Tracert protocol. TRACERT - tracing a route to a given host in the Windows command line

Practical lessons No. 03-006

The tracert network utility (traceroute on Linux, Cisco IOS and macOS). Principles of operation and use.

The tracert utility is used to study the routes taken by IP packets in networks built on the TCP/IP protocol stack, including the global Internet. Keep in mind that while it runs it generates a fairly large number of IP packets, both on your host and on the intermediate routers, which puts additional load on the network.

tracert [-d] [-h maximum_number] [-j node_list] [-w interval] [target_name]

Parameters:

-d                  do not resolve the IP addresses of intermediate nodes into names

-h maximum_number   maximum number of hops when searching for the destination node

-j node_list        use the loose source routing option of the IP header with the set of intermediate destinations given in node_list (now practically unsupported on routers)

-w interval         time in milliseconds to wait for each response

target_name         the destination, identified by IP address or hostname.

The utility is based on manipulating the contents of the standard header fields and IP packet header options. The main tool of the utility is the contents of the "time to live" (or TTL) field.

The required element is the IP address or hostname of the destination.

Having received it from the user, the utility sends a series of packets (usually three) to this address with the TTL value set to 1. These packets have no chance of reaching the destination: the first router along the route subtracts 1 from the TTL and gets 0, and it must destroy such a packet because its permitted lifetime in the network has expired. At the same time, the router must send the sender of the discarded packet an ICMP message reporting its fate (type 11, code 0).

As a result, your computer very quickly receives three notifications that the packets it sent were destroyed. By remembering when each packet was sent and recording when the ICMP notification arrived, the tracert utility can easily calculate the average response time, which it displays on the screen.

Then the next series of packets is sent with a TTL of 2, and so on until the packets reach their destination.

When a packet addressed to a host or router arrives at that address with a TTL that has reached 1, it is accepted. Since there is no need to forward it further, no ICMP time-to-live message is generated.

To find out that the trace has completed successfully, every series of packets carries UDP messages addressed to a port number that the recipient is not expected to have open. On intermediate routers this does not matter, but the receiver, unable to make use of the attached data, is forced to inform the sender of this using the same ICMP protocol, but with different values of the message type (3) and code (3).

Such a message is interpreted by the sender as confirmation of the completion of the transfer.

An important feature of the tracert utility is the ability to find out the names of intermediate nodes. This gives an idea of the organizational structure and the geographical location of the route a packet takes.

Hostnames are based on the Domain Name System (DNS):

Formally, both users and programs can address hosts, mailboxes and other Internet resources by their IP addresses. For a program, "memorizing" an IP address is no different from memorizing any other 4 bytes of data, but for a person, remembering numeric combinations like 111.124.133.44 is hard simply because of how human memory works. In addition, tying a service to the IP address of the host or server on which it runs makes it very difficult to move that service when necessary. To account for the "human factor" and to separate machine names from their addresses, it was decided to use ASCII text names. However, the network understands only numeric addresses, so a mechanism is needed to convert ASCII strings into IP addresses.

In the beginning, on the ARPANET, the correspondence between text names and binary addresses was stored in a special file that listed all hosts and their IP addresses. On a network of several hundred large machines this approach worked fine.

But when thousands of workstations were connected to the network, problems arose: the number of records that had to be stored grew rapidly, and it is rather difficult to centrally manage the names of all the hosts of the giant international network.

To solve these problems, the Domain Name System (DNS) was created. This system is used to translate hostnames and email destinations into IP addresses, but it can also be used for other purposes. DNS is defined in RFCs 1034 and 1035.

A domain name is a name consisting of words separated by periods. The leftmost word of the name refers to the host. All the other words form the domain name. The naming system has a hierarchical, tree-like structure.

Each node (a circle in the figure) has a label of up to 63 characters. The root of the tree is a special node with no label. Labels may contain uppercase or lowercase letters. The domain name of any node in the tree is the sequence of labels that starts at that node and goes up to the root, with the labels separated by periods. (Here you can see the difference from an ordinary file system, where a full path always starts at the top (the root) and goes down the tree.) Every node in the tree must have a unique domain name, but the same label can be used at different points in the tree.

There is a root name, denoted by the "." character, which is often not written in a domain name. Below it are the first-level domain names, divided into two categories: territorial (country) domain names and subject (organizational) domain names. Second-level and lower domain names can be anything, but no two identical domain or host names can exist. So if N_i is a domain name of level i and T is a word, then a domain name of level i+1 is formed by the rule N_{i+1} = T + N_i (T is placed to the left of N_i with a period separating them). A domain name that ends with a dot is called an absolute domain name or fully qualified domain name (FQDN).

Again, since an IP address uniquely identifies a host on the network, there is a one-to-one relationship between the set of hostnames and the set of addresses.

This relationship is established by a table that has one (hostname, IP address) record for each host domain name. When a new host is named, a record must be added to the table; if an existing host is renamed, its record must be changed. Such a naming system is convenient because names are easy to remember and are not tied to geographically localized IP networks. When a named resource is moved from one host to another, only the entry for its name in the name table has to change. Maintaining such a table for the whole Internet at one site is difficult, and keeping it up to date is impossible.

The DNS database is distributed. The hierarchical system of names corresponds to the hierarchical system of DNS servers on which the fragments of the table are located. Ideally, there should be a separate name server for each domain. A name server database at any level must contain records for all child domains at the next level. All first-level domains are contained in the root name servers database. They are served by the NIC organization.

In reality, one host can host a base for several domains, and the same or overlapping bases can be located on several hosts. The branch of the name tree that is under the same management along with the hosts on which the database of this branch of the tree is located is called a DNS zone. Typically, a zone has one primary name server and several secondary name servers. Changes in the zone are made to the database of the primary server of the zone, with the subsequent duplication of this information on the secondary servers.

The process of transferring information from a primary server to a secondary server is called a zone transfer. When a new host appears in the zone, the administrator adds the appropriate information (at a minimum, the name and IP address) to the disk file on the primary server. Secondary servers regularly poll the primary (usually every 3 hours), and if the primary has new information, the secondary receives it by means of a zone transfer.

From the functionality and structure of the system described above it follows that the protocol must include two components: a protocol for resolving names into IP addresses, and a protocol for exchanging data between the nodes of the distributed database, in particular between the primary and secondary servers of a zone.

Address Resolution System.

For the software of the TCP/IP protocol stack to use the name service, the stack settings must specify the IP address of a name server whose zone includes the host, or of another server that accepts requests from the host's network. When an application uses a domain name to identify the other party in a session, the IP address resolution process is initiated. The host's name-service client sends a request to the name server. If the name server can resolve the name, it sends a response containing the address. If it cannot, one of two name-resolution scenarios follows:

    the server responds with the address of the root name server, and the host itself sends a request to that server (an iterative query);

    the zone server sends a request to the root server and, having received the response, stores it in its cache and sends a response with the address to the host that requested the service (a recursive query).

The response from the server that controls the domain is called authoritative.

Every name server on the Internet must contain the addresses of the root servers in the database.

Name resolution. In addition to its main function of resolving a host's domain name into its IP address, the DNS protocol also provides reverse resolution of an IP address into a domain name, using the subzones of the in-addr.arpa reverse zone.
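The naming rules just described (63-character labels, the root written as a trailing dot, the rule N_{i+1} = T + N_i, and the in-addr.arpa name used for reverse resolution), put into code as an added example that is not part of the original text; the letter/digit/hyphen restriction on labels is the common hostname convention and is an assumption here, not something the text states.

```python
"""DNS naming rules from the text, as an added example (not code from the page):
labels of at most 63 characters, the root written as a trailing '.', the rule
N_{i+1} = T + N_i for building a lower-level name, and the in-addr.arpa name
used for reverse (IP -> name) resolution. Hostname character rules are assumed."""
import ipaddress

MAX_LABEL_LEN = 63  # per-label limit stated in the text


def labels_of(name):
    """Labels of a name, leftmost first; the trailing root dot is not a label."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def is_absolute(name):
    """A name ending in '.' is absolute (FQDN); the root label itself is empty."""
    return name.endswith(".")


def to_fqdn(name):
    return name if is_absolute(name) else name + "."


def level(name):
    """Domain level i = number of labels below the root."""
    return len(labels_of(name))


def subdomain(word, parent):
    """Rule N_{i+1} = T + N_i: the new word T goes to the left of N_i."""
    return f"{word}.{parent}"


def validate(name):
    """Return the problems found; an empty list means the name follows the rules.

    The letter/digit/hyphen restriction is the common hostname convention (assumed),
    not something the text states."""
    problems = []
    for label in labels_of(name):
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label longer than {MAX_LABEL_LEN}: {label[:12]}...")
        elif not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            problems.append(f"unexpected character in label {label!r}")
        elif label.startswith("-") or label.endswith("-"):
            problems.append(f"label starts or ends with '-': {label!r}")
    return problems


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)    # rejects malformed input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."
```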

It is the capabilities of this protocol that allow the tracert utility not only to work successfully when specifying a trace location in the form of a DNS name, but also to provide us with information about the names of intermediate nodes.

Self-test questions

1. What is the Domain Name System and what is it used for?

2. What is the maximum size of a domain host label?

3. What is the name of the DNS root domain?

4. What types and codes of ICMP messages does tracert use?

5. Which field of the IP packet header does the tracert utility use to set the packet lifetime?

6. Tracert utility parameters.

7. Purpose of the tracert utility and options for its use.

Necessary equipment

IBM PC - compatible computer with a licensed Windows operating system, connection to local network, Internet access.

Tasks

1. Using the tracert command, define the route of distribution of IP packets to the site www.sgu.ru

2. Using the tracert command, define the route of distribution of IP packets to one of the following sites: www.nla.gov.au, www.ibge.gov.br, www.kunaicho.go.jp (you can choose any site outside of Russia).

3. Repeat the tracing with the -d option.

4. Describe the structure of the DNS name of the server you traced.

5. Use the service www.ip2location.com/demo.aspx (or a similar one) to determine the approximate location of the intermediate points of the route.

6. Draw a route map.

7. Comment on the results.

Submit the work progress report in printed or electronic form with copies of the utility operation screens.

These utilities let you trace the route to a remote host and determine the round-trip delay time (RTT), the IP address and, in some cases, the domain name of each intermediate router. They are based on ICMP error messages.

How Tracert works.

The time-to-live (TTL) value of the first packet sent is set to 1. When the IP layer of the first router receives this packet, it decrements the TTL by one as its algorithm requires and gets 0. The router drops a packet whose time to live is zero and returns to the source an ICMP "time exceeded" error message (ICMP type 11, code 0). From this message the sender learns the router's IP address (and, through DNS, its name). When the ICMP message arrives, the sender uses its timer to determine the round-trip time (RTT) and records the name and IP address of the intermediate router. Then the next IP packet is sent, now with a TTL of 2. This packet reaches the second router, where it "dies" in the same way, and the sender is notified in the same way. This continues until the final node is reached. The trace is built from these replies. For example:

Route tracing to rt.ru with a maximum number of hops of 30:

  1     3 ms     1 ms     2 ms  net235-72.ufa.ertelecom.ru
  2     2 ms     2 ms     1 ms  bb2.bsr02.ufa.ertelecom.ru
  3     2 ms     1 ms     1 ms  lag-10-438.bbr01.samara.ertelecom.ru
  4    18 ms    18 ms    18 ms  46.61.227.202
  5    19 ms    19 ms    18 ms  46.61.227.201
  6    19 ms    19 ms    19 ms  so-0-0-0.m10-ar2.msk.ip.rostelecom.ru
  7    19 ms    19 ms    19 ms  109.207.0.226
  8    19 ms    19 ms    19 ms  www.rt.ru

Trace completed.

From this trace we see that the host www.rt.ru is reachable in 8 hops, its IP address is 109.207.14.4, and the round-trip time to this resource is 19 ms.

How Traceroute works.

The principle is identical, with one exception. By default the utility sends UDP datagrams toward the specified host to some arbitrary port, usually a "high" one most likely not occupied by another service (for example 12500 or 30678) or a reserved one (for example 0); in recent versions the default port is 33434. First a series of 3 such packets with TTL = 1 is sent; when the responses arrive, the transit time is measured and the domain name of the transit node is determined. Then, as described above, the next series of packets is sent with TTL = 2, and so on. Finally a PORT_UNREACHABLE response arrives from the target host, which means the trace has ended.

An example of a trace back to the same resource:

traceroute to rt.ru (109.207.14.4), 30 hops max, 40 byte packets
 1  * * *
 2  bb1.bsr02.ufa.ertelecom.ru (212.33.234.101)  13.059 ms  13.222 ms  13.597 ms
 3  lag-10-438.bbr01.samara.ertelecom.ru (212.33.233.111)  0.360 ms  0.382 ms  0.612 ms
 4  46.61.227.202 (46.61.227.202)  17.484 ms  17.511 ms  17.512 ms
 5  46.61.227.201 (46.61.227.201)  17.803 ms  17.791 ms  17.778 ms
 6  so-0-0-0.m10-ar2.msk.ip.rostelecom.ru (87.226.139.74)  18.179 ms  18.211 ms  17.988 ms
 7  109.207.0.226 (109.207.0.226)  18.213 ms  18.697 ms  18.288 ms
 8  * * *
^C

Looking at this output, the question arises why the trace did not reach the end in this case and why the so-called asterisks (* * *) appeared; the answer lies in the difference just described. Very often routers and hosts are configured not to respond to this kind of request, in which case asterisks appear. This does not mean there is a problem at all; it is done to reduce the load on the equipment. In this example hops 1 and 8 do not respond to UDP datagrams, but if you run traceroute with the -I option the trace works, because this option makes it send ICMP echo requests instead.

$ traceroute -I rt.ru
traceroute to rt.ru (109.207.14.4), 30 hops max, 40 byte packets
 1  net233-86.ufa.ertelecom.ru (212.33.233.86)  162.924 ms  163.654 ms  163.666 ms
 2  bb1.bsr02.ufa.ertelecom.ru (212.33.234.101)  8.095 ms  38.117 ms  50.262 ms
 3  lag-10-438.bbr01.samara.ertelecom.ru (212.33.233.111)  0.382 ms  0.407 ms  0.417 ms
 4  46.61.227.202 (46.61.227.202)  17.592 ms  17.623 ms  17.613 ms
 5  46.61.227.201 (46.61.227.201)  17.597 ms  17.609 ms  17.613 ms
 6  so-0-0-0.m10-ar2.msk.ip.rostelecom.ru (87.226.139.74)  17.943 ms  17.924 ms  18.001 ms
 7  109.207.0.226 (109.207.0.226)  18.092 ms  18.026 ms  18.010 ms
 8  www.rt.ru (109.207.14.4)  18.205 ms  18.301 ms  18.308 ms
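A small parser for the two output layouts shown above (Windows tracert and Unix traceroute), added here as an example and not part of the original text. It extracts the hop number, the three RTTs (or '*' for silent probes), the node name and its IPv4 address, and summarizes hop count, silent hops and the RTT to the final hop; the embedded sample outputs are transcribed from the rt.ru traces on this page.

```python
"""Parser for tracert/traceroute output, added as an example (not from the page).

Handles both the Windows tracert layout (hop, three RTTs, node) and the Unix
traceroute layout (hop, node (address), RTTs), including '*' for probes that
got no reply. The sample outputs below are transcribed from the page."""
import re
from statistics import mean

_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
# one RTT token ("19 ms", "13.059 ms", "<1 ms") or a lost probe ("*")
_RTT = re.compile(r"<?(\d+(?:\.\d+)?)\s*ms\b|(\*)")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

WINDOWS_TRACE = """\
Route tracing to rt.ru with a maximum number of hops of 30:
  1     3 ms     1 ms     2 ms  net235-72.ufa.ertelecom.ru
  2     2 ms     2 ms     1 ms  bb2.bsr02.ufa.ertelecom.ru
  3     2 ms     1 ms     1 ms  lag-10-438.bbr01.samara.ertelecom.ru
  4    18 ms    18 ms    18 ms  46.61.227.202
  5    19 ms    19 ms    18 ms  46.61.227.201
  6    19 ms    19 ms    19 ms  so-0-0-0.m10-ar2.msk.ip.rostelecom.ru
  7    19 ms    19 ms    19 ms  109.207.0.226
  8    19 ms    19 ms    19 ms  www.rt.ru
Trace completed.
"""

UNIX_TRACE = """\
traceroute to rt.ru (109.207.14.4), 30 hops max, 40 byte packets
 1  * * *
 2  bb1.bsr02.ufa.ertelecom.ru (212.33.234.101)  13.059 ms  13.222 ms  13.597 ms
 3  lag-10-438.bbr01.samara.ertelecom.ru (212.33.233.111)  0.360 ms  0.382 ms  0.612 ms
 4  46.61.227.202 (46.61.227.202)  17.484 ms  17.511 ms  17.512 ms
 5  46.61.227.201 (46.61.227.201)  17.803 ms  17.791 ms  17.778 ms
 6  so-0-0-0.m10-ar2.msk.ip.rostelecom.ru (87.226.139.74)  18.179 ms  18.211 ms  17.988 ms
 7  109.207.0.226 (109.207.0.226)  18.213 ms  18.697 ms  18.288 ms
 8  * * *
"""


def parse_hop(line):
    """Parse one hop line into a dict, or return None for header/footer lines."""
    m = _HOP.match(line)
    if not m:
        return None
    hop, rest = int(m.group(1)), m.group(2)
    rtts, lost = [], 0
    for t in _RTT.finditer(rest):
        if t.group(1) is not None:
            rtts.append(float(t.group(1)))
        else:
            lost += 1
    # whatever is left after removing the RTT tokens names the node (name and/or address)
    node = re.sub(r"\s+", " ", _RTT.sub("", rest)).strip()
    ip = _IPV4.search(node)
    return {"hop": hop, "rtts": rtts, "lost": lost, "node": node,
            "ip": ip.group(0) if ip else None}


def parse_trace(text):
    return [h for h in map(parse_hop, text.splitlines()) if h]


def summarize(hops):
    """Hop count, hops that never answered, and mean RTT of the last hop (None if silent)."""
    last = hops[-1] if hops else None
    return {
        "hop_count": len(hops),
        "silent_hops": [h["hop"] for h in hops if not h["rtts"]],
        "final_rtt_ms": mean(last["rtts"]) if last and last["rtts"] else None,
    }
```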

Conclusion.

Note that asterisks can also appear when tracing with ICMP packets; this, too, does not mean there is a problem. It all depends on how the administrator has configured the equipment: it is their hardware, and it is set up according to their needs. This is quite normal. Also, do not panic if the destination host does not answer pings; the resource may simply have been closed to them.

The TRACERT.EXE utility for tracing the route to a given node is one of the most commonly used network diagnostic tools. Its main purpose is to obtain the chain of nodes through which an IP packet passes on its way to an end node whose name or IP address is given as a command-line parameter.

Command line format:

tracert [-d] [-h maxNumber] [-j hostlist] [-w timeout] [-R] [-S SourceAddress] [-4] [-6] endName

Command line parameters:

-d                do not resolve addresses to hostnames.

-h maxNumber      the maximum number of hops when searching for the node.

-j hostlist       loose source route along the list of nodes (IPv4 only).

-w timeout        timeout in milliseconds to wait for each reply.

-R                trace the round-trip path (IPv6 only).

-S SourceAddress  use the specified source address (IPv6 only).

-4                force the use of IPv4.

-6                force the use of IPv6.

The trace is based on analyzing the responses when ICMP packets are sent one after another to the specified address with the TTL ("Time To Live") field increased by 1 each time. In fact this field has nothing to do with time; it is a counter of the number of hops a routed packet may still make. Each router that receives a packet subtracts one from this field in the packet header and checks the resulting TTL value. If the value becomes zero, the packet is discarded and an ICMP time-to-live message is sent to the sender (a "Time Exceeded" message, value 0x11 in the ICMP header).

If it were not for the inclusion of the TTL field in IP packets, then in case of errors in the routes, a situation could arise when the packet will forever circulate in the network, forwarded by routers in a circle.

When the tracert.exe command is executed, an ICMP packet is first sent with the TTL field in the header equal to 1. The first router in the chain (usually the default gateway from the network connection settings) subtracts one from the TTL, gets zero, and reports that the lifetime has been exceeded. In this way TRACERT.EXE obtains the IP address of the first router involved in delivering packets to the end node. This sequence is repeated three times, so in the result line produced by tracert.exe the hop number is followed by three response times and then the address (or name) of the node:

  1     1 ms     1 ms     1 ms  192.168.1.1

Here 1 is the hop number (the first router), the three "1 ms" values are the response times, and 192.168.1.1 is its address (or name).

Then the procedure is repeated with the TTL set to 2: the first router reduces it to 1 and forwards the packet to the next router in the chain, which subtracts 1, gets a TTL of zero, and reports that the lifetime has been exceeded. TRACERT.EXE thus receives the IP address of the second node involved in delivering the packet to the recipient, together with its response time. Tracing continues until the end node (whose name or address is given as a command-line parameter, for example tracert yandex.ru) is reached, or until a fault that prevents delivery of the packet is detected. By default TRACERT.EXE uses a maximum hop count of 30, which should be enough to reach any node on the planet. If necessary, a different limit can be set with the -h parameter.

Example of the results of executing tracert google.com

tracert google.com - trace the route to the node google.com

Result:


Trace route to google.com with a maximum hop count of 30:

  1     1 ms
  2   498 ms   444 ms   302 ms  ppp83-237-220-1.pppoe.mtu-net.ru
  3     *        *        *
  4   282 ms     *        *     a197-crs-1-be1-53.msk.stream-internet.net
  5   518 ms   344 ms   382 ms  ss-crs-1-be5.msk.stream-internet.net
  6   462 ms   440 ms   335 ms  m9-cr01-po3.msk.stream-internet.net
  7   323 ms   389 ms   339 ms  bor-cr01-po4.spb.stream-internet.net
  8   475 ms   302 ms   420 ms  anc-cr01-po3.ff.stream-internet.net
  9   334 ms   408 ms   348 ms  74.125.50.57
 10   451 ms   368 ms   524 ms  209.85.255.178
 11   329 ms   542 ms   451 ms  209.85.250.140
 12   616 ms   480 ms   645 ms  209.85.248.81
 13   656 ms   549 ms   422 ms  216.239.43.192
 14   378 ms   560 ms   534 ms  216.239.43.113
 15   511 ms   566 ms   546 ms  209.85.251.9
 16   543 ms   682 ms   523 ms  72.14.232.213
 17   468 ms   557 ms   486 ms  209.85.253.141
 18   593 ms   589 ms   575 ms  yx-in-f100.google.com

Trace completed.

Trace results may contain lines with asterisks instead of a node address (node number 3 in the example). This is not necessarily a sign of a router malfunction; more often it means that the node's settings prohibit sending ICMP messages, for security reasons and to reduce the load on the link during some kinds of DDoS attacks. Similar settings are used in Microsoft's networks, for example: the corporation's servers do not respond to ping and do not allow route tracing to them.

Examples of using TRACERT

tracert google.com - trace the route to the node google.com.

tracert 8.8.8.8 - trace the route to the host with the IP address 8.8.8.8.

tracert -d yandex.ru - trace the route to the node yandex.ru without resolving IP addresses to hostnames. Tracing in this mode is faster.

tracert -d -6 ipv6.google.com - perform the trace over IPv6.

Sample trace results using IPv6:

trace to ipv6.google.com (2a00:1450:4013:c00::71), 30 hops max, 40 byte packets
 1  2a02:348:82::1 (2a02:348:82::1)  8.087 ms  8.063 ms  8.086 ms
 2  te0-22.cr1.nkf.as49685.net (2001:4cb8:40b:1::1d01)  2.143 ms  2.129 ms  2.103 ms
 3  amsix-router.google.com (2001:7f8:1::a501:5169:1)  1.379 ms  1.415 ms  1.422 ms
 4  (2001:4860::1:0:87ab)  1.437 ms (2001:4860::1:0:87aa)  2.157 ms (2001:4860::1:0:87ab)  1.408 ms
 5  (2001:4860::8:0:87b0)  1.494 ms  1.469 ms (2001:4860::8:0:87b2)  8.350 ms
 6  (2001:4860::8:0:b1b7)  5.364 ms  5.321 ms  4.748 ms
 7  (2001:4860::2:0:8651)  4.653 ms  6.994 ms (2001:4860::2:0:8652)  13.926 ms
 8  ee-in-x71.1e100.net (2a00:1450:4013:c00::71)  4.732 ms  4.733 ms  4.783 ms

There are moments in network life (especially for dial-up users ;)) when some host cannot be reached (for me it is often www.microsoft.com ;-|), and this is where this utility (in Windows, tracert.exe) comes to the rescue. With its help you can try to determine in which part of the IP network the failure occurred: the host went down, the provider has a bottleneck, or your own IP connection is shitty :).

But what I really love tracert for is the possibilities it gives for studying IP networks, and they vary in scale and focus ;). The first step is to research your ISP's subnet. With traceroute you can explore the network itself, putting into practice the theory you have learned about routing, DNS servers, backbones and subnetting, and who knows what else ;).

How it works?

First, you need to recall the format of the IP packet header, more precisely one of its fields: TTL (Time To Live). This eight-bit field specifies the maximum number of hops (a hop is the passage of a datagram from one router to the next) that a packet may make on the network. Every router that processes the datagram performs TTL = TTL - 1. When the TTL becomes zero, the router discards the packet and sends an ICMP Time Exceeded message to the sender.

The utility sends a packet with TTL = 1 toward the specified host and waits for a Time Exceeded response to come back. The responder is recorded as the first hop (the result of the first step toward the target). Then packets with TTL = 2, 3, 4 and so on are sent in turn, until at some TTL value the packet reaches the target and a response arrives from it.

*nix traceroute sends UDP packets toward the specified host to an arbitrary port, most likely one not occupied by another service (for example 28942 or 30471) or a reserved one such as 0; the default is 33434. First a series of 3 such packets with TTL = 1 is sent; when the responses arrive, the transit time is measured and the domain name of the transit node is determined (although this depends on the options given). Then the next series of packets is sent for the next TTL value to identify the next hop, and so on. Finally a port unreachable response arrives from the target host, which means the trace has ended.
The standard Windows console tracert works the same way, but it sends only ICMP echo request packets.
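The algorithm explained in the "How it works" sections of this page (TTL raised from 1, ICMP Time Exceeded type 11 code 0 from each intermediate router, Port Unreachable type 3 code 3 for a UDP probe or Echo Reply for an ICMP probe at the destination, and asterisks for nodes that stay silent), as a simulation added here; this is example code, not from the page, and the path, its addresses and the "silent" settings are constructed.

```python
"""Simulation of the traceroute/tracert algorithm described above (added example,
not code from the page). Nodes decrement TTL; a node that brings TTL to 0 replies
with ICMP Time Exceeded (type 11, code 0) unless it is configured to stay silent;
the destination answers a UDP probe with Port Unreachable (type 3, code 3) and an
ICMP echo probe with Echo Reply (type 0). Addresses are constructed sample values."""
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = (11, 0)    # TTL expired in transit
ICMP_PORT_UNREACHABLE = (3, 3)  # UDP probe arrived at an unused port on the target
ICMP_ECHO_REPLY = (0, 0)        # answer to an ICMP echo request probe
MAX_HOPS = 30                   # default hop limit of both utilities


@dataclass
class Node:
    addr: str
    answers_udp: bool = True    # False: drops UDP probes without any ICMP reply
    answers_icmp: bool = True   # False: drops ICMP probes without any reply


def send_probe(path, ttl, probe):
    """Carry one probe along path (last Node is the destination).

    Returns (responder address, (icmp_type, icmp_code)) or None when nobody answers."""
    for index, node in enumerate(path):
        ttl -= 1                                      # every node does TTL = TTL - 1
        is_destination = index == len(path) - 1
        answers = node.answers_udp if probe == "udp" else node.answers_icmp
        if is_destination:
            # delivered: no Time Exceeded, the reply depends on the probe kind
            if not answers:
                return None
            kind = ICMP_PORT_UNREACHABLE if probe == "udp" else ICMP_ECHO_REPLY
            return (node.addr, kind)
        if ttl == 0:
            # lifetime exceeded: packet discarded, ICMP 11/0 goes back (if allowed)
            return (node.addr, ICMP_TIME_EXCEEDED) if answers else None
        # TTL still positive: forward to the next node
    return None


def trace(path, probe="udp", probes_per_ttl=3, max_hops=MAX_HOPS):
    """Raise TTL from 1 until the destination answers or max_hops is exhausted.

    Each row is (ttl, responder or '*', set of ICMP (type, code) seen)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl, probe) for _ in range(probes_per_ttl)]
        responder = next((r[0] for r in replies if r), "*")
        kinds = {r[1] for r in replies if r}
        rows.append((ttl, responder, kinds))
        if kinds & {ICMP_PORT_UNREACHABLE, ICMP_ECHO_REPLY}:
            break                                     # reached the destination
    return rows


def render(rows):
    """Format rows the way the utilities do: hop number, then address or '* * *'."""
    return "\n".join(f"{ttl:3d}  {addr if addr != '*' else '* * *'}" for ttl, addr, _ in rows)


# Constructed path: the second router drops UDP silently (shows as '*' for UDP probes only).
SAMPLE_PATH = [Node("192.0.2.1"), Node("192.0.2.2", answers_udp=False),
               Node("198.51.100.1"), Node("203.0.113.9")]

if __name__ == "__main__":
    print(render(trace(SAMPLE_PATH, "udp")))    # hop 2 shows * * *
    print(render(trace(SAMPLE_PATH, "icmp")))   # hop 2 answers (the -I case above)
```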

I myself gladly use both the standard tracert and the one built into CyberKit (a pretty good utility; there is also Necrosoft Quick Traceroute). I cannot recommend anything extra under Linux: I have only used the standard Debian traceroute :).

In conclusion, don't be afraid to experiment - this is the only way to truly "understand" the network. Search for information and use it. Good luck.