Traceroute: Impact on the Behavior of Trace Programs.

When we left off, H1 had just sent a probe packet towards H2, as shown in Figure 1:

When the probe packet arrives at R1, per RFC 1812 (section 5.3.1), that router will decrement the packet’s IP TTL. Since the TTL in the probe packet was one, after being decremented the TTL will be zero, and R1 will discard the probe packet. The RFC also specifies that the router should send a packet containing an ICMP “TTL Exceeded” message (TEM) back to the originating host. This is a key part of the operation of the trace utility, so let’s take a closer look at this. When R1 sends the TEM packet back to H1, it sets the destination address of the TEM packet to H1’s IP address (the source address of the probe packet), but to what does it set the TEM packet’s source address?

In general, whenever a router itself generates (sources) a packet, the source address of the packet is set to the IP address of the interface on which the packet leaves the router. How does the router decide from which interface to send the packet? The same way it knows which interface to use when forwarding a data packet… it looks in its routing table, of course! The interface or subinterface specified by the routing table for that particular destination is referred to as the “best local interface”, and it’s this interface’s address that is assigned as the TEM packet’s source address. In this case, R1’s best local interface for H1 is Fa0/0, so the source address of the TEM packet is set to 1.1.1.1 (R1’s Fa0/0 interface).

When H1 receives the TEM packet, it displays the source address in the TEM packet as the address of the first-hop router (H1’s default gateway). It also notes the time between sending the probe packet and receipt of the TEM (typically measured in milliseconds), and displays this as the round-trip time for the first hop. What appears on H1’s screen at this point looks something like this:

H1#trace ip 4.4.4.4 probe 1

Type escape sequence to abort.

Tracing the route to 4.4.4.4

1 1.1.1.1  1 msec

What we see is the hop count on the left (1), the IP address of the device at that location (1.1.1.1), and the round-trip time between sending the probe packet and receiving the reply (1 msec). Since a host’s default gateway is typically connected to it by a high-speed LAN, the round-trip time from a host to its default gateway is usually quite short, often less than a millisecond. Depending on the implementation, this may show up as “0” or “<1” in the display.

Now let’s say that H1 sends a probe packet towards H2 with the IP TTL set to two, and starts the timer. When the probe packet arrives at R1, it will decrement the TTL to one and forward the packet towards H2, using the outbound interface specified by its routing table. The probe packet will then reach R2 with a TTL of one. When R2 receives the probe packet, it will decrement the TTL to zero, discard the probe packet, and send a TEM packet back to H1. This TEM packet will have a destination address of H1 and a source address of 2.2.2.2, R2’s best local interface to reach H1 (Fa0/1). The TEM packet then makes its way back to H1.

When H1 receives the TEM packet, it displays the source address in the TEM packet as the address of the second-hop router, along with the round-trip time. What appears on H1’s screen at this point looks something like this:

H1#trace ip 4.4.4.4 probe 1

Type escape sequence to abort.

Tracing the route to 4.4.4.4

1 1.1.1.1  1 msec

2 2.2.2.2  2 msec
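The two probes above can be replayed in a small model of the TTL and "best local interface" rules described in this article; this is an added example, not code from the original article. The addresses 1.1.1.100, 2.2.2.1, 3.3.3.2 and 5.5.5.2, the /24 prefixes, the Fa1/0 interface and all function names are assumptions made for the model. Its last call goes slightly beyond the text by giving R2 a different return route to H1, which changes the address H1 would display for hop 2 even though the probe takes the same path.

```python
import ipaddress

class Router:
    def __init__(self, interfaces, routes):
        self.interfaces = interfaces  # interface name -> router's own address
        self.routes = [(ipaddress.ip_network(p), ifc, nxt) for p, ifc, nxt in routes]

    def lookup(self, dst):
        """Longest-prefix match: return (egress interface, next node)."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        _, ifc, nxt = max(hits, key=lambda r: r[0].prefixlen)
        return ifc, nxt

def probe(routers, first_hop, src, dst, ttl):
    """Forward one probe; return the source address of the TEM it triggers."""
    node = first_hop
    while node in routers:
        router = routers[node]
        ttl -= 1                           # each router decrements the TTL
        if ttl == 0:                       # expired: discard the probe and reply
            ifc, _ = router.lookup(src)    # best local interface toward the prober
            return router.interfaces[ifc]  # its address is the TEM source address
        _, node = router.lookup(dst)       # otherwise forward toward the target
    return None                            # probe left the modelled routers

def build(r2_return_ifc="Fa0/1"):
    """Constructed topology; only 1.1.1.1, 2.2.2.2 and 4.4.4.4 are the article's."""
    r1 = Router({"Fa0/0": "1.1.1.1", "Fa0/1": "2.2.2.1"},
                [("1.1.1.0/24", "Fa0/0", "H1"), ("0.0.0.0/0", "Fa0/1", "R2")])
    # The next-node field of R2's return route is not used when building a TEM.
    r2 = Router({"Fa0/1": "2.2.2.2", "Fa0/0": "3.3.3.2", "Fa1/0": "5.5.5.2"},
                [("1.1.1.0/24", r2_return_ifc, "R1"),
                 ("0.0.0.0/0", "Fa0/0", "downstream")])
    return {"R1": r1, "R2": r2}

def trace(routers, src="1.1.1.100", dst="4.4.4.4", max_ttl=2):
    """Send one probe per TTL value and collect the TEM source addresses."""
    return [probe(routers, "R1", src, dst, ttl) for ttl in range(1, max_ttl + 1)]

if __name__ == "__main__":
    for hop, addr in enumerate(trace(build()), start=1):
        print(hop, addr)
    # Same forward path, but R2's route back to H1 now leaves via Fa1/0.
    print(2, trace(build(r2_return_ifc="Fa1/0"))[1])
```
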

Next time, we’ll see what happens as we probe further downstream.
