Penetration Testing mailing list archives
Re: Traceroutes to Cisco Routers
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 09 Jun 2004 17:53:17 -0500
On Sat, 2004-06-05 at 05:55, Dieter Sarrazyn wrote:
Performing the trace with udp packets (default on linux), the router answers with its ip address of the interface closest to you (external interface of the router). Performing traces with icmp (-I flag in linux, default in windows), the router answers with its ip address that you are tracing to (most likely the internal interface of the router).
Easily explained: The UDP traceroute works by collecting ICMP unreachables. In essence, it is working off the lack of UDP responses (well, it doesn't expect one, it expects error codes). The ICMP traceroute does receive a final Echo Reply packet back when the ICMP Echo Request got delivered.

Multi-homed systems report error conditions from the closest interface (i.e. WAN i/f says "sorry, can't route from WAN to LAN"). The ICMP Echo Request is being sent to the LAN i/f, which will then reply with the ICMP echo. So, ICMP unreachables in UDP traceroutes come back from the WAN i/f while the ICMP Echo Reply in the ICMP traceroute comes back from the LAN i/f.

If the device filters ICMP, you only get the last hop before the WAN i/f while you don't get anything from either WAN or LAN i/f of the device you're tracerouting.

Regards,
Frank

PS: (Using WAN and LAN in lieu of external and internal).
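The difference described in the message above, shown on constructed packets (an added example, not part of the original post): the parser reports which address each reply came from and, for ICMP errors, the probe quoted inside the error. All addresses are documentation-range placeholders, and the use of port unreachable (type 3, code 3) as the last answer of a UDP trace is an assumption about the usual traceroute behaviour.

```python
import socket
import struct

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header plus payload (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def icmp(icmp_type, code, body=b""):
    """Build an 8-byte ICMP header (checksum 0) followed by its body."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + body

def classify_reply(packet, target):
    """Classify one reply received while tracing to `target`."""
    if len(packet) < 28 or packet[9] != 1:
        raise ValueError("not an ICMP-over-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    responder = socket.inet_ntoa(packet[12:16])
    icmp_type, code = packet[ihl], packet[ihl + 1]
    info = {"responder": responder, "code": code, "kind": "other",
            "from_target_address": responder == target}
    if icmp_type == 0:                      # Echo Reply: ICMP trace is done
        info["kind"] = "echo-reply"
    elif icmp_type in (3, 11):              # errors quote the original probe
        inner = packet[ihl + 8:]
        if len(inner) < 20:
            raise ValueError("ICMP error without quoted IP header")
        info["probe_proto"] = {1: "icmp", 17: "udp"}.get(inner[9], str(inner[9]))
        info["probe_dst"] = socket.inet_ntoa(inner[16:20])
        info["kind"] = "time-exceeded" if icmp_type == 11 else "unreachable"
    return info

# Constructed sample packets: a router with WAN and LAN interfaces, traced to LAN.
TRACER, HOP, WAN, LAN = "203.0.113.5", "203.0.113.1", "192.0.2.1", "198.51.100.1"
udp_probe = ipv4(TRACER, LAN, 17, struct.pack("!HHHH", 40000, 33434, 8, 0))
SAMPLES = {
    "intermediate hop": ipv4(HOP, TRACER, 1, icmp(11, 0, udp_probe)),
    "udp trace, last answer": ipv4(WAN, TRACER, 1, icmp(3, 3, udp_probe)),
    "icmp trace, last answer": ipv4(LAN, TRACER, 1, icmp(0, 0)),
}

def summarize():
    return {name: classify_reply(pkt, LAN) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, info in summarize().items():
        print(f"{name}: {info}")
```

In the UDP case the probed address survives only in the quoted header (`probe_dst`), while the reply itself is sourced from the other interface, so both values are worth recording when mapping a multi-homed device.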