traceroute

traceroute is likely only second to the ping command as the most often used network troubleshooting tool. traceroute shows the path between the source (the Linux node where the command is executed) and the destination.

traceroute, unlike ping, does not rely on the destination responding to a particular probe. Instead it assembles a UDP packet addressed to the destination—but with the time-to-live set to 1 for the first packet that is sent. traceroute then sends the packet, and the first router on the way to the destination accepts the packet and decrements the time-to-live. Because the time-to-live was 1, it is now zero, which causes the first router in the path to send back an ICMP time exceeded message and drop the packet. traceroute prints the source address of the ICMP message for the user, increments the internal counter that sets the time-to-live, and sends out the second packet.

The first router decrements the time-to-live from 2 to 1, and the second router decrements the time-to-live from 1 to zero and returns the ICMP time exceeded message. traceroute then prints the second router’s IP address based on the source address of the ICMP message and continues in this way toward the final destination. The final destination has no service listening on that port, so it returns an ICMP port unreachable. When traceroute receives this message, it prints the final address and exits.

Now that traceroute has been explained, a closer look at traceroute’s options will show some of the more advanced uses of traceroute.

-d

To turn on additional debugging with traceroute, use the -d parameter. The additional information, especially if it applies to networks under internal administration control, might help in determining network problems. For example, the following output with the -d option implies that there is possibly a routing problem (network unreachable) or an interface problem through which the network should be reachable:

[root@lefty /root]# traceroute -d host.anydomain.com 
traceroute to host.anydomain.com (192.168.100.100), 30 hops max, 38 byte packets 
traceroute: sendto: Network is unreachable 
 1 traceroute: wrote host.anydomain.com 38 chars, ret=-1 

-f ttl

The -f parameter followed by a time-to-live value tells traceroute to start the time-to-live counter at ttl, effectively not reporting the first ttl–1 hops. This is useful when tracerouting through a firewall that will not respond to a traceroute but will allow the request through. It is also useful when the first few hops are already known.

-F

The do not fragment (-F) option tells traceroute to set the do not fragment bit in the IP header, so that a router along the path will not fragment the UDP probe when the outgoing interface’s MTU cannot carry it; instead the packet is dropped. This can be useful to troubleshoot problems related to MTU or path MTU discovery.

-i Interface

On multi-homed systems, there is sometimes the need to specify which interface to use for the traceroute command. By using the -i parameter, traceroute will use the specified interface—and therefore the IP address of the specified interface—as the source address for the traceroute.

-I

As described earlier, traceroute uses UDP packets targeted at high ports; however, the -I option tells traceroute to send ICMP echo request packets instead of UDP. This might be useful should a firewall not allow UDP but allow ICMP echo requests. This also makes traceroute function more like the Microsoft tracert, which is the tool that serves the same purpose as traceroute on Microsoft Windows.

Except for using ICMP packets, traceroute functions the same—the ttl is still set appropriately to ensure the same behavior from the transit routers. A key difference is the final destination—it might actually reply to the echo request with an echo reply.

-n

The -n parameter turns off name resolution with traceroute. Generally this is used to speed up the operation of traceroute—especially if the name server is not reachable due to the network problem being analyzed. By using -n, each hop along the way does not have to be looked up, so the user need not wait on the traceroute’s resolution to time out before continuing.

-m Maximum Hops

The -m option tells traceroute to stop after the specified maximum number of hops has been reached:

[root@lefty /root]# traceroute -m 3 host.somedomain.com 
traceroute to host.somedomain.com (192.168.50.50), 3 hops max, 38 byte packets 
 1 gw4.isp1.net (192.168.14.2)  39.331 ms  33.990 ms 51.079 ms 
 2 router3.isp2.net(10.1.1.254)  25.888 ms  31.675 ms 25.988 ms 
 3 router5.isp2.net(10.5.5.254)  25.296 ms  26.012 ms  26.335 ms 

The -m option can be combined with -f to further limit the output and the routers reported:

[root@lefty /root]# traceroute -f  2 -m 3 host.somedomain.com 
traceroute to host.somedomain.com (192.168.50.50), 3 hops max, 38 byte packets 
 2 router3.isp2.net(10.1.1.254) 22.888 ms 32.675 ms 27.887 ms 
 3 router5.isp2.net(10.5.5.254) 25.186 ms 26.122 ms 26.322 ms 
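The probe loop described above (increasing time-to-live, ICMP time exceeded from each router, ICMP port unreachable from the destination) together with the -f and -m limits, modelled as a small simulation. This is an added example, not code from the book or from the traceroute program; the topology is constructed, reusing the addresses from the sample output, and the firewall that forwards probes but never replies is an assumption used to show why -f is handy.

```python
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = "time exceeded"
ICMP_PORT_UNREACHABLE = "port unreachable"


@dataclass
class Router:
    addr: str
    replies: bool = True  # False models a firewall that forwards but never sends ICMP


def forward_probe(path, dest, ttl):
    """Model what the network does with one UDP probe carrying the given TTL.

    Returns (icmp_type, source_address), or (None, None) if nothing comes back.
    """
    for router in path:
        ttl -= 1                      # every transit router decrements the TTL
        if ttl == 0:                  # expired here: router drops it and reports back
            if router.replies:
                return ICMP_TIME_EXCEEDED, router.addr
            return None, None         # silent hop: traceroute prints a "*"
    # Probe reached the destination; no service listens on the high UDP port.
    return ICMP_PORT_UNREACHABLE, dest


def traceroute(path, dest, first_ttl=1, max_hops=30):
    """Return [(ttl, reported_address), ...] the way traceroute would print it.

    first_ttl corresponds to -f, max_hops to -m.
    """
    hops = []
    for ttl in range(first_ttl, max_hops + 1):
        kind, src = forward_probe(path, dest, ttl)
        hops.append((ttl, src if src is not None else "*"))
        if kind == ICMP_PORT_UNREACHABLE:   # destination answered: we are done
            break
    return hops


# Constructed topology: three routers in front of host.somedomain.com
PATH = [Router("192.168.14.2"), Router("10.1.1.254", replies=False), Router("10.5.5.254")]
DEST = "192.168.50.50"

if __name__ == "__main__":
    for ttl, addr in traceroute(PATH, DEST):
        print(f"{ttl:2d} {addr}")
```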

tcpdump, covered later, will give a complete breakdown of a traceroute during execution.

-t tos

The -t tos parameter allows the type of service bits to be specified in the IP packet. This parameter is growing in popularity as voice-over-packet technologies grow. Many voice-over deployments rely on the tos bits, or more specifically the DiffServ implementation of those bits, to ensure bandwidth requirements are met. However, outside these next generation networks the -t parameter has very little use.

traceroute Gotchas

traceroute is a very useful tool and can be used to quickly locate network trouble spots; however, it should not be solely relied upon, given that its behavior can be affected by network conditions. Following are a few items to be aware of.

Asymmetrical Routes

Most complex networks include multiple routes to destinations, so some network conditions (peering policies, asymmetrical network outages, route flapping, or plain old misconfiguration) will mean that the ICMP message returned to traceroute does not take the same path as the initial UDP packet, and the message might never be returned to traceroute at all.

Network Security

If traceroute is used through secure areas, the UDP traffic might not be allowed through a firewall because UDP is often frowned upon (for good reason). And even if UDP is allowed through, the particular packet may not be allowed if the firewall is configured to allow only specific traffic through.
