On Wed, 30 Jun 2004, at 8:21pm, [EMAIL PROTECTED] wrote:

> This isn't really a Linux question but with all the networking experts on
> the list, I figured this is as good a place to ask as any.
To understand what you are seeing, one will have to know how IP and traceroute work.

Every IP packet has a TTL (Time To Live) field. The TTL normally starts out at some reasonably high value, and gets decreased as it travels the network. In theory, TTL is decreased on a "cost" or "time" basis. In practice, most routers just decrement TTL by one no matter what. If TTL hits zero, the packet is assumed to have been "in transit" for too long, and dropped. Among other things, this keeps a routing loop from spinning packets forever. When a router encounters a packet with a TTL of zero, it normally sends a "Time Exceeded" ICMP Message to the system listed in the source address of the packet.

The "traceroute" utility (TR for short) works by crafting special packets with artificially low TTL values. TR starts out by sending packets with a TTL of one. Thus, the first router that gets the packet expires it. TR gets the "Time Exceeded" Message, and reports that as the first hop. TR then sends a packet with a TTL of two. It makes it past the first router, which decreases TTL to one. The next router then expires the packet, and sends back the ICMP Message, which TR reports as the second hop. And so on.

Eventually, the packet hits the destination system with a non-zero TTL. Traceroute needs some way to know that, too. Traditional traceroute sends UDP packets to port 33434, on the assumption that that port will be unused. When the destination host gets a packet for an idle port, it should send an ICMP "Port Unreachable" Message back to the sender, which TR uses to know it has found the destination. Some implementations (notably Microsoft's TRACERT.EXE) use ICMP "Echo Request" packets instead of UDP, and watch for the ICMP "Echo Response" packet.

Now, back to your problems.

> I'm wondering why a machine at work shows up twice on the traceroute
> output (see below) when I do the trace route from home.
Well, in your output, 134.241.121.88 shows up as the final destination, as well as the "gateway" before the last hop. That would indicate that TR received a "Time Exceeded" when it sent packets with a TTL of 11, and a "Port Unreachable" with a TTL of 12.

As for why *that* is happening, there are multiple possibilities. One possibility is a buggy IP stack on the destination host, that checks for TTL = 1 rather than TTL = 0. I would expect to see the same behavior for LAN traffic, then, though. Another is that the last-hop router has a bug which forwards TTL = 0 packets, causing them to reach the destination host with TTL = 0. I could also imagine some brain-damaged NAT implementation or firewall somewhere causing trouble. If you really want to know, put a sniffer between the host you are running traceroute on and its router. (Be warned that this could be considered a "security attack" in some organizations.)

> Could it be that 134.241.121.88 is set up as to route packets and is
> routing to itself?

All IP hosts route packets to themselves. Some just also forward packets that are not to themselves. So that should not matter. (I do say "should". There are a great many subtle bugs in a great many IP stacks.)

> On a side note, two routers that I might expect to be there, don't show up
> at all. One is the external interface for my 10.* network at home and the
> other is the main router for my site at work. As you can see, I don't even
> get a * * * for either of them.

When a router has to send an ICMP Message in response to a packet that cannot be forwarded (such as for "Time Exceeded"), it has to pick an IP interface (address) to originate the ICMP message from. This will typically be the interface that is closest to the destination (the host which sent the original packet). So you will not see your router's *external* interface; you will see the internal one (which is closer, and thus the router will originate the ICMP from there).
I imagine your router at work falls into this category, too.

In the general case, this means that running traceroute from A to B and then from B to A will generally yield different IP addresses for each hop. For that matter, there is nothing that says the path a packet travels will be the same each time, or each way. IP routing is a stateless operation.

--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
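An added example, not part of Ben's message: a small Python simulation of the TTL / ICMP mechanism he describes, run over a constructed four-router path. Switching on either hypothetical bug from the post (a last-hop router that forwards TTL = 0 packets, or a host that expires at TTL = 1) reproduces the destination showing up twice; the addresses and bug flags are assumptions for illustration.

```python
# Added example (not from the post): simulate traceroute over a constructed path.
# Routers decrement TTL and answer "Time Exceeded" from the interface facing the
# prober; the host answers "Port Unreachable" to the UDP probe. Two hypothetical
# bugs from the post can be switched on to reproduce the doubled final hop.
from dataclasses import dataclass

@dataclass
class Router:
    inside: str                  # interface nearest the probing host; ICMP is sourced here
    forwards_zero: bool = False  # bug: forwards the packet even after TTL hits 0

@dataclass
class Host:
    addr: str
    expires_at_one: bool = False  # bug: treats TTL == 1 as already expired

def send_probe(routers, host, ttl):
    """Return (icmp_source, icmp_type) for one UDP probe sent with the given TTL."""
    for r in routers:
        ttl -= 1
        if ttl <= 0 and not r.forwards_zero:
            return r.inside, "Time Exceeded"
    # The probe reached the destination host.
    if ttl <= 0 or (ttl == 1 and host.expires_at_one):
        return host.addr, "Time Exceeded"
    return host.addr, "Port Unreachable"  # nothing listens on UDP/33434

def traceroute(routers, host, max_hops=30):
    """List (hop, replying_address, icmp_type) until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        src, kind = send_probe(routers, host, ttl)
        hops.append((ttl, src, kind))
        if kind == "Port Unreachable":
            break
    return hops

# Constructed path (documentation addresses): home router, two ISP hops, work router.
PATH = [Router("10.0.0.1"), Router("192.0.2.1"), Router("192.0.2.9"), Router("198.51.100.1")]
DEST = Host("198.51.100.88")
BUGGY_LAST = PATH[:-1] + [Router("198.51.100.1", forwards_zero=True)]

if __name__ == "__main__":
    for label, routers, host in [("healthy", PATH, DEST),
                                 ("last router forwards TTL=0", BUGGY_LAST, DEST),
                                 ("host expires at TTL=1", PATH, Host(DEST.addr, expires_at_one=True))]:
        print(label)
        for n, src, kind in traceroute(routers, host):
            print(f"  {n:2d}  {src:15}  {kind}")
```

In the healthy run the host answers exactly once; with either bug it appears at two consecutive hops, first with "Time Exceeded" and then with "Port Unreachable", which is the pattern in the original output.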