When I do a trace on the www.google.com domain from my laptop, am I using icmp or udp ?
I thought it was icmp type 11 but while searching for something else I came across rules where icmp type 30 was used and I saw rules where udp was used.
Can someone explain to me how that works ?
I'm working on a firewall (iptables) for a virtual dedicated server.
The type of packet that is sent differs depending on the implementation. By default Windows
tracert
uses ICMP and both Mac OS X and Linuxtraceroute
use UDP. I don't have BSD or Solaris machines or any other OS on hand to check but the man page for the Mac OS X version mentions its provenance is BSD 4.3.The Mac and Linux versions I have offer the ability to choose a variety of different protocols including ICMP, TCP, UDP and GRE packets. Other protocols can be specified by their name or number but traceroute doesn't know anything about how other protocols work. It just blindly sends them.
They can also both change the payload and the source and destination ports in order to avoid firewalls or discover which router along the path is dropping packets of a certain size.
All versions of traceroute rely on ICMP type 11 (Time exceeded) responses from each hop along the route. If ICMP type 11 responses are being blocked by your firewall, traceroute will not work. These packets are inbound, not outbound.
ICMP type 30 is specifically designated for traceroute and is labeled as an "Information Request". I haven't been able to find anywhere where this is actually used. The man page for the Mac OS X and Linux versions says that
-I
will send ICMP type 8 (echo request). Wikipedia says that Windowstracert
also uses ICMP echo requests. ICMP type 30 or type 8 are outbound packets, not inbound.ICMP type 0 (echo response) may come back as the very last packet when the TTL exactly equals the number of hops. Traceroute will know it has finished when it receives one of these. This is an inbound packet.
TCP SYN packets will cause either a
RST
packet or aSYN ACK
packet in response when they reach their destination. If you receive aSYN ACK
packet, it's polite to follow up with aRST
packet so as not to leave a half-open connection on the server.It is possible to get ICMP type 3 code 4 responses back instead of ICMP type 11 responses if you send a large packet with the "Do not fragment" flag set, however this is likely only to allow you to find the hop with the smallest MTU. You will normally only get this sort of response from one hop along the route. Not all of them.
Traditional traceroute uses UDP on incrementing ports for every hop.
You can use any sort of packet to implement it - ICMP, TCP SYN, etc. All it takes is the IP packet expiring and you are golden.
Various implementations, like MacOS, offer support for multiple types of traceroute, as well as modes that don't increment ports, etc, to bypass firewall restrictions.