Traceroute: Probing Further Downstream

When we left off, we were two hops into a trace from H1 to H2 using the topology shown in Figure 1:

At this point, the display on H1 looked something like this:

H1#trace ip 4.4.4.4 probe 1

Type escape sequence to abort.

Tracing the route to 4.4.4.4

1 1.1.1.1  1 msec

2 2.2.2.2  2 msec

Now H1 sends a probe packet towards H2 with the IP TTL set to three and starts the timer. When the probe packet arrives at R1, R1 decrements the TTL to two and forwards the packet towards H2. The probe packet then reaches R2 with a TTL of two. R2 decrements the TTL to one and forwards the packet towards R3, so the probe packet reaches R3 with a TTL of one. R3 decrements the TTL to zero, discards the probe packet, and sends an ICMP “TTL Exceeded” message (TEM) packet back to H1. This TEM packet has a destination address of H1 and a source address of 3.3.3.3, R3’s best local interface to reach H1 (Fa0/0). The TEM packet then makes its way back to H1.

When H1 receives the TEM packet, it displays the source address in the TEM packet as the address of the third-hop router, along with the round-trip time. What appears on H1’s screen at this point looks something like this:

H1#trace ip 4.4.4.4 probe 1

Type escape sequence to abort.

Tracing the route to 4.4.4.4

1 1.1.1.1  1 msec

2 2.2.2.2  2 msec

3 3.3.3.3  4 msec

Finally, H1 sends a probe packet towards H2 with the IP TTL set to four and starts the timer. When the probe packet arrives at R1, R1 decrements the TTL to three and forwards the packet towards H2. The probe packet then reaches R2 with a TTL of three. R2 decrements the TTL to two and forwards the packet towards R3, so the probe packet reaches R3 with a TTL of two. R3 decrements the TTL to one and forwards the packet towards H2. When H2 receives the probe packet, it sends a reply packet back to H1 (H2 is not a router, and since it’s not governed by RFC 1812, it doesn’t care about the TTL). The reply packet has a destination address of H1 (1.1.1.2) and a source address of H2 (4.4.4.4). The reply packet then makes its way back to H1.

Upon receipt of the reply, H1 displays the address of H2 and the timing information. At this point, the trace display would resemble this:

H1#trace ip 4.4.4.4 probe 1

Type escape sequence to abort.

Tracing the route to 4.4.4.4

1 1.1.1.1  1 msec

2 2.2.2.2  2 msec

3 3.3.3.3  4 msec

4 4.4.4.4  5 msec

Once H1 has received a reply to the probe packet from H2 (the target host), it stops sending probe packets, and the trace is complete.
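The full four-probe exchange walked through above, as an added Python simulation (not part of the original article and not any router's code). The addresses come from the article's trace; the function names, the dictionary fields and the `silent` option, which goes beyond the article to model a router that sends no TEM so that H1's timer expires, are assumptions made for illustration.

```python
# Added example: simulates the trace from H1 to H2 described in this article.
# Addresses are taken from the article; names and fields are illustrative.

# Routers on the path, in order, with the source address of their TEM packets.
ROUTERS = [("R1", "1.1.1.1"), ("R2", "2.2.2.2"), ("R3", "3.3.3.3")]
H1_ADDR = "1.1.1.2"
H2_ADDR = "4.4.4.4"


def send_probe(ttl, silent=()):
    """Carry one probe hop by hop; return what comes back to H1, or None."""
    for name, addr in ROUTERS:
        ttl -= 1                       # every router decrements the TTL
        if ttl == 0:                   # expired here: the probe is discarded
            if name in silent:         # assumption: this router sends no TEM
                return None            # H1 hears nothing and its timer expires
            return {"kind": "TEM", "src": addr, "dst": H1_ADDR}
    # The probe survived all routers; the target host replies, ignoring the TTL.
    return {"kind": "reply", "src": H2_ADDR, "dst": H1_ADDR}


def trace(max_ttl=30, silent=()):
    """Send probes with TTL 1, 2, 3, ... until the target host replies."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(ttl, silent)
        if answer is None:
            hops.append((ttl, "*", "timeout"))
            continue                   # keep probing further downstream
        hops.append((ttl, answer["src"], answer["kind"]))
        if answer["kind"] == "reply":  # reply from the target: trace complete
            break
    return hops


if __name__ == "__main__":
    for ttl, src, kind in trace():
        print(f"{ttl} {src}  ({kind})")
```
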

Now, just like Van Jacobson, creator of the original “Traceroute” back in 1987, you know how it works! Next time, we’ll discuss various options.
