PING, TRACE

Socket address: a single identity IP:PORT, which is mapped to the application process.
Socket types:
- Datagram sockets (UDP), also known as connectionless sockets
- Stream sockets (TCP/SCTP), also known as connection-oriented sockets
- Raw sockets (or raw IP sockets), typically available in routers and other network equipment.
    Here the transport layer is bypassed, and the packet headers are not stripped off but are accessible to the application.
    Application examples: ICMP (ping), IGMP, OSPF.
There are also non-Internet sockets, implemented over other transport protocols, such as Systems Network Architecture (SNA).
See also Unix domain sockets (UDS), for local inter-process communication.

Protocol number field in the IP header (0-255), identifying the upper-layer protocol:
Number  Hex   Name   Protocol
1       0x01  ICMP   Internet Control Message Protocol
6       0x06  TCP    Transmission Control Protocol
8       0x08  EGP    Exterior Gateway Protocol                  RFC 888
17      0x11  UDP    User Datagram Protocol
27      0x1B  RDP    Reliable Datagram Protocol
88      0x58  EIGRP  Enhanced Interior Gateway Routing Protocol
89      0x59  OSPF   Open Shortest Path First                   RFC 1583

Most used ICMP types (codes omitted):
Type  ICMP message             Description
0     Echo reply               Replies to an ICMP echo request.
8     Echo request             Determines whether an IP node (a host or a router) is available on the network.
3     Destination unreachable  Informs the host that a datagram cannot be delivered.
4     Source quench            Informs the host to lower the rate at which it sends datagrams because of congestion.
5     Redirect                 Informs the host of a preferred route.
11    Time exceeded            Generated by a router; indicates that the TTL of an IP packet has expired (TTL=0).
30    Traceroute               Information request
RFC 1812 - Requirements for IP Version 4 Routers


PING

1) Windows OS (ping.exe)
 -> Sends 3 ICMP-8 packets with TTL=1
 <- Receives ICMP-0 from the destination

2) Linux, FreeBSD (and other Unix OS)
 -> Sends ICMP-8 packets to network hosts
 <- Receives ICMP-0 from the destination

3) Cisco IOS
The ping command sends ICMP Echo messages. If the Cisco IOS software receives an ICMP Echo message, it sends an ICMP Echo Reply message to the source of the ICMP Echo message.

Cisco Ping Test Characters
Character    Description
!        Exclamation points indicate receipt of a reply.
.        Periods indicate that the reply has timed out.
U        Destination is unreachable.
N        Network is unreachable.
P        Protocol is unreachable.
Q        Source quench received.
M        Could not fragment the packet.
?        Unknown packet type.

TRACEROUTE

Traceroute tools are based on:
- ICMP: Windows (only); *nix with the "-I" option
- UDP:  Cisco IOS (only); Unix (default)
- TCP:  tcptraceroute, lft, mtr

Abbreviations used:
S - Sender device
I - Intermediate device (router)
D - Destination IP

1) Windows OS (tracert.exe)
S: ->  Sends 3 ICMP-8 packets with TTL=1 (the TTL is then incremented for the next hop)
I: <-  Receives ICMP-11 from the router at which the TTL expires
   (All traceroute implementations rely on ICMP type 11 packets being sent back to the originator.)
D: <-  Receives ICMP-0 from the destination

PathPing.exe is a utility introduced with Windows NT that combines ping and traceroute functionality.

2) FreeBSD, Linux & Cisco IOS
S: ->  Sends a UDP datagram to destination port >= 33434 from a random source port, with TTL=1 (the UDP destination port is incremented for each subsequent probe)
I: <-  Receives ICMP-11 from the router at which the TTL expires
D: <-  Destination reached: receives ICMP-3, code 3 ("destination unreachable", "port unreachable"), e.g. ICMP "udp port 33435 unreachable"
       OR a "host unreachable", "net unreachable", "maximum TTL exceeded" or "timeout" type of message, in which case the probe is resent.


Linux, FreeBSD
=-=-=
Possible annotations after the time:
!H, !N, or !P  - host, network or protocol unreachable
!S             - source route failed
!F             - fragmentation needed; the RFC 1191 Path MTU Discovery value is displayed
!U or !W       - destination network/host unknown
!I             - source host is isolated
!A             - communication with destination network administratively prohibited
!Z             - communication with destination host administratively prohibited
!Q             - for this ToS the destination network is unreachable
!T             - for this ToS the destination host is unreachable
!X             - communication administratively prohibited
!V             - host precedence violation
!C             - precedence cutoff in effect
!<num>         - any other ICMP unreachable code <num>
If almost all the probes result in some kind of unreachable, traceroute will give up and exit.
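The following Python is an added example, not code from the original notes. It builds ICMP echo messages with the RFC 1071 checksum the way ping does (PING section above), and decodes the ICMP-11 and ICMP-3 replies a UDP traceroute receives: it validates the checksum, pulls the quoted IP/UDP header that tells traceroute which probe (destination and UDP port) triggered the reply, and maps type 3 codes to the annotation letters listed above. All addresses, ports and packets are constructed samples, not captured traffic.

```python
import socket
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11

# traceroute(8) annotations for ICMP type 3 (destination unreachable) codes;
# code 3 (port unreachable) is the normal "destination reached" reply to a UDP probe
UNREACH_ANNOTATION = {
    0: "!N", 1: "!H", 2: "!P", 3: None, 4: "!F", 5: "!S", 6: "!U", 7: "!W",
    8: "!I", 9: "!A", 10: "!Z", 11: "!Q", 12: "!T", 13: "!X", 14: "!V", 15: "!C",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd length padded with 0x00.
    Run over a message whose checksum field is already filled in, it returns 0 if valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(itype: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8) or echo reply (type 0) as ping puts it on the wire."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def build_icmp_error(itype: int, code: int, quoted: bytes) -> bytes:
    """ICMP type 3 or 11 message: 4 unused bytes, then the offending packet's IP header + 8 bytes."""
    header = struct.pack("!BBHI", itype, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", itype, code, csum, 0) + quoted


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left 0; only used for constructed samples)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_icmp_reply(packet: bytes) -> dict:
    """Decode an IPv4+ICMP packet as a raw socket hands it to ping or traceroute.

    For error messages (types 3 and 11) the quoted IP/UDP header identifies the probe
    (destination and UDP port) that triggered the reply; that is how traceroute matches
    a reply to a specific TTL. Type 3 codes are mapped to the traceroute annotations."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    info = {"from": str(IPv4Address(packet[12:16])), "type": itype, "code": code,
            "annotation": None, "reached": itype == ICMP_DEST_UNREACH and code == 3}
    if itype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        inner = icmp[8:]                      # quoted IP header + first 8 bytes of the probe
        inner_ihl = (inner[0] & 0x0F) * 4
        info["probe_dst"] = str(IPv4Address(inner[16:20]))
        if inner[9] == socket.IPPROTO_UDP:    # UDP header follows: src port, dst port, len, csum
            info["probe_dport"] = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
        if itype == ICMP_DEST_UNREACH:
            info["annotation"] = UNREACH_ANNOTATION.get(code, "!<%d>" % code)
    elif itype == ICMP_ECHO_REPLY:
        info["ident"], info["seq"] = struct.unpack("!HH", icmp[4:8])
    return info


def decode_sample_replies() -> list:
    """Constructed sample replies (not captured traffic) for the cases in the notes above."""
    sender = "172.17.10.5"

    def probe(dport: int) -> bytes:
        # quoted part of a 40-byte UDP traceroute probe: its IP header plus the 8-byte UDP header
        udp = struct.pack("!HHHH", 43210, dport, 20, 0)
        return ipv4_header(sender, "66.211.160.88", socket.IPPROTO_UDP, 20, ttl=1) + udp

    samples = [
        ("172.17.10.1", build_icmp_error(ICMP_TIME_EXCEEDED, 0, probe(33434))),   # first-hop router
        ("66.211.160.88", build_icmp_error(ICMP_DEST_UNREACH, 3, probe(33435))),  # destination reached
        ("194.25.208.10", build_icmp_error(ICMP_DEST_UNREACH, 13, probe(33436))), # filtered on the path
        ("66.211.160.88", build_echo(ICMP_ECHO_REPLY, 0x1234, 1)),                # ping reply
    ]
    return [parse_icmp_reply(ipv4_header(src, sender, socket.IPPROTO_ICMP, len(msg)) + msg)
            for src, msg in samples]


if __name__ == "__main__":
    for reply in decode_sample_replies():
        print(reply)
```

Sending these messages for real needs a raw socket (SOCK_RAW, IPPROTO_ICMP) and root; the decoder above is the part that does not, which is why it is the part worth testing on constructed packets.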

Cisco specific
=-=-=-=-=-=-=-
ICMP-3, code 3 (port unreachable) replies are rate-limited to one packet per 500 ms.
This explains why the response from the destination (see the outputs for the Cisco router and Linux) is missing for every second probe.

To abort a running ping or traceroute, invoke the escape sequence by pressing Ctrl+Shift+6 simultaneously.

In Cisco routers, the codes for a traceroute command reply are:

    ! -- success
    * -- time out
    N -- network unreachable
    H -- host unreachable
    P -- protocol unreachable
    A -- admin denied
    Q -- source quench received (congestion)
    ? -- unknown (any other ICMP message)

TCP TRACEROUTES
=-=-=-=-=-=-=-

    * tcptraceroute - sends out TCP SYN packets instead of UDP or ICMP ECHO packets, and so is able to bypass the most common firewall filters.
    * lft (layer four traceroute) - also implements numerous other features, including AS number lookups through Regional Internet Registries and other reliable sources, loose source routing, firewall and load balancer detection, etc.
      LFT sends various TCP SYN and FIN probes.
    * hping - is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies. hping handles fragmentation, arbitrary packet body and size, and can be used in order to transfer files encapsulated under supported protocols.
      Using hping you are able to perform at least the following stuff:

        - Test firewall rules
        - Advanced port scanning
        - Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
        - Path MTU discovery
        - Transferring files between even really fascist firewall rules.
        - Traceroute-like under different protocols.
        - Firewalk-like usage.
        - Remote OS fingerprinting.
        - TCP/IP stack auditing.
        - A lot of others.

    * mtr (my traceroute) is an enhanced version of ICMP traceroute which is available for Unix-like and Windows systems.


$tcptraceroute ebay.com
Selected device fxp0, address 1.1.1.1, port 58062 for outgoing packets
Tracing the path to ebay.com (66.211.160.88) on TCP port 80, 30 hops max
 8  te0-0-0-7.ccr21.fra03.atlas.cogentco.com (130.117.48.53)  43.533 ms  43.545 ms  43.481 ms
 9  dtag.fra03.atlas.cogentco.com (130.117.14.150)  45.764 ms  45.730 ms  45.685 ms
10  217.239.40.102 (217.239.40.102)  200.949 ms  201.038 ms  201.033 ms
11  194.25.208.10 (194.25.208.10)  204.544 ms  204.808 ms  204.820 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  pages.ebay.com (66.211.160.88) [open]  214.009 ms  214.200 ms  214.722 ms


$lft -A -T -m 2  ebay.com 
LFT trace started at 18-Mar-11 18:09:49 EET
Tracing .......*****.***.....T
TTL LFT trace to pages.ebay.com (66.211.160.88):80/tcp
  ....omitted
3  [9050] 193.231.106.33 8.6/8.7ms
**  [neglected] no reply packets received from TTLs 4 through 7
 8  [174] te0-0-0-7.ccr21.fra03.atlas.cogentco.com (130.117.48.53) 43.6/43.5ms
 9  [174] dtag.fra03.atlas.cogentco.com (130.117.14.150) 45.8/45.7ms
10  [3320] 217.239.40.102 200.7ms
11  [3320] 194.25.208.10 204.5ms
**  [neglected] no reply packets received from TTLs 12 through 15
16  [11643] [target open] pages.ebay.com (66.211.160.88):80 214.2ms
LFT trace finished at 18-Mar-11 18:09:57 EET (7.98s elapsed)

See also the FreeBSD ports descriptions:
/usr/ports/net/tcptrace/pkg-descr
/usr/ports/net/tcptraceroute/pkg-descr
/usr/ports/net/tcptraceroute-devel/pkg-descr
/usr/ports/net-mgmt/tcptrack/pkg-descr



Question 1) Strange ping/traceroute behaviour:

$ ping 172.16.8.219
PING 172.16.8.219 (172.16.8.219): 56 data bytes
ping: sendto: Invalid argument
ping: sendto: Invalid argument



$ traceroute 192.168.5.6
traceroute to 192.168.5.6 (192.168.5.6), 64 hops max, 40 byte packets
traceroute: sendto: Invalid argument
 1 traceroute: wrote 192.168.5.6 40 chars, ret=-1
 *traceroute: sendto: Invalid argument
traceroute: wrote 192.168.5.6 40 chars, ret=-1



Answer 1) Caused by a wrong gateway in the routing table (netstat -nr): the gateway is not directly connected to the host.
$ netstat -nr

172.16.0.0/16      172.17.13.1        UGS         0      259    em3

172.17.13.1 is not directly connected to this server, so the correct entry should be:
$ netstat -nr

172.16.0.0/16      172.17.10.1        UGS         0      259    em3

172.17.10.1 is directly connected to the host (layer 2).
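An added check for the condition in the answer above (example code, not from the original notes): it parses the IPv4 part of a `netstat -nr` listing and reports every gateway route whose next hop does not lie inside a directly connected network on the route's own interface. The netstat excerpt is constructed around the two gateways from the answer (172.17.13.1 off-link, 172.17.10.1 on-link via em3); the column layout follows FreeBSD's netstat, and the interface and address values are assumptions for the sample.

```python
from ipaddress import ip_address, ip_network

# Constructed netstat -nr excerpt (FreeBSD layout), not a real listing:
# 172.17.13.1 is NOT on a directly connected network, 172.17.10.1 is (172.17.10.0/24 on em3).
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags    Refs      Use  Netif
default            172.17.10.1        UGS         0     1201    em3
127.0.0.1          link#1             UH          0       12    lo0
172.16.0.0/16      172.17.13.1        UGS         0      259    em3
172.17.10.0/24     link#3             U           0       88    em3
172.17.10.5        link#3             UHS         0        0    lo0
192.168.5.0/24     172.17.13.1        UGS         0       10    em3
"""


def parse_routes(text: str) -> list:
    """Parse `netstat -nr` output into route dicts (header line and short lines skipped)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append({"dest": ip_network(dest, strict=False), "gateway": parts[1],
                       "flags": parts[2], "netif": parts[-1]})
    return routes


def connected_networks(routes: list) -> list:
    """Directly connected prefixes: no G flag, next hop is an interface (link#N), not a host route."""
    return [(r["dest"], r["netif"]) for r in routes
            if "G" not in r["flags"] and r["gateway"].startswith("link#")
            and r["dest"].prefixlen < 32]


def check_gateways(routes: list) -> list:
    """Return (destination, gateway, reason) for each gateway route whose next hop is not
    reachable at layer 2 on the route's own interface: the routes that make ping and
    traceroute fail with `sendto: Invalid argument` as in the question above."""
    connected = connected_networks(routes)
    problems = []
    for r in routes:
        if "G" not in r["flags"]:
            continue
        try:
            gw = ip_address(r["gateway"])
        except ValueError:          # gateway is not an address (e.g. an interface name)
            continue
        if gw.version != 4:         # IPv6 next hops are out of scope for this check
            continue
        on_link = [nif for net, nif in connected if gw in net]
        if not on_link:
            problems.append((str(r["dest"]), r["gateway"],
                             "gateway is not on any directly connected network"))
        elif r["netif"] not in on_link:
            problems.append((str(r["dest"]), r["gateway"],
                             "gateway is connected via a different interface"))
    return problems


if __name__ == "__main__":
    for dest, gw, why in check_gateways(parse_routes(SAMPLE_NETSTAT)):
        print("%-18s via %-14s %s" % (dest, gw, why))
```

On a live FreeBSD host, feed it the real listing with `netstat -nr -f inet`; the sample flags both routes that point at 172.17.13.1, and reports nothing once they are repointed at 172.17.10.1.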