Penetration Testing mailing list archives
RE: Traceroute question
From: Tal Argoni <moskito () 012 net il>
Date: Thu, 28 Dec 2006 10:26:08 +0200
Traceroute base on the IP header time-to-live (TTL) field. TTL field is used to limit IP datagram's. TTL functions as a decrementing counter, Each hop (router etc..) that a datagram passes through reduces the TTL field by one. If the TTL value reaches 0, the datagram is discarded and a time exceeded in transit Internet Control Message Protocol (ICMP) message is created to inform the source of the failure (Type 11 code 0). Now.. What if there is a machine that function as packet filter? Well.. The last 2 host have the same ip address. Why? The firewall defined to return Echo Reply (Type 0 code 0). The first time that the firewall handle the packet that his TTL was 0, The firewall return time exceeded, the second packet has a TTL 1, The firewall will pass thru the packet to the next machine, that will Return echo reply if it is the destination or time exceeded if it's not. Assume it return an echo reply. And the firewall not allow a ICMP outgoing packets, the firewall return with his own ip the echo reply. That why we get 2 or more result with the same ip. A solution: Try to do a TCP traceroute because Windows tracert base on ICMP, Unix traceroute base on UDP. You can use Hping. -----Original Message----- From: Becky Nelson [mailto:ralf.jacober () gmail com] Sent: Thursday, December 28, 2006 3:37 AM To: pen-test () securityfocus com Subject: Traceroute question I am running a traceroute and have two hops that report the same address. Could someone please explain what would cause this? I suspect that this is some type of firewall? Regards, Ralf
Current thread:
- Traceroute question Becky Nelson (Dec 27)
- Re: Traceroute question Marcelo Caceres (Dec 28)
- Re: Traceroute question sami ghourabi (Dec 28)
- RE: Traceroute question Tal Argoni (Dec 28)
- Re: Traceroute question Rob Sherwood (Dec 28)
- RE Traceroute question Francois Labreque (Dec 28)
- Re: RE Traceroute question Datta Vaidya (Dec 29)
- re: Traceroute question Robert MacDonald (Dec 28)
- Re: Traceroute question Cedric Blancher (Dec 29)
- <Possible follow-ups>
- RE: Traceroute question Omar Salvador Alcalá Ruiz (Dec 29)