Table of Contents
tcptraceroute - A traceroute implementation using TCP packets
tcptraceroute
[-nNFSAE] [ -i interface ] [ -f first ttl ]
[ -l length ] [ -q number of queries ] [ -t tos ]
[ -m max ttl ] [ -p source port ] [ -s source address ]
[ -w wait time ] host [ destination port ] [ length ]
tcptraceroute
is a traceroute implementation using TCP packets.
The more traditional traceroute(8)
sends out either UDP or ICMP ECHO packets with a TTL of one, and increments
the TTL until the destination has been reached. By printing the gateways
that generate ICMP time exceeded messages along the way, it is able to
determine the path packets are taking to reach the destination.
The problem
is that with the widespread use of firewalls on the modern Internet, many
of the packets that traceroute(8) sends out end up being filtered, making
it impossible to completely trace the path to the destination. However,
in many cases, these firewalls will permit inbound TCP packets to specific
ports that hosts sitting behind the firewall are listening for connections
on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets,
tcptraceroute is able to bypass the most common firewall filters.
It is
worth noting that tcptraceroute never completely establishes a TCP connection
with the destination host. If the host is not listening for incoming connections,
it will respond with an RST indicating that the port is closed. If the
host instead responds with a SYN|ACK, the port is known to be open, and
an RST is sent by the kernel tcptraceroute is running on to tear down the
connection without completing three-way handshake. This is the same half-open
scanning technique that nmap(1) uses when passed the -sS flag.
- -n
- Display
numeric output, rather than doing a reverse DNS lookup for each hop. By
default, reverse lookups are never attempted on RFC1918 address space,
regardless of the -n flag.
- -N
- Perform a reverse DNS lookup for each hop, including
RFC1918 addresses.
- -f
- Set the initial TTL used in the first outgoing packet.
The default is 1.
- -m
- Set the maximum TTL used in outgoing packets. The default
is 30.
- -p
- Use the specified local TCP port in outgoing packets. The default
is to obtain a free port from the kernel using bind(2). Unlike with traditional
traceroute(8), this number will not increase with each hop.
- -s
- Set the source
address for outgoing packets. See also the -i flag.
- -i
- Use the specified interface
for outgoing packets.
- -q
- Set the number of probes to be sent to each hop.
The default is 3.
- -w
- Set the timeout, in seconds, to wait for a response for
each probe. The default is 3.
- -S
- Set the TCP SYN flag in outgoing packets.
This is the default, if neither -S or -A is specified.
- -A
- Set the TCP ACK flag
in outgoing packets. By doing so, it is possible to trace through stateless
firewalls which permit outgoing TCP connections.
- -E
- Send ECN SYN packets,
as described in RFC2481.
- -t
- Set the IP TOS (type of service) to be used in
outgoing packets. The default is not to set any TOS.
- -F
- Set the IP "don't fragment"
bit in outgoing packets.
- -l
- Set the total packet length to be used in outgoing
packets. If the length is greater than the minimum size required to assemble
the necessary probe packet headers, this value is automatically increased.
- -d
- Enable debugging, which may or may not be useful.
Please see the
examples.txt file included in the tcptraceroute distribution for a few real
world examples.
To trace the path to a web server listening for connections
on port 80:
tcptraceroute webserver
To trace the path to a mail server
listening for connections on port 25:
tcptraceroute mailserver 25
No
error checking is performed on the source address specified by the -s flag,
and it is therefore possible for tcptraceroute to send out TCP SYN packets
for which it has no chance of seeing a response to.
Michael C. Toren <mct@toren.net>
For updates, please see:
http://michael.toren.net/code/tcptraceroute/
traceroute(8), ping(8),
nmap(1)
Table of Contents