[TriLUG] Understanding Traceroute

James Jones jc.jones at tuftux.com
Tue Mar 1 12:52:09 EST 2011


Aaron & all,

My cable modem is a Zyxel Prestige 900. It provides me with 5 IP
addresses. Because of the associated IP addresses, the gateway is
probably part of the modem as well. I get different results depending
on which IP & router I am using. Here is my present network:

 traceroute raleigh-coc.org
traceroute to raleigh-coc.org (96.10.17.238), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.435 ms  0.632 ms  0.803 ms
 2  66.26.45.25 (66.26.45.25)  176.435 ms  176.792 ms  177.072 ms
 3  gig16-1.rlghncoo-ar44.nc.rr.com (24.25.20.190)  179.112 ms  179.372 ms  179.670 ms

From one that really concerns me: (mindspring on #2??? should not be there)

traceroute raleigh-coc.org
traceroute to raleigh-coc.org (96.10.17.238), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.877 ms  1.171 ms  1.447 ms
 2  user-0c8hsg1.cable.mindspring.com (24.136.242.1)  237.848 ms  238.148 ms  238.475 ms
 3  66.26.45.25 (66.26.45.25)  240.148 ms  243.025 ms  244.660 ms
 4  gig16-1.rlghncoo-ar44.nc.rr.com (24.25.20.190)  245.011 ms  245.272 ms  248.

jcj

On Tue, Mar 1, 2011 at 12:04 PM, Aaron Joyner <aaron at joyner.ws> wrote:
> Another way of phrasing this (maybe more precise, maybe less... but
> hopefully illuminative) is to say that you'll see an entry for every
> host along your path which:
> 1) is making a layer 3 routing decision about your packet
> 2) decrements the IP TTL
> 3) responds with an ICMP TTL Expired in transit when it decrements a
> packet's TTL to zero
> 4) can send you ICMP packets (i.e. those packets aren't dropped by some
> intermediary)
>
> The reason you don't see the cable modem is that it doesn't pass test
> (1) above.  It picks up packets off your local ethernet segment and
> (mostly) blindly transfers them across the cable network to another
> end point, where they're picked up off the cable network and injected
> onto some other network segment, probably some flavor of Ethernet
> inside your provider's central office.  It's acting more like a switch
> or a hub than a router, per se.  An even better analogy would be to
> say that it's acting like a modem.  :)
>
> Not seeing your gateway is marginally more surprising, but there are
> some simple / innocent explanations.  What was the first hop you did
> see?  It's plausible that is the same machine as your gateway, but it
> responds with a TTL expired-in-transit message from a different IP on
> the same router.  Routers have (by definition) more than one
> interface, usually more than just a couple.  There's not a lot of
> benefit in correlating the source IP of that TTL expired-in-transit
> packet with the interface IP they received the packet on, so it's
> usually not done.
>
> If you can include the output of your traceroute command, sanitized to
> protect the innocent if you like, we can probably help you to decode
> its particulars.
>
> Happy networking!
> Aaron S. Joyner
>
>
> On Tue, Mar 1, 2011 at 10:57 AM, Alexey Toptygin <alexeyt at freeshell.org> wrote:
>> On Tue, 1 Mar 2011, James Jones wrote:
>>
>>> All,
>>>
>>> I attempted to use traceroute (Ubuntu 10.04) today and expected
>>> certain results which didn't happen. I expected to see:
>>> 1. my router's IP address
>>> 2. my cable modem's IP address
>>> 3. my gateway's IP address
>>> 4. finally the route to destination
>>> I saw number 1 & 4, but not number 2 or 3.
>>>
>>> command was simple  traceroute destination
>>>
>>> Was I expecting too much?
>>
>> Traceroute will show you the IP on the interface facing you on every device
>> along the path to destination that decrements the IP TTL field (i.e. acts as
>> a router), with the caveat that some devices will not send the ICMP messages
>> that traceroute relies on, in which case you will see stars for that hop.
>>
>> IME cable modems never have an IP address assigned, they are purely layer 2
>> devices.
>>
>> You should be seeing the IP of the gateway upstream from the router on your
>> premises. If you don't and you see a row of stars that means it's not
>> sending ICMP TTL exceeded messages. If its IP is missing and you don't see a
>> row of stars, it's possible that it's configured to send all ICMP errors
>> from a single IP, which is not the one on the interface facing you (i.e. you
>> are seeing it, but not with the address you expect); another possibility in
>> this case is that the gateway is misconfigured and is not decrementing TTL
>> for some reason (this is very rare, but I have seen it at least once).
>>
>>                        Alexey



-- 
Jc Jones
Blogs -
http://www.wendellgeek.com/weblog/
http://kixtech.blogspot.com/

webmaster for:
http://www.wendellgeek.com
http://classof1955.org
http://www.tuftux.com
http://www.therealpatpatterson.com
http://jonesjc.freeshell.org
http://www.trilug.org/~jonesjc
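
Added example, not part of the original thread: a small Python model of the four tests Aaron lists and the cases Alexey describes, showing which devices on a path produce a traceroute row and with what address. The path, device names and the 198.51.100.x / 203.0.113.x addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Device:
    name: str
    decrements_ttl: bool = True      # tests 1 and 2: routes at layer 3, decrements TTL
    icmp_src: Optional[str] = None   # test 3: source IP of its TTL-expired errors (None = sends none)
    icmp_filtered: bool = False      # test 4 fails: its errors are dropped on the way back

def traceroute(path: List[Device], dest_ip: str,
               max_hops: int = 30) -> List[Tuple[int, str, str]]:
    """Return (ttl, address shown, device that really answered) per probe TTL."""
    rows = []
    for ttl in range(1, max_hops + 1):
        remaining = ttl
        shown, who = dest_ip, "destination"   # reached unless the TTL expires first
        for dev in path:
            if not dev.decrements_ttl:
                continue                      # modem/bridge: forwards, TTL untouched
            remaining -= 1
            if remaining == 0:                # probe dies here
                heard = dev.icmp_src is not None and not dev.icmp_filtered
                shown, who = (dev.icmp_src if heard else "* * *"), dev.name
                break
        rows.append((ttl, shown, who))
        if who == "destination":
            break
    return rows

# Constructed path: the gateway's interface facing the user would be
# 198.51.100.1, but it sources all ICMP errors from 198.51.100.9.
PATH = [
    Device("home router", icmp_src="192.168.1.1"),
    Device("cable modem", decrements_ttl=False),
    Device("ISP gateway", icmp_src="198.51.100.9"),
    Device("silent router"),
    Device("filtered router", icmp_src="203.0.113.5", icmp_filtered=True),
]
DEST = "203.0.113.80"

if __name__ == "__main__":
    for ttl, shown, who in traceroute(PATH, DEST):
        print(f"{ttl:2}  {shown:<15}  <- {who}")
```

The modem never gets a row, the gateway appears under an address the user does not expect, and the two routers whose errors never arrive show as rows of stars.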


