Tuesday, January 15, 2013

Traceroute Tool Explained: the functional details of the traceroute tool

Hello, dear reader. With this post we are starting a set of publications explaining the technical details of some networking tools. From time to time we get e-mails from our visitors with questions we would like to cover, to help people better understand the tools, their principles and their details.

So we start our coverage with the "traceroute" tool.

What does "traceroute" mean?

As we know, data exchange in the network is performed by implementations of generic protocols, most of which are built on the low-level Internet Protocol (IP). This protocol describes the basic principles of communication between network devices and how that communication is made possible in technical terms. As a tool, traceroute can be implemented on top of different protocols, such as ICMP, UDP and TCP. In this article we focus on the ICMP implementation of the tool: ICMP itself is very close to plain IP-packet exchange, so we stay close to IP itself. (For orientation: Windows tracert sends ICMP Echo probes, as described here, while the classic Unix traceroute sends UDP probes to high ports by default and expects an ICMP Destination Unreachable / Port Unreachable from the target instead of an Echo Reply. The TTL mechanism explained below is the same in both cases.)

So here we are talking about networking; IP networking, to be precise.

Data exchange in this type of network is done with IP packets. Each packet consists of two parts, a header and a body. The body holds the actual data (or part of it, if the data is fragmented into several packets), and the header contains the extra information required to make the transmission possible.

Now let's see how the transmission between computers in IP-networks works in general.

Usually two computers in a network are not connected to each other directly. When the Sender sends data to the Receiver, the data passes through several routers (or gateways) across a set of IP networks (which, globally, is the Internet). Those routers (1 to N) through which the data passes are the hops that identify the path (route) by which the packets flow from the Sender to the Receiver.

The goal of the traceroute tool is to discover the path by which packets flow from one network device to another. This makes it possible to analyze how packets are delivered and how long it takes to reach each routing point along the way. It also allows network configurations to be analyzed and tested, and configuration problems to be found.

To understand how the traceroute tool works in practice, it is first necessary to understand how the data packets themselves are organized.

Let's see what an IP packet is. Since there are two major versions of IP in use today (v4 and v6), we introduce both of them.

IPv4 Packet Structure (header fields; offsets in octets and bits from the start of the packet)

Octet  Bit   Field(s)
  0      0   Version (4 bits) | IHL (4 bits) | DSCP (6 bits) | ECN (2 bits) | Total Length (16 bits)
  4     32   Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
  8     64   Time To Live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
 12     96   Source IP Address (32 bits)
 16    128   Destination IP Address (32 bits)
 20    160   Options (only if IHL > 5)
             Packet Data

IPv6 Packet Structure (fixed header; offsets in octets and bits from the start of the packet)

Octet  Bit   Field(s)
  0      0   Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  4     32   Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  8     64   Source IP Address (128 bits, octets 8-23)
 24    192   Destination IP Address (128 bits, octets 24-39)
 40    320   Packet Data

The IP header fields most interesting from the traceroute point of view are:

  • Source IP Address
    Holds the IP address of the source network device (the Sender)
  • Destination IP Address
    Holds the IP address of the destination network device (the Receiver)
  • Time To Live (IPv4), Hop Limit (IPv6)
    The field has different names in IPv4 and IPv6 but the same meaning in both. We use the abbreviation TTL/HL for it below and explain in detail what it is and why it is useful.

TTL/HL is a field that limits how many hops (routers) a packet may pass through before it is discarded; its original purpose is to keep a packet caught in a routing loop from circulating forever. When a router discards the packet for this reason, the Sender receives an ICMP Time Exceeded error. The default value of the field differs between operating systems: on Windows it is usually 128, on Linux hosts 64.

When the packet reaches a router, that router decrements the TTL/HL value by one. The router then checks the value and, if it is zero, drops the incoming packet and sends back to the device at the Source IP Address an ICMP Time Exceeded message (ICMP type 11, code 0 for IPv4; ICMPv6 type 3, code 0 for IPv6). For IPv4 the router must also recompute the Header Checksum after changing the TTL, because the checksum covers the header; the IPv6 header carries no checksum.
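To make the header layout and the TTL/HL rule concrete, here is an added example in Python 3 (it is not code from the original post). It builds minimal IPv4 and IPv6 headers, extracts the three fields named above, verifies the IPv4 Header Checksum, and simulates what each router does with the packet: decrement TTL/HL, fix the checksum, and either forward the packet or answer with Time Exceeded. The function names and the documentation addresses (RFC 5737 and RFC 3849 ranges) are this example's own choices.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, protocol: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options) with a correct Header Checksum."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, protocol, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))   # computed with the field zeroed
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_ipv6(src: str, dst: str, hop_limit: int, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, traffic class 0, flow label 0); no checksum field."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def parse_ip_header(pkt: bytes) -> dict:
    """Extract the fields traceroute cares about; 'ttl' holds the Hop Limit for IPv6."""
    version = pkt[0] >> 4
    if version == 4:
        header_len = (pkt[0] & 0x0F) * 4                 # IHL counts 32-bit words
        if header_len < 20 or len(pkt) < header_len:
            raise ValueError("truncated IPv4 header")
        if inet_checksum(pkt[:header_len]) != 0:         # a valid header checksums to zero
            raise ValueError("bad IPv4 header checksum")
        return {"version": 4, "header_len": header_len, "ttl": pkt[8], "protocol": pkt[9],
                "src": str(ipaddress.IPv4Address(pkt[12:16])),
                "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        return {"version": 6, "header_len": 40, "ttl": pkt[7], "protocol": pkt[6],
                "src": str(ipaddress.IPv6Address(pkt[8:24])),
                "dst": str(ipaddress.IPv6Address(pkt[24:40]))}
    raise ValueError("unknown IP version %d" % version)


def router_forward(pkt: bytes):
    """One hop's handling of TTL/HL: ("forward", packet with TTL-1) or ("time_exceeded", quoted),
    where quoted is the part of the packet the router echoes back inside ICMP Time Exceeded."""
    hdr = parse_ip_header(pkt)
    new_ttl = hdr["ttl"] - 1
    if new_ttl <= 0:
        if hdr["version"] == 4:
            return ("time_exceeded", pkt[:hdr["header_len"] + 8])   # RFC 792: IP header + 64 bits
        return ("time_exceeded", pkt[:1280 - 40 - 8])               # RFC 4443: what fits in the min MTU
    out = bytearray(pkt)
    if hdr["version"] == 4:
        out[8] = new_ttl
        out[10:12] = b"\x00\x00"                         # TTL changed, so recompute the checksum
        struct.pack_into("!H", out, 10, inet_checksum(bytes(out[:hdr["header_len"]])))
    else:
        out[7] = new_ttl                                 # IPv6: no checksum to maintain
    return ("forward", bytes(out))


def walk(pkt: bytes, hops: int):
    """Push a packet through `hops` simulated routers. Returns the 1-based index of the
    hop that answered Time Exceeded, or None if the packet got past all of them."""
    for i in range(1, hops + 1):
        action, pkt = router_forward(pkt)
        if action == "time_exceeded":
            return i
    return None


if __name__ == "__main__":
    # Constructed packets using documentation addresses (RFC 5737 / RFC 3849).
    for ttl in (1, 2, 3):
        probe = build_ipv4("192.0.2.10", "198.51.100.7", ttl, 1, b"\x08\x00" + b"\x00" * 6)
        print("IPv4 probe with TTL=%d is answered by hop %s" % (ttl, walk(probe, 10)))
    probe6 = build_ipv6("2001:db8::10", "2001:db8::7", 2, 58, b"\x80\x00" + b"\x00" * 6)
    print("IPv6 probe with Hop Limit=2 is answered by hop %s" % walk(probe6, 10))
```

The `walk` function is the whole idea of traceroute in miniature: a probe sent with TTL/HL = n is answered by hop n and by no other. Note that `parse_ip_header` refuses an IPv4 header whose checksum no longer matches, which is exactly what a real router does with a packet whose TTL was changed without fixing the checksum.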

The traceroute tool is built on this feature of the Internet Protocol. Imagine that we construct an IP packet by hand in our program, set the TTL/HL field to one, and then in a loop increment this value by one on each step while catching the ICMP replies sent back by the routers. The first router will send us an ICMP Time Exceeded reply on the first loop step, the second router on the second step, and so on, until we catch an ICMP Echo Reply from the destination host or we reach the maximum hop limit. Those ICMP replies from the routers or the destination host are themselves IP packets, and their Source IP Address field holds the corresponding router's network address. In addition, we can measure the time that passes between sending a packet and receiving its reply. Two practical caveats: a router is not obliged to answer (it may drop the probe silently or rate-limit its ICMP errors, which is why traceroute output shows "*" for such hops), and the address a hop reports is one of that router's interface addresses, usually the one facing the sender, so a trace in the opposite direction can show different addresses for the same devices.

Here are the common steps of a basic traceroute algorithm:
  1. Create a listening raw socket to catch ICMP replies (raw sockets require administrator/root privileges)
  2. Create a raw socket towards the Destination IP Address to send ICMP packets
  3. Define the start TTL/HL and max TTL/HL variables
  4. Loop from the start to the max TTL/HL; inside the loop:
  5.     Create an ICMP Echo Request packet with TTL/HL = current loop step and our own identifier/sequence number
  6.     Record the send time in a variable
  7.     Send the packet
  8.     Read from the listening socket, waiting for an ICMP reply
  9.     Discard any reply that does not belong to our probe and keep reading (the raw socket delivers every ICMP packet the host receives; an ICMP Time Exceeded message quotes the original IP header plus the first 8 bytes of its payload, i.e. our ICMP header with its identifier/sequence number)
  10.    If the read timeout is exceeded:
  11.         Print a timeout marker ("*") and continue with the next loop step
  12.    Record the receive time of the ICMP reply
  13.    Read the Source IP Address from the ICMP reply packet
  14.    If reverse resolution of the IP to a host name is requested:
  15.         Resolve the IP to a host name
  16.    Print the hop's IP / host name / reply time
  17.    If the reply's Source IP Address equals the Destination IP Address of our probe (or the reply is an Echo Reply), or
  18.    the current loop step exceeds the max TTL/HL:
  19.         Break the loop

Things to understand about traceroute

  • Traceroute is performed between two hosts.
  • Web technologies do not allow traceroute to be implemented in a browser, so every time you run a traceroute online, you trace the route from the website's server to the host you specify. That means your host can only be the destination, not the source.
  • Traceroute makes it possible to analyze network configuration problems. Traceroutes made from different locations to hosts in your network give a view of the packet flow from the outside to your hosts. At the same time, you can trace from your hosts to other locations with local tools. So online tools add value to such analysis, but they do not replace the value of local tools.
