– A traceroute implementation using TCP
tcptraceroute [-nNFSAE] [ -i interface ] [ -f first ttl ][ -l length ] [ -q number of queries ] [ -t tos ][ –m max ttl ] [ source port -p ] [ source address –s ][ -w timeout ] host [ destination port ] [ length ]
tcptraceroute is an implementation of traceroute that uses TCP packets.
The more traditional traceroute(8) sends UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing gateways that generate ICMP messages of time exceeded en route, it is able to determine the route that packets are taking to reach the destination.
The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute(8) sends end up being filtered, making it impossible to fully trace the route back to the destination. However, in many cases, these firewalls will allow incoming TCP packets to specific ports on which the hosts behind the firewall are listening for connections. By sending TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute can bypass the most common firewall filters.
It is worth noting that tcptraceroute never fully establishes a TCP connection with the destination host. If the host is not listening for incoming connections, it will respond with an RST indicating that the port is closed. If, instead, the host responds with a SYN| ACK, the port is known to be open, and the kernel sends a tcptraceroute RST to knock down the connection without completing the three-way handshake. This is the same semi-open scanning technique that nmap(1) uses when passing the -sS indicator.
-n Show numeric output, instead of performing a reverse DNS lookup for each hop. By default, reverse lookups are never attempted in the RFC1918 address space, regardless of the -n flag. -N Perform a reverse DNS lookup for each hop, including RFC1918 addresses. -f Set the initial TTL used in the first outgoing packet. The default value is 1. -m Set the maximum TTL used on outgoing packets. The default value is 30. -p Use the local TCP port specified on outgoing packets. The default is to get a free kernel port using bind(2). Unlike the traditional traceroute(8), this number will not increase with each hop. -s Set the source address for outgoing packets. See also flag -i. -i Use the interface specified for outgoing packets. -q Set the number of probes to be sent to each hop. The default value is 3. -w Set the timeout, in seconds, to wait for a response for each probe. The default value is 3. -S Set the TCP SYN flag on outgoing packets. This is the default value, if neither -S nor -A is specified. -A Set the TCP ACK flag on outgoing packets. By doing so, it is possible to trace through stateless firewalls that allow outbound TCP connections. -E Send ECN SYN packets, as described in RFC2481. -t Set the IP TOS (service type) to be used in outgoing packets. The default is to set no TOS. -F Set the IP bit “don’t fragment” on the outgoing packets. -l Set the total length of the packet to be used in outgoing packets. If the length is greater than the minimum size required to assemble the required probe packet headers, this value automatically increases. -d Enable debugging, which may or may not be useful. -dnat Enable DNAT detection and display messages when DNAT transitions are observed. DNAT detection is based on the fact that some NAT devices, such as some Linux 2.4 kernels, do not correctly rewrite the IP address of IP packets cited in ICMP messages exceeded by the time that tcptraceroute requests, revealing the destination IP address to which an outgoing probe packet was made. NAT devices that correctly rewrite the IP address cited by ICMP messages, such as some Linux 2.6 kernels, will not be detected. For some target hosts, it may be necessary to use -dnat together with -track-port. See the examples.txt file for examples. -no-dnat Enable DNAT detection in order to correctly identify time-exceeded ICMP messages that match outgoing probe packets, but do not display messages when a DAT transition is observed. This is the default behavior. -no-dnat-strict Do not perform any DNAT detection at all. No attempt will be made to match time-exceeded ICMP messages to outgoing probe packets, and when crawling through a NAT device that does not rewrite the IP addresses of IP packets cited in time-exceeded ICMP messages, some hops along the path may appear unresponsive. This option should not be necessary in the vast majority of cases, but can be used if it is suspected that the DNAT detection code is misidentifying ICMP messages exceeded in time.
See the sample file .txt included in the tcptraceroute distribution for some real-world examples. To trace the route to a web server listening for connections on port 80: tcptraceroute web server
To trace the route to a mail server listening for connections
on port 25: tcptraceroute
No error checking is performed on the source address specified by
-s flag and, therefore,
might send TCP SYN packets for which you have no chance of seeing a response.
Michael C. Toren
For updates, see:
traceroute(8), ping(8), nmap(1)