Socket types:
- Datagram sockets (UDP), also known as connectionless sockets
- Stream sockets (TCP/SCTP), also known as connection-oriented sockets,
- Raw sockets (or Raw IP sockets), typically available in routers and other network equipment.
Here the transport layer is bypassed, and the packet headers are not stripped off, but are accessible to the application.
Application examples: ICMP (ping), IGMP, OSPF.
There are also non-Internet sockets, implemented over other transport protocols, such as Systems Network Architecture (SNA).
See also Unix domain sockets (UDS), for internal inter-process communication.
Upper-layer protocol number carried in the IP header "Protocol" field (0-255):
1 0x01 ICMP Internet Control Message Protocol
6 0x06 TCP Transmission Control Protocol
8 0x08 EGP Exterior Gateway Protocol (RFC 888)
17 0x11 UDP User Datagram Protocol
27 0x1B RDP Reliable Datagram Protocol
88 0x58 EIGRP Enhanced Interior Gateway Routing Protocol
89 0x59 OSPF Open Shortest Path First (RFC 1583)
Type ICMP message Description (see RFC 1812 - Requirements for IP Version 4 Routers)
0 Echo reply Replies to an ICMP echo request.
8 Echo request Determines whether an IP node (a host or a router) is available on the network.
3 Destination unreachable Informs the host that a datagram cannot be delivered.
4 Source quench Informs the host to lower the rate at which it sends datagrams because of congestion.
5 Redirect Informs the host of a preferred route.
11 Time exceeded Generated by a router. Indicates that the TTL of an IP packet has expired (TTL=0).
30 Traceroute Information request.
1) Windows OS (ping.exe)
-> Sends 3 ICMP-8 packets with TTL=1
<- Receive from destination ICMP-0
2) Linux, FreeBSD (and other unix OS)
-> Send ICMP-8 packets to network hosts
<- Receive from destination ICMP-0
3) Cisco IOS
The ping command sends ICMP Echo messages. If the Cisco IOS software receives an ICMP Echo message, it sends an ICMP Echo Reply message to the source of the ICMP Echo message.
Cisco Ping Test Characters
Character Description
! Exclamation points indicate receipt of a reply.
. Periods indicate that the reply has timed out.
U Destination is unreachable.
N Network is unreachable.
P Protocol is unreachable.
Q Source quench
M Could not fragment the packet.
? Unknown packet type
TRACEROUTE
Traceroute tools are based on:
- ICMP = Windows (only), *nix (with the "-I" option)
- UDP = Cisco IOS (only), Unix (default)
- TCP = tcptraceroute, lft, mtr
Abbreviations used:
S - Sender Device
I - Intermediate Device (Router)
D - Destination IP
1) Windows OS (tracert.exe)
S: -> Sends 3 ICMP-8 packets with TTL=1
I: <-> Receive from any router ICMP-11 with TTL=1
(All implementations of traceroute rely on ICMP (type 11) packets being sent to the originator)
D: <- Receive from destination ICMP-0
PathPing.exe is a utility introduced with Windows NT that combines ping and traceroute functionality.
2) FreeBSD, Linux & Cisco IOS
S: -> Sends a UDP datagram to destination port >= 33434, random source port, TTL=1 (the UDP destination port is incremented for each subsequent probe)
I: <-> Receive from any router ICMP-11 with TTL=1
D: <- Destination reached - receives ICMP-3, code 3 ("destination unreachable", "port unreachable"), e.g. ICMP "udp port 33435 unreachable"
OR a "host unreachable", "net unreachable", "maximum TTL exceeded" or "timeout" type of message, in which case the probe is resent.
Linux, FreeBSD
=-=-=
Possible annotations printed after the round-trip time:
!H, !N, or !P - host, network or protocol unreachable
!S - source route failed
!F - fragmentation needed - the RFC1191 Path MTU Discovery value is displayed
!U or !W - destination network/host unknown
!I - source host is isolated
!A - communication with destination network administratively prohibited
!Z - communication with destination host administratively prohibited
!Q - for this ToS the destination network is unreachable
!T - for this ToS the destination host is unreachable
!X - communication administratively prohibited
!V - host precedence violation
!C - precedence cutoff in effect
!<num> - ICMP unreachable code <num> (any code not listed above)
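As an added example (not part of the original notes), the following Python classifies the ICMP replies a Unix UDP traceroute receives, as described in the FreeBSD/Linux/Cisco IOS section and the annotation list above: type 11 from an intermediate router, type 3 code 3 from the destination, and any other type 3 code mapped to its traceroute annotation, with the quoted UDP destination port mapped back to the probe number. The packet bytes are constructed in build_reply; the addresses 10.0.0.1/10.0.0.9 and source port 40000 are made-up sample values.

```python
import struct

# ICMP type 3 code -> traceroute(8) annotation, per the list above
UNREACH_ANNOTATION = {0: "!N", 1: "!H", 2: "!P", 4: "!F", 5: "!S", 6: "!U",
                      7: "!W", 8: "!I", 9: "!A", 10: "!Z", 11: "!Q", 12: "!T",
                      13: "!X", 14: "!V", 15: "!C"}
BASE_PORT = 33434  # first UDP destination port used by the probes

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_reply(packet: bytes):
    """Outer IPv4 header + ICMP error quoting the original probe (IP header + 8 bytes UDP).
    Returns (kind, annotation, probe_index); probe_index = quoted dst port - BASE_PORT."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode = icmp[0], icmp[1]
    inner = icmp[8:]                              # quoted original datagram
    if inner[9] != 17:                            # protocol field must be UDP
        raise ValueError("quoted datagram is not one of our UDP probes")
    inner_ihl = (inner[0] & 0x0F) * 4
    dst_port = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    probe_index = dst_port - BASE_PORT
    if itype == 11 and icode == 0:
        return ("hop", "", probe_index)           # router: TTL exceeded in transit
    if itype == 3 and icode == 3:
        return ("destination", "", probe_index)   # port unreachable: trace complete
    if itype == 3:
        return ("unreachable", UNREACH_ANNOTATION.get(icode, "!<%d>" % icode), probe_index)
    return ("other", "", probe_index)             # e.g. source quench; probe is resent

def build_reply(itype: int, icode: int, probe_index: int) -> bytes:
    """Constructed sample reply: outer IP header, ICMP header, quoted probe IP+UDP headers."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 1, 17, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 9]))
    inner_udp = struct.pack("!HHHH", 40000, BASE_PORT + probe_index, 8, 0)
    body = struct.pack("!BBHI", itype, icode, 0, 0) + inner_ip + inner_udp
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 2, 0, 64, 1, 0,
                           bytes([10, 0, 0, 9]), bytes([10, 0, 0, 1]))
    return outer_ip + body
```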
Cisco specific
=-=-=-=-=-=-=-
ICMP-3, code 3 (port unreachable) packets are rate-limited to one packet per 500 ms.
This explains why the responses from the destination (see the outputs for the Cisco router and Linux) fail for every other probe.
The traceroute can be aborted with the escape sequence invoked by pressing Ctrl+Shift+6 simultaneously.
In Cisco routers, the codes for a traceroute command reply are:
! -- success
* -- time out
N -- network unreachable
H -- host unreachable
P -- protocol unreachable
A -- admin denied
Q -- source quench received (congestion)
? -- unknown (any other ICMP message)
TCP TRACEROUTES
=-=-=-=-=-=-=-
* tcptraceroute - sends TCP SYN packets instead of UDP or ICMP ECHO packets, and so is able to bypass the most common firewall filters.
* lft (layer 4 (TCP) traceroute) - also implements numerous other features, including AS number lookups through Regional Internet Registries and other reliable sources, Loose Source Routing, firewall and load balancer detection, etc.
LFT sends various TCP SYN and FIN probes.
* hping - a network tool able to send custom TCP/IP packets and to display target replies the way ping does with ICMP replies. hping handles fragmentation, arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols.
Using hping you are able to perform at least the following:
- Test firewall rules
- Advanced port scanning
- Test network performance using different protocols, packet size, TOS (type of service) and fragmentation
- Path MTU discovery
- Transferring files even through really restrictive firewall rules
- Traceroute-like under different protocols
- Firewalk-like usage
- Remote OS fingerprinting
- TCP/IP stack auditing
- A lot of others
* mtr (my traceroute) is an enhanced version of ICMP traceroute which is available for Unix-like and Windows systems.
$tcptraceroute ebay.com
Selected device fxp0, address 1.1.1.1, port 58062 for outgoing packets
Tracing the path to ebay.com (66.211.160.88) on TCP port 80, 30 hops max
8 te0-0-0-7.ccr21.fra03.atlas.cogentco.com (130.117.48.53) 43.533 ms 43.545 ms 43.481 ms
9 dtag.fra03.atlas.cogentco.com (130.117.14.150) 45.764 ms 45.730 ms 45.685 ms
10 217.239.40.102 (217.239.40.102) 200.949 ms 201.038 ms 201.033 ms
11 194.25.208.10 (194.25.208.10) 204.544 ms 204.808 ms 204.820 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 pages.ebay.com (66.211.160.88) [open] 214.009 ms 214.200 ms 214.722 ms
$lft -A -T -m 2 ebay.com
LFT trace started at 18-Mar-11 18:09:49 EET
Tracing .......*****.***.....T
TTL LFT trace to pages.ebay.com (66.211.160.88):80/tcp
...(hops 1-2 omitted)
3 [9050] 193.231.106.33 8.6/8.7ms
** [neglected] no reply packets received from TTLs 4 through 7
8 [174] te0-0-0-7.ccr21.fra03.atlas.cogentco.com (130.117.48.53) 43.6/43.5ms
9 [174] dtag.fra03.atlas.cogentco.com (130.117.14.150) 45.8/45.7ms
10 [3320] 217.239.40.102 200.7ms
11 [3320] 194.25.208.10 204.5ms
** [neglected] no reply packets received from TTLs 12 through 15
16 [11643] [target open] pages.ebay.com (66.211.160.88):80 214.2ms
LFT trace finished at 18-Mar-11 18:09:57 EET (7.98s elapsed)
FreeBSD ports descriptions for related tools:
/usr/ports/net/tcptrace/pkg-descr
/usr/ports/net/tcptraceroute/pkg-descr
/usr/ports/net/tcptraceroute-devel/pkg-descr
/usr/ports/net-mgmt/tcptrack/pkg-descr
PING 172.16.8.219 (172.16.8.219): 56 data bytes
ping: sendto: Invalid argument
ping: sendto: Invalid argument
traceroute to 192.168.5.6 (192.168.5.6), 64 hops max, 40 byte packets
traceroute: sendto: Invalid argument
1 traceroute: wrote 192.168.5.6 40 chars, ret=-1
*traceroute: sendto: Invalid argument
traceroute: wrote 192.168.5.6 40 chars, ret=-1
$ netstat -nr
172.16.0.0/16 172.17.13.1 UGS 0 259 em3

$ netstat -nr
172.16.0.0/16 172.17.10.1 UGS 0 259 em3
(172.17.10.1 is directly connected to the host at Layer 2.)