Charly's Column – traceroute

Practically every admin uses the classic traceroute tool at more or less regular intervals. This gets me all the more irritated when I find myself in a hotel with a WiFi network where the admin has completely disabled ICMP. Apart from the fact that this causes more trouble than benefits in what is by definition a public network, it can be easily circumvented.

The first version of traceroute was written in 1988 by a certain Van Jacobsen – Van is his first name, not an honorific. To be able to trace the path of packets through the web, Jacobsen came up with a clever method. He sent test packets through the Internet to a defined destination and increased the time to live (TTL) value for each packet.

The first packet is assigned a TTL of one. Each router that transports the packet further reduces the TTL by one. Once the TTL reaches a value of zero, the router sends it back with an ICMP TTL exceeded message. By successively increasing the TTL, Jacobsen got the packets back from routers that were further and further away and was able to follow the path of the packet until it finally reached its destination.

This does not work if the remote peer suppresses ICMP messages. However, traceroute has evolved over the years. It has been able to use an alternative TCP-based method that relies on TCP SYN packets for quite some time. Figure 1 shows two traceroutes to the same destination, the BBC web server (bbc.co.uk). The first call gets stuck at some point, probably due to an ICMP filter. The second one uses TCP SYN packets – it gets to its destination unhindered.

Figure 1: Where the classic traceroute fails, a simple -T (for TCP-SYN) often does the trick.

Alternative traceroute tools, such as MTR [1], which continuously repeats the trace and thus helps to detect occasional packet losses, take things one step further. Another very interesting tool is Layer Four Traceroute (LFT [2]). It can handle other transport methods and thus makes it through most firewalls. In addition, it can output whose network blocks the packet is passing through, including the number of the autonomous system responsible for it (Figure 2).

Figure 2: Knows where it's going: LFT makes it through most firewalls and returns the network blocks it has passed through.

It is therefore worthwhile to take a closer look at the different traceroute variations – if only to keep your blood pressure down during your next hotel stay.