Understanding traceroute

This information is pulled from archive.nanog.org (the NANOG tutorial linked below).

The traceroute utility shows which path our packets take to reach a destination. It does so by abusing the TTL (time to live) field of the IP header. TTL exists to stop packets looping around a network forever: every packet carries a TTL value, each router that forwards the packet decrements it by one, and a router that decrements it to zero discards the packet instead of forwarding it. Let's dive into how traceroute turns this mechanism into a map of the path a packet took.

How does it work?

Traceroute uses the TTL to discover the real path a packet takes until it reaches its true destination. It first sends a probe with the TTL set to 1. The first router decrements that to 0 and discards the packet, and by default it must then send an ICMP message of Type 11 (Time Exceeded) back to the source IP address, basically telling it "I killed your packet because its TTL ran out". For traceroute this is good news: it now knows the first hop. It increases the TTL to 2 and sends again. This time the packet passes through the first router (TTL 2 becomes 1) and arrives at the second router, which decrements it to 0, discards it, and sends its own ICMP Time Exceeded back to the real source IP address (the traceroute client). Traceroute now knows two hops. It keeps doing this, one TTL at a time, until the probe reaches the IP address we provided.

We type an IP address and traceroute prints every router hop along the way. Its output looks easy to read, but it is not, and very few people are skilled at interpreting it.

Here are the steps of how traceroute works:

  1. Traceroute sends a packet toward the destination with a TTL (time to live) of 1.
  2. Each router that forwards the packet decrements the TTL by 1.
  3. When the TTL hits 0, the router drops the packet and returns an ICMP Time Exceeded (Type 11) to the source IP.
  4. The source address of that ICMP message is the IP traceroute shows for the hop.
  5. The source receives the ICMP message, calculates the time difference since the probe was sent, and displays a "hop".
  6. Traceroute goes back to step 1, but sends the next packet with TTL +1.
  7. This repeats until the destination itself answers: for the default UDP probes that is an ICMP Port Unreachable, because the probe hit a closed port (ICMP echo probes get an echo reply instead).
  8. When the source receives that reply, traceroute ends.
Source: https://archive.nanog.org/sites/default/files/tuesday_steenbergen_troublshootingtraceroute_62.49.pdf

Usually traceroute sends three probes per hop, that is, three "test" packets at TTL 1, then three at TTL 2, and so on. Three probes give a more reliable picture of the latency per hop than a single one. By default each probe is a UDP packet with an incrementing destination port, so every probe is a distinct flow; traceroute can also use ICMP or TCP probes.

Because the probes are distinct flows, a router that load-balances per flow may forward each probe along a completely different path. The administrator may see this as multiple IP addresses for a single hop, or it may be invisible; it depends on the topology.

Traceroute latency calculation

Traceroute records a timestamp when a probe is sent and another when the matching ICMP reply arrives. The difference between the two is the round-trip time it displays for that probe.
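As an added example (not from the NANOG tutorial or the traceroute source), the eight steps above, the three probes per hop with incrementing UDP ports, the per-flow path divergence, and the send/receive timestamp subtraction, all modelled in Python against a constructed in-process topology so it runs without raw sockets or root. The addresses, the `Network`/`Router` classes and the modulo-on-port stand-in for a router's flow hash are assumptions made for the illustration; the `fixed_flow` option shows what happens when the flow identifier is held constant across probes (the Paris traceroute approach).

```python
"""Simulated traceroute: the TTL-expiry trick, three probes per hop, per-flow
load balancing and a silent hop, all modelled in-process (no raw sockets,
no root). Added illustration, not the traceroute utility's own code."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    src: str            # where ICMP replies are sent back to
    dst: str
    ttl: int
    dport: int          # classic traceroute starts at UDP 33434, +1 per probe
    proto: str = "udp"  # "udp" or "icmp"


@dataclass
class Reply:
    src: str            # who answered: the address traceroute prints for the hop
    kind: str           # "ttl_exceeded", "port_unreachable" or "echo_reply"


@dataclass
class Router:
    next_hops: List[str]    # more than one entry = per-flow load balancing (ECMP)
    silent: bool = False    # filters/rate-limits ICMP: traceroute shows "*"


class Network:
    """Constructed toy topology; every node is identified by its IP address."""

    def __init__(self, gateway: str, routers: Dict[str, Router], hosts: List[str]):
        self.gateway, self.routers, self.hosts = gateway, routers, set(hosts)

    def forward(self, p: Probe) -> Optional[Reply]:
        node, ttl = self.gateway, p.ttl
        while node not in self.hosts:
            r = self.routers[node]
            ttl -= 1                                    # step 2: router decrements TTL
            if ttl == 0:                                # step 3: ICMP Time Exceeded (type 11)
                return None if r.silent else Reply(node, "ttl_exceeded")
            # Toy stand-in for a real 5-tuple hash (assumption): probes with
            # different destination ports can land on different next hops.
            node = r.next_hops[p.dport % len(r.next_hops)]
        # Destination reached: a UDP probe to a closed port gets ICMP Port
        # Unreachable, an ICMP echo probe gets an echo reply (steps 7 and 8).
        return Reply(node, "port_unreachable" if p.proto == "udp" else "echo_reply")


Hop = Tuple[int, List[Tuple[Optional[str], float]]]   # (ttl, [(replier, rtt_ms), ...])


def traceroute(net: Network, src: str, dst: str, proto: str = "udp", probes: int = 3,
               max_hops: int = 30, base_port: int = 33434, fixed_flow: bool = False) -> List[Hop]:
    """Steps 1 to 8 from the text. fixed_flow keeps the port constant across
    probes (what Paris traceroute does) so all of them follow one path."""
    hops, port, done = [], base_port, False
    for ttl in range(1, max_hops + 1):                  # steps 1 and 6: TTL 1, 2, 3, ...
        results = []
        for _ in range(probes):
            probe = Probe(src, dst, ttl, port, proto)
            if not fixed_flow:
                port += 1
            sent = time.perf_counter()                  # step 5: RTT = reply time - send time
            reply = net.forward(probe)
            rtt_ms = (time.perf_counter() - sent) * 1000.0
            results.append((reply.src if reply else None, rtt_ms))
            done = done or (reply is not None and reply.kind != "ttl_exceeded")
        hops.append((ttl, results))
        if done:                                        # step 8: the destination answered
            break
    return hops


def format_hops(hops: List[Hop]) -> str:
    """Render like the traceroute CLI: '*' for a probe that got no reply."""
    lines = []
    for ttl, results in hops:
        cells = [f"{addr}  {rtt:.3f} ms" if addr else "*" for addr, rtt in results]
        lines.append(f"{ttl:2d}  " + "  ".join(cells))
    return "\n".join(lines)


# Constructed topology (documentation address ranges): R1 load-balances over two
# R2 routers, R3 never sends ICMP, and the destination host sits behind R3.
NET = Network(
    gateway="192.0.2.1",
    routers={
        "192.0.2.1":    Router(["198.51.100.1", "198.51.100.2"]),
        "198.51.100.1": Router(["203.0.113.1"]),
        "198.51.100.2": Router(["203.0.113.1"]),
        "203.0.113.1":  Router(["203.0.113.10"], silent=True),
    },
    hosts=["203.0.113.10"],
)

if __name__ == "__main__":
    print(format_hops(traceroute(NET, "192.0.2.2", "203.0.113.10")))
```

Running it prints hop 2 with both 198.51.100.x addresses mixed across the three probes and hop 3 as `*  *  *`. The `*` means no ICMP came back within the timeout, not that the hop is down: hop 4, behind it, still answers, which is the check to make before blaming a silent router.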

Interpreting DNS in a traceroute

From the DNS names of the hops we can often discover:

  • geographic locations
  • interface type and capacities
  • router type
  • network boundaries

Knowing the geographic location of each router is the first step in identifying where an issue lies, and it helps in understanding how the networks interconnect.

Router types/roles

Knowing the role of a router is useful too. Operators usually encode it in the hostname, so from common abbreviations we can guess the context and get a basic understanding of each hop's role:

  • Core routers: CR, Core, GBR, BB, CCR, EBR
  • Peering routers: BR, Border, Edge, IR, IGR, Peer
  • Customer routers: AR, Aggr, Cust, CAR, HSA, GW
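Putting the DNS hints to work, as an added example that is not part of the original page: a parser for the classic traceroute text format, a decoder that pulls role (using the abbreviations above), interface type and city out of each hop's name, and a sanity check that a hop's best RTT is not below the speed-of-light floor for the city its name claims, using the 200 km/ms fibre figure from the latency section below. The sample output, the three-city coordinate table, the Juniper-style interface prefixes (ge/xe/et/ae) and the flag names are constructed for the illustration; every operator has its own naming, so the lookup tables are the part you adapt.

```python
"""Interpreting traceroute output: parse the classic text format, decode the
DNS names, and check each hop's RTT against fibre propagation (200 km/ms).
Added illustration, not code from any traceroute implementation."""
import math
import re
from typing import List, Optional

# Role abbreviations as listed in the text. Interface prefixes follow Juniper
# naming and the city table is constructed: both are assumptions.
ROLES = {
    "core":     {"cr", "core", "gbr", "bb", "ccr", "ebr"},
    "peering":  {"br", "border", "edge", "ir", "igr", "peer"},
    "customer": {"ar", "aggr", "cust", "car", "hsa", "gw"},
}
IFACES = {"ge": "1GE", "xe": "10GE", "et": "40/100GE", "ae": "LAG"}
CITIES = {"lon": (51.51, -0.13), "ams": (52.37, 4.90), "nyc": (40.71, -74.01)}
FIBRE_KM_PER_MS = 200.0         # light in glass (n ~ 1.48), as in the text

TOKEN = re.compile(r"\*"                                   # no reply
                   r"|(?P<name>\S+) \((?P<ip>[\d.]+)\)"    # name (ip)
                   r"|(?P<rtt>\d+(?:\.\d+)?) ms"           # one probe's RTT
                   r"|(?P<bare>\d+\.\d+\.\d+\.\d+)")       # traceroute -n output

def parse(output: str) -> List[dict]:
    """One dict per hop: ttl and probes as (name, ip, rtt_ms); None = no reply."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue                                    # header line
        name = ip = None
        probes = []
        for tok in TOKEN.finditer(m.group(2)):
            if tok.group(0) == "*":
                probes.append(None)
            elif tok.group("rtt"):
                probes.append((name, ip, float(tok.group("rtt"))))
            elif tok.group("bare"):
                name, ip = None, tok.group("bare")
            else:                                       # a new replier for later RTTs
                name, ip = tok.group("name"), tok.group("ip")
        hops.append({"ttl": int(m.group(1)), "probes": probes})
    return hops

def haversine_km(a, b) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decode_name(name: Optional[str]) -> dict:
    """Guess role, interface type and city from a hop's reverse DNS name."""
    info = {"role": None, "iface": None, "city": None}
    for tok in re.split(r"[.-]", (name or "").lower()):
        base = re.sub(r"\d+$", "", tok)                 # cr1 -> cr, xe0 -> xe
        info["role"] = info["role"] or next((r for r, ab in ROLES.items() if base in ab), None)
        info["iface"] = info["iface"] or IFACES.get(base)
        info["city"] = info["city"] or (tok if tok in CITIES else None)
    return info

def analyse(output: str, src_city: str) -> List[dict]:
    """Per hop: addresses seen, best RTT, decoded name and warning flags."""
    report = []
    for hop in parse(output):
        answered = [p for p in hop["probes"] if p]
        addrs = sorted({p[1] for p in answered})
        best = min((p[2] for p in answered), default=None)
        info = decode_name(answered[0][0] if answered else None)
        flags = []
        if not answered:
            flags.append("no-reply")                    # ICMP filtered or rate-limited
        if len(addrs) > 1:
            flags.append("load-balanced")               # probes hashed onto different paths
        if info["city"] and best is not None:
            floor = 2 * haversine_km(CITIES[src_city], CITIES[info["city"]]) / FIBRE_KM_PER_MS
            if best < floor:                            # reply beat the speed of light,
                flags.append("faster-than-light")       # so the DNS location is wrong/stale
        report.append({"ttl": hop["ttl"], "addrs": addrs, "best_ms": best, **info, "flags": flags})
    return report

# Constructed sample in the Linux traceroute format (documentation addresses).
SAMPLE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  0.412 ms  0.388 ms  0.371 ms
 2  ae1-0.cr1.lon.example.net (198.51.100.1)  1.210 ms ae1-0.cr2.lon.example.net (198.51.100.2)  1.305 ms  1.198 ms
 3  xe-0-1-0.br1.ams.example.net (198.51.100.9)  8.530 ms  8.611 ms  8.472 ms
 4  * * *
 5  ge-1-0.cr1.nyc.example.net (203.0.113.1)  12.102 ms  11.987 ms  12.220 ms
 6  cust-gw.nyc.example.net (203.0.113.10)  72.411 ms  72.390 ms  72.508 ms
"""

if __name__ == "__main__":
    for row in analyse(SAMPLE, "lon"):
        print(row)
```

In the sample, hop 5 is named nyc but answers in 12 ms from a London source, well under the roughly 56 ms floor for about 5,570 km of fibre there and back, so either that reverse DNS entry is stale or the router is not where its name says. Hop 2 shows two addresses because the three probes were hashed onto different core routers, and hop 4's `no-reply` is a silent router, not a broken path, since hops 5 and 6 still answer.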

Understanding Network Latency

There are three primary causes of network latency:

  1. Serialization delay – The delay caused by encoding a packet onto the link, bit by bit. Serialization is the process of clocking a chunk of data (a packet) out of an interface for transmission across the network; the faster the interface, the quicker the serialization.
  2. Queuing delay – The delay caused by a router or switch buffering the packet while it waits for an opportunity to transmit it. Queuing is when a router or switch holds a packet in memory until the desired interface is free to send it. Every moment the packet sits in memory instead of being forwarded adds to its delivery latency.
  3. Propagation delay – The time the electromagnetic signal spends travelling through the medium from source to destination, that is, the time spent on the wire. Fibre, for example, is glass with a refractive index of about 1.48, so light travels through it at roughly 200,000 km/s rather than 300,000 km/s; 200,000 km/s is 200 km per millisecond. A round trip around the world at the equator over a perfectly straight fibre route would therefore take about 400 ms from propagation delay alone.
