Saturday, September 24, 2022

Tracert from Windows OS [In-depth analysis using Wireshark]

This article explains the "Tracert" output and what happens underneath, using Wireshark captures.

Below, we take a look at the output of tracert to "ping.com".


From the tracert output, we can tell the following :

> "ping.com" resolves to 13.107.246.35

> "ping.com" is 7 hops away from the user machine

> For each hop, there were three ICMP echo requests sent


The first ICMP echo request packet captured in Wireshark is shown below :

Notice the Time to Live [IP header] is set as 1.

TTL (Time to Live) is a mechanism to avoid routing loops in networks.

Tracert manipulates the TTL value inside the IP packet.

A Layer-3 device decreases the TTL value by 1 and forwards the IP packet.

If a Layer-3 device receives an IP packet with a TTL value of 1, it drops the packet and sends an ICMP Time Exceeded packet informing the source that the packet has reached its last hop and cannot go any further.

This information is sent as an ICMP Time-to-live exceeded packet.

Since three ICMP echo request packets are sent, three ICMP Time-to-live exceeded packets are received by the user machine.


Using these three responses, Tracert calculates the response time as 1 ms, 3 ms and 3 ms for the respective packets.

The response comes from 192.168.1.1, which thus declares itself as the first hop in the path to reach "ping.com".


The second ICMP echo request packet captured in Wireshark is shown below :

Notice the Time to Live [IP header] is set as 2.

So, Tracert increases the TTL value in IP header by 1 and sends the ICMP echo request to "ping.com" [13.107.246.35] again.

Three ICMP Time-to-live exceeded packets are received as before, giving the response time for each probe and the IP address of the Layer-3 device that sent them, 103.80.117.18.


Tracert keeps increasing the TTL value until it receives ICMP echo reply packets from ping.com.

Hence, it completes the tracert output, listing which Layer-3 devices it crossed to reach the destination "ping.com".


However, two Layer-3 devices were not identified, at the 5th and 7th hops, as there could be firewall rules blocking any ICMP-related responses.

This is usually a deliberate security choice: the administrator does not want details of their Layer-3 devices to be revealed.
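The whole mechanism described above (TTL starting at 1 and raised by one per hop, three probes per TTL, Time-to-live exceeded from each intermediate device, an echo reply from the destination, and a silent hop shown as `*`) can be walked through in code. The following is an added example, not code from the original post: it models the path as plain Python objects and sends no packets. The first two hop addresses (192.168.1.1, 103.80.117.18) and the destination 13.107.246.35 are taken from the post; the other hop addresses (203.0.113.0/24 documentation range) and all round-trip times are constructed, and the silent 5th hop stands in for a device whose firewall blocks ICMP responses.

```python
"""Simulation of the TTL mechanism behind tracert (added example, not the post's code)."""
from dataclasses import dataclass
from typing import Optional

MAX_HOPS = 30        # tracert's default hop limit
PROBES_PER_HOP = 3   # tracert sends three echo requests per TTL value


@dataclass
class Hop:
    ip: str
    rtt_ms: int
    answers_icmp: bool = True   # False models a firewall that silences ICMP


@dataclass
class Reply:
    kind: str                 # "time-exceeded", "echo-reply" or "timeout"
    source: Optional[str]     # address the answer came from, None on timeout
    rtt_ms: Optional[int]


def forward(path: list, destination: Hop, ttl: int) -> Reply:
    """Walk one echo request with the given TTL along the path.

    Each Layer-3 device decrements the TTL by one and forwards the packet.
    A device that receives TTL 1 drops it and, unless it is configured to stay
    silent, answers with ICMP Time-to-live exceeded from its own address.
    If the packet survives every hop, the destination sends an echo reply.
    """
    for hop in path:
        if ttl <= 1:
            if hop.answers_icmp:
                return Reply("time-exceeded", hop.ip, hop.rtt_ms)
            return Reply("timeout", None, None)
        ttl -= 1
    return Reply("echo-reply", destination.ip, destination.rtt_ms)


def tracert(path: list, destination: Hop, max_hops: int = MAX_HOPS) -> list:
    """Reproduce tracert's loop: start at TTL 1, raise it by one per hop,
    send three probes per TTL and stop once the destination itself replies."""
    rows = []
    for ttl in range(1, max_hops + 1):
        probes = [forward(path, destination, ttl) for _ in range(PROBES_PER_HOP)]
        rows.append((ttl, probes))
        if probes[0].kind == "echo-reply":
            break
    return rows


def format_row(ttl: int, probes: list) -> str:
    """Render one line in tracert's style; '*' marks a probe that got no answer."""
    times = " ".join("*" if p.rtt_ms is None else f"{p.rtt_ms} ms" for p in probes)
    ip = next((p.source for p in probes if p.source), "Request timed out.")
    return f"{ttl:>3}  {times}  {ip}"


# Constructed path: hops 1, 2 and the destination come from the post,
# the rest are documentation-range addresses; hop 5 never answers ICMP.
SAMPLE_PATH = [
    Hop("192.168.1.1", 1),
    Hop("103.80.117.18", 3),
    Hop("203.0.113.3", 5),
    Hop("203.0.113.4", 8),
    Hop("203.0.113.5", 0, answers_icmp=False),
    Hop("203.0.113.6", 12),
]
DESTINATION = Hop("13.107.246.35", 15)

if __name__ == "__main__":
    print(f"Tracing route to {DESTINATION.ip} over a maximum of {MAX_HOPS} hops:\n")
    for ttl, probes in tracert(SAMPLE_PATH, DESTINATION):
        print(format_row(ttl, probes))
```

Running the script prints seven rows: the first two carry the addresses seen in the post's capture, row 5 shows `* * *  Request timed out.` because that device drops the probe without answering, and row 7 ends the trace with the echo reply from 13.107.246.35. In a real capture the same three packet kinds can be isolated with the Wireshark display filters `icmp.type == 8` (echo request), `icmp.type == 11` (Time-to-live exceeded) and `icmp.type == 0` (echo reply), and `ip.ttl` shows the incrementing TTL on the outgoing requests.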
