Wednesday, October 11, 2006

Linux traceroute vs Windows tracert

This story has moved to NerdBoys.com. Please read this story at its new location.

13 comments:

Bogdan D said...

Well, actually both traceroute applications use UDP, Windows and Linux. It's because of the way traceroute works. It sends UDP packets with incremental TTL values in the level 3 header. At first it sends a packet with a TTL value of 1, and the first router that receives the packet sets the TTL to 0, and when it has to forward it, it doesn't do so because of the TTL field; thus it sends a Time Exceeded ICMP message back to the host. The next packet will have a TTL of 2 and so on and so forth. The implementation of traceroute is the same in Windows and Linux: send UDP and receive ICMP.

Joe said...

Nope. I beg to differ, Bogdan. Windows tracert does NOT use UDP. It uses ICMP. Here is a snippet about tracert from the Windows Server 2003 help file:

Determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) Echo Request or ICMPv6 messages to the destination with incrementally increasing Time to Live (TTL) field values.

More proof is here. See the part that says "The UNIX version of Tracert performs the same function as the Windows version except that the IP payload is a UDP packet".

For the final evidence, note that when tracerouting to my office, Windows tracert worked and Linux traceroute did not work when our firewall policy was to DROP UDP packets.

If you're inclined, hook up tcpdump and see for yourself.

Anonymous said...

Hi Joe, if I want to block traceroute on Linux, what should I do? If I deny ports from 33434 to 33600, it's not enough, because this range can be changed by the -p parameter of traceroute.
And if I want to block traceroute on a Windows machine but ping will be open, what do I do?!!!... Block icmp-type echo request? So what happens to ping?!!! It is also blocked.
What's the correct solution?

Joe said...

Ehsan,

To block traceroute on Linux, start by DROPping ports 33434 to 33600. Of course, you make a good point that this range can be overridden with the -p option. If you are REALLY paranoid, you can DROP all UDP traffic and then only open the ports that you have services running on. Sometimes this is easier said than done though. One way to figure out what UDP ports you are using is to run "netstat -nul". This will show you all of the UDP port numbers that processes on your box are listening on.

As for blocking the ICMP flavor of traceroute/tracert, I think all you have to do is drop ICMP type 30 (traceroute). I think the following rule should do it:
iptables -A INPUT -p icmp --icmp-type 30 -j DROP

Unknown said...

Nope - that will not do it. Windows does use ICMP, but it does not use the implementation described in RFC1393 (as far as I know, no operating system to date uses the RFC1393 implementation of traceroute, which uses a special IP option instead of low TTL values).

Windows uses "normal" ICMP echo requests with low TTL values. And the replies are ICMP type 11 (TTL exceeded), or ICMP type 0 (echo reply, when the destination has been reached).

So if you want to block both Windows and *NIX traceroutes, you need to either:
-block outgoing messages destined to UDP ports 33434 to 33534, AND outgoing ICMP echo-request messages
or
-block incoming ICMP type 11 and type 0 messages.

[and speaking of tcpdump - I have in front of me an Ethereal capture of a Windows tracert session, showing the messages I mentioned: outbound ICMP echo-requests, and inbound ICMP time-exceeded and echo-reply. ]
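The mechanics described in the comments above (a probe with TTL 1 expires at the first router, TTL 2 at the second, and so on, with UDP probes to ports 33434 and up on Unix/Linux versus ICMP echo requests on Windows) and the firewall options discussed by Joe and the previous commenter can be checked without touching a network. The following Python simulation is an added example, not code from the blog post or from any commenter: the router and host addresses, the hop count, the Firewall model and its option names are constructed for the example. It reproduces Joe's observation that dropping UDP stops Linux traceroute but not Windows tracert, and shows what each of the two blocking options in the previous comment actually hides. One detail the thread does not state is used here: a UDP traceroute knows it has reached the destination when the host answers with ICMP Destination Unreachable (type 3, port unreachable), since nothing listens on those high ports.

```python
# Added example (not from the blog post or the comments): simulate UDP-style
# (Unix/Linux) and ICMP-style (Windows tracert) traceroute probes travelling
# through a constructed path, under the firewall policies discussed in the thread.
from dataclasses import dataclass, field

UDP_BASE_PORT = 33434  # first destination port used by classic UDP traceroute

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3     # port unreachable from the target ends a UDP traceroute
ICMP_ECHO_REQUEST = 8     # what Windows tracert sends, with low TTL values
ICMP_TIME_EXCEEDED = 11   # what each intermediate router sends back


@dataclass(frozen=True)
class Probe:
    proto: str            # "udp" or "icmp"
    ttl: int
    dport: int = 0        # UDP destination port; unused for ICMP probes
    icmp_type: int = 0    # ICMP_ECHO_REQUEST for ICMP probes


@dataclass(frozen=True)
class Reply:
    src: str              # address of the router or host that answered
    icmp_type: int


@dataclass
class Firewall:
    """Constructed model of the policies discussed in the comments."""
    drop_udp_out: bool = False          # Joe's office policy: DROP UDP
    drop_icmp_echo_out: bool = False    # block outbound echo requests
    drop_inbound_icmp_types: frozenset = field(default_factory=frozenset)

    def admits_out(self, probe: Probe) -> bool:
        if probe.proto == "udp" and self.drop_udp_out:
            return False
        if probe.proto == "icmp" and probe.icmp_type == ICMP_ECHO_REQUEST and self.drop_icmp_echo_out:
            return False
        return True

    def admits_in(self, reply: Reply) -> bool:
        return reply.icmp_type not in self.drop_inbound_icmp_types


def send_probe(probe: Probe, routers: list, dest: str, fw: Firewall):
    """Walk one probe along the path; return the Reply that gets back, or None."""
    if not fw.admits_out(probe):
        return None
    ttl = probe.ttl
    for router in routers:
        ttl -= 1                  # every router decrements the TTL ...
        if ttl == 0:              # ... and at zero discards the packet and reports it
            reply = Reply(router, ICMP_TIME_EXCEEDED)
            return reply if fw.admits_in(reply) else None
    # The probe survived to the destination host.
    if probe.proto == "udp":
        reply = Reply(dest, ICMP_DEST_UNREACH)   # nothing listens on 33434+
    else:
        reply = Reply(dest, ICMP_ECHO_REPLY)
    return reply if fw.admits_in(reply) else None


def traceroute(proto: str, routers: list, dest: str, fw: Firewall, max_hops: int = 6) -> list:
    """Return the address seen per hop ('*' on no reply), stopping once the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        if proto == "udp":
            probe = Probe("udp", ttl, dport=UDP_BASE_PORT + ttl - 1)
        else:
            probe = Probe("icmp", ttl, icmp_type=ICMP_ECHO_REQUEST)
        reply = send_probe(probe, routers, dest, fw)
        hops.append(reply.src if reply else "*")
        if reply and reply.icmp_type in (ICMP_ECHO_REPLY, ICMP_DEST_UNREACH):
            break
    return hops


# Constructed path: three routers, then the target host (documentation addresses).
ROUTERS = ["10.0.0.1", "192.0.2.1", "198.51.100.1"]
DEST = "203.0.113.9"

if __name__ == "__main__":
    policies = {
        "no filtering": Firewall(),
        "DROP UDP (Joe's office)": Firewall(drop_udp_out=True),
        "drop outbound UDP 33434+ and echo-request": Firewall(drop_udp_out=True, drop_icmp_echo_out=True),
        "drop inbound ICMP type 11 and 0": Firewall(drop_inbound_icmp_types=frozenset({11, 0})),
    }
    for name, fw in policies.items():
        print(f"{name}:")
        print("  linux traceroute (udp):  ", traceroute("udp", ROUTERS, DEST, fw))
        print("  windows tracert (icmp):  ", traceroute("icmp", ROUTERS, DEST, fw))
```

With the inbound-only policy (drop ICMP types 11 and 0), the Windows-style trace shows nothing but the UDP-style trace still names the destination at hop 4, because the port-unreachable answer (type 3) is not covered; that is the caveat to keep in mind when choosing between the two options in the comment above.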

Anonymous said...

You made my day. I have both *nix machines and Windows machines in our lab; tracerts were going through from Windows but not from *nix. I was wondering why, when Google brought me to your page.
Now I know UDP is probably blocked in my firewall.
Thanks dude.

Anonymous said...

Hi Joe, if I would like to disable/block traceroute on the Windows Server 2003 platform, what should I do?

Joe said...

I think the info you need is all in my blog post. To block ICMP traceroute, you could try configuring your firewall to drop ICMP packets of type 30 (Traceroute). You might also have to drop ICMP packets of type 0 (Echo Reply) and 8 (Echo). To block UDP traceroute, you could try configuring your firewall to drop UDP packets in the destination port range of 33434 to 33600. I hope that helps. There are probably a million web pages that could help you too.

Anonymous said...

I know this is old now, but it was the first useful google hit I got when trying to understand why UDP was used.

I eventually came upon this, which seems to give a nice answer: http://www.inetdaemon.com/tools/traceroute/definition.shtml

Unknown said...

I seem to keep coming back to this page from time to time :)

This time, an answer to what you said in the post:
I googled to find out why Linux traceroute uses UDP by default but I couldn't find any definitive reasons.

The reason is RFC792 (ICMP), which says:
To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages

This is the reason why Unix (and Linux, and Cisco, and other implementations) use UDP. Technically speaking, it is the Windows implementation that is breaking the RFC, not the other way around :)

Speaking of which - your article also says "According to RFC1393, traceroute implementations are supposed to use the ICMP protocol.". While true in theory, that RFC refers to the use of the traceroute ICMP message - which has never been implemented on a large scale (see my previous message).

Anonymous said...

I think all you are trying to say, Bogd, is that the Windows implementation uses type 8 instead of the dedicated traceroute types (30 etc.).

The original blog is correct in the sense that Windows uses ICMP and Linux UDP.

On Linux you can force traceroute to use ICMP over UDP with traceroute -P ICMP ipnr; note that the Linux ICMP trace also uses type 8.

Anonymous said...

A belated thank-you for this! Very helpful and explains why a network engineer using Windows and I (using Linux) were seeing different things on our network.

Anonymous said...

Try for fun:

http://vTechnology.pl/vTrace/

:-)