
[exec] Raven: how does traceroute actually work?

[exec] is there something in the TCP header or so

[Raven] exec, i'll explain

[snider] traceroute isn't over TCP

[angst] something about a TTL field I know that

[Raven] ooh, i can feel a spontaneous lecture coming!

(Samcon) snider: strange, it's probably with the ripper

[Raven] is anyone logging this?

[angst] I know what it is in my head, just can't type what I want to say :)

(Samcon) I'm

[Raven] who else is logging?

(Samcon) just a sec

[snider] samcon, well it is something with the identification and auth of it

(Samcon) I'm always logging btw

[tcs] are u holding a tutorial session ?

[Raven] ok, so the topic of this spontaneous lecture is...

[Raven] how does traceroute work

[Cypher] lecture?

[Raven] Cypher, spontaneous

[FrEEkY] raven until phoneabuse.com is working I just refer people to BSRF

[snider] yea, although we have explained the matter a million times in here

[Raven] ok try to be quiet please

[Raven] so anyway, first of all, what is traceroute?

[Raven] traceroute traces the route that a packet goes through to get to a certain ip / hostname

[Raven] it's especially good to detect network problems

[Raven] if you're having trouble connecting to a certain host, you could run traceroute and see where the problem is

[Raven] where the chain stops

[Raven] any questions so far?

[Olaf] there is a great command in windows, tracert

[Olaf] is it related?

[Raven] Olaf, in windows you can type tracert from dos

[Raven] in unix/linux, you can type traceroute

[Raven] or tracert if you make an alias

[Raven] :-)

[Olaf] my poor linux

[Raven] anyway for windows, there's also www.samspade.org

[Raven] ok, we're continuing

[Raven] so anyway, this is what traceroute does

[Raven] now, how does it work?

(Samcon) traceroute is the thing with the packet that gets +1 node every time, no?

[Raven] ok, first of all, i have to explain a little about TCP/IP

*** joins [|The_Crow| (*[email protected])]

[Raven] TCP/IP packets can be divided into two types

[Raven] a) ip packets

[Raven] b) icmp packets

[Raven] each packet has a header part and a data part

*** nick change [ Cypher -> Cypher[awaY] ]

[Raven] the header contains info about the sender, the target and any other information that is necessary so the packet would get to its destination

[Raven] now, icmp packets have a header and a data part

[Raven] there are 13 (i think) types of icmp packets

[Raven] one of them, for example, is ICMP_ECHO_REQUEST

[Raven] which is used for pinging

[Raven] however icmp is mainly used for errors

[Raven] now, there are ip packets

[Raven] ip packets have a header and a data part

[Raven] the header contains the source and destination ip

[Raven] and a few other values

[Raven] like the TTL, for example

[Raven] (i'll explain later)

[Raven] the data part is either a TCP or a UDP packet

[Raven] these two terms are explained in bsrf's tcpip tutorial

[Raven] any questions so far?

[Raven] no? good.

[Raven] ok, so this TTL value serves a great role in killing misrouted packets

[Raven] suppose something happens and packets start looping or wandering around the net endlessly

[Raven] that'd be a serious waste of bandwidth, right?

[Olaf] yes

[FrEEkY] mmhmm

[Raven] so this is why the ip header contains a TTL value

[Raven] and so does the icmp header, i think

[Olaf] it decreases

[Raven] i don't remember

[Raven] anyway this TTL value is decreased whenever a packet goes through a router

[Raven] TTL = Time To Live

(Samcon) thats what i meant

[Raven] whenever a packet goes through a router, the TTL value is decreased by one

[angst] ICMP (Internet Control Message Protocol) BTW.... :)

[Raven] that way, if a packet goes through too many hops on the way, it gets killed

[Raven] and an icmp error is sent back to the sender

[Raven] windows 95 sends packets with a TTL value of 32

[Raven] i don't know about win 98

[Raven] anyway sometimes you'll have to go through more than 32 hops, so you'll get an error and windows will send the packet again with TTL = 64

[Raven] now, here's how traceroute works:

[Raven] first of all it sends out a packet with TTL = 1

[Raven] the packet goes through the first hop, and dies

[Raven] that router sends back an icmp error, and that way we can determine its ip / hostname

[Raven] because we can tell who is sending the packet by looking at the icmp header

[Raven] then, traceroute sends a packet with TTL = 2

[Raven] it travels through the first hop (which we already know) and dies in the second

[Raven] we get an error from the second router, thus revealing its ip

[Raven] this goes on until the packet reaches its destination

*** quits [Olaf (*[email protected])] (Ping timeout)

*** quits [tcs (*[email protected])] (Quit: I'll check the logs...)

[Raven] that way, we can tell where our packets go through by getting an error message from each hop

[Raven] that's all. that's how traceroute works

[Raven] :-)

[Raven] end of spontaneous lecture

[exec] cool