[Linux] Detailed explanation of network diagnostic traceroute command

Table of contents

1. Overview of traceroute

1.1 Introduction to traceroute command

1.2 Command format

1.3 Principle

1.4 Command functions

2. Use examples

Example 1: Simplest and most common usage

Example 2: Hop count setting

Example 3: Set the number of probe packets

Example 4: Display IP address without checking host name

Example 5: Bypass the normal routing table and send directly to a host on an attached network

Example 6: Set the base UDP port used by the probe packets to 6888


Related network diagnostic commands and tools:

[Linux] Detailed explanation of network diagnostic ping command_linux ping-CSDN blog

[Network] Packet capture tool Wireshark download, installation and basic usage tutorial-CSDN Blog

[Network] Network Layer ICMP Protocol-CSDN Blog


1. Overview of traceroute


1.1 Introduction to traceroute command


traceroute traces the route that packets take from an IP network to a given host. It exploits the Time to Live (TTL) field of the IP protocol and attempts to elicit an ICMP TIME_EXCEEDED response from every gateway on the path to the host. The default packet size it sends is 60 bytes (IPv4, CentOS 7.x).

With traceroute we can learn the path that packets take from our computer to a host on the other side of the Internet. Of course, the path a packet takes from the same source to the same destination may differ from one run to the next, but most of the time the route is basically the same. On Linux the command is called traceroute; on MS Windows it is tracert. Traceroute measures the round-trip time by sending small packets towards the destination device and timing the replies. By default each device on the path is probed three times. The output shows the time (in ms) of each probe together with the device's name (if any) and its IP address.

In most cases, we will directly execute the command line on the Linux host system:

traceroute hostname

On Windows systems, the tracert command is executed:

tracert hostname

1.2 Command format


Translation of the official man page:

traceroute traces routed packets from an IP network to a given host. It exploits the IP protocol's Time to Live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from every gateway on the path to the host.

The only required parameter for traceroute is the name or IP address of the target host. The optional packet_length is the total size of the probe packet (the IPv4 default is 60 bytes, the IPv6 default is 80 bytes).

The program attempts to trace the route that an IP packet follows to some Internet host by launching probe packets with a small TTL (time to live) and then listening for ICMP "time exceeded" replies from the gateways. It starts with a TTL of 1 and increases it by 1 until it receives an ICMP "port unreachable" (or a TCP reset), which means the host has been reached, or until the maximum is reached (30 hops by default). Three probes are sent per TTL setting (by default), and a line is printed showing the TTL, the gateway address and the round-trip time of each probe. If desired, additional information can be appended after the address. If the probe answers come from different gateways, the address of each responding system is printed. If there is no response within 5.0 seconds (the default), a "*" (asterisk) is printed for that probe.

After the round-trip time, some additional annotations may be printed: !H, !N or !P (host, network or protocol unreachable), !S (source routing failed), !F (fragmentation needed), !X (communication administratively prohibited), !V (host precedence violation), !C (precedence cutoff in effect), or !<num> (ICMP unreachable code <num>). If almost all probes result in some kind of unreachable, traceroute gives up and exits.

1.3 Principle


The complete process of the traceroute program is as follows: first it sends an IP packet with the TTL field set to 1 to the destination host. The first router that processes this packet decrements the TTL by 1, discards the datagram and sends an ICMP "time exceeded" message back to the source host. This message carries the router's IP address as its source, so the address of the first router is obtained. traceroute then sends a datagram with a TTL of 2 to obtain the IP address of the second router, and this process continues until a datagram reaches the destination host.

As shown in the figure, in IPv4 ICMP messages are carried inside IP datagrams. A value of 1 in the Protocol field of the IP header indicates that the datagram carries ICMPv4.

The figure shows the ICMPv4 message format. Every ICMP message begins with an 8-bit Type field and an 8-bit Code field, followed by a 16-bit Checksum field covering the entire message.

The meaning of each field is as follows:

  • Type: specifies the type of ICMP message; occupies 1 byte. Common types include Echo Reply (0) and Echo Request (8).
  • Code: specifies the code of the ICMP message; occupies 1 byte. It further describes the message and is interpreted together with the Type field.
  • Checksum: used to check whether the ICMP message has been damaged in transit; occupies 2 bytes.
  • Data: variable length. Its content and length are determined by the specific ICMP type and code.

Traceroute based on ICMP messages works as follows. When you run traceroute with an IP address on the client, the client sends an ICMP echo request; the first packet has TTL=1, so when the first-hop router receives it and prepares to forward it, it decrements the TTL to 0 and discards the packet. The first-hop router then returns an ICMP time exceeded error message. When the client receives it, it checks whether an ICMP echo reply has arrived. If not, it sends another echo request with the TTL increased by 1 and tries again. When a request reaches the server, the server sends back an ICMP echo reply.


1. The client sends the first ICMP echo request with TTL=1. The first-hop router receives it, checks the destination address and prepares to forward it. Before forwarding it decrements the TTL by 1, which leaves TTL=0, so it discards the packet and returns a TTL expired ICMP message to the client. The client receives the TTL expired ICMP message and obtains the first-hop address from the message's source address: 10.10.10.10

2. Since the client has not received an ICMP echo reply, it sends again with the TTL increased by 1 (TTL=2). The first-hop router receives it, forwards it according to the destination address and decrements the TTL to 1 while forwarding. The second-hop router receives the packet, checks the destination address and prepares to forward it; before forwarding it decrements the TTL by 1, which leaves TTL=0, so it discards the packet and returns a TTL expired ICMP message to the client.

The client receives the TTL expired ICMP message and obtains the second-hop address from the message's source address: 20.20.20.20

3. Since the client still has not received an ICMP echo reply, it sends again with the TTL increased by 1 (TTL=3). The first-hop router forwards it according to the destination address and decrements the TTL to 2. The second-hop router checks the destination address, decrements the TTL to 1 and, because the TTL is not 0, forwards it as well. The packet finally reaches the server. The server checks the destination address, finds that it is its own, decapsulates the packet, looks at the IP payload (ICMP), finds an ICMP echo request and sends an ICMP echo reply back to the client.

The client receives the ICMP echo reply, confirming that the probe packet has reached the server. traceroute ends and records the source IP address of the reply: 192.168.2.1
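The two messages the steps above rely on, as an added example that is not part of the original article: an ICMPv4 echo request built with the Type/Code/Checksum/Data layout from section 1.3, the Time Exceeded message a router returns when the TTL reaches 0 (it quotes the IP header and first 8 bytes of the discarded probe), and the matching step a traceroute client needs, recovering its own identifier and sequence number from that quoted data. Addresses and identifiers in the sample are constructed; nothing is sent on the network.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words over the whole message.
    A message whose Checksum field is already correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type=8, Code=0, Checksum, Identifier, Sequence, then Data."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def build_time_exceeded(inner_ip_header: bytes, inner_first8: bytes) -> bytes:
    """Type=11, Code=0 as a router sends it: 4 unused bytes, then the IP header
    and the first 8 bytes of the datagram whose TTL reached 0."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner_ip_header + inner_first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def match_time_exceeded(msg: bytes):
    """Return (ident, seq) of the echo request quoted inside a Time Exceeded
    message, or None if it is not one, is corrupt, or quotes no echo request."""
    if len(msg) < 8 + 20 + 8 or icmp_checksum(msg) != 0:
        return None
    if msg[0] != ICMP_TIME_EXCEEDED or msg[1] != 0:
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4           # quoted IPv4 header length
    if inner[9] != 1:                     # quoted datagram's Protocol is not ICMP
        return None
    quoted = inner[ihl:ihl + 8]
    if len(quoted) < 8 or quoted[0] != ICMP_ECHO_REQUEST:
        return None
    _, _, _, ident, seq = struct.unpack("!BBHHH", quoted)
    return ident, seq

# Constructed sample: the first probe (TTL=1) and the reply of the first-hop router.
PROBE = build_echo_request(ident=0x1234, seq=1, payload=b"traceroute")
SAMPLE_IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(PROBE), 0x4242, 0,
                               1, 1, 0, bytes([192, 168, 2, 1]), bytes([110, 242, 68, 4]))
REPLY = build_time_exceeded(SAMPLE_IP_HEADER, PROBE[:8])
```

A real client additionally compares the quoted destination address and discards replies whose identifier does not belong to its own process, which is how it ignores unrelated ICMP traffic.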

1.4 Command functions


The traceroute command lets you trace the routing path of network packets. The default packet size is 40 bytes, and the user can set it separately.

Full parameter format: traceroute [-dFlnrvx] [-f<first TTL>] [-g<gateway>...] [-i<network interface>] [-m<max TTL>] [-p<port>] [-s<source address>] [-t<type of service>] [-w<timeout seconds>] [host name or IP address] [packet size]

Command parameters:

  parameter   definition
  -d          Use socket-level debugging.
  -f          Set the TTL of the first probe packet.
  -F          Do not fragment the probe packets.
  -g          Set source-routing gateways; up to 8 can be given.
  -i          Send the packets through the specified network interface.
  -I          Use ICMP ECHO for the probes.
  -T          Use TCP SYN for the probes (the default port is 80).
  -m          Set the maximum TTL of the probe packets.
  -N          Number of probe packets sent simultaneously. Sending several probes at once greatly speeds up traceroute. The default is 16.
  -n          Print IP addresses directly instead of resolving host names.
  -p          Set the port used by the UDP probes.
  -r          Bypass the normal routing table and send the packet directly to a host on an attached network.
  -s          Set the local source IP address used to send the probes.
  -t          Set the TOS (type of service) value of the probe packets.
  -v          Show the execution process of the command in detail.
  -w          Set the time to wait for a reply from the remote host.
  -x          Turn checksum verification of the packets on or off.


2. Use examples


Example 1: Simplest and most common usage

Command:

traceroute www.baidu.com 

Output:

[root@hdp105 ~]#  traceroute www.baidu.com
traceroute to www.baidu.com (110.242.68.4), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  124.89.90.205 (124.89.90.205)  4.446 ms  4.398 ms  3.707 ms
 4  123.139.0.85 (123.139.0.85)  3.225 ms 123.139.1.29 (123.139.1.29)  12.200 ms 123.139.1.177 (123.139.1.177)  2.085 ms
 5  * 221.11.0.145 (221.11.0.145)  35.491 ms *
 6  219.158.111.233 (219.158.111.233)  33.572 ms * 221.11.0.45 (221.11.0.45)  33.728 ms
 7  110.242.66.166 (110.242.66.166)  65.619 ms 110.242.66.170 (110.242.66.170)  65.541 ms *
 8  110.242.66.178 (110.242.66.178)  20.313 ms 221.194.45.134 (221.194.45.134)  20.487 ms 110.242.66.182 (110.242.66.182)  19.403 ms
 9  221.194.45.134 (221.194.45.134)  22.095 ms * 221.194.45.130 (221.194.45.130)  19.838 ms

.....
29  * * *
30  * * *

Explanation:

The records are numbered from 1. Each record is a hop, and each hop represents a gateway. Some lines show three times, in ms: this is the default of the -q parameter, under which three probe packets are sent to each gateway and the gateway's response times are printed. Running traceroute -q 4 www.58.com would send 4 probes to each gateway instead.

Sometimes when we traceroute a host we see lines consisting only of asterisks. When this happens, a firewall may be blocking the returned ICMP messages, so we get no reply data for that hop.
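A parser for the output format discussed above, added here as an example that is not part of the original article: it handles the three line shapes Example 1 shows (one gateway with several times, several gateways on one hop, and asterisks for probes that got no reply), keeps the !X-style annotations from section 1.2, and flags hops that never answered and hops answered by more than one gateway. The sample is the start of the Example 1 output plus one constructed line (198.51.100.9 is a documentation address).

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse_hop_line(line):
    """Parse one hop line into (hop_number, probes); None for non-hop lines.
    Probe: gateway=(name, ip) or None for '*', rtt_ms, note ('!X', '!H', ...)."""
    m = HOP_RE.match(line)
    if not m:
        return None                      # header line, '.....', blank, etc.
    tokens = m.group(2).split()
    probes, gateway, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "*":
            probes.append({"gateway": None, "rtt_ms": None, "note": None})
            i += 1
        elif nxt.startswith("(") and nxt.endswith(")"):
            gateway = (tok, nxt[1:-1])   # "name (ip)" names the responder for following times
            i += 2
        elif nxt == "ms":
            probe = {"gateway": gateway, "rtt_ms": float(tok), "note": None}
            if i + 2 < len(tokens) and tokens[i + 2].startswith("!"):
                probe["note"] = tokens[i + 2]   # e.g. !X, !H, !N, !<num>
                i += 1
            probes.append(probe)
            i += 2
        else:
            i += 1                       # unknown token: skip it
    return int(m.group(1)), probes

def summarize(output):
    """Flag silent hops (often a firewall dropping ICMP) and hops answered by
    several gateways (per-packet load balancing)."""
    hops = dict(h for h in map(parse_hop_line, output.splitlines()) if h)
    responders = {n: sorted({x["gateway"][1] for x in p if x["gateway"]}) for n, p in hops.items()}
    return {"hops": hops,
            "silent_hops": [n for n, ips in responders.items() if not ips],
            "multi_path_hops": {n: ips for n, ips in responders.items() if len(ips) > 1}}

# Sample: first lines of the Example 1 output above, plus one constructed line (hop 6).
SAMPLE_OUTPUT = """\
traceroute to www.baidu.com (110.242.68.4), 30 hops max, 60 byte packets
 1  * * *
 3  124.89.90.205 (124.89.90.205)  4.446 ms  4.398 ms  3.707 ms
 4  123.139.0.85 (123.139.0.85)  3.225 ms 123.139.1.29 (123.139.1.29)  12.200 ms 123.139.1.177 (123.139.1.177)  2.085 ms
 5  * 221.11.0.145 (221.11.0.145)  35.491 ms *
 6  198.51.100.9 (198.51.100.9)  12.000 ms !X * *
"""
```

Feeding successive runs through summarize and diffing the per-hop responder sets is a simple way to notice path changes or a hop that has started dropping probes.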

Example 2: Hop count setting

Command: Limit routing to stop after 10 hops

traceroute -m 10 www.baidu.com

Output:

[root@hdp105 ~]# traceroute -m 10 www.baidu.com
traceroute to www.baidu.com (110.242.68.4), 10 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  124.89.90.205 (124.89.90.205)  5.417 ms  5.530 ms  5.287 ms
 4  123.139.1.29 (123.139.1.29)  1.992 ms 123.139.1.177 (123.139.1.177)  1.968 ms 123.139.2.161 (123.139.2.161)  1.945 ms
 5  * 221.11.0.1 (221.11.0.1)  2.090 ms *
 6  219.158.111.233 (219.158.111.233)  35.322 ms 221.11.0.69 (221.11.0.69)  28.003 ms *
 7  219.158.111.233 (219.158.111.233)  33.298 ms  33.255 ms *
 8  221.194.45.130 (221.194.45.130)  20.088 ms 110.242.66.170 (110.242.66.170)  20.029 ms 221.194.45.130 (221.194.45.130)  20.582 ms
 9  * * 221.194.45.134 (221.194.45.134)  21.801 ms
10  * * *
[root@hdp105 ~]# 

Example 3: Set the number of probe packets

Command: Limit the route to 10 hops and send 4 probe packets to each hop.

[root@hdp105 ~]# traceroute -q 4 -m 10 www.baidu.com
traceroute to www.baidu.com (110.242.68.3), 10 hops max, 60 byte packets
 1  * * * *
 2  * * * *
 3  124.89.90.205 (124.89.90.205)  3.536 ms  3.507 ms  2.734 ms  3.425 ms
 4  * * * 123.139.2.37 (123.139.2.37)  2.599 ms
 5  221.11.0.1 (221.11.0.1)  2.756 ms  2.727 ms  5.096 ms  7.570 ms
 6  * 221.11.0.169 (221.11.0.169)  22.440 ms 221.11.0.69 (221.11.0.69)  27.588 ms *
 7  * 110.242.66.186 (110.242.66.186)  25.913 ms 219.158.111.233 (219.158.111.233)  21.579 ms 110.242.66.178 (110.242.66.178)  20.378 ms
 8  221.194.45.130 (221.194.45.130)  23.732 ms 110.242.66.162 (110.242.66.162)  20.793 ms 221.194.45.130 (221.194.45.130)  20.476 ms  23.077 ms
 9  221.194.45.134 (221.194.45.134)  24.247 ms * * *
10  * * * *
[root@hdp105 ~]# 

As shown in the figure, 4 probe packets are sent to each hop and 4 round-trip times are printed per line.

Example 4: Display IP address without checking host name

Command:

traceroute -n -m 10 www.baidu.com

Output:

Example 5: Bypass the normal routing table and send directly to a host on an attached network

Command:

traceroute -r www.baidu.com

Output:

Example 6: Set the base UDP port used by the probe packets to 6888

Command:

traceroute -p 6888 www.baidu.com

Output:

[root@hdp105 ~]# traceroute -p 6888 -m 10 www.baidu.com
traceroute to www.baidu.com (110.242.68.4), 10 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  124.89.90.205 (124.89.90.205)  2.079 ms  2.502 ms  2.440 ms
 4  123.139.0.85 (123.139.0.85)  2.280 ms 123.139.2.161 (123.139.2.161)  1.945 ms 123.139.1.29 (123.139.1.29)  2.212 ms
 5  * 221.11.0.53 (221.11.0.53)  27.007 ms *
 6  221.11.0.97 (221.11.0.97)  22.444 ms * *
 7  110.242.66.170 (110.242.66.170)  20.305 ms * *
 8  110.242.66.174 (110.242.66.174)  20.119 ms 221.194.45.130 (221.194.45.130)  19.840 ms 221.194.45.134 (221.194.45.134)  21.036 ms
 9  * 221.194.45.130 (221.194.45.130)  20.001 ms *
10  * * *
[root@hdp105 ~]# 

Original link: Linux network command--detailed explanation of traceroute_traceroute command-CSDN blog

Origin blog.csdn.net/qq_35995514/article/details/135594855