On Fri, Feb 24, 2012 at 12:53 PM, Richard McClary <[email protected]> wrote: > From Illinois, I do a tracert command to a node in an NYC location, I trace > it though my switch and out my router. I then get three rows of asterisks > with “Request timed out” at the end. Then, magically, there is the remote > IP.
Traceroute works by sending packets with an artificially low TTL. It starts at one and then increases it by one for each "hop". When a router forwards a packet (one "hop"), it generally decreases the TTL by one. As the TTL of each probe reaches zero, the intermediate router is supposed to respond with an ICMP "Time Exceeded" message. Traceroute prints the source IP address of each such message it gets back. If it doesn't hear back within a timeout period, traceroute prints an asterisk and moves on. The rows of asterisks indicate some of the intermediate routers are either not generating the ICMP "Time Exceeded" message, or some other device is not forwarding those messages back to you. Given that you get a response from the destination, you might think this has to be a "not generating the message" scenario, and not a "not forwarding" scenario. Not so. A lot of big ISPs use RFC-1918 private addresses internally. Their routers might actually emit the ICMP message with a source address in an RFC-1918 net. That packet then gets caught by their own egress filtering, and you never see it. > From NYC (either a person in NYC running the tracert, or me in an RDP > session), if I do a tracert back to a node in IL, I see the external IP of > each router (rather than the asterisks and the “timed out” returns). One scenario: It could be there is ICMP filtering happening at one end, but not the other. In other words, it could be that in both cases the routers are generating the ICMP messages, but they are getting blocked on their way to you. On the way to NYC, they are not blocked. Another scenario: It could be the routers are using different source addresses for the ICMP messages, and some of those are being filtered while others are not. Or that filtering is different in different directions. The source address used in an ICMP message generated by a multi-address node (like a router) is implementation dependent. Most commonly, the router will use the address of the interface which received the offending packet. So, going one way, the router uses the addresses of the interfaces "facing" in your direction. Going the other way, the router uses the addresses of the interfaces "facing" NYC. You might try a third-party traceroute implementation. Microsoft's can only use ICMP "Echo Request" (ping) packets. Most other implementations use UDP, or offer a choice. Sometimes routers will react differently depending on the type of traffic used for the traceroute probes. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
