ping and trace route

7/30/2019 Ping and Trace Route

1/28

ICMP: Ping and Trace


2/28

2

ICMP (Internet Control Message Protocol)

ICMP: A Layer 3 protocol

Used for sending messages

Encapsulated in a Layer 3, IP packet

Uses Type and Code fields for various messages

Ethernet Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message

(Layer 3)

Ether.

Tr.Ethernet

DestinationAddress

(MAC)

Ethernet

SourceAddress

(MAC)

Frame

Type

Source IP Add.

Dest. IP Add.Protocol field

Type

0 or 8

Code

0

Check-

sum

ID Seq.

Num.

Data FCS

Partial list


3/28

3

ICMP

Unreachable Destination or Service

Used to notify a host that the destination or service is unreachable.

When a host or router receives a packet that it cannot deliver, it may send

an ICMP Destination Unreachable packet to the host originating thepacket.

The Destination Unreachable packet will contain codes that indicate whythe packet could not be delivered.

From a router:

0 = network unreachable Does not have a route in the routing table

1 = host unreachableHas a route but cant find host. (end router)From a host:

2 = protocol unreachable

3 = port unreachable

Service is not available because no daemon is running providing

the service or because security on the host is not allowing accessto the service.

Ethernet Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message

(Layer 3)

Ether.

Tr.Ethernet

Destination

Address

(MAC)

Ethernet

Source

Address

(MAC)

Frame

Type

Source IP Add.

Dest. IP Add.

Protocol field

Type

0 or 8

Code

0

Check-

sum

ID Seq.

Num.

Data FCS


4/28

4

172.30.1.20 172.30.1.25


5/28

5

Ping

Uses ICMP message encapsulated within an IP Packet

Protocol field = 1

Does not use TCP or UDP

Format

pingip address(orping for extended ping)ping 172.30.1.25

Ethernet Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message

(Layer 3)

Ether.

Tr.Ethernet

DestinationAddress

(MAC)

Ethernet

SourceAddress

(MAC)

Frame

Type

Source IP Add.

Dest. IP Add.Protocol field

Type

0 or 8

Code

0

Check-

sum

ID Seq.

Num.

Data FCS


6/28

6

Echo Request

The sender of the ping, transmits an ICMP message, Echo Request

Echo Request - Within ICMP Message

Type = 8

Code = 0

Ethernet Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message - Echo Request

(Layer 3)

Ether.

Tr.Ethernet

Destination

Address

(MAC)

Ethernet

Source

Address

(MAC)

Frame

TypeSource IP

Add.172.30.1.20

Dest. IP Add.

172.30.1.25Protocol field

1

Type

8

Code

0

Check-

sum

ID Seq.

Num.

Data FCS


7/28

7

Echo Reply

The IP address (destination) of the ping, receives the ICMP message,Echo Request

The ip address (destination) of the ping, returns the ICMP message, EchoReply

Echo Reply - Within ICMP Message

Type = 0

Code = 0

Ethernet Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message - Echo Reply

(Layer 3)

Ether.

Tr.Ethernet

Destination

Address

(MAC)

Ethernet

Source

Address

(MAC)

Frame

TypeSource IP

Add.

172.30.1.25

Dest. IP Add.

172.30.1.20Protocol field

1

Type

0

Code

0

Check-

sum

ID Seq.

Num.

Data FCS


8/28

8

Ping example


9/28

9

Q: Are pings forwarded by routers?

A: Yes! This is why you can ping devices all over the Internet.

Q: Do all devices forward or respond to pings?

A: No, this is up to the network administrator of the device. Devices,

including routers, can be configured not to reply to pings (ICMP echo

requests). This is why you may not always be able to ping a device. Also,

routers can be configured not to forward pings destined for other devices.

Pings

may fail


10/28

10

Traceroute

Traceroute is a utility that records the route (router IP addresses) betweentwo devices on different networks.


11/28

11

Tracroute

http://en.wikipedia.org/wiki/Traceroute On modern Unix and Linux-based operating systems, the traceroute utility

by default uses UDP datagrams with a destination port number starting at

33434.

The traceroute utility usually has an option to specify use of ICMP echo

request (type 8) instead.

The Windows utility uses ICMP echo request, better known as ping

packets.

Some firewalls on the path being investigated may block UDP probes but

allow the ICMP echo request traffic to pass through.

There are also traceroute implementations sending out TCP packets, such

as tcptraceroute or Layer Four Trace. In Microsoft Windows, traceroute is named tracert.

A new utility, pathping, was introduced with Windows NT, combining ping

and traceroute functionality. All these traceroutes rely on ICMP (type 11)

packets coming back.


12/28

12

Trace ( Cisco = traceroute, tracert,) is used to trace theprobable path apacket takes between source and destination.

Probable, because IP is a connectionless protocol, and different packets maytake different paths between the same source and destination networks,although this is not usually the case.

Trace will show the path the packet takes to the destination, but the return pathmay be different.

This is more likely the case in the Internet, and less likely within your ownautonomous system.

Linux/Unix Systems

Uses ICMP message within an IP Packet

Both are layer 3 protocols.

Uses UDP as a the transport layer.

We will see why this is important in a moment.

Trace (Traceroute)


13/28

13

Format (trace, traceroute, tracert)

RTA# traceroute ip address

RTA# traceroute 192.168.10.2

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

RTA RTB RTC RTD

Trace


14/28

14

How it works (using UDP) - Fooling the routers & host! Traceroute uses ping (echo requests)

Traceroute sets the TTL (Time To Live) field in the IP Header, initially to 1

When a router receives an IP Packet, it decrements the TTL by 1.

If the TTL is 0, it will not forward the IP Packet, and send back to the source

an ICMP time exceeded message.

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

RTA RTB RTC RTD

Data Link Header(Layer 2)

IP Header(Layer 3)

ICMP Message - Echo Request (trace) UDP(Layer 4)

DataLinkTr.

Data Link

DestinationAddress

Data Link

SourceAddress

Source IP

Add.10.0.0.1Dest. IP Add.192.168.10.2Protocol field1TTL1

Type

8

Code0

Chk

sum

ID Seq.

Num

Data DestPort

35,000

FCS

Trace


15/28

15

RTB - TTL:

When a router receives an IP Packet, it decrements the TTL by 1.

If the TTL is 0, it will not forward the IP Packet, and send back to the

source an ICMP time exceeded message.

ICMP Message: Type = 11, Code = 0

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

ICMP Time Exceeded, SA = 10.0.0.2

RTA RTB RTC RTD


IP Header(Layer 3)

ICMP Message - Time Exceeded DataLinkTr.

Data LinkDestinationAddress

Data LinkSourceAddress

.

Source IPAdd.10.0.0.2Dest. IP Add.10.0.0.1Protocol field1

Type11

Code0

Chksum

ID Seq.Num.

Data FCS

Trace


16/28

16

RTB

Sends back a ICMP Time Exceeded message back to the source, using its

IP address for the source IP address. Router Bs IP header includes its own IP address (source IP) and the sending

hosts IP address (dest. IP).

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1


RTA RTB RTC RTD


IP Header(Layer 3)


Data LinkDestination

Address

Data LinkSource

Address

. Source IPAdd.10.0.0.2Dest. IP Add.10.0.0.1Protocol field1

Type11

Code0

Chksum

ID Seq.Num.

Data FCS


17/28

17

RTA, Sending Host

The traceroute program of the sending host (RTA) will use the source IPaddress of this ICMP Time Exceeded packet to display at the first hop.


Type escape sequence to abort.

Tracing the route to 192.168.10.2

1 10.0.0.2 4 msec 4 msec 4 msec

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1


RTA RTB RTC RTD


IP Header(Layer 3)



Address

Data LinkSource

Address


Type11

Code0

Chksum

ID Seq.Num.

Data FCS


18/28

18

RTA

The traceroute program increments the TTL by 1 (now 2 ) and resends the

ICMP Echo Request packet.


IP Header(Layer 3)


DataLinkTr.


Address

Data LinkSource

Address

Source IPAdd.

10.0.0.1Dest. IP Add.192.168.10.2Protocol field1TTL2

Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2


RTA RTB RTC RTD


19/28

19

RTB

This time RTB decrements the TTL by 1 and it is NOT 0. (It is 1.) So it looks up the destination ip address in its routing table and forwards it on to

the next router.

RTC

RTC however decrements the TTL by 1 and it is 0.

RTC notices the TTL is 0 and sends back the ICMP Time Exceeded messageback to the source.

RTCs IP header includes its own IP address (source IP) and the sending hostsIP address (destination IP address of RTA).

The sending host, RTA, will use the source IP address of this ICMP TimeExceeded message to display at the second hop.

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2



RTA RTB RTC RTD

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24


20/28

20

.

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2



RTA RTB RTC RTD


IP Header(Layer 3)


DataLinkTr.



Source IPAdd.10.0.0.1Dest. IP Add.192.168.10.2

Protocol field1TTL2

Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS


IP Header(Layer 3)


DataLinkTr.



Source IPAdd.10.0.0.1Dest. IP Add.192.168.10.2

Protocol field1TTL1

Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS


IP Header(Layer 3)





Type11

Code0

Chksum

ID Seq.Num.

Data FCS

RTA to RTB

RTB to RTC

RTC to RTA

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24


21/28

21

The sending host, RTA:

The traceroute program uses this information (Source IP Address) anddisplays the second hop.




1 10.0.0.2 4 msec 4 msec 4 msec

2 172.16.0.2 20 msec 16 msec 16 msec

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2



RTA RTB RTC RTD


IP Header(Layer 3)




. Source IPAdd.172.16.0.2Dest. IP Add.10.0.0.1

Protocol field1

Type11

Code0

Chksum

ID Seq.Num.

Data FCS

10 0 0 0/8 172 16 0 0/16 192 168 10 0/24


22/28

22

The sending host, RTA:

The traceroute program increments the TTL by 1 (now 3 ) and resends the

Packet.

Data Link Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message - Echo Request (trace) UDP

(Layer 4)

DataLink

Tr.Data LinkDestination

Address

Data LinkSource

Address

Source IPAdd.10.0.0.1Dest. IP Add.192.168.10.2Protocol field1TTL3

Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2

DA = 192.168.10.2, TTL = 3



RTA RTB RTC RTD

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24


23/28

23

.


IP Header(Layer 3)


DataLinkTr.



Source IPAdd.10.0.0.1Dest. IP Add.192.168.10.2Protocol field

1TTL2

Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS


IP Header(Layer 3)


DataLinkTr.




Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2

DA = 192.168.10.2, TTL = 3



RTA RTB RTC RTD


IP Header(Layer 3)


DataLinkTr.




Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS

RTA to RTB

RTB to RTC

RTC to RTD

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24


24/28

24

RTB

This time RTB decrements the TTL by 1 and it is NOT 0. (It is 2.) So it looks up the destination ip address in its routing table and forwards it on to the next

router.

RTC

This time RTC decrements the TTL by 1 and it is NOT 0. (It is 1.)

So it looks up the destination ip address in its routing table and forwards it on to the next

router.RTD

RTD however decrements the TTL by 1 and it is 0.

However, RTD notices that the Destination IP Address of 192.168.0.2 is its own interface.

Since it does not need to forward the packet, the TTL of 0 has no affect.

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2

DA = 192.168.10.2, TTL = 3



RTA RTB RTC RTD


25/28

25

RTD RTD sends the packet to the UDP process.

UDP examines the unrecognizable port number of 35,000 and sends back an

ICMP Port Unreachable message to the sender, RTA, using Type 3 and

Code 3.


IP Header(Layer 3)

ICMP Message Port Unreachable DataLinkTr.


Address

Data LinkSource

Address


Type3

Code3

Chksum

ID Seq.Num.

Data FCS


IP Header(Layer 3)


DataLinkTr.




Type8

Code0

Chksum

ID Seq.Num

Data DestPort35,000

FCS

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24


26/28

26

Sending host, RTA

RTA receives the ICMP Port Unreachable message.

The traceroute program uses this information (Source IP Address) anddisplays the third hop.

The traceroute program also recognizes this Port Unreachable message asmeaning this is the destination it was tracing.

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2

DA = 192.168.10.2, TTL = 3



ICMP Port Unreachable, SA = 192.168.10.2

RTA RTB RTC RTD

Data Link Header

(Layer 2)

IP Header

(Layer 3)

ICMP Message Port Unreachable DataLink

Tr.Data LinkDestination

Address

Data LinkSource

Address

. Source IPAdd.

192.168.10.2Dest. IP Add.

10.0.0.1Protocol field1

Type3

Code3

Chksum

ID Seq.Num.

Data FCS

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24


27/28

27

10.0.0.0/8 172.16.0.0/16 192.168.10.0/24

.1 .1 .1.2 .2 .2

DA = 192.168.10.2, TTL = 1

DA = 192.168.10.2, TTL = 2

DA = 192.168.10.2, TTL = 3



ICMP Port Unreachable, SA = 192.168.10.2

RTA RTB RTC RTD

Sending host, RTA

RTA, the sending host, now displays the third hop.

Getting the ICMP Port Unreachable message, it knows this is the final hopand does not send any more traces (echo requests).




1 10.0.0.2 4 msec 4 msec 4 msec

2 172.16.0.2 20 msec 16 msec 16 msec

3 192.168.10.2 16 msec 16 msec 16 msec


28/28

28

For more information on ICMP and other TCP/IP topics, I recommend:

TCP/IP Illustrated, Volume I R.W. Stevens

Recommended Reading
http://www.amazon.com/exec/obidos/tg/stores/detail/-/books/0201633469/reader/2/102-1499200-2096936

ping and trace route

Documents