Cisco’s Traceroute Implementation

Given this topic is very basic and small but its allways good to have those informations handy, you never know when you need it 🙂

Cisco’s Traceroute implementation uses a mix of UDP and ICMP packets. A Cisco devices sends 3 UDP packets (default) with an invalid port address and a TTL of 1. Since the TTL is set to one the first router in the path will send a time to live exceeded in transit message (ICMP Type 11, Code 0) back to the source, since its not the target of the packet but it cannot forward the packet to the next hope due to the TTL of 1.
After the device received the 3 ICMP packets it will send 3 UDP packets again but this time with a TTL of 2. The same process recurs until the destination is reached. The destination then will send destination unreachable (port unreachable) messages (ICMP type 3, code 3) instead of the time to live exceeded messages. The traceroute process then knows that it reached the destination and the process can be stopped.
The device can build the path to the destination based on the ICMP messages, since those messages use the interface towards the source device as their source address.

The following table shows output characters for the traceroute command:

Character Description
nn msec Displays the round trip delay for each try and note in milliseconds (Default is 3 tries)
* The try timed out (Default is 3 seconds)
A Administratively prohibited, such as via an ACL
Q Source Quench, the target is too busy to answer
I User interrupted test
U Port unreachable
H Host unreachable
N Network unreachable
P Protocol unreachable
T Timeout
? Unknown packet type
Advertisements

7 comments

  1. Jana

    Why do you send 3 packets everytime? Why not one? Does a Cisco device send 3 by default? (I think this is what you meant) And why? Reliability?

  2. pashtuk

    Hi Jana
    If you do a traceroute on a cisco device, you’ll always see three numbers at the end of the row, each stating the time it took for that hop. I don’t know why they send exactly three and not two or five (as the default ping value is).

  3. Marts

    Hello,

    could you please explain the following traceroute output? As you said, usually you see three response times at each IP. In here you have three IPs for hop 12. Also the response time decreases with additional hops, how is that possible?

    ***output omitted***
    12 x.x.80.30 180 msec
    x.x.80.2 196 msec
    x.x.80.14 240 msec
    ***output omitted***
    14 x.x.154.38 60 msec 60 msec 64 msec

    • pashtuk

      Hi Mats
      I think the three IPs show three different routers on the path to the destination with some kind of loadsharing in between, not 100% sure here.

      The delay is another thing, ICMP processing in routers isn’t high priority in its processing, so it might take longer to process and answer then passing the data to the next hop while the router does have more important processes to go through.

  4. eblip

    im a bit stuck on ….why i get a * meaning probe timed out …rather than a host unreachable…as i know my host is unreachable…as its non existant on the subnet….you see if i got a host unreachable then the traceroute would stop….but with this timeout it continues until i stop it…can someone please explain.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s