I always thought that traceroute uses time-exceeded ICMP packets to find routes, but my ipchains logs show that it is actually trying to connect on various UDP ports around 33440 (above and below).
Linux starts at 33438, Solaris starts at 33435.
Any ideas?
Philip
On Thu, 5 Jul 2001, Philip S Tellis wrote:
> I always thought that traceroute uses time-exceeded ICMP packets to find routes, but my ipchains logs show that it is actually trying to connect on various UDP ports around 33440 (above and below).
traceroute does use time-exceeded ICMP packets. The TTL (time to live, which is actually the number of hops) field in the IP header is increased each time you receive an ICMP time-exceeded error. traceroute uses UDP, which is a transport layer protocol, so you need to specify the port number also. Now consider a situation where your packet has reached the destination and there is a process which has bound to this port number. Then no ICMP error will be generated, and our program won't be notified by a port-unreachable ICMP packet, which actually means that we found the intended machine. To avoid this situation traceroute always sends more than one packet for each TTL with different port numbers. These port numbers are chosen such that it is assumed that no process will accept packets sent to these port numbers.
> Linux starts at 33438, Solaris starts at 33435.
So these port numbers are implementation specific.
Hope I am clear enough.
Bye, Aseem
On Thu, 5 Jul 2001, Aseem wrote:
> traceroute does use time-exceeded ICMP packets. The TTL (time to live, which is actually the number of hops) field in the IP header is increased each time you receive an ICMP
The problem is that I haven't detected any ICMP traffic when using traceroute.
Philip
On Thu, 5 Jul 2001, Philip S Tellis wrote:
> On Thu, 5 Jul 2001, Aseem wrote:
>> traceroute does use time-exceeded ICMP packets. The TTL (time to live, which is actually the number of hops) field in the IP header is increased each time you receive an ICMP
> The problem is that I haven't detected any ICMP traffic when using traceroute.
I don't know what's happening at your side, but every router which drops a packet (in this case reason = time-exceeded) generates an ICMP error packet and puts its own IP address as the source IP address in the ICMP packet. Thus we know the in-between hops till the destination. I haven't used ipchains logs so I cannot comment on them, but if you can see traceroute output properly then you are receiving ICMP packets. Try using some other packet recording utility.
BTW, from where should I start reading about ipchains?
Bye, Aseem
On Thu, 05 Jul 2001, Philip S Tellis spewed into the ether:
> I always thought that traceroute uses time-exceeded ICMP packets to find routes, but my ipchains logs show that it is actually trying to connect on various UDP ports around 33440 (above and below).
Unix traceroute by default sends UDP packets. On Windows, the default is ICMP. The principle of traceroute is that UDP packets are sent out with different TTLs. When a router meets a packet with an expired TTL, it sends an ICMP error message back to the sending host. You will get incoming ICMP traffic when doing a traceroute. Use the -i option on Linux to get traceroute to use ICMP.
> Linux starts at 33438, Solaris starts at 33435.
The ports are defined in the man page for traceroute.
Devdas Bhagat
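The exchange Aseem and Devdas describe above (UDP probes with increasing TTL, an ICMP time-exceeded error from each router, an ICMP port-unreachable error from the destination, and the destination port used to match a reply to its probe), worked through as packets built by hand. This is an added example, not code from the thread or from any traceroute implementation; the hop addresses, the 33434 base port and the "one port per probe" numbering are assumptions chosen for the simulation, and nothing here touches a socket, so it runs offline.

```python
"""Offline model of the traceroute exchange: UDP probes with increasing TTL,
ICMP time-exceeded from each router, ICMP port-unreachable from the host.
Packets are built with struct; no raw sockets, no network."""
import ipaddress
import struct

BASE_PORT = 33434          # assumed starting port; the thread reports 33435/33438
NQUERIES = 3               # probes per TTL, like traceroute's usual default
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
CODE_PORT_UNREACH, CODE_TTL_EXCEEDED = 3, 0


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_probe(src: str, dst: str, ttl: int, seq: int, sport: int = 40000) -> bytes:
    """UDP probe number `seq`. The destination port encodes the probe number;
    that, not the quoted TTL, is what a reply is matched on, because some
    routers quote the TTL after decrementing it."""
    payload = b"\x00" * 12
    udp = struct.pack("!HHHH", sport, BASE_PORT + seq, 8 + len(payload), 0) + payload
    return ip_header(src, dst, ttl, PROTO_UDP, len(udp)) + udp


def build_icmp_error(sender: str, probe: bytes, icmp_type: int, code: int) -> bytes:
    """ICMP error as a router or host emits it: type/code, then the offending IP
    header plus the first 8 bytes of its payload (RFC 792). For a UDP probe those
    8 bytes are the UDP header, so the probe's destination port comes back."""
    quoted = probe[:20 + 8]
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    probe_src = str(ipaddress.IPv4Address(probe[12:16]))
    return ip_header(sender, probe_src, 64, PROTO_ICMP, len(icmp)) + icmp


def parse_icmp_reply(packet: bytes) -> dict:
    """Recover the replying hop, the error kind, and the probe's seq and TTL."""
    ihl = (packet[0] & 0x0F) * 4
    hop = str(ipaddress.IPv4Address(packet[12:16]))
    icmp_type, code = packet[ihl], packet[ihl + 1]
    quoted = packet[ihl + 8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    _sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    seq = dport - BASE_PORT
    if icmp_type == ICMP_TIME_EXCEEDED and code == CODE_TTL_EXCEEDED:
        kind = "time-exceeded"
    elif icmp_type == ICMP_DEST_UNREACH and code == CODE_PORT_UNREACH:
        kind = "port-unreachable"
    else:
        kind = "other"
    return {"hop": hop, "kind": kind, "seq": seq, "ttl": seq // NQUERIES + 1}


def simulate_path(src: str, dst: str, routers: list, max_hops: int = 30) -> list:
    """Probe/reply loop over an assumed path (constructed router addresses).
    Returns one (ttl, hop, kind) per TTL and stops at port-unreachable."""
    result, seq = [], 0
    for ttl in range(1, max_hops + 1):
        probe = build_probe(src, dst, ttl, seq)
        seq += NQUERIES          # only the first of NQUERIES probes is modelled
        if ttl <= len(routers):  # router decrements TTL to zero, drops, complains
            reply = build_icmp_error(routers[ttl - 1], probe,
                                     ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED)
        else:                    # host reached; nothing is bound to the port
            reply = build_icmp_error(dst, probe, ICMP_DEST_UNREACH, CODE_PORT_UNREACH)
        info = parse_icmp_reply(reply)
        result.append((ttl, info["hop"], info["kind"]))
        if info["kind"] == "port-unreachable":
            break
    return result


if __name__ == "__main__":
    for ttl, hop, kind in simulate_path("192.168.1.5", "10.0.0.9",
                                        ["192.168.1.1", "172.16.0.1"]):
        print(ttl, hop, kind)
```

The point the thread circles around is visible in `simulate_path`: every outgoing packet is UDP (which is what an ipchains rule on the output side logs), while every reply is ICMP, so a log that only covers outgoing traffic shows the 334xx ports and never the time-exceeded messages. If a process were actually listening on the probed port at the destination, the last `build_icmp_error` call would never happen, which is why the probe ports are chosen in a range nothing is expected to bind.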