
I am learning about traceroute and have some questions to ask about it. When I run traceroute 8.8.8.8 and dump the traffic with tcpdump -i wlan0 'udp or icmp' -n -v, something confuses me.

1) Why does my system send packets with different TTLs (TTL=1, TTL=2, TTL=3) without waiting to receive the TTL time exceeded message? I mean: send three IP packets with TTL=1, then wait for the TTL time exceeded response, then send three IP packets with TTL=2, and so on.

Part of dump file:

19:03:42.106216 IP (tos 0x0, ttl 1, id 10914, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.6.49812 > 8.8.8.8.33434: UDP, length 32
19:03:42.106257 IP (tos 0x0, ttl 1, id 10915, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.6.52790 > 8.8.8.8.33435: UDP, length 32
19:03:42.106272 IP (tos 0x0, ttl 1, id 10916, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.6.55112 > 8.8.8.8.33436: UDP, length 32
19:03:42.106285 IP (tos 0x0, ttl 2, id 10917, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.6.53449 > 8.8.8.8.33437: UDP, length 32
19:03:42.106297 IP (tos 0x0, ttl 2, id 10918, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.6.42008 > 8.8.8.8.33438: UDP, length 32
19:03:42.106308 IP (tos 0x0, ttl 2, id 10919, offset 0, flags [none], proto UDP (17), length 60)

2) The response packets contain the data of the request packet, but I notice that it has a different TTL value from the TTL value in the request packet. Like this:

Request packet has ttl=4

19:03:42.106381 IP (tos 0x0, ttl 4, id 10925, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.6.38055 > 8.8.8.8.33445: UDP, length 32

Response packet has ttl=1

19:03:42.159000 IP (tos 0x0, ttl 251, id 4287, offset 0, flags [DF], proto ICMP (1), length 56)
    123.29.10.178 > 192.168.1.6: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, *ttl 1*, id 10925, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8f05 (->bd46)!)
    192.168.1.6.38055 > 8.8.8.8.33445: UDP, length 32

So why does ttl value change?

Edit: 3) From Eddie's answer. I looked further and noticed that the 'ICMP unreachable message' responses have TTL ~= 1, and the first 'ICMP unreachable message' response has a ttl value of 2. So why?

8.8.8.8 > 192.168.1.6: ICMP 8.8.8.8 udp port 33466 unreachable, length 36
    IP (tos 0x80, ttl 2, id 10956, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8d66 (->bba7)!)
    192.168.1.6.33995 > 8.8.8.8.33466: UDP, length 32
19:03:42.346002 IP (tos 0x0, ttl 46, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    8.8.8.8 > 192.168.1.6: ICMP 8.8.8.8 udp port 33467 unreachable, length 36
    IP (tos 0x80, ttl 3, id 10957, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8c65 (->baa6)!)
    192.168.1.6.49358 > 8.8.8.8.33467: UDP, length 32
19:03:42.348871 IP (tos 0x0, ttl 46, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    8.8.8.8 > 192.168.1.6: ICMP 8.8.8.8 udp port 33468 unreachable, length 36
    IP (tos 0x80, ttl 2, id 10959, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8d63 (->bba4)!)
    192.168.1.6.44693 > 8.8.8.8.33468: UDP, length 32
19:03:42.362155 IP (tos 0x0, ttl 46, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    8.8.8.8 > 192.168.1.6: ICMP 8.8.8.8 udp port 33469 unreachable, length 36
    IP (tos 0x80, ttl 2, id 10962, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8d60 (->bba1)!)
    192.168.1.6.43577 > 8.8.8.8.33469: UDP, length 32
19:03:42.362185 IP (tos 0x20, ttl 47, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    8.8.8.8 > 192.168.1.6: ICMP 8.8.8.8 udp port 33470 unreachable, length 36
    IP (tos 0x80, ttl 3, id 10963, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8c5f (->baa0)!)
    192.168.1.6.60249 > 8.8.8.8.33470: UDP, length 32
19:03:42.382381 IP (tos 0x0, ttl 46, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    8.8.8.8 > 192.168.1.6: ICMP 8.8.8.8 udp port 33471 unreachable, length 36
    IP (tos 0x80, ttl 3, id 10965, offset 0, flags [none], proto UDP (17), length 60, bad cksum 8c5d (->ba9e)!)
    192.168.1.6.33430 > 8.8.8.8.33471: UDP, length 32

Thanks for reading!

user173717

1 Answer


Part of the ICMP TTL Expired in Transit message is a copy of the original packet which caused the ICMP error message to be sent, as seen by the router sending the ICMP TTL Expired message.

When you sent the packet, it started with a TTL of 4. But every router in the path towards the destination decremented the TTL by one, until it finally got to the router with the IP 123.29.10.178. When that router received it, it had a TTL of 1. And, as it should, it reduced the TTL to 0 upon receiving the packet, which triggered dropping the packet and responding with the ICMP TTL Expired message.

So it includes a copy of the packet as it saw it in its ICMP TTL Expired message, and it saw the TTL as 1 when that particular router received the packet.

You will see a TTL of 1 in all of the "duplicate packets" within the "TTL Expired" messages, because by definition they are only sent when a packet is received with a TTL of 1 and decremented to 0.

If you want to learn more, there is some good information on this thread about Traceroute and the TTL.

Eddie
  • Hi, I understand what you said, but when I look at some responses from the destination (eg 8.8.8.8), the ttl value != 1 (only in response packets from the destination), and I notice that the first **unreachable message** has ttl=2, because the packet arrived with ttl=2? – user173717 Jul 06 '15 at 15:09
  • @user173717 It seems like you are asking a different question now, one to do with the ICMP Port Unreachable message. That is different from the ICMP TTL Expired in Transit message you were asking about earlier. I would suggest creating a new question thread to address the new question, and marking an answer as correct on this one, and/or asking for continued clarification (on the same line of thought). – Eddie Jul 06 '15 at 19:18
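As an added example that is not part of the original question or of Eddie's answer, the following Python model reconstructs the exchange the answer describes: a UDP probe leaves the host with a small TTL, each router decrements it and refreshes the IP header checksum, and the router that takes it to 0 drops it and answers with ICMP Time Exceeded (type 11, code 0), quoting the probe's IP header plus the first 8 bytes of its payload exactly as that router received it. The host then matches the quoted header back to the probe it sent by IP ID and UDP destination port, which is how traceroute knows which hop answered. The topology is constructed for the demo: only 192.168.1.6, 8.8.8.8 and the last hop 123.29.10.178 come from the dump, the other router addresses, the reply's initial TTL of 255 and a symmetric return path are assumptions.

```python
"""Constructed model of a traceroute probe expiring in transit.
Added example, not code from the original thread."""
import socket
import struct

# Hypothetical topology for the demo. The host and the last hop appear in the
# question's dump; the intermediate router addresses are made up.
HOST = "192.168.1.6"
TARGET = "8.8.8.8"
PATH = ["192.168.1.1", "10.0.0.1", "172.16.0.1", "123.29.10.178"]  # hops 1..4


def ip_checksum(data):
    """RFC 1071 ones-complement sum. Caller zeroes the checksum field when
    computing; over a correct header (checksum included) the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def udp_probe(ttl, ident, sport, dport, payload=b"\x00" * 32):
    """A traceroute-style probe: 20 IP + 8 UDP + 32 payload = 60 bytes, as in the dump."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = absent (IPv4)
    return ipv4_header(HOST, TARGET, 17, len(udp), ttl, ident) + udp


def forward(packet):
    """One router hop: TTL-1 and a fresh header checksum, or None if the packet expires here."""
    ttl = packet[8]
    if ttl <= 1:
        return None  # received with TTL 1 -> would become 0 -> dropped, ICMP error instead
    hdr = packet[:8] + bytes([ttl - 1]) + packet[9:10] + b"\x00\x00" + packet[12:20]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def time_exceeded(router, received):
    """ICMP type 11 code 0 from `router`, quoting the received IP header + 8 payload bytes verbatim."""
    ihl = (received[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + received[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    orig_src = socket.inet_ntoa(received[12:16])
    return ipv4_header(router, orig_src, 1, len(icmp), 255, 0) + icmp  # reply TTL 255 is an assumption


def parse_icmp_error(packet):
    """Extract the outer sender/TTL and the quoted (inner) header fields from an ICMP error."""
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl + 8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "from": socket.inet_ntoa(packet[12:16]),
        "outer_ttl": packet[8],
        "type": packet[ihl],
        "code": packet[ihl + 1],
        "inner_id": struct.unpack("!H", inner[4:6])[0],
        "inner_ttl": inner[8],
        "inner_csum_ok": ip_checksum(inner[:inner_ihl]) == 0,
        "sport": sport,
        "dport": dport,
    }


def traceroute_sim(max_ttl=len(PATH)):
    """Send probes with TTL 1..max_ttl along PATH; return what the host captures per probe."""
    results = {}
    ident, dport = 10914, 33434  # first values seen in the dump
    for ttl in range(1, max_ttl + 1):
        pkt = udp_probe(ttl, ident, 40000 + ttl, dport)
        for hop, router in enumerate(PATH, start=1):
            nxt = forward(pkt)
            if nxt is None:
                reply = time_exceeded(router, pkt)
                for _ in range(hop - 1):  # reply crosses the routers between `router` and the host
                    reply = forward(reply)
                info = parse_icmp_error(reply)
                info["matched"] = info["inner_id"] == ident and info["dport"] == dport
                results[ttl] = info
                break
            pkt = nxt
        ident += 1
        dport += 1
    return results


if __name__ == "__main__":
    for ttl, r in traceroute_sim().items():
        print(f"probe ttl={ttl}: from {r['from']} type={r['type']} outer_ttl={r['outer_ttl']} "
              f"inner_ttl={r['inner_ttl']} csum_ok={r['inner_csum_ok']} matched={r['matched']}")
```

Every quoted header comes back with inner_ttl 1 regardless of the TTL the probe left with, while the outer TTL and source address differ per hop, which is the point of the answer. In this model the quoted header's checksum is consistent with its TTL; the capture in the question reports a checksum mismatch on the quoted header, which the thread does not explain and this example does not try to reproduce.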