Scott Fenton on Thu, 16 Aug 2001 10:01:33 -0400



[tcptra-dev] Updated manpage


Hello all. I had a fit of documenting last night, and 
the result is a rewritten manpage, updated to reflect
all the changes from 1.1 to 1.3-beta1. I attached it
to this email. If people could comment and patch, and
if Mike would kindly add it to the distribution, I'd
appreciate it.

-Scott

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d>- s: a14 C++>++++ UL++++>$ P++(++++) L+++>++++ 
E>++ W++(--) N !o K w--- !O M+(--) !V PS++(+++) PE 
Y+>++ PGP+@ t- 5- !X R- tv+>! b>+++ DI++++ !D G 
e->++++ h! r y-
------END GEEK CODE BLOCK------
.TH TCPTRACEROUTE 8 "2001 Aug 16"
.SH NAME
tcptraceroute \- A traceroute implementation using TCP packets
.SH SYNOPSIS
.B tcptraceroute
[
.B \-AdEFhNnSv
] [
.BI \-f " minttl"
] [
.BI \-i " interface"
] [
.BI \-l " pktlen"
] [
.BI \-m " maxttl"
] [
.BI \-P " source port"
] [
.BI \-p " source port"
] [
.BI \-q " queries"
] [
.BI \-s " source address"
] [
.BI \-t " tos"
] [
.BI \-w " timeout"
] host [
.I "destination port"
] [
.I length
]
.SH DESCRIPTION
.B tcptraceroute
is a version of traceroute that uses TCP packets.
.PP
The more traditional versions of
.BR traceroute (8)
that are descended from the Van Jacobson version send out UDP or ICMP ECHO packets with a TTL that is incremented each time, so as to extract an ICMP TIME EXCEEDED message from each router along the route to the host. Using these packets, it is possible to see the "path" to the host, and, by timing the response time, discover bottlenecks in the Internet.
.PP
The problem is that with the widespread use of firewalls on the Internet, deployed to filter out script kiddies and DDoS attacks, the packets sent out by
.I traceroute, tracepath
and the family of similar programs tend to get filtered, making the final part of the path invisible.
.PP
Enter
.BR tcptraceroute .
This program sends out TCP SYN (connection initiation) packets. Since the default destination port (port 80) is very rarely filtered, the default mode gets through the most common firewall configurations. Using the
.B -A
and
.B -S
flags, it is possible to bypass even more types of firewalls. These flags set the ACK and SYN bits, respectively, in outgoing packets. A probe with ACK set appears to be part of an already established TCP connection, which gets it past packet filters that only allow "outgoing" connections by admitting anything that carries the ACK bit.
.PP
It is worth noting that
.B tcptraceroute
never actually establishes a complete TCP connection. If the host is not listening on the target port, it will respond to the SYN with an RST packet, indicating the port is closed. On the other hand, if the host responds with a SYN|ACK packet, the port is known to be open. In this case,
.B tcptraceroute
sends an RST packet to the host rather than completing the three-way TCP handshake. This is the same half-open technique used by
.BR nmap (1)
with the
.B -sS
flag set, and it looks the same to an intrusion detection system. As a result you may get some emails from vigilant sysadmins asking why you are port scanning one port on a lot of machines.
.SH OPTIONS
.TP
.B \-A
Set the ACK flag in outgoing packets.
.TP
.B \-d
Enable debugging, which may or may not be useful.
.TP
.B \-E
Send ECN packets, as described in RFC 2481.
.TP
.B \-F
Set the "don't fragment" bit in outgoing packets.
.TP
.BI \-f " minttl"
Set the initial TTL to
.IR minttl .
This can be used to skip the first few hops when they are already known.
.TP
.B \-h
Print a help banner and exit.
.TP 
.BI \-i " interface"
On a multi- (or even single-) homed host, send packets out through
.IR interface .
.TP
.BI \-l " pktlen"
Set the size of outgoing packets to
.IR pktlen .
The default is to send a packet with just the current time in it.
.TP
.BI \-m " maxttl"
Set the maximum TTL to
.IR maxttl .
The default is 30, the maximum is 255, the minimum is 1.
.TP
.B \-N
Do not attempt to resolve addresses in the RFC 1918 private spaces.
.TP
.B \-n
Do not resolve any addresses, instead printing IP addresses.
.TP
.BI \-p " port"
Set the source port to
.IR port .
The default is to obtain a random port from the kernel.
.TP
.BI \-P " port"
Same as above, but force the port, so system ports can be used.
.TP
.BI \-q " queries"
Make
.I queries
queries at each hop. Default is three.
.TP
.B \-S
Set the SYN flag in outgoing packets.
.TP
.BI \-s " address"
Set the source address to
.IR address .
Useful on multi-homed hosts.
.TP
.BI \-t " tos"
Set the IP type-of-service field to
.IR tos .
.TP
.BI \-v
Print a version banner and exit.
.TP
.BI \-w " timeout"
Wait 
.I timeout
seconds before giving up on receiving a response to a given packet.
.SH EXAMPLES
Please see the 
.I examples.txt
file in the
.B tcptraceroute
distribution for a few real world examples.
.PP
To trace the path to a webserver waiting for connections on port 80, do:
.PP
.RS
.BI tcptraceroute " webserver"
.RE
.PP
To trace to a mailserver waiting on SMTP port 25, use:
.PP
.RS
.BI tcptraceroute " mailserver"
25
.RE
.SH BUGS
No checking is done on the source address set by
.BR \-s .
It is therefore possible to send out packets which 
.B tcptraceroute
has no chance of receiving a response to.
.PP
Complete portability to all Unix systems has not been tested. Specifically,
.B tcptraceroute
will not function on systems which alter the IP ID field on packets sent to raw sockets or without a port of
.BR libpcap .
Currently
.B tcptraceroute
is known to build successfully on Linux, FreeBSD, OpenBSD, and HPUX.
.SH AUTHOR
Michael C. Toren <mct@toren.net> is the primary developer. He has received bug reports and/or patches from Kevin McAllister <kevin@mcallister.net>, Scott Gifford <sgifford@tir.com>, Christophe Barb <christophe.barb@lineo.fr>, Jim Penny <jpenny@debian.org>, and Zordan Dezelajlija <jelly@srk.fer.hr>. This manual page was written by Scott Fenton <scott@fenton.batlimore.md.us>.
.SH AVAILABILITY
For updates, please see:
.RS
http://michael.toren.net/code/tcptraceroute/
.RE
.SH SEE ALSO
RFCs 768, 791, 792, 793, 1337, 1918, and 2481. These are available for download from
.BR <ftp://ftp.isi.edu/in-notes/> .
.PP
.BR traceroute (8),
.BR tracepath (8),
.BR ping (8),
.BR nmap (1).

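The DESCRIPTION section of the manpage above describes the mechanism in prose: one TCP probe per TTL, an ICMP TIME EXCEEDED from each router that quotes the probe's header and has to be matched back to it, a SYN|ACK or RST from the target, and a bare RST from tcptraceroute in place of the handshake's third packet. The following Python is an added example of that exchange, not tcptraceroute's own code and not from the distribution. It crafts and parses raw IPv4/TCP/ICMP bytes in memory, so it runs offline without raw sockets; the addresses and ports are made up, the replies are constructed in-process to stand in for the network, and carrying the probe TTL in the IP ID field (so the router's quoted header identifies the hop) is an assumed scheme chosen for illustration, which is one reason a kernel that rewrites the IP ID on raw-socket output, as the BUGS section warns, breaks this kind of matching. One caveat the manpage does not spell out: the -A trick only gets past stateless packet filters that pass anything with the ACK bit set; a stateful firewall that tracks connections drops an ACK that belongs to no flow it has seen.

```python
"""Added example: craft tcptraceroute-style probes and classify what comes back.

Not tcptraceroute's own code.  Everything is built and parsed as bytes, with no
raw sockets, so it runs offline; addresses and ports are constructed test data.
"""
import socket
import struct

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10
IP_DF = 0x4000


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, tos=0, df=False):
    """20-byte IPv4 header; the checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      IP_DF if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_header(src, dst, sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header, checksummed over the IPv4 pseudo-header (RFC 793)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 5840, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + \
        struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_probe(src, dst, sport, dport, ttl, flags=TH_SYN, tos=0, df=False):
    """One probe for one hop (-f/-m pick the TTL, -A/-S the flags, -t the TOS,
    -F the DF bit).  The IP ID carries the TTL so that a router's ICMP quote of
    this header identifies the hop: an assumed scheme, not tcptraceroute's."""
    tcp = tcp_header(src, dst, sport, dport, flags)
    return ipv4_header(src, dst, socket.IPPROTO_TCP, len(tcp), ttl,
                       ident=ttl, tos=tos, df=df) + tcp


# --- constructed replies, standing in for the network -----------------------

def time_exceeded(router, probe):
    """ICMP type 11 from `router`, quoting the probe's IP header + 8 bytes."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, socket.inet_ntoa(probe[12:16]),
                       socket.IPPROTO_ICMP, len(icmp)) + icmp


def tcp_reply(probe, flags):
    """The target's answer: SYN|ACK for an open port, RST for a closed one."""
    src, dst = socket.inet_ntoa(probe[16:20]), socket.inet_ntoa(probe[12:16])
    ihl = (probe[0] & 0x0F) * 4
    sport, dport, pseq = struct.unpack("!HHI", probe[ihl:ihl + 8])
    tcp = tcp_header(src, dst, dport, sport, flags, seq=0x1234, ack=pseq + 1)
    return ipv4_header(src, dst, socket.IPPROTO_TCP, len(tcp)) + tcp


# --- the receive side: match the reply to our probe and classify it ----------

def classify(pkt, probe_sport):
    """Return (verdict, hop_ttl).  'ttl-exceeded' carries the TTL recovered from
    the quoted IP ID; 'open' is SYN|ACK, 'closed' is RST; anything not addressed
    to our source port is 'unrelated' (other traffic on the same wire)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == socket.IPPROTO_ICMP and pkt[ihl] == 11:
        quoted = pkt[ihl + 8:]                      # original IP header + 8 bytes
        q_ihl = (quoted[0] & 0x0F) * 4
        q_id = struct.unpack("!H", quoted[4:6])[0]
        q_sport = struct.unpack("!H", quoted[q_ihl:q_ihl + 2])[0]
        return ("ttl-exceeded", q_id) if q_sport == probe_sport else ("unrelated", None)
    if proto == socket.IPPROTO_TCP:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        flags = pkt[ihl + 13]
        if dport != probe_sport:
            return ("unrelated", None)
        if flags & TH_RST:
            return ("closed", None)
        if flags & TH_SYN and flags & TH_ACK:
            return ("open", None)
    return ("other", None)


def teardown_rst(synack):
    """What tcptraceroute sends instead of the handshake's third packet: a bare
    RST whose sequence number is the SYN|ACK's acknowledgement number, so the
    target never reaches ESTABLISHED (the nmap -sS half-open behaviour)."""
    ihl = (synack[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(synack[16:20]), socket.inet_ntoa(synack[12:16])
    sport, dport, _seq, ack = struct.unpack("!HHII", synack[ihl:ihl + 12])
    tcp = tcp_header(src, dst, dport, sport, TH_RST, seq=ack)
    return ipv4_header(src, dst, socket.IPPROTO_TCP, len(tcp)) + tcp


if __name__ == "__main__":
    probe = build_probe("192.0.2.10", "198.51.100.80", 40001, 80, ttl=3)
    print(classify(time_exceeded("203.0.113.1", probe), 40001))   # ('ttl-exceeded', 3)
    print(classify(tcp_reply(probe, TH_SYN | TH_ACK), 40001))      # ('open', None)
```

Each hop's loop is then: build_probe with the next TTL, classify whatever arrives before the -w timeout, and stop once a reply classifies as open or closed, sending teardown_rst in the open case. Matching on the source port is what keeps a busy link's unrelated RSTs and ICMP messages from being mistaken for hops, which is also why -p/-P matter when several traces run at once.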