How to identify packets of traceroute?

I'm working in C and using the pcap library to analyze a cap file that has packets that were sent/received during the execution of traceroute. The problem I'm having is identifying packets that were sent/received from the traceroute since the cap file includes other packets as well.

Is there any specific criteria I could check against when trying to determine if any given packet is from traceroute? Or is this not possible?

Would appreciate any help/advice you could offer.

Upvotes: 1

Views: 2699

Answers (2)

packetie

Reputation: 5069

The program traceroute works by sending UDP/ICMP packets with an incrementing IP TTL field. These IP TTL values are typically very small compared to what a typical application will send (on mine it is 64).

So if you capture with the filter

ip.ttl < 20

You may get these packets (you may tweak the number in the above filter); remember, if you are close to the host that runs the traceroute program, you can even catch it with "ip.ttl < 5".

Upvotes: 0

user862787

Reputation:

$ man traceroute

TRACEROUTE(8)             BSD System Manager's Manual            TRACEROUTE(8)

NAME
     traceroute -- print the route packets take to network host

    ...


     -I      Use ICMP ECHO instead of UDP datagrams.  (A synonym for "-P
             icmp"). 

    ...


     This program attempts to trace the route an IP packet would follow to   
     some internet host by launching UDP probe packets with a small ttl (time
     to live) then listening for an ICMP "time exceeded" reply from a gateway.
     We start our probes with a ttl of one and increase by one until we get an
     ICMP "port unreachable" (which means we got to "host") or hit a max 
     (which defaults to net.inet.ip.ttl hops & can be changed with the -m
     flag).  Three probes (changed with -q flag) are sent at each ttl setting
     and a line is printed showing the ttl, address of the gateway and round
     trip time of each probe.  If the probe answers come from different gate-
     ways, the address of each responding system will be printed.  If there is
     no response within a 5 sec. timeout interval (changed with the -w flag),
     a "*" is printed for that probe.

     We don't want the destination host to process the UDP probe packets so
     the destination port is set to an unlikely value (if some clod on the  
     destination is using that value, it can be changed with the -p flag).

So, by default, traceroute packets are UDP packets sent to some random port; that makes them somewhat hard to distinguish from other traffic.

If somebody uses the -I option, it'll use ICMP ECHO packets, which are easier to distinguish from other traffic, although not easier to distinguish from, for example, traffic from the "ping" command.

You could try looking for packets with a small TTL.

Upvotes: 2
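A classifier that applies what both answers suggest (small TTL plus either a UDP probe to the high default port range or an ICMP echo, and the ICMP "time exceeded" replies the man page describes) to a raw frame, as an added example rather than code from either answer. The enum and function names are hypothetical, the 33434 base port is the usual default (the -p flag changes it), the TTL threshold is the caller's choice, and make_frame only builds constructed sample frames for testing; in real use classify_frame would be called from a pcap_loop() callback on the captured bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names, not from the question or answers. */
enum probe_kind { NOT_TRACEROUTE = 0, UDP_PROBE = 1, ICMP_ECHO_PROBE = 2, TIME_EXCEEDED_REPLY = 3 };

/* Classify one Ethernet/IPv4 frame as a pcap callback receives it.
 * ttl_max is the "small TTL" threshold from the answers (e.g. 20, or 5 near the sender). */
enum probe_kind classify_frame(const uint8_t *frame, size_t len, uint8_t ttl_max)
{
    if (len < 14 + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return NOT_TRACEROUTE;                          /* too short or not IPv4 ethertype */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* IP header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 8)
        return NOT_TRACEROUTE;
    uint8_t ttl = ip[8], proto = ip[9];
    const uint8_t *l4 = ip + ihl;

    if (proto == 1) {                                   /* ICMP */
        if (l4[0] == 11) return TIME_EXCEEDED_REPLY;    /* gateway answering a probe (any TTL) */
        if (l4[0] == 8 && ttl <= ttl_max) return ICMP_ECHO_PROBE; /* traceroute -I, or low-TTL ping */
        return NOT_TRACEROUTE;
    }
    if (proto == 17 && ttl <= ttl_max) {                /* UDP with a small TTL */
        uint16_t dport = (uint16_t)((l4[2] << 8) | l4[3]);
        /* 33434 is the usual default base port (-p changes it); 90 covers 30 hops x 3 probes */
        if (dport >= 33434 && dport < 33434 + 90) return UDP_PROBE;
    }
    return NOT_TRACEROUTE;
}

/* Constructed sample frame: Ethernet + minimal IPv4 header + 8 bytes of L4 data.
 * For UDP, l4_arg is the destination port; for ICMP it is the message type. Returns length. */
size_t make_frame(uint8_t *buf, uint8_t ttl, uint8_t proto, uint16_t l4_arg)
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;                     /* ethertype IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 28; ip[8] = ttl; ip[9] = proto; /* v4, IHL 5, total len 28, TTL, proto */
    uint8_t *l4 = ip + 20;
    if (proto == 17) { l4[2] = (uint8_t)(l4_arg >> 8); l4[3] = (uint8_t)l4_arg; }
    else l4[0] = (uint8_t)l4_arg;
    return 42;
}

/* Build a constructed frame and classify it in one call (convenient for checks). */
enum probe_kind demo_classify(uint8_t ttl, uint8_t proto, uint16_t l4_arg, uint8_t ttl_max)
{
    uint8_t buf[64];
    return classify_frame(buf, make_frame(buf, ttl, proto, l4_arg), ttl_max);
}
```

A TTL threshold alone will also match ping with a low TTL or stray low-TTL traffic, so correlating each probe with its ICMP "time exceeded" reply (which quotes the probe's IP header) gives higher confidence than either rule by itself.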
