Comments on: Understanding Traceroute

By: shopping

shopping — Sun, 08 Jun 2008 20:45:03 +0000

So, if I’m running Linux and the server I’m pinging runs Microsoft, I send a UCP trigger but do I receive a USP trigger back or do I receive an ICMP trigger back?
This is interesting – I wasn’t aware that each operating system was different. What is IOS? That doesn’t sound like Mac OS. It would be interesting if you mentioned Mac OS as well (I can’t for the life of me, figure our what IOS could possibly mean.)

By: Ip Address

Ip Address — Fri, 22 Feb 2008 20:37:22 +0000

I like this tutorial about network tool traceroute with example and i use very oft windows command tracert for network troubleshooting.
Thanks for this!

By: Brian McGahan, CCIE 8593

Brian McGahan, CCIE 8593 — Sat, 05 Jan 2008 03:31:40 +0000

Hi Anthony,

The problem with sending UDP traceroute through a stateful firewall is that the outbound packet is UDP, but the inbound reply is either ICMP time-exceeded (for devices in the transit path), or ICMP port-unreachable (for the final devices). To allow this inbound on the outside interface of the PIX firewall you therefore need an inbound access-list such as the follows:

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

By: Anthony Fajri

Anthony Fajri — Sat, 05 Jan 2008 02:37:50 +0000

Hi Brian, thanks for the post and the summary of discussion in CCIE group study.

About 1 year ago, I made similar post in my blog in this post.

Do you have idea, how to allow pix to allow udp traceroute?
in my understanding, Unix traceroute is not using fix port number, but use dynamic and sequence port number (ie. 1st hop is using 33444, 2nd hop is using 22445, 3rd hop is using 33446, etc).

ps: for tcp traceroute, I use tracetcp for windows (because my laptop is using windows).