Know Your Network! (Cont.)
Traceroute/Tracert – More "Know your Network"
What is ‘Tracert’? (Trace Route or Traceroute)
If you are trying to send or receive information to a particular host on the internet, and it is not connecting, it is possible that one of the servers or computers that is in the route to that host is having a problem. Tracert is a great way to find out where in the routing to the host, the problem is occurring by identifying the problem server or computer.
When communicating with a host on the Internet, it seems that because the communication is instantaneous, there is a direct connection between your device and the host, but that isn’t true, there can be many intermediate connections between your device and the host device.
The Tracert diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, Tracert uses varying IP Time-To-Live (TTL) values.
Because each router along the path is required to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer.
Tracert sends the first echo packet with a TTL of 1 and increments the TTL by 1 on each subsequent transmission, until the destination responds or until the maximum TTL is reached. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. Note however that some routers silently drop packets that have expired TTLs, and these packets are invisible to Tracert.
What is a Tracert Test?
The Tracert Test service attempts to trace the route to an internet host by launching probe packets with a small "TTL" (Time To Live) then listening for an ICMP "time exceeded" reply from a gateway.
The first probes starts with a "time-to-live" value of one, the next probe has a "TTL" value of 2 and continue to increase by one until we get an ICMP "port unreachable" (indicating the "host" has been reached) or the max has been reached, which defaults to 30 hops. Three probes are sent at each "TTL" value setting and a line is displayed showing the address of the gateway and round trip time of each probe. If the probe answers come from different gateways, the address of each responding system will be displayed. If there is no response within a 3 sec. timeout interval, a "*" is displayed for that probe.
A trace route procedure allows you to find the path from your device to the host device identifying the device of each hop and the time it took to access each device.
Essentially, the traceroute compiles a list of the computers on the network that are involved with a specific Internet activity.
The trace route identifies each computer/server on that list and the amount of time it took the data to get from one computer to the next. If there was a hiccup or interruption in the transfer of data, the traceroute will show where along the route the problem occurred.
Aside from being somewhat interesting, performing a traceroute also has a very practical use: If someone is having difficulty accessing a particular website or computer, performing a traceroute can help find out where the problem is occurring along the network.
How data travels.
Each computer on the trace route is identified by its IP address, which is the nine-digit number separated by periods that identifies that computer's unique network connection. The trip to one computer or server is called a HOP. The time it takes to make a HOP is measured in milliseconds and the information that travels on each HOP is called a packet
A trace route readout typically will display three separate columns for the hop time, as each traceroute sends out three separate packets of information to each computer. At the very top of the list, the traceroute will give the limit of how many lines of hops it will display—30 hops is often the default number of Hops.
When a traceroute has difficulty accessing a computer, it will display the message "Request timed out." Each of the hop columns will display an asterisk instead of a millisecond count.
How to run a traceroute.
On a PC using Windows, you can perform a traceroute using the traceroute utility on the Windows operating system (as long as you are not attempting to tap into heavily secured networks). You'll need to know the domain name, IP address or name of the specific computer you're trying to reach.
Using the traceroute utility, you would type "tracert x"—where "x" stands for the IP address, the domain name or the computer name.
If using Macintosh OS X or any subsequent versions, you may use either the Terminal program or the network utility to generate a traceroute. The utility will display the traceroute on your screen.
How to Use TRACERT Options
There are several command-line options that you can use with TRACERT, although the options are not usually necessary for standard troubleshooting.
The following example of command syntax shows all of the possible options:
tracert [-d] [-h] maximum_hops [-j] host-list [-w] timeout target_host [-R] [-S] srcaddr [-4] [-6].
What the options do:
-d - Specifies to not resolve addresses to host names.
-h maximum_hops - Specifies the maximum number of hops to search for the target. If the target is not found by 30 hops tracert will stop looking (default setting)
-j host-list - Specifies loose source route along the host- list.
-w timeout - Waits the number of milliseconds specified by timeout for each reply.
target_host - Specifies the name or IP address of the target host
-R - Trace round-trip path (IPv6-only)
-S srcaddr - Source address to use (IPv6-only)
-4 - Force using IPv4.
-6 - Force using IPv6.
The tracert command is a Command Prompt command that's used to show several details about the path that a packet takes from the computer or device you're on to whatever destination you specify.
You might also sometimes see the tracert command referred to as the trace route command or traceroute command.
To analyze tracert traffic: Tracert –d 220.127.116.11
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Protocol Version 4 to view IPv4 details.
5. Observe the Time to live. Notice that the time to live is set to 1.
6. Expand Internet Control Message Protocol to view ICMP details.
7. Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP Echo requests, varying the Time-To-Live (TTL) until the destination is found.
8. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II /Internet Protocol Version 4 / Internet Control Message Protocol frame.
10. Expand Internet Protocol Version 4 to view IPv4 details.
11. Observe the Source. This is the IP address of the router where the time was exceeded.
12. Expand Internet Control Message Protocol to view ICMP details.
13. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
14. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
16. Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router where the time to live was exceeded.
Wireshark Trace with filtering -
Author - George Bouchard - George is a Technology Writer and Evangelist for ProfiTAP, a worldwide leader in providing unique and the highest quality visibility and access solutions for Network Visibility and Testing.“It All Starts with Visibility!”
George has been in associated with many network analysis and testing companies in his many years in the networking industry, Network General makers of the original network “Sniffer”, Netcom (now Spirent), NetIQ (now part of Micro Focus) and ClearSight.
The technology industry has always amazed me because the technology of my youth was the Monroe Calculator and the IBM Electric Typewriter (before Selectric) I am always in awe on how far the industry has advanced in my lifetime.
**Note from the Editor - I have known George for many decades and not only is he a super friend but an awesome and very experienced technologist and that is why he is writing the "Know Your Network" series with others for ProfiTAP!.