one of the tools I used was traceroute (tracert on Windows). See this example tracert run from my desktop:

Tracing route to www.yahoo-ht3.akadns.net [69.147.114.210]
over a maximum of 30 hops:
1     2 ms     1 ms     2 ms  192.168.1.1
2     9 ms    15 ms    12 ms  10.53.128.1
3    13 ms    11 ms    12 ms  172.20.53.65
4    12 ms    11 ms     8 ms  172.26.53.1
5    16 ms    12 ms    13 ms  172.20.8.245
6    12 ms    14 ms    13 ms  203.116.5.125
7    20 ms    16 ms    24 ms  203.118.3.229
8   232 ms   237 ms   230 ms  so-4-0-0.edge2.LosAngeles1.Level3.net [4.71.134.1]
9   233 ms   232 ms   230 ms  ae-2-54.bbr2.LosAngeles1.Level3.net [4.68.102.97]
10   237 ms   229 ms   232 ms  ae-0-0.bbr1.SanJose1.Level3.net [64.159.1.129]
11   316 ms   230 ms   426 ms  ae-13-69.car3.SanJose1.Level3.net [4.68.18.5]
12   386 ms   402 ms   400 ms  4.71.112.14
13   283 ms   294 ms   287 ms  so-0-0-0.pat2.dcp.yahoo.com [216.115.101.150]
14   292 ms   295 ms   289 ms  ge-3-1-0-p171.msr2.re1.yahoo.com [216.115.108.71]
15   288 ms   291 ms   293 ms  gi1-22.bas-a1.re3.yahoo.com [68.142.238.65]
16   285 ms   286 ms   286 ms  f1.www.vip.re3.yahoo.com [69.147.114.210]

Traceroute relies on the TTL (time-to-live) field of IP (Internet Protocol). TTL is an upper bound on how long an IP datagram can exist in an internet system. Each router on the route to the destination decreases the TTL field by one. If the TTL field reaches zero before the datagram arrives at its destination, the datagram is discarded and an ICMP error message (type 11, Time Exceeded) is sent back to the sender.

So for the previous example, the traceroute application first sets TTL to 1 on a datagram addressed to http://www.yahoo.com. When the datagram passes 192.168.1.1 the value is reduced by one and becomes zero, so host 192.168.1.1 sends back an ICMP error message. The traceroute application then knows that the first hop is 192.168.1.1. Next it sets TTL to 2; after 10.53.128.1 the TTL value becomes 0, and since the datagram still has not reached its final destination, 10.53.128.1 sends the ICMP error message. Again and again the traceroute application increases the TTL value and collects the ICMP error message from each hop, until the TTL value is large enough to reach the final destination. The result is the traceroute log shown above.
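As an added illustration (not code from the original post), the following Python script simulates the probe loop just described: each router decrements TTL, the router that hits zero answers with ICMP Time Exceeded, and traceroute raises TTL by one per probe until the destination itself answers. The route is constructed from the hop addresses in the tracert output above; the `silent` set, which models a filtered router that never replies, and the function names are assumptions made for the model.

```python
from typing import List, Optional, Set, Tuple

# ICMP message type 11, "Time Exceeded" (RFC 792).
ICMP_TIME_EXCEEDED = 11

# Constructed route: the 15 intermediate routers from the tracert output
# above, followed by the destination host. The real tool learns these one
# probe at a time; the list is only here so the simulation has a path.
ROUTERS = [
    "192.168.1.1", "10.53.128.1", "172.20.53.65", "172.26.53.1",
    "172.20.8.245", "203.116.5.125", "203.118.3.229", "4.71.134.1",
    "4.68.102.97", "64.159.1.129", "4.68.18.5", "4.71.112.14",
    "216.115.101.150", "216.115.108.71", "68.142.238.65",
]
DESTINATION = "69.147.114.210"


def forward(ttl: int, routers: List[str], destination: str,
            silent: Optional[Set[str]] = None) -> Tuple[str, Optional[str]]:
    """Send one datagram with the given TTL along the route.

    Every router decrements TTL before forwarding. When TTL hits zero the
    router discards the datagram and replies with ICMP Time Exceeded
    (type 11), unless it is in `silent` (a filtered router that drops the
    datagram without answering, an assumed edge case for this model).
    Returns ("time_exceeded", router), ("arrived", destination) or
    ("no_reply", None).
    """
    silent = silent or set()
    for router in routers:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return "no_reply", None
            return "time_exceeded", router
    # TTL was large enough to cross every router, so the destination
    # receives the datagram and answers; that reply ends the trace.
    return "arrived", destination


def traceroute(routers: List[str], destination: str, max_hops: int = 30,
               silent: Optional[Set[str]] = None) -> List[str]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or
    max_hops is reached; a hop that never replies is reported as "*"."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        event, address = forward(ttl, routers, destination, silent)
        hops.append(address if event != "no_reply" else "*")
        if event == "arrived":
            break
    return hops


if __name__ == "__main__":
    for number, hop in enumerate(traceroute(ROUTERS, DESTINATION), start=1):
        print(f"{number:2d}  {hop}")
```

Running it prints the same 16 hops as the tracert output above, in order; passing `max_hops=5` stops after the fifth router, exactly as the "maximum of 30 hops" limit would on a longer path.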

Another issue: on UNIX platforms the traceroute application needs raw access to the ICMP protocol, which is only available to root (or any user with uid = 0). So traceroute is usually installed with the setuid root flag active, which can become a security hole. Don't worry, a current traceroute application is normally secure enough even with the setuid root flag active, because it opens its raw socket first and drops root privileges right afterwards.

For more information about ICMP, please refer to RFC 792.

Written by adywicaksono

October 5, 2007 at 4:10 pm

Posted in networking
