How does traceroute work with UDP (on packet level)?
FrankGuthrie
Member Posts: 245
in CCNP
I was always under the impression traceroute uses ICMP, but recently I learned that only Windows uses ICMP for the request (Echo?) and the ICMP Reply. I've learned that Cisco and Linux/Unix use UDP for the (echo??? or request, not sure what to call it).
So I have a few questions:
1. Why are the Linux and Cisco implementations using UDP/ICMP and not ICMP/ICMP?
2. How does it work? When the IP stack receives the UDP packet, how does it know to reply using the ICMP protocol?
3. Why is it chosen to be implemented like this?
4. If I want to allow traceroute through a firewall, what UDP port do you need to open?
Thanks.
Comments
fredrikjj Member Posts: 879
FrankGuthrie wrote: »
1. Why are the Linux and Cisco implementations using UDP/ICMP and not ICMP/ICMP?
2. How does it work? When the IP stack receives the UDP packet, how does it know to reply using the ICMP protocol?
- A traceroute to destination X is initiated.
- Three UDP probes with TTL = 1 are sent.
- Because TTL is 1, they only reach the first hop, and the first hop responds with an ICMP message, type "Time exceeded".
- Probe TTL is increased by 1 until it is big enough to reach the final destination.
- The final destination will examine the UDP payload and see that it's using a high port number that is not in use.
- Because the ports are not in use, an ICMP "port unreachable" message will be sent back to the source.
- The source now knows that it has reached the destination and doesn't send more probes.
3. Why is it chosen to be implemented like this?
4. If I want to allow traceroute through a firewall, what UDP port do you need to open?
Using the traceroute Command on Operating Systems - Cisco
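The exchange described in the post above, as an added example that is not part of the thread or of any traceroute implementation. It simulates the routers and the destination host in-process (a real traceroute needs raw sockets and root), but uses the real IPv4, UDP and ICMP byte layouts, so it shows the two things the questions ask about: the destination's stack answers with ICMP because no UDP listener exists on the probed port, and the ICMP error quotes the original IP header plus the first 8 bytes of the datagram, which is where the UDP destination port lives and how the sender matches each reply to its probe. Assumed and not from the post: the constructed two-router path and addresses, the Linux/Cisco default first probe port 33434 incrementing by one per probe, and the ICMP type/code numbers from RFC 792.

```python
"""Simulated UDP/ICMP traceroute exchange.

Added example, not code from the thread. Assumptions not in the original post:
a constructed two-router path, Linux/Cisco-style probe ports starting at 33434
and incrementing by one per probe, and the ICMP type/code numbers from RFC 792.
Real traceroute needs raw sockets; here the routers are simulated in-process
but the IPv4/UDP/ICMP byte layouts are the real ones.
"""
import struct
from ipaddress import IPv4Address

BASE_PORT = 33434        # first UDP destination port used by Linux/Cisco traceroute
ICMP_TIME_EXCEEDED = 11  # RFC 792 type 11, code 0: TTL expired in transit
ICMP_DEST_UNREACH = 3    # RFC 792 type 3, code 3: port unreachable
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ipv4_header(src, dst, ttl, proto, payload_len):
    """20-byte IPv4 header (checksum left zero; a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def udp_probe(src, dst, ttl, dport, payload=b"\x00" * 32):
    """One traceroute probe: IPv4 header with the chosen TTL carrying a UDP datagram."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, ttl, IPPROTO_UDP, len(udp)) + udp


def icmp_error(reporter, victim, icmp_type, code, offending):
    """ICMP error as a router or host generates it: 8-byte ICMP header followed by
    the offending datagram's IP header and first 8 bytes (RFC 792), i.e. the UDP ports."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    return ipv4_header(reporter, victim, 64, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_error(pkt):
    """Return (reporter, icmp_type, code, quoted_dst, quoted_udp_dport)."""
    ihl = (pkt[0] & 0x0F) * 4
    reporter = str(IPv4Address(pkt[12:16]))
    icmp = pkt[ihl:]
    inner = icmp[8:]                           # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    quoted_dst = str(IPv4Address(inner[16:20]))
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return reporter, icmp[0], icmp[1], quoted_dst, dport


def forward(routers, dst, probe):
    """Constructed network: each router decrements TTL and, at zero, drops the
    probe and sends Time Exceeded. The destination has no listener on the high
    UDP port, so its stack answers Port Unreachable instead of delivering it."""
    src = str(IPv4Address(probe[12:16]))
    ttl = probe[8]
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return icmp_error(router, src, ICMP_TIME_EXCEEDED, 0, probe)
    return icmp_error(dst, src, ICMP_DEST_UNREACH, 3, probe)


def traceroute(src, dst, routers, max_hops=30, probes_per_hop=3):
    """Return [(ttl, [responder, ...]), ...] up to and including the destination."""
    hops, dport = [], BASE_PORT
    for ttl in range(1, max_hops + 1):
        responders, reached = [], False
        for _ in range(probes_per_hop):
            reply = forward(routers, dst, udp_probe(src, dst, ttl, dport))
            reporter, itype, code, _, quoted_dport = parse_icmp_error(reply)
            if quoted_dport != dport:          # the quoted port ties a reply to its probe
                raise ValueError("ICMP error does not match an outstanding probe")
            responders.append(reporter)
            reached |= (itype, code) == (ICMP_DEST_UNREACH, 3)
            dport += 1
        hops.append((ttl, responders))
        if reached:
            break
    return hops


def udp_port_range(max_hops=30, probes_per_hop=3):
    """UDP destination ports a firewall must pass outbound for one full run."""
    return BASE_PORT, BASE_PORT + max_hops * probes_per_hop - 1


if __name__ == "__main__":
    for ttl, who in traceroute("192.0.2.10", "198.51.100.5", ["10.0.0.1", "10.0.1.1"]):
        print(ttl, who)
    print("UDP ports used:", udp_port_range())
```

`udp_port_range()` also answers the firewall question for this probing scheme: with the defaults of 30 hops and 3 probes per hop the destination ports run from 33434 to 33523, so the firewall has to pass that outbound UDP range plus the returning ICMP type 11 (Time Exceeded) and type 3 code 3 (Port Unreachable) toward the source; Windows tracert sends ICMP Echo Requests instead, so for it the rule is ICMP type 8 outbound and types 0 and 11 back.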
theodoxa Member Posts: 1,340
1. Why are the Linux and Cisco implementations using UDP/ICMP and not ICMP/ICMP?
Microsoft being Microsoft. I guess they just had to be different.
2. How does it work? When the IP stack receives the UDP packet, how does it know to reply using the ICMP protocol?
Traceroute relies on creating a forced error, so to speak. It sets the TTL on the first packet so that the first L3 hop will drop it due to the TTL expiring. When a device drops a packet for certain reasons (in this case TTL exceeded), it returns what is essentially an error message using ICMP. Traceroute sets the TTL so that each packet gets 1 hop farther than the last before it is dropped. Each time it is dropped, the sending device will receive an ICMP message (error message) back from the router that dropped it. Traceroute uses these error messages to determine the path being used.
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
ccnpninja Member Posts: 1,010
Check this blog post and tell me what you think:
Understanding the Traceroute command - Keyboard Banger
my blog: https://keyboardbanger.com
Fitzi Member Posts: 40
I guess this is not directly related to your questions, but the following is a link to a NANOG presentation on traceroute, "A Practical Guide to (Correctly) Troubleshooting with Traceroute", which I found very good.
It touches on how traceroute works in the real world along with a few facts on OS implementations:
https://www.nanog.org/meetings/nanog45/presentations/Sunday/RAS_traceroute_N45.pdf
Some sections might be a bit obvious, but hopefully you find it useful; I did.