
How Traceroute Works?


Network Topology

This post explains how traceroute keeps track of which UDP probe each ICMP error message belongs to, and how it calculates the round-trip time (RTT) from that.

Consider the above network topology and follow the steps given below.

Purpose of the Lab:

The purpose of the lab is to observe how the traceroute program works: what it sends, what comes back, and how the two are matched up.

Lab Setup:

  1. On hostA1, start tcpdump so that only the probes and the ICMP replies are shown (the filter drops DNS ("domain", UDP port 53) and RIP ("router", UDP port 520) traffic, which would otherwise clutter the capture): sudo tcpdump -n -v 'udp and not port domain and not port router or icmp'

  2. On hostA1, run traceroute to hostE1 with one probe per hop (-q1) and no reverse name lookups (-n): traceroute -n -q1 hostE1

  3. Observe the tcpdump output.

Results and Discussion:

Results:

traceroute output:

    traceroute to hostE1.test.ca (10.1.5.1), 64 hops max, 40 byte packets
     1  10.1.1.254  0.012 ms
     2  10.1.6.2  39.686 ms
     3  10.1.9.2  66.896 ms
     4  10.1.5.1  41.431 ms

tcpdump output (each record is a timestamped outer IP header followed by its indented continuation lines; in the ICMP records the last two lines are the header of the UDP datagram quoted in the ICMP payload):

    14:24:10.908308 IP (tos 0x0, ttl 1, id 35702, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33435: UDP, length 12
    14:24:10.908316 IP (tos 0x0, ttl 64, id 56120, offset 0, flags [none], proto ICMP (1), length 56)
        10.1.1.254 > 10.1.1.1: ICMP time exceeded in-transit, length 36
            IP (tos 0x0, ttl 1, id 35702, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33435: UDP, length 12
    14:24:10.908322 IP (tos 0x0, ttl 2, id 35703, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33436: UDP, length 12
    14:24:10.947990 IP (tos 0x0, ttl 63, id 54679, offset 0, flags [none], proto ICMP (1), length 56)
        10.1.6.2 > 10.1.1.1: ICMP time exceeded in-transit, length 36
            IP (tos 0x0, ttl 1, id 35703, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33436: UDP, length 12
    14:24:10.948024 IP (tos 0x0, ttl 3, id 35704, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33437: UDP, length 12
    14:24:11.014897 IP (tos 0x0, ttl 62, id 54478, offset 0, flags [none], proto ICMP (1), length 56)
        10.1.9.2 > 10.1.1.1: ICMP time exceeded in-transit, length 36
            IP (tos 0x0, ttl 1, id 35704, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33437: UDP, length 12
    14:24:11.014938 IP (tos 0x0, ttl 4, id 35705, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33438: UDP, length 12
    14:24:11.056344 IP (tos 0x0, ttl 61, id 54274, offset 0, flags [none], proto ICMP (1), length 56)
        10.1.5.1 > 10.1.1.1: ICMP 10.1.5.1 udp port 33438 unreachable, length 36
            IP (tos 0x0, ttl 1, id 35705, offset 0, flags [none], proto UDP (17), length 40)
        10.1.1.1.35701 > 10.1.5.1.33438: UDP, length 12

Discussion:

Frame 2 is the ICMP time exceeded message for frame 1. An ICMP error carries the IP header and the first 8 bytes of the payload of the datagram that triggered it, which for UDP is the complete UDP header. The quoted IP id (35702) and the UDP source and destination ports (35701 and 33435) therefore all match the probe in frame 1, and traceroute uses the quoted ports to recognise its own probe.

For TTL=2 the destination port is incremented by one (33436), so the next ICMP error quotes a different port and cannot be confused with the first one. Frame 4 corresponds to frame 3 in the same way. Note that the quoted header shows ttl 1 no matter which TTL the probe left with, so the quote alone does not say which hop answered; traceroute knows because it recorded the TTL it used for the probe with that destination port.

For TTL=3 the process repeats (frames 5 and 6, port 33437).

For TTL=4 the probe reaches hostE1 itself. No process is listening on UDP port 33438 there, so the host returns ICMP port unreachable instead of time exceeded, and that tells traceroute the destination has been reached and the trace is finished.

The send times cannot be seen in the tcpdump output, but traceroute must record the sending time of each probe, keyed by its TTL and destination port, and subtract it from the arrival time of the matching ICMP message. The tcpdump timestamps confirm this: frame 1 left at 10.908308 and frame 2 arrived at 10.908316, 8 µs later; frames 3 and 4 are 39.668 ms apart, frames 5 and 6 are 66.873 ms apart, and frames 7 and 8 are 41.406 ms apart. This agrees with the 0.012, 39.686, 66.896 and 41.431 ms that traceroute printed; the traceroute figures are slightly larger because traceroute takes its timestamps in user space around the send and receive calls, whereas tcpdump timestamps each packet in the kernel.
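The matching and RTT computation described above, written out as an added example (this is not code from the original lab, and it is not the traceroute source). It parses the tcpdump records from this lab, embedded below as constructed sample input with the continuation lines re-indented the way tcpdump -v prints them, rebuilds the table of send times that traceroute keeps, pairs each ICMP error with the probe it quotes, and derives the hop number from the sender's record of the probe TTL rather than from the quoted header. The matching key used here (quoted IP id plus both UDP ports) is a deliberate choice that is stricter than classic traceroute, which matches on the quoted ports alone.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the tcpdump records from this lab, indented the way tcpdump -v prints them.
CAPTURE = """\
14:24:10.908308 IP (tos 0x0, ttl 1, id 35702, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33435: UDP, length 12
14:24:10.908316 IP (tos 0x0, ttl 64, id 56120, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.1.254 > 10.1.1.1: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 35702, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33435: UDP, length 12
14:24:10.908322 IP (tos 0x0, ttl 2, id 35703, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33436: UDP, length 12
14:24:10.947990 IP (tos 0x0, ttl 63, id 54679, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.6.2 > 10.1.1.1: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 35703, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33436: UDP, length 12
14:24:10.948024 IP (tos 0x0, ttl 3, id 35704, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33437: UDP, length 12
14:24:11.014897 IP (tos 0x0, ttl 62, id 54478, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.9.2 > 10.1.1.1: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 35704, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33437: UDP, length 12
14:24:11.014938 IP (tos 0x0, ttl 4, id 35705, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33438: UDP, length 12
14:24:11.056344 IP (tos 0x0, ttl 61, id 54274, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.5.1 > 10.1.1.1: ICMP 10.1.5.1 udp port 33438 unreachable, length 36
        IP (tos 0x0, ttl 1, id 35705, offset 0, flags [none], proto UDP (17), length 40)
    10.1.1.1.35701 > 10.1.5.1.33438: UDP, length 12
"""

TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(")
IPHDR_RE = re.compile(r"IP \(tos \S+, ttl (\d+), id (\d+), .*?proto (\w+) \(\d+\)")
UDP_RE = re.compile(r"^\s*\S+\.(\d+) > \S+\.(\d+): UDP, length \d+")
ICMP_RE = re.compile(r"^\s*(\S+) > \S+: ICMP (.+), length \d+")

@dataclass
class Record:
    time_us: int            # capture timestamp, microseconds since midnight
    ttl: int                # outer TTL
    ip_id: int
    proto: str              # "UDP" (a probe) or "ICMP" (an error)
    ports: tuple = None     # (sport, dport) of a probe
    icmp_src: str = ""      # router or host that generated the ICMP error
    icmp_msg: str = ""
    quoted_id: int = None   # IP id of the datagram quoted in the ICMP payload
    quoted: tuple = None    # (ip_id, sport, dport) recovered from the ICMP payload

@dataclass
class Hop:
    ttl: int
    dport: int
    router: str
    rtt_ms: float
    reached: bool   # True for "port unreachable": the destination itself answered

def to_micros(h, m, s):
    """HH:MM:SS.ffffff -> integer microseconds, so the RTT arithmetic is exact."""
    whole, frac = s.split(".")
    return (int(h) * 3600 + int(m) * 60 + int(whole)) * 1_000_000 + int(frac.ljust(6, "0")[:6])

def parse_tcpdump(text):
    records = []
    for line in text.splitlines():
        if ts := TS_RE.match(line):                 # a timestamp starts a new record
            hdr = IPHDR_RE.search(line)
            records.append(Record(to_micros(*ts.groups()), int(hdr.group(1)),
                                  int(hdr.group(2)), hdr.group(3)))
        elif records[-1].proto == "UDP":            # continuation of a probe: the UDP line
            if u := UDP_RE.match(line):
                records[-1].ports = (int(u.group(1)), int(u.group(2)))
        # ICMP continuation: the error line, then the quoted IP header, then the quoted UDP
        # header (RFC 792: original IP header plus the first 8 bytes of its payload).
        elif i := ICMP_RE.match(line):
            records[-1].icmp_src, records[-1].icmp_msg = i.group(1), i.group(2)
        elif hdr := IPHDR_RE.search(line):
            records[-1].quoted_id = int(hdr.group(2))
        elif u := UDP_RE.match(line):
            records[-1].quoted = (records[-1].quoted_id, int(u.group(1)), int(u.group(2)))
    return records

def match_probes(records):
    """Pair each ICMP error with the probe it quotes and compute the RTT, as traceroute does."""
    pending, hops = {}, []   # pending: (ip_id, sport, dport) -> probe, traceroute's table of send times
    for rec in records:
        if rec.proto == "UDP" and rec.ports:
            pending[(rec.ip_id, *rec.ports)] = rec
        elif rec.proto == "ICMP" and rec.quoted:
            probe = pending.pop(rec.quoted, None)
            if probe is None:      # quotes nothing we sent (stale, duplicate or spoofed): drop it
                continue
            # Hop number = the TTL *we* put on the probe; the quoted header cannot supply it,
            # since every router here quotes the expired datagram with ttl 1.
            hops.append(Hop(probe.ttl, probe.ports[1], rec.icmp_src,
                            (rec.time_us - probe.time_us) / 1000, "unreachable" in rec.icmp_msg))
    return hops

if __name__ == "__main__":
    for h in match_probes(parse_tcpdump(CAPTURE)):
        print(f"{h.ttl:2d}  {h.router:<12} {h.rtt_ms:.3f} ms" + ("  [destination]" if h.reached else ""))
```

Run stand-alone it prints the four hops with the RTTs measured from the capture timestamps (0.008, 39.668, 66.873 and 41.406 ms). An ICMP error whose quoted header matches no outstanding probe is dropped rather than reported, which is the check that keeps a stray or forged ICMP message from inserting a bogus hop into the trace.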

Conclusion:

The traceroute program sends a series of UDP datagrams to the destination, each with a TTL one higher than the last and a destination port one higher than the last, and observes the ICMP error messages that come back. Each "time exceeded" message is generated by the router at which the TTL expired and is sent from the address of the interface on which the datagram arrived, so the sequence of source addresses gives the path. A "port unreachable" message comes from the destination itself and indicates that it has been reached. Because every ICMP error quotes the header of the datagram that caused it, traceroute can match each error to the probe it sent by the quoted port numbers and compute the RTT from the send time it recorded for that probe.
