traceroute(8) - Linux man page - Die.net

Name

traceroute - print the route packets trace to network host

Synopsis

traceroute [-46dFITUnreAV] [-f first_ttl] [-g gate,...] [-i device] [-m max_ttl] [-p port] [-s src_addr] [-q nqueries] [-N squeries] [-t tos] [-l flow_label] [-w timeout] [-z sendwait] [-UL] [-P proto] [--sport=port] [-M method] [-O mod_options] [--mtu] [--back] host [packet_len]

traceroute6 [options]

Description

traceroute tracks the route packets take from an IP network on their way to a given host. It utilizes the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.

traceroute6 is equivalent to traceroute -6

The only required parameter is the name or IP address of the destination host. The optional packet_len is the total length of the probing packet (60 bytes by default for IPv4 and 80 for IPv6). The specified size can be ignored in some situations or increased up to a minimum value.

This program attempts to trace the route an IP packet would follow to some internet host by launching probe packets with a small ttl (time to live) and then listening for an ICMP "time exceeded" reply from a gateway. We start our probes with a ttl of one and increase by one until we get an ICMP "port unreachable" (or a TCP reset), which means we got to the "host", or hit a maximum (which defaults to 30 hops). Three probes (by default) are sent at each ttl setting and a line is printed showing the ttl, the address of the gateway and the round trip time of each probe. The address can be followed by additional information when requested. If the probe answers come from different gateways, the address of each responding system will be printed. If there is no response within 5.0 seconds (default), an "*" (asterisk) is printed for that probe.

After the trip time, some additional annotation can be printed: !H, !N, or !P (host, network or protocol unreachable), !S (source route failed), !F (fragmentation needed), !X (communication administratively prohibited), !V (host precedence violation), !C (precedence cutoff in effect), or !<num> (ICMP unreachable code <num>). If almost all the probes result in some kind of unreachable, traceroute will give up and exit.
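Reading the per-hop lines described above by hand gets tedious on long traces, so here is an added example (not part of the original man page and not code from the traceroute project) of a POSIX shell function that summarizes them: for each hop it collects the distinct responding gateway addresses, counts answered and timed-out probes, and lists any annotations such as !X. The trace it runs on is a constructed sample using documentation addresses, not a real trace, and the field names in the summary line are this example's own choice.

```shell
#!/bin/sh
# Constructed sample of traceroute output (documentation addresses, not a real trace).
SAMPLE='traceroute to target.example (203.0.113.9), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.380 ms  0.361 ms
 2  198.51.100.1 (198.51.100.1)  1.203 ms  198.51.100.2 (198.51.100.2)  1.150 ms  1.101 ms
 3  * * *
 4  203.0.113.7 (203.0.113.7)  12.345 ms !X  12.201 ms !X  12.150 ms !X'

# summarize_hops: read traceroute output on stdin and print one line per hop:
#   <hop> gw=<addr[,addr...]|-> probes=<n> timeouts=<n> annot=<!X[,!H...]|->
# Gateways are taken from the "(addr)" tokens, so this works with or without -n;
# each "ms" counts one answered probe and each "*" one timed-out probe.
summarize_hops() {
    awk '
    /^ *[0-9]+ / {
        hop = $1; gws = ""; probes = 0; timeouts = 0; annots = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "*")  { timeouts++; probes++; continue }
            if ($i == "ms") { probes++; continue }
            if ($i ~ /^\(.*\)$/) {
                a = substr($i, 2, length($i) - 2)
                key = "," gws ","
                if (index(key, "," a ",") == 0)
                    gws = (gws == "" ? a : gws "," a)
                continue
            }
            if ($i ~ /^!/) {
                key = "," annots ","
                if (index(key, "," $i ",") == 0)
                    annots = (annots == "" ? $i : annots "," $i)
            }
        }
        printf "%s gw=%s probes=%d timeouts=%d annot=%s\n", hop, (gws == "" ? "-" : gws), probes, timeouts, (annots == "" ? "-" : annots)
    }'
}

# silent_hops: hops where every probe timed out (where a filter most likely sits).
silent_hops() {
    summarize_hops | awk '{
        split($3, p, "="); split($4, t, "=")
        if (p[2] == t[2]) print $1
    }'
}

# Convenience wrappers over the constructed sample.
hop_summary() { printf '%s\n' "$SAMPLE" | summarize_hops | awk -v n="$1" '$1 == n'; }
sample_silent_hops() { printf '%s\n' "$SAMPLE" | silent_hops; }

printf '%s\n' "$SAMPLE" | summarize_hops
```

A hop that is silent for every probe is not necessarily down: as the text below explains, it is often a firewall dropping the "unlikely" UDP ports or ICMP echoes, which is the cue to retry with a different method (-T or -I).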

We don't want the destination host to process the UDP probe packets, so the destination port is set to an unlikely value (you can change it with the -p flag). There is no such problem for ICMP or TCP tracerouting (for TCP we use the half-open technique, which prevents our probes from being seen by applications on the destination host).

In the modern network environment the traditional traceroute methods are not always applicable, because of the widespread use of firewalls. Such firewalls filter the "unlikely" UDP ports, or even ICMP echoes. To solve this, some additional tracerouting methods (including tcp) are implemented, see the LIST OF AVAILABLE METHODS below. Such methods try to use a particular protocol and source/destination port in order to bypass firewalls (to be seen by firewalls just as the start of an allowed type of network session).

Options

--help

Print help info and exit.

-4, -6

Explicitly force IPv4 or IPv6 tracerouting. By default, the program will try to resolve the name given, and choose the appropriate protocol automatically. If resolving a host name returns both IPv4 and IPv6 addresses, traceroute will use IPv4.

-I

Use ICMP ECHO for probes.

-T

Use TCP SYN for probes.

-d

Enable socket level debugging (when the Linux kernel supports it).

-F

Do not fragment probe packets. (For IPv4 it also sets the DF bit, which tells intermediate routers not to fragment remotely as well.)

By varying the size of the probing packet with the packet_len command line parameter, you can manually obtain information about the MTU of individual network hops. The --mtu option (see below) tries to do this automatically.

Note that the don't-fragment features (like -F or --mtu) work properly since Linux kernel 2.6.22 only. Before that version, IPv6 was always fragmented, and IPv4 could only use the once-discovered final mtu (from the route cache), which can be less than the actual mtu of a device.

-f first_ttl

Specifies with what TTL to start. The default is 1.

-g gateway

Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the packet through the specified gateway (most routers have disabled source routing for security reasons). In general, several gateways are allowed (comma separated). For IPv6, the form num,addr,addr,... is allowed, where num is a route header type (the default is type 2). Note that the type 0 route header is now deprecated (rfc5095).

-i interface

Specifies the interface through which traceroute should send packets. By default, the interface is selected according to the routing table.

-m max_ttl

Specifies the maximum number of hops (max time-to-live value) traceroute will probe. The default is 30.

-N squeries

Specifies the number of probe packets sent out simultaneously. Sending several probes concurrently can speed up traceroute considerably. The default value is 16. Note that some routers and hosts can use ICMP rate throttling. In such a situation, specifying too large a number can lead to the loss of some responses.

-n

Do not attempt to assign IP addresses to host names when displaying them.

-p port

For UDP tracing, specifies the destination port base traceroute will use (the destination port number will be incremented by each probe). For ICMP tracing, specifies the initial icmp sequence value (incremented by each probe too). For TCP and others, specifies just the (constant) destination port to connect to.

-t tos

For IPv4, set the Type of Service (TOS) and Precedence value. Useful values are 16 (low delay) and 8 (high throughput). Note that in order to use some TOS precedence values, you have to be super user.

For IPv6, set the Traffic Class value (the IPv6 equivalent of TOS).

-w timeout

Set the time (in seconds) to wait for a response to a probe (default 5.0 seconds).

-q nqueries

Sets the number of probe packets per hop. The default is 3.

-r

Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.

-s source_addr

Chooses an alternative source address. Note that you must select the address of one of the interfaces. By default, the address of the outgoing interface is used.

-z sendwait

Minimal time interval between probes (default 0). If the value is more than 10, it specifies a number of milliseconds, otherwise it is a number of seconds (floating point values are allowed too). Useful when some routers use rate limits for icmp messages.

-e

Show ICMP extensions (rfc4884). The general form is CLASS/TYPE: followed by a hexadecimal dump. MPLS (rfc4950) is shown parsed, in the form MPLS:L=label,E=exp_use,S=stack_bottom,T=TTL (more objects separated by /).

-A

Perform AS path lookups in routing registries and print the results directly after the corresponding addresses.

-V

Print the version and exit.

There are additional options intended for advanced usage (such as alternate trace methods etc.):

--sport=port

Chooses the source port to use. Implies -N 1. Normally source ports (if applicable) are chosen by the system.

-M method

Use the specified method for traceroute operations. The default traditional udp method has the name default, icmp (-I) and tcp (-T) have the names icmp and tcp respectively. Method-specific options can be passed by -O. Most methods have their simple shortcuts (-I means -M icmp, etc.).

-O option

Specifies some method-specific option. Several options are separated by comma (or use several -O on the cmdline). Each method may have its own specific options, or may not have any at all. To print information about the available options, use -O help.

-U

Use UDP to a particular destination port for tracerouting (instead of increasing the port per each probe). The default port is 53 (dns).

-UL

Use UDPLITE for tracerouting (default port is 53).

-P protocol

Use a raw packet of the specified protocol for tracerouting. The default protocol is 253 (rfc3692).

--mtu

Discover the MTU along the path being traced. Implies -F -N 1. A new mtu is printed once in the form F=NUM at the first probe of a hop which requires such an mtu to be reached. (Actually, the corresponding "frag needed" icmp message is normally sent by the previous hop.)

Note that some routers might cache fragmentation information once they have seen it. Thus you can receive the final mtu from a closer hop. Try specifying an unusual tos with -t; this can help for one attempt (then it can be cached there as well). See the -F option for more info.

--back

Print the number of backward hops when it seems different from the forward direction. This number is guessed on the assumption that remote hops send reply packets with the initial ttl set to either 64, 128 or 255 (which seems to be common practice). It is printed as a negative value in the form '-NUM'.
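The guess behind --back is simple enough to show in a few lines. Here is an added example (not from the man page or the traceroute source) of a shell function that reproduces it for a single reply: it assumes, as the text says, an initial ttl of 64, 128 or 255, and the rule used here to pick between them (the smallest of the three that is not below the ttl seen in the reply) is this example's own assumption about how the ambiguity is resolved. The (reply ttl, forward hop) pairs at the end are constructed, not captured data.

```shell
#!/bin/sh
# guess_initial_ttl REPLY_TTL
# --back assumes remote hops send replies with an initial ttl of 64, 128 or 255.
# Resolution rule assumed here: the smallest of those not below the ttl seen in
# the reply (a reply's ttl can never exceed the value it started with).
guess_initial_ttl() {
    if [ "$1" -le 64 ]; then echo 64
    elif [ "$1" -le 128 ]; then echo 128
    else echo 255
    fi
}

# back_hops REPLY_TTL FORWARD_HOP
# Number of hops the reply travelled, printed the way --back does ("-NUM") only
# when it differs from the forward hop count; prints nothing when the return
# path looks symmetric.
back_hops() {
    initial=$(guess_initial_ttl "$1")
    back=$(( initial - $1 ))
    if [ "$back" -ne "$2" ]; then
        printf '%s\n' "-$back"
    fi
}

# Constructed demonstration pairs (reply ttl, forward hop), not real data.
for pair in "250 5" "60 3" "120 10"; do
    set -- $pair
    printf 'hop %s: reply ttl %s -> %s\n' "$2" "$1" "$(back_hops "$1" "$2")"
done
```

A reply ttl of 60 could also mean 68 hops from a host that started at 128; the heuristic silently prefers the shorter path, which is why the man page calls the value a guess.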

List of available methods

In general, a particular traceroute method may have to be chosen by -M name, but most of the methods have their simple cmdline switches (you can see them after the method name, if present).

default

The traditional, ancient method of tracerouting. Used by default.

Probe packets are udp datagrams with so-called "unlikely" destination ports. The "unlikely" port of the first probe is 33434, then for each next probe it is incremented by one. Since the ports are expected to be unused, the destination host normally returns "icmp unreach port" as the final response. (Nobody knows what happens when some application listens on such ports, though.)
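Because the port is incremented once per probe, the set of UDP destination ports a default-method run will touch is fully determined by the base port, the first and maximum ttl, and the number of queries per hop, which is exactly what a stateless firewall rule (or an IDS signature) has to cover. As an added example, not from the man page or the traceroute source, the shell functions below compute the port of an individual probe and the range for a whole run. They assume probes are numbered in order of ttl, then query within the hop, which is what the per-probe increment implies; nothing else about the implementation is assumed.

```shell
#!/bin/sh
# Default method: the first probe goes to port BASE (33434 unless -p is given)
# and every following probe uses the next port. Assumed numbering: probes are
# sent in order of ttl (hop), then query within the hop.
DEF_START_PORT=33434

# probe_port HOP QUERY [BASE] [FIRST_TTL] [NQUERIES]
# Destination port of query number QUERY (1..NQUERIES) at hop HOP.
probe_port() {
    hop=$1; query=$2
    base=${3:-$DEF_START_PORT}; first=${4:-1}; nq=${5:-3}
    echo $(( base + (hop - first) * nq + (query - 1) ))
}

# port_range [BASE] [FIRST_TTL] [MAX_TTL] [NQUERIES]
# Inclusive "low-high" range of destination ports the whole run can hit; the
# defaults (33434, ttl 1..30, 3 queries) give 33434-33523, which is the range a
# firewall has to pass for a stock "traceroute host" to get through.
port_range() {
    base=${1:-$DEF_START_PORT}; first=${2:-1}; max=${3:-30}; nq=${4:-3}
    low=$(probe_port "$first" 1 "$base" "$first" "$nq")
    high=$(probe_port "$max" "$nq" "$base" "$first" "$nq")
    echo "$low-$high"
}

# is_traceroute_port PORT [BASE] [FIRST_TTL] [MAX_TTL] [NQUERIES]
# Succeeds when PORT lies in the range a default-method traceroute would use.
is_traceroute_port() {
    range=$(port_range "$2" "$3" "$4" "$5")
    low=${range%-*}; high=${range#*-}
    if [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]; then
        return 0
    fi
    return 1
}

echo "default run covers udp dports $(port_range)"
echo "hop 2, query 1 -> port $(probe_port 2 1)"
```

Note that this only describes the default method: -U, -UL and -T use one constant destination port, and ICMP probes carry the counter in the echo sequence number instead.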

This method is allowed for unprivileged users.

icmp -I

The most usual method for now, which uses icmp echo packets for probes. If you can ping(8) the destination host, icmp tracerouting is applicable as well.

tcp -T

Well-known modern method, intended to bypass firewalls. Uses the constant destination port (default is 80, http).

If some filters are present in the network path, then most probably any "unlikely" udp ports (as for the default method) or even icmp echoes (as for icmp) are filtered, and the whole tracerouting will just stop at such a firewall. To bypass a network filter, we have to use only allowed protocol/port combinations. If we trace to, say, a mailserver, then it is more likely that -T -p 25 can reach it, even when -I cannot.

This method uses the well-known "half-open technique", which prevents applications on the destination host from seeing our probes at all. Normally, a tcp syn is sent. For non-listening ports we receive a tcp reset, and all is done. For actively listening ports we receive tcp syn+ack, but answer with a tcp reset (instead of the expected tcp ack); this way the remote tcp session is dropped even without the application ever taking notice.

There are a couple of options for the tcp method:

syn,ack,fin,rst,psh,urg,ece,cwr

Set the specified tcp flags for the probe packet, in any combination.

flags=num

Set the flags field in the tcp header exactly to num.

ecn

Send a syn packet with the tcp ECE and CWR flags set (for Explicit Congestion Notification, rfc3168).

sack,timestamps,window_scaling

Use the corresponding tcp header option in the outgoing probe packet.

sysctl

Use the current sysctl setting (/proc/sys/net/*) for the tcp header options above and ecn. Always set by default, if nothing else is specified.

mss=num

Use the value num for the maxseg tcp header option (when syn).

The default options are syn,sysctl.

tcpconn

An initial implementation of the tcp method, simply using the connect(2) call, which does a full tcp session opening. Not recommended for normal use, because a destination application is always affected (and can be confused).

udp -U

Use udp datagrams with a constant destination port (default 53, dns). Intended to bypass firewalls as well.

Note that, unlike the tcp method, the corresponding application on the destination host always receives our probes (with random data), and most can easily be confused by them. In most cases it will not respond to our packets though, so we will never see the final hop in the trace. (Fortunately, it seems that at least dns servers reply with something angry.)

This method is allowed for unprivileged users.

udplite -UL

Use udplite datagrams for probes (with a constant destination port, default 53).

This method is allowed for unprivileged users.

Options:

coverage=num Set udplite send coverage to num.

raw -P proto

Send a raw packet of protocol proto. No protocol-specific headers are used, just the IP header. Implies -N 1.

Options:

protocol=proto

Use IP protocol proto (default 253).

Notes

To speed up work, several probes are normally sent simultaneously. On the other hand, this creates a "packet storm", especially in the reply direction. Routers can throttle the rate of icmp responses, and some of the replies can be lost. To avoid this, decrease the number of simultaneous probes, or even set it to 1 (as in the initial traceroute implementation), i.e. -N 1.

The destination host can drop some of the simultaneous probes, and might even answer only the latest ones. This can lead to extra "looks like expired" hops near the final hop. We use an adaptive algorithm to detect such a situation automatically, but if it cannot help in your case, just use -N 1 as well.

For even more stable work, you can slow the program down with the -z option, for example use -z 0.5 for a half-second pause between probes.

If some hops report nothing for every method, the last chance to obtain something is to use the ping -R command (IPv4, and for the nearest 8 hops only).

See also

ping(8), ping6(8), tcpdump(8), netstat(8)

Referenced by

bing(8), brctl(8), dnstracer(8), firewalk(8), hping2(8), hping3(8), lft(8), mtr(8), nttlscan(1), sipsak(1), tcptraceroute(1), tcptraceroute6(8), tracepath(8), traceproto(8), traceroute_selinux(8)