Michael C. Toren on 3 Jan 2005 07:51:16 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[tcptra-dev] tcptraceroute-1.5beta6; DNAT detection

I'm pleased to report that tcptraceroute-1.5beta6 is now available at
Most notably this version includes preliminary support for Destination NAT
(DNAT) detection, based on information from an earlier thread [1] initiated
by Thomas Springer <tuevsec@gmx.net>.  For example, when tracing to ebay.com
using the new --dnat option, we can see that the 15th hop is NATing us to
the internal address

    # ./tcptraceroute -q1 -f11 --track-port --dnat ebay.com
    Selected device eth0, address for outgoing packets
    Tracing the path to ebay.com ( on TCP port 80 (www), 30 hops max
    11  p14-0.CHR1.LA-CA.us.xo.net (  69.420 ms
    12 (  79.152 ms
    13  79.162 ms
    14  76.823 ms
    15  76.765 ms
          Detected DNAT to
    16  77.328 ms
    17  pages.ebay.com ( [open]  78.124 ms

Another example can be seen on my home network.  As my cable provider only
gives me a single IP address, I use a Linux (2.4.27) router to SNAT outbound
connections, and DNAT to port-forward unused ports on the external IP
address to various internal machines on port 22 for remote ssh access.
tcptraceroute detects this DNAT, and reports the port-forwarding as well:

    # ./tcptraceroute -q1 -f11 --dnat home 222
    Selected device eth0, address, port 36006 for outgoing packets
    Tracing the path to home ( on TCP port 222, 30 hops max
    11  cr01-pos-0-0.torresdale.pa.core.comcast.net (  14.900 ms
    12  pos-9-1-ar01.norristown.pa.pa03.comcast.net (  15.557 ms
    13  *
          Detected DNAT to
    14  pcp05405229pcs.norstn01.pa.comcast.net (  134.175 ms
    15  pcp05405229pcs.norstn01.pa.comcast.net ( [open]  68.293 ms

(The timeout on the 13th hop is normal behavior on Comcast's network, and is
unrelated to tcptraceroute.)

If anyone is aware of any other DNAT examples and wouldn't mind if their
existence was made public, I would encourage you to post them to this list
with the IP addresses in question, and if "tcptraceroute --dnat" was able to
detect it or not.  For some addresses (such as ebay.com) it may be necessary
to force --track-port, even if your operating system (basically, anything
except Solaris) is capable of using --track-id.

I would also encourage beta testers to download and run the tcptraceroute
compatibility test suite from
<http://michael.toren.net/code/tcptraceroute/compatibility/>, and mail the
results privately to myself so that they can be included on the website.  At
the moment I have only tested 1.5beta6 on one architecture (Linux i686), and
for only one version of libnet (1.0.2a) and libpcap (0.6).

The completely changelog for 1.5beta6 reads as follows:

    New --dnat, --no-dnat (default), and --no-dnat-strict command line
    arguments.  --dnat enabled Destination NAT detection, which works by
    comparing the quoted IP address in an ICMP payload with the
    destination a probe packet was addressed to.

    Numeric IP address in parenthesis is now only displayed if the content
    in the parenthesis is different than the non-parenthesized content,
    making the output less busy.

    The SYN ISN (Initial Sequence Number) now set to a random 32bit value;
    previously had always been zero.

    Added missing htons() call around the arguments to getservbyport(),
    which resulted in the destination port service name not being correctly
    reported on some architectures, by Dmitry Karasik <dimakar@yahoo.com>

    Improved the configure.ac so that it is less likely to link against
    unnecessary libraries by "Dmitry V. Levin" <ldv@altlinux.org>

    --no-select is now the default under NetBSD, based on a report and data
    collected by Ed Ravin <eravin@panix.com>.

    Split the tcptraceroute.c file into main.c, datalink.c, probe.c,
    capture.c, util.c, and a number of include files, which should make
    things much more manageable.


[1] http://lists.netisland.net/archives/tcptraceroute/tcptraceroute-2004/msg00020.html

perl -e'$u="\4\5\6";sub H{8*($_[1]%79)+($_[0]%8)}sub G{vec$u,H(@_),1}sub S{vec
($n,H(@_),1)=$_[2]}$_=q^{P`clear`;for$iX){PG($iY)?"O":" "forX8);P"\n"}for$iX){
forX8){$c=scalar grep{G@$_}[$i-1Y-1Z-1YZ-1Y+1ZY-1ZY+1Z+1Y-1Z+1YZ+1Y+1];S$iY,G(
/,\$_/xg;s/X/(0..7/g;s/P/print+/g;eval' #     Michael C. Toren <mct@toren.net>

tcptraceroute-dev mailing list