By Strykar

Posted: 02:28:15 2007-07-27

Modified: 11:14:39 2008-04-10 by Strykar

Traceroute - A slick hack for intermediate router and path discovery.

Traceroute is a utility to track the path/route that data packets on a TCP/IP network take to a specified destination.

No host knows the full path to a destination beforehand; it only knows its next hop, the next router. Traceroute is a hack that uses a property of the Internet Protocol, the TTL field, to discover the routers along that path.

TTL (Time To Live) is a field in the header of every IP packet. When the host OS creates a packet, it typically assigns a TTL of 16, 30 or 255. Every router the packet passes on its way to the destination decrements this value by 1. If the decrement reduces the TTL to 0, the router assumes the packet is caught in some sort of loop, discards it, and sends an ICMP TTL exceeded message (which carries the header of the discarded packet) back to the source address.

A specially constructed packet, usually a UDP datagram or an ICMP echo request, is sent to the remote destination address with a randomly selected destination port number that is typically incremented with each traceroute probe. UNIX/Linux traceroute uses UDP while Microsoft Windows tracert uses ICMP.

The TTL (Time To Live) field is very low on these packets; it starts at 1.

This causes routers to reject the packets as if they were looping. These rejections (ICMP TTL exceeded messages) let traceroute identify the intermediate routers.

So the first router that receives traceroute's probe with a TTL of 1 decrements it to 0, assumes the packet is looping, and answers with an ICMP TTL exceeded message, which tells traceroute the IP address of the first router.

Traceroute now sends another packet with a TTL of 2. This packet makes it to the second router before its TTL is decremented to 0, and traceroute deduces that this second TTL exceeded message comes from the second router on the path to the destination.

Traceroute now crafts packets with a TTL of 3 and 4 and so on to determine the path to the destination.

Traceroute knows the path discovery is complete when it receives an ICMP echo reply or an ICMP destination unreachable message from the destination host itself rather than from a router in between. It will also display any host unreachable, network unreachable and other ICMP messages received from the routers along the way.

Traceroute is designed to determine the network addresses that packets go through. Using it with NAT can create confusion. Running traceroute from a translated address should not cause an issue, but running traceroute to a translated address may cause unpredictable mapping or fail.

If traceroute's packets can't reach the destination host or can't elicit a response from it, the probe times out.

Another, non-UDP/ICMP traceroute implementation is the utility tcptraceroute, which can be used through restrictive firewalls that block UDP/ICMP. It crafts TCP packets with the SYN flag set and awaits a SYN/ACK. When a SYN/ACK is received, it indicates something is listening on this port for connections. Point it at ports that are typically open, such as HTTP or SMTP. When it receives the SYN/ACK, tcptraceroute sends a packet with the RST flag set to close the half-open connection.

Security and dependability

tcptraceroute makes it possible to probe for hosts behind a firewall that drops UDP packets. This is exactly why ICMP TTL exceeded messages should not be allowed to leave a LAN segment behind a router for the Internet.
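To make the TTL-stepping procedure described above concrete, and to show what the egress filtering recommended in this section actually changes for an outside observer, here is an added Python simulation. It is not part of the original post and not code from any traceroute or tcptraceroute implementation. It models a constructed path (ISP router, border firewall, internal router, web server, all in documentation address ranges) and walks the TTL from 1 upwards exactly as the text describes: every router decrements, an expired TTL yields an ICMP Time Exceeded from that router, a silent drop shows as `*`, and the trace ends when the destination itself answers (port unreachable for UDP, echo reply for ICMP, SYN/ACK or RST for a tcptraceroute-style SYN). The firewall policy (drop UDP and ICMP, allow TCP, optionally filter Time Exceeded coming from inside) and every function and class name are assumptions of this example; no packets are sent.

```python
"""Added example: simulation of traceroute's TTL-stepping path discovery.
No packets are sent; the network is a constructed tuple of hops."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    addr: str
    is_destination: bool = False
    # Probe protocols this hop discards instead of forwarding (assumed firewall policy).
    drops: frozenset = frozenset()
    # When True, ICMP Time Exceeded generated by hops *behind* this one is not
    # let out to the Internet (the egress filter the text recommends).
    filters_inner_time_exceeded: bool = False
    # TCP ports the destination host listens on (tcptraceroute case).
    open_tcp_ports: frozenset = frozenset()


def send_probe(path, proto, ttl, dport):
    """Walk one probe through the constructed path.
    Returns (responder, reply); reply is 'time_exceeded', 'port_unreachable',
    'echo_reply', 'syn_ack', 'rst', or None when nothing comes back ('*')."""
    time_exceeded_filtered = False
    for hop in path:
        if hop.is_destination:
            # The end host accepts the packet; its answer depends on the probe type.
            if proto == "udp":
                return hop.addr, "port_unreachable"   # nothing listens on the high port
            if proto == "icmp":
                return hop.addr, "echo_reply"
            return hop.addr, ("syn_ack" if dport in hop.open_tcp_ports else "rst")
        ttl -= 1                                      # every router decrements by one
        if ttl == 0:                                  # expired here: discard and report
            if time_exceeded_filtered:
                return None, None                     # the report never leaves the LAN
            return hop.addr, "time_exceeded"
        if proto in hop.drops:                        # firewall drops it silently
            return None, None
        if hop.filters_inner_time_exceeded:
            time_exceeded_filtered = True             # everything beyond is shielded
    return None, None


def traceroute(path, proto="udp", dport=33434, max_hops=30):
    """Probe with TTL 1, 2, 3 ... until the destination itself answers or
    max_hops is reached. Returns one (ttl, responder, reply) row per probe."""
    rows = []
    for ttl in range(1, max_hops + 1):
        responder, reply = send_probe(path, proto, ttl, dport)
        rows.append((ttl, responder, reply))
        if reply in ("port_unreachable", "echo_reply", "syn_ack", "rst"):
            break                                     # destination reached
        if proto == "udp":
            dport += 1                                # classic traceroute bumps the port per probe
    return rows


def render(rows):
    """Rows in the familiar one-hop-per-line style ('*' for an unanswered probe)."""
    out = []
    for ttl, responder, reply in rows:
        tag = "" if reply in (None, "time_exceeded") else f"  [{reply}]"
        out.append(f"{ttl:2d}  {responder or '*'}{tag}")
    return out


def build_path(egress_filter):
    """Constructed external view of a small site (documentation addresses):
    ISP router -> border firewall -> internal router -> web server."""
    return (
        Hop("198.51.100.1"),                                          # ISP router
        Hop("203.0.113.1", drops=frozenset({"udp", "icmp"}),          # border firewall
            filters_inner_time_exceeded=egress_filter),
        Hop("203.0.113.2"),                                           # internal router
        Hop("203.0.113.80", is_destination=True, open_tcp_ports=frozenset({80})),
    )


if __name__ == "__main__":
    for label, flt in (("without egress filter", False), ("with egress filter", True)):
        print(f"tcptraceroute-style SYN probes to port 80, {label}:")
        print("\n".join(render(traceroute(build_path(flt), proto="tcp", dport=80))))
    print("UDP traceroute (firewall drops UDP), first 5 hops:")
    print("\n".join(render(traceroute(build_path(True), proto="udp", max_hops=5))))
```

Compare the two TCP traces: without the egress filter the internal router shows up at hop 3 to anyone tracing from outside; with it that hop prints as `*` while the web server still answers at hop 4, so the service keeps working and only the internal topology is hidden. The UDP trace stalls at the firewall and never completes, which is the situation tcptraceroute was written to get past.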

Fudging traceroute results isn't difficult; a trivial approach is the IPSTEALTH code in the FreeBSD Project (/sys/netinet/ip_input.c). The additional reading links below showcase this and more in greater detail.

Additional reading: