TCP traceroute works fine but not UDP

networkingpingunix

So I ran into this issue where doing

traceroute some-server.abc.com

returned *** for multiple lines and finally reached maximum hops limit.

Doing a traceroute -T some-server.abc.com works perfectly fine. I checked the man pages and by default traceroute uses UDP protocol and -T forces it to use TCP probe packets.

What can be the possible reasons for such behaviour.
Also note that ping works fine with this host.

Best Answer

Quote from traceroute Wikipedia page:

On Unix-like operating systems, the traceroute utility uses User Datagram Protocol (UDP) datagrams by default, with destination port numbers ranging from 33434 to 33534. The traceroute utility usually has an option to instead use ICMP Echo Request (type 8) packets, like the Windows tracert utility does, or to use TCP SYN packets.[1][2] If a network has a firewall and operates both Windows and Unix-like systems, more than one protocol must be enabled inbound through the firewall for traceroute to work and receive replies.

Most likely reason why traceroute UDP packets are not getting through is firewall.

Related Solutions

How does TCP Ping or Traceroute Work

I believe you are referring to these utilities:

http://www.vdberg.org/~richard/tcpping.html

http://michael.toren.net/code/tcptraceroute/

Since tcpping requires tcptraceroute, I'll start with tcptraceroute.

The author of tcptraceroute states that unlike a traditional traceroute, "By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters."

Further: It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host.

So, tcptraceroute does not measure the time it takes to complete the three-way handshake because that never happens. It measures the time from the initial SYN to the SYN/ACK. This is sometimes referred to as a half-open connection scan.

From the nmap manpage:

          This technique is often referred to as half-open scanning,
          because you don’t open a full TCP connection. You send a SYN
          packet, as if you are going to open a real connection and then
          wait for a response. A SYN/ACK indicates the port is listening
          (open), while a RST (reset) is indicative of a non-listener. If
          no response is received after several retransmissions, the port
          is marked as filtered. The port is also marked filtered if an
          ICMP unreachable error (type 3, code 1,2, 3, 9, 10, or 13) is
          received.

As to your packet size question, the above description also has the answer. Since tcptraceroute sends a standard SYN packet, it should be a small packet, perhaps 64 bytes.

Traceroute, ICMP, UDP and TCP

ICMP messages are still IP packets. Traceroute uses ECHO Request (ICMP type 8) by default on Unix and Windows with incrementing TTLs, logging the sending address of each Time Exceeded (Type 11) message it gets back from the hops along the route. (cf: http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol)

This is the 'correct' way to do it, but you can run in to problems if some of the systems on the route drop or differently handle ICMP traffic.

Some implementations of traceroute (on Linux for example) have -T and -U options for switching to TCP/UDP instead (and a following -p argument to specify a destination port). This is useful for more closely simulating real traffic, which might get you a more accurate result in some cases.

I suspect the OSX implementation defaults to UDP for that reason, but I can't say for sure. You might find a switch to use ICMP instead.

Best Answer

Related Solutions

How does TCP Ping or Traceroute Work

Traceroute, ICMP, UDP and TCP

Related Topic