Traceroute: traceroute is a Unix utility designed by Van Jacobson in 1987. The Windows equivalent is called tracert. The Linux equivalent is called tracepath.

Presentation transcript:

Traceroute
traceroute is a Unix utility designed by Van Jacobson in 1987. The Windows equivalent is called tracert. The Linux equivalent is called tracepath. It allows users to view the route (IP addresses, hostnames of routers and RTTs) from their own machine to any host on the Internet. Traceroute servers will allow routes to be traced from other locations as well.
23/11/10 07-Traceroute

Traceroute
To understand how traceroute works, we need to understand how IP uses its Time-to-Live (TTL) field. The IP designers wanted a facility in IP to avoid packets circulating forever if a routing loop occurred. Routing loops can occur when routing protocols allow routing tables to become inconsistent.

Routing Loops
Routing protocols which allow routers to update each other with optimal routes to networks sometimes get into a state where a routing loop occurs. E.g. Router A thinks the best route to Network C is via Router B, and Router B thinks that the best route to Network C is via Router A. Any packets arriving at Router A with the destination address of Network C will be forwarded to Router B, which will then forward them to Router A, which will forward them to Router B … If more packets with the destination address of Network C arrive at either router, they will join the other packets in the loop, and the links in the loop will eventually become unusable due to congestion.

Time to Live (TTL)
The IP designers wanted a way for packets in a routing loop to be discovered and discarded. They originally designed a Time to Live field based on actual time, but this proved to be too difficult to manage, so they simplified it. TTL is now used to count the number of routers a packet has been routed through. In IPv6 the field has been more sensibly named hopcount. Examining changes in TTL may also be useful in your time-of-day experiment, as any change in route will probably also cause a change in TTL, which may happen at the same time as a step change in RTT.

Time to Live
Different IP implementations set the initial value of TTL to different values. TTL is usually initially set to a value between 30 and 128, although some implementations (including ICMP) set it to its maximum value of 255. When a packet is launched onto the Internet, it has its TTL field set to the initial value. At every subsequent router it is decremented by one. When a router decrements the TTL to 0, it must discard the packet. If it does this, it should also issue an ICMP Time Expired message to the originator.

Traceroute
Traceroute sends out three packets with an initial TTL of 1. These packets arrive at the first router. The TTL is decremented to 0 and the packets are discarded. ICMP Time Expired messages are sent back to the originator by the first router, and thus the IP address of the first router is discovered. Traceroute then sends out three packets with an initial TTL of 2. These packets arrive at the first router, which decrements the TTL to 1 and forwards the packets to the second router, which decrements the TTL to 0, discards the packets and issues ICMP Time Expired messages back to the originator, thus revealing the IP address of the second router. Similarly for the third router and all the other routers on the path to the host, until the whole route to the host has been discovered.

Traceroute
Traceroute also does a reverse DNS look-up to find any hostnames registered for router IP addresses. It reports on each line: the IP address, hostname (if found) and the three measured RTTs to the router. It will (by default) list up to 30 routers on the path, and if the host has not been reached before this limit is reached, it will give up.

Traceroute
Sometimes hostnames have not been registered for routers, in which case traceroute only provides IP addresses. Routers sometimes do not issue the ICMP Time Exceeded messages, or they get lost or discarded, in which case a * appears instead of the RTT. Some versions of traceroute use ICMP echo request packets (Windows), others use UDP (Unix) with special port numbers.
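The probing loop described in the slides above, as an added example that is not part of the original presentation: a Python simulation that sends no packets. The `Router` class, the `loop` flag and the documentation-range addresses are assumptions made for the illustration, and the example goes one step beyond the slides by also tracing into a routing loop.

```python
from dataclasses import dataclass
from itertools import cycle

MAX_HOPS = 30        # default limit on listed routers, per the slides
PROBES_PER_TTL = 3   # three packets are sent for each TTL value

@dataclass
class Router:                 # hypothetical model, not a real API
    addr: str                 # constructed documentation-range address
    silent: bool = False      # True: discards expired packets without ICMP

def send_probe(path, dest, ttl, loop=False):
    """Forward one probe; return (kind, address), or None if nothing comes back."""
    hops = cycle(path) if loop else path   # loop=True models a routing loop
    for router in hops:
        ttl -= 1                           # every router decrements TTL by one
        if ttl == 0:                       # expired here: packet is discarded
            return None if router.silent else ("time-exceeded", router.addr)
    return ("reached", dest)               # passed every router: the host answers

def traceroute(path, dest, loop=False, max_hops=MAX_HOPS):
    """Return rows of (ttl, address or '*', destination_reached)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, dest, ttl, loop) for _ in range(PROBES_PER_TTL)]
        answered = [r for r in replies if r is not None]
        if not answered:
            rows.append((ttl, "*", False))   # no ICMP reply for this hop
            continue
        kind, addr = answered[0]
        rows.append((ttl, addr, kind == "reached"))
        if kind == "reached":
            break                            # whole route discovered
    return rows

# Constructed sample topology: three routers, the second never sends ICMP errors.
PATH = [Router("192.0.2.1"), Router("198.51.100.1", silent=True), Router("203.0.113.1")]
DEST = "203.0.113.80"
LOOP = [Router("192.0.2.1"), Router("192.0.2.2")]   # A and B point at each other

if __name__ == "__main__":
    for row in traceroute(PATH, DEST):
        print(row)
    print(len(traceroute(LOOP, DEST, loop=True)), "hops listed before giving up")
    print(send_probe(LOOP, DEST, 64, loop=True))     # ordinary packet dies after 64 hops
```

A trace that alternates between the same two addresses until the 30-hop limit is the signature of a routing loop, and the last call shows the TTL discarding an ordinary packet caught in it.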

Traceroute Tips
Sometimes ICMP packets get through when UDP packets do not and vice versa, so it may occasionally be worth trying more than one version of traceroute. If there is no hostname, or the hostname does not indicate a location, try looking up the IP address or hostname or parts of the hostname in Google. Try using IP address location tools, but beware that these are not always accurate. Use a whois server (e.g. the one on www.DNSstuff.com) to look up the organisation which owns the IP address. This will sometimes indicate the country in which the router is located. If the RTT makes a big jump (50 - 150 ms), the route is probably going over a long fibre cable (possibly submarine). If the RTT jumps by more than 230 ms, the route is almost certainly going over a satellite circuit.
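The RTT-jump tips above applied to traceroute output, as an added example that is not part of the original presentation. The sample output is constructed, and the function names, the use of the lowest RTT per hop, and the choice to skip hops that show only `*` are assumptions.

```python
import re

# Constructed sample output (documentation-range addresses, invented RTTs).
SAMPLE = """\
 1  192.0.2.1  1.2 ms  1.0 ms  1.1 ms
 2  gw.example.net (198.51.100.1)  9.8 ms  10.4 ms  9.9 ms
 3  * * *
 4  203.0.113.9  95.0 ms  * 96.2 ms
 5  203.0.113.77  380.5 ms  379.0 ms  381.2 ms
"""

HOP = re.compile(r"\s*(\d+)\s")            # hop number at the start of a line
RTT = re.compile(r"(\d+(?:\.\d+)?) ms")    # each measured round-trip time

def parse(output):
    """Return [(hop, best_rtt_ms or None)]; None means every probe showed '*'."""
    hops = []
    for line in output.splitlines():
        m = HOP.match(line)
        if not m:
            continue                       # header or blank line
        rtts = [float(x) for x in RTT.findall(line)]
        # The lowest RTT is least affected by queueing or slow ICMP generation.
        hops.append((int(m.group(1)), min(rtts) if rtts else None))
    return hops

def classify(jump_ms):
    """Apply the two rules from the tips; None where they say nothing."""
    if jump_ms > 230:
        return "satellite circuit likely"
    if 50 <= jump_ms <= 150:
        return "long fibre likely"
    return None                            # below 50 ms, or the 150-230 ms gap

def flag_jumps(hops):
    """Compare each answering hop with the previous answering hop."""
    flagged, prev = [], None
    for hop, rtt in hops:
        if rtt is None:
            continue                       # silent hop: nothing to compare
        if prev is not None:
            label = classify(rtt - prev)
            if label:
                flagged.append((hop, round(rtt - prev, 1), label))
        prev = rtt
    return flagged

if __name__ == "__main__":
    for hop, jump, label in flag_jumps(parse(SAMPLE)):
        print(f"hop {hop}: +{jump} ms, {label}")
```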