Michael C. Toren on 26 Oct 2004 16:09:03 -0000


Re: [tcptra-dev] tcpdump showing more than tcptraceroute


On Tue, Oct 26, 2004 at 05:37:31PM +0200, Thomas Springer wrote:
>  8  10.8.1.106 (10.8.1.106)  174.279 ms  174.141 ms  174.261 ms
>  9  * * *
> 10  pages.ebay.de (66.135.208.85) [open]  173.811 ms  174.205 ms 174.729 ms

[..]

>  22.459307   10.8.1.106 -> xxx.xx.192.133 ICMP Time-to-live exceeded
>  22.633670   10.8.1.106 -> xxx.xx.192.133 ICMP Time-to-live exceeded
>  22.808153   10.8.1.106 -> xxx.xx.192.133 ICMP Time-to-live exceeded
>  22.983260  10.8.105.14 -> xxx.xx.192.133 ICMP Time-to-live exceeded
>  25.987368  10.8.105.14 -> xxx.xx.192.133 ICMP Time-to-live exceeded
>  28.996546  10.8.105.14 -> xxx.xx.192.133 ICMP Time-to-live exceeded
>
> Why won't tcptrace display the last ip-address (10.8.105.14), when it
> shows up in the icmp-packets?

That's interesting.  Can you try the experiment again, but this time giving
tcptraceroute the "-d" (debug) option?  From my point of view, I can also
observe that the next to the last hop times out when tracing to ebay.com,
however with debugging enabled I see:

    [...]

    debug: Sent probe 1 of 3 for hop 15, IP ID 28159, source port 39618, SYN
    debug: received 56 byte IP packet from pcap_next()
    debug: Received icmp packet
    debug: Ignoring ICMP packet with incorrect quoted destination (10.8.35.77, not 66.135.208.85)
    debug: select() timeout
    debug: timeout
    debug: displayed hop
    15  *

    debug: Sent probe 2 of 3 for hop 15, IP ID 9643, source port 39618, SYN
    debug: received 56 byte IP packet from pcap_next()
    debug: Received icmp packet
    debug: Ignoring ICMP packet with incorrect quoted destination (10.8.35.77, not 66.135.208.85)
    debug: select() timeout
    debug: select() timeout
    debug: timeout
    debug: displayed hop
     *

    debug: Sent probe 3 of 3 for hop 15, IP ID 51980, source port 39618, SYN
    debug: received 56 byte IP packet from pcap_next()
    debug: Received icmp packet
    debug: Ignoring ICMP packet with incorrect quoted destination (10.8.35.77, not 66.135.208.85)
    debug: select() timeout
    debug: select() timeout
    debug: timeout
    debug: displayed hop
     *

If I run the same test again with "--track-port" (to send each probe with a
new TCP source port) and "-q 10" (to increase the number of probes for each
hop), the IP address the ICMP packet incorrectly quotes fluctuates between
10.8.35.73, 10.8.35.74, 10.8.35.75, 10.8.35.76, and 10.8.35.77.  My guess is
that this is revealing a layer of load-balancing that may be related to NAT
in some way, which does not appear to be correctly rewriting the addresses
in the IP packet quoted by the ICMP message.

-mct

-- 
perl -e'$u="\4\5\6";sub H{8*($_[1]%79)+($_[0]%8)}sub G{vec$u,H(@_),1}sub S{vec
($n,H(@_),1)=$_[2]}$_=q^{P`clear`;for$iX){PG($iY)?"O":" "forX8);P"\n"}for$iX){
forX8){$c=scalar grep{G@$_}[$i-1Y-1Z-1YZ-1Y+1ZY-1ZY+1Z+1Y-1Z+1YZ+1Y+1];S$iY,G(
$iY)?$c=~/[23]/?1:0:$c==3?1:0}}$u=$n;select$M,$C,$T,.2;redo}^;s/Z/],[\$i/g;s/Y
/,\$_/xg;s/X/(0..7/g;s/P/print+/g;eval' #     Michael C. Toren <mct@toren.net>

_______________________________________________
tcptraceroute-dev mailing list
tcptraceroute-dev@netisland.net
http://lists.netisland.net/mailman/listinfo/tcptraceroute-dev
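
The "Ignoring ICMP packet with incorrect quoted destination" debug lines above come down to comparing the destination in the IP header quoted inside the ICMP error with the address that was probed. The following is an added illustration of that comparison, not tcptraceroute's own source and not part of the original message. The function names, the enum, and the 192.0.2.1 router address are assumptions, the packet is constructed, and only ICMP time-exceeded (type 11) is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_MATCH, V_WRONG_QUOTED_DST, V_NOT_TTL_EXCEEDED, V_TOO_SHORT };

/* Inspect a raw IPv4 packet holding an ICMP error and compare the destination
 * in the quoted (inner) IP header with the address that was probed. */
enum verdict check_reply(const uint8_t *pkt, size_t len,
                         const uint8_t probe_dst[4], uint8_t quoted_dst[4])
{
    if (len < 20) return V_TOO_SHORT;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* outer header length */
    if (ihl < 20 || len < ihl + 8 + 20) return V_TOO_SHORT;
    if (pkt[9] != 1 || pkt[ihl] != 11)              /* ICMP, type 11 */
        return V_NOT_TTL_EXCEEDED;
    const uint8_t *inner = pkt + ihl + 8;           /* quoted IP header */
    memcpy(quoted_dst, inner + 16, 4);              /* its destination field */
    return memcmp(quoted_dst, probe_dst, 4) == 0 ? V_MATCH : V_WRONG_QUOTED_DST;
}

/* Constructed sample: 20-byte IP + 8-byte ICMP + quoted 20-byte IP + 8 bytes
 * of TCP = 56 bytes, the packet size reported in the debug output. */
size_t build_sample(uint8_t out[56], const uint8_t router[4],
                    const uint8_t quoted_dst[4])
{
    memset(out, 0, 56);
    out[0] = 0x45; out[3] = 56; out[8] = 64; out[9] = 1;    /* outer: ICMP */
    memcpy(out + 12, router, 4);                            /* outer source */
    out[20] = 11;                                           /* time exceeded */
    out[28] = 0x45; out[31] = 40; out[36] = 1; out[37] = 6; /* inner: TCP */
    memcpy(out + 28 + 16, quoted_dst, 4);                   /* inner dest */
    return 56;
}

int main(void)
{
    const uint8_t target[4] = {66, 135, 208, 85};   /* probed address (from the post) */
    const uint8_t natted[4] = {10, 8, 35, 77};      /* quoted address (from the post) */
    const uint8_t router[4] = {192, 0, 2, 1};       /* constructed placeholder */
    uint8_t pkt[56], q[4];
    size_t n = build_sample(pkt, router, natted);
    if (check_reply(pkt, n, target, q) == V_WRONG_QUOTED_DST)
        printf("ignored: quoted destination %u.%u.%u.%u\n", q[0], q[1], q[2], q[3]);
    build_sample(pkt, router, target);
    printf("correct quote -> verdict %d\n", check_reply(pkt, 56, target, q));
    return 0;
}
```

A reply rejected this way is still visible to a packet capture, which is why a sniffer can show a hop address that the trace prints as `*`.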