How to use Traceroute Command In Linux
Hi welcome back today I will be explaining a little about Traceroute and how we can use Traceroute to diagnose network connectivity problems. By using Traceroure we can also revel revel what route packets have taken to reach there destination. Traceroute is a Networking diagnostic utility for displaying and also measuring the path traffic takes when it’s distributed across a internet protocol network. When your traffic is distributed it must first go through several intermediaries before reaching the destination this destination can also be known as an end point this is the last point that the traffic reaches let say for example we done a TraceRoute on a website. Traffic will go through your local router then to your internet service providers routers and then on to larger sets of networks and so forth. Each time the traffic takes a hop delays will occur at each stop the network route takes. Traceroute then sends sequences of ICMP/UDP packets this is the protocol that is also used by the ping command. The first ICMP/UDP packet has a TTL (time-to-live) this can also be known as a hop limit so for example let’s say the first packet has a TTL of 1, the second ICMP/UDP packet has a TTL of 2, and so forth . TTL is often set to 32 or 64 when packets are held by intermediate routers. Every time a packet is then passed along the network to a new router the TTL will decrease by 1 when TTL reaches 0 the packet will then be discarded by the network and an error will would be returned by the router such as ICMP port unreachable or TCP reset. When we send packets this way it ensures that Traceroute will discard packets and send back a response.
The payload can also vary as well as the source and its destination ports Traceroute does this to avoid firewalls or discover sizes of packets being dropped along the network path. The Internet Control Message Protocol (ICMP) has many messages that can be identified by a type. All versions of traceroute rely on ICMP type 11 (Time exceeded) responses from each hop along the route. If ICMP type 11 responses are being blocked by a firewall or IDS , will not be able to function as they are inbound not outbound. ICMP type 30 is used for traceroute and is as an “Information Request”. Traditional traceroute uses UDP to increment ports for every hop packets take. Traceroute is not limited to ICMP/UDP it can also provide support for protocols such as TCP, SYN etc. Default UDP port on unix-like implementation are from 33434 to 33534. ICMP implementations use an “echo request” (type 8).
ICMP type 0 “echo response” may come back as the very last packet this happens when the TTL equals exactly with the number of hops. Traceroute will know it has finished when it receives a ICMP type 0 response ICMP type 0 are inbound packets.
TCP SYN packets will cause either a
RST reset packet or a
SYN ACK packet in response when they reach their destination a SYN ACK, SYN Packets handle 3-way Handshake also called TCP-handshake. TCP (Transmission Control Protocol) three way handshaking technique is often referred to as “SYN-SYN-ACK” or to be a little more accurate SYN, SYN-ACK, ACK. These handshakes are implemented so that both ends can use separate TCP socket connections at the same time in a orderly fashion without colliding with each other. For example if you were to receive a SYNC ACK packet its good procedure to send back a RST (Reset Packet) this helps stop half open connections being left on the server.
It is also possible to receive ICMP type 3 code 4 responses back instead of ICMP type 11 responses when sending a larger packets with the “Do not fragment” flag. However Traceroute will often go with the smallest MTU (maximum transmission unit) to find the hop. MTU is the size of the largest network layer protocol that can be communicated with using only one single transaction.
If you’re running a traceroute on a website let’s say one hosted in a different part of the world or a region further away you will be able to see how the hops the network will take to the paths will differ. When packets are sent to a router this can be known as a hop these are basically like check in points for your traffic as it makes it journey to its end destination. The first line represents home router if you connecting with a router. The next lines in the sequence then represent ISP and then each line further below represents a router or gateway that is further away.
The sequence and displayed Traceroute takes will go as follows.
Hop RTT1 RTT2 RTT3 Domain Name [IP Address]
Whenever a packet is passed along the network between a router, this can also be referred to as a hop. Screen shot below shows that packets takes 13 hops to reach HackingVision web server.
Round Trip Time also known in short as RTT this is the time it takes for a packet to receive a hop and back to your computer or personal Internet device. Round Trip Time is recorded in milliseconds RTT can also be referred to as latency RTT1, RTT2, RTT3 represent the time is takes to complete hops back to your computer. Three packets are sent by Traceroute each hop taken will display each time a hop has been made, This will then give you an understanding if the latency is consistent or inconsistent. If you receive back a * this indicates that there is packet loss somewhere along its journey.
When using Traceroute on various domain names or ip addresses it can help find a location of the router. If location can’t be found then Traceroute will display only the IP address of the router. If we use another Linux tool called My Trace Route also known as in short as MTR we can display packet loss at every hop the the packets are traveling to. The default probe datagram length is 40 bytes in TraceRoute but it can be increased by specifying a packet size in bytes after the destination host name when setting Traceroute command from terminal.
Traceroute traffic can be blocked by certain gateways or firewall IDS software or by the TTL of the reply packet as it could get mismatched to the probes remaining TTL this would cause the packet response to never be returned to the sender.
When routers first connect with networks they use a Protocol called IP the Internet Protocol (IP) and OSPF (Open Shortest Path First) OSPF is a routing protocol that is implemented to find the best path for packets as they pass through a set of connected networks and intermediates.
Bare in mind a traceroute will show you how many layer 3 hops you are getting to from A to B. But in reality it could possibly be going through hundreds of switches in between. When traffic is traveling it could also be going through 10 of the ISP routers running on a VPN or behind transparent firewalls however this can be deceiving as it will often only be displayed as a single hop. Traditional VPNs are characterized by a point-to-point topology this is one of the simplest topology methods they are a permanent link between two endpoints they often do not tend to support or connect broadcast domains, so services such as Microsoft Windows NetBIOS may not be fully supported or work as they would on a local area network (LAN). Designers have developed VPN variants, such as Virtual Private LAN Service (VPLS), and layer-2 tunneling protocols, to overcome this limitation. Multiprotocol Label Switching (MPLS) is a type of data-carrying technique for high-performance telecommunications networks this protocol could hide its internals or show its internals back to you also bare in mind that there could also be transparent firewalls along the traffic’s path. You can never truly guarantee that every single response in the path will count as a hop it can be very deceiving at times because you could be going through any number of devices but it could show in Traceroute results lower than it actually for example it could show in results 10 hops when really it could have taken even more for sure it’s a problem that will arrive at some point but also bare in mind if Traceroute give a displayed results of 10 hops it could indeed be 10 hops.
In Traceroute you can also configure the number of queries per hop.
Command: traceroute hackingvision.com -q 10 (This command would set number of queries per hop to 10 change this number for lower and higher hop queries).
traceroute hackingvision.com -q 10
Traceroute on Switches and Layer 2 devices
Cisco has a utility that works on Layer 2. But this utility is dependent on CDP protocol which :
Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For the Layer 2 traceroute utility to function properly, do not disable CDP. If any devices in the Layer 2 path are transparent to CDP, the Layer 2 traceroute utility cannot identify these devices on the path.
How to use Traceroute
To use Traceroute in Linux open up a new command terminal and enter the following commands replacing hackingvision.com with domain or ip address you will be using.
traceroute hackingvision.com traceroute 192.168.1.1
traceroute [options] host [packetsize] [Options: -d -f n -F -g addr -i interface -I -m max_ttl -n -p port -q n -r -s src_addr -t tos -v -w wait -x -z msecs]
Using -n option will disregard resolving host names and can yield much faster results in some cases.
traceroute -n host [packetsize]
If you enjoyed this article please consider sharing it on social media and with your friends thanks for supporting HackingVision.
Subscribe to our news letter by leaving your mail in the form below.