traceroute - print the route packets take to network host
traceroute [-cdDIlnrSv] [-f first_ttl] [-g gateway_addr] [-m
max_ttl]
[-p port] [-P proto] [-q nqueries] [-s src_addr]
[-t tos]
[-w waittime] host [packetsize]
The Internet is a large and complex aggregation of network
hardware, connected
together by gateways. Tracking the route one's packets follow (or
finding the miscreant gateway that's discarding your packets) can be difficult.
traceroute utilizes the IP protocol `time to live'
field and attempts
to elicit an ICMP TIME_EXCEEDED response from each
gateway along
the path to some host.
The only mandatory parameter is the destination host name or
IP number.
The default probe datagram length is 38 bytes, but this may
be increased
by specifying a packet size (in bytes) after the destination
host name.
The options are as follows:
-c Do not increment the destination port number in successive UDP
packets. Rather, all UDP packets will have the same
destination
port, as set via the -p flag (or 33434 if none is
specified).
-d Turn on socket-level debugging.
-D Dump the packet data to standard error before transmitting it.
-f first_ttl
Set the first time-to-live used in outgoing probe
packets. The
effect is that the first first_ttl - 1 hosts will be
skipped in
the output of traceroute. The default value is 1
(skip no
hosts).
-g gateway_addr
Add gateway_addr to the list of addresses in the IP
Loose Source
Record Route (LSRR) option. If no gateways are
specified, the
LSRR option is omitted.
-I Equivalent to -P 1. Used for compatibility with
other OSes.
-l Display the ttl value of the returned packet. This
is useful for
checking for asymmetric routing.
-m max_ttl
Set the max time-to-live (max number of hops) used
in outgoing
probe packets. The default is the value of the system's
net.inet.ip.ttl MIB variable, which defaults to 64.
-n Print hop addresses numerically rather than symbolically and numerically
(saves a nameserver address-to-name lookup
for each
gateway found on the path).
-p port
Set the base UDP port number used in probes (default
is 33434).
traceroute hopes that nothing is listening on UDP
ports base to
base+nhops*nqueries-1 at the destination host (so an
ICMP
PORT_UNREACHABLE message will be returned to terminate the route
tracing). If something is listening on a port in
the default
range, this option can be used to pick an unused
port range.
-P proto
Change the protocol being used from UDP to a numeric
protocol or
a name as specified in /etc/protocols. This will
not work reliably
for most protocols. If set to 1 (ICMP), then
ICMP Echo Request
messages will be used (same as ping(8)).
-q nqueries
Set the number of probes per ``ttl'' to nqueries
(default is
three probes).
-r Bypass the normal routing tables and send directly
to a host on
an attached network. If the host is not on a directly attached
network, an error is returned. This option can be
used to ping a
local host through an interface that has no route
through it
(e.g., after the interface was dropped by routed(8)).
-s src_addr
Use the following IP address (which must be given as
an IP number,
not a hostname) as the source address in outgoing probe
packets. On hosts with more than one IP address,
this option can
be used to force the source address to be something
other than
the IP address of the interface the probe packet is
sent on. If
the IP address is not one of this machine's interface addresses
and the user is not the superuser, an error is returned and nothing
is sent.
-S Print how many probes were not answered for each
hop.
-t tos Set the type-of-service in probe packets to the following value
(default zero). The value must be a decimal integer
in the range
0 to 255. This option can be used to see if different types-ofservice
result in different paths. (If you are not
running a
4.3BSD-Tahoe or later system, this may be academic
since the normal
network services like telnet and ftp don't let
you control
the TOS). Not all values of TOS are legal or meaningful - see
the IP spec for definitions. Useful values are
probably `-t 16'
(low delay) and `-t 8' (high throughput).
-v Verbose output. Received ICMP packets other than
TIME_EXCEEDED
and UNREACHABLEs are listed.
-w waittime
Set the time (in seconds) to wait for a response to
a probe (default
3).
This program attempts to trace the route an IP packet would
follow to
some internet host by launching UDP probe packets with a
small ttl (time
to live) then listening for an ICMP "time exceeded" reply
from a gateway.
We start out probes with a ttl of one and increase by one
until we get an
ICMP "port unreachable" (which means we got to "host") or
hit a max
(which defaults to 64 hops and can be changed with the -m
flag). Three
probes (changed with -q flag) are sent at each ttl setting
and a line is
printed showing the ttl, address of the gateway and round
trip time of
each probe. If the probe answers come from different gateways, the address
of each responding system will be printed. If there
is no response
within a 5 sec. timeout interval (changed with the -w flag),
a "*" is
printed for that probe.
We don't want the destination host to process the UDP probe
packets so
the destination port is set to an unlikely value (if some
clod on the
destination is using that value, it can be changed with the
-p flag).
A sample use and output might be:
$ traceroute nis.nsf.net.
traceroute to nis.nsf.net (35.1.1.48), 64 hops max, 56
byte packet
1 helios.ee.lbl.gov (128.3.112.1) 19 ms 19 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 39 ms
19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 39 ms
19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 39 ms
40 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 39 ms 39
ms 39 ms
6 128.32.197.4 (128.32.197.4) 40 ms 59 ms 59 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 59 ms
8 129.140.70.13 (129.140.70.13) 99 ms 99 ms 80 ms
9 129.140.71.6 (129.140.71.6) 139 ms 239 ms 319 ms
10 129.140.81.7 (129.140.81.7) 220 ms 199 ms 199
ms
11 nic.merit.edu (35.1.1.48) 239 ms 239 ms 239 ms
Note that lines 2 & 3 are the same. This is due to a buggy
kernel on the
2nd hop system - lbl-csam.arpa - that forwards packets with
a zero ttl (a
bug in the distributed version of 4.3 BSD). Note that you
have to guess
what path the packets are taking cross-country since the
NSFNET (129.140)
doesn't supply address-to-name translations for its NSSes.
A more interesting example is:
$ traceroute allspice.lcs.mit.edu.
traceroute to allspice.lcs.mit.edu (18.26.0.115), 64
hops max
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 19 ms
19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms
19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 19 ms
39 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 20 ms 39
ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300
ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239
ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279
ms
14 * * *
15 * * *
16 * * *
17 * * *
18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms
279 ms
Note that the gateways 12, 14, 15, 16 & 17 hops away either
don't send
ICMP "time exceeded" messages or send them with a ttl too
small to reach
us. 14 - 17 are running the MIT C Gateway code that doesn't
send "time
exceeded"s. God only knows what's going on with 12.
The silent gateway 12 in the above may be the result of a
bug in the
4.[23] BSD network code (and its derivatives): 4.x (x <= 3)
sends an unreachable
message using whatever ttl remains in the original
datagram.
Since, for gateways, the remaining ttl is zero, the ICMP
"time exceeded"
is guaranteed to not make it back to us. The behavior of
this bug is
slightly more interesting when it appears on the destination
system:
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms
39 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 39 ms
19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 39 ms
40 ms 19 ms
5 ccn-nerif35.Berkeley.EDU (128.32.168.35) 39 ms 39
ms 39 ms
6 csgw.Berkeley.EDU (128.32.133.254) 39 ms 59 ms
39 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 rip.Berkeley.EDU (128.32.131.22) 59 ms ! 39 ms !
39 ms !
Notice that there are 12 "gateways" (13 is the final destination) and exactly
the last half of them are "missing". What's really
happening is
that rip (a Sun-3 running Sun OS3.5) is using the ttl from
our arriving
datagram as the ttl in its ICMP reply. So, the reply will
time out on
the return path (with no notice sent to anyone since ICMP's
aren't sent
for ICMP's) until we probe with a ttl that's at least twice
the path
length. i.e., rip is really only 7 hops away. A reply that
returns with
a ttl of 1 is a clue this problem exists. traceroute prints
a "!" after
the time if the ttl is <= 1. Since vendors ship a lot of
obsolete (DEC's
Ultrix, Sun 3.x) or non-standard (HP-UX) software, expect to
see this
problem frequently and/or take care picking the target host
of your
probes.
Other possible annotations after the time are !H, !N, !P
(got a host,
network or protocol unreachable, respectively), !A, !C (access to the
network or host, respectively, is prohibited), !X (communication administratively
prohibited by filtering), !S or !F (source route
failed or
fragmentation needed - neither of these should ever occur
and the associated
gateway is busted if you see one), !U (destination network or host
unknown), !T (destination network or host unreachable for
TOS), !<code>
(other ICMP unreachable code). If almost all the probes result in some
kind of unreachable, traceroute will give up and exit.
$ traceroute -g 10.3.0.5 128.182.0.0
will show the path from the Cambridge Mailbridge to PSC,
while
$ traceroute -g 192.5.146.4 -g 10.3.0.5 35.0.0.0
will show the path from the Cambridge Mailbridge to Merit,
using PSC to
reach the Mailbridge.
This program is intended for use in network testing, measurement and management.
It should be used primarily for manual fault isolation. Because
of the load it could impose on the network, it is unwise to use
traceroute during normal operations or from automated
scripts.
netstat(1), ping(8)
The very first traceroute (never released) used ICMP
ECHO_REQUEST datagrams
as probe packets. During the first night of testing
it was discovered
that more than half the router vendors of the time
would not return
an ICMP TIME_EXCEEDED for an ECHO_REQUEST. traceroute was
then changed
to use UDP probe packets. Most modern TCP/IP implementations will now
generate an ICMP error message to ICMP query messages, and
the option to
use ECHO_REQUEST probes was re-implemented.
The traceroute command first appeared in 4.4BSD.
Implemented by Van Jacobson from a suggestion by Steve Deering. Debugged
by a cast of thousands with particularly cogent suggestions
or fixes from
C. Philip Wood, Tim Seaver and Ken Adelman.
OpenBSD 3.6 June 6, 1993
[ Back ] |
