nanog mailing list archives

Re: tracking TCP session hop by hop


From: Yifeng Zhou <zhuifeng0426 () gmail com>
Date: Wed, 29 Nov 2017 10:41:13 -0800

Thank you all for the reply!

I think traceroute/tcptraceroute is a good way to track a TCP session, as we
can use the same 5-tuple as normal TCP does.

Bill brought up an interesting point about MPLS and Ethernet. I gave it a
bit of thought and here's what I can tell; please correct me if I'm wrong.

For MPLS, everything should be the same prior to entering the MPLS cloud. At the
ingress router, it will push an MPLS label (also an entropy label if enabled),
but it should be the same for traceroute traffic and actual TCP traffic (we
have the same 4-tuple, or 5, including the incoming interface on the router),
so the label/entropy label should be the same. Inside the MPLS cloud, normally
the router will use the MPLS label, src, dst IP, port number (or entropy label
if enabled) as the hash seed (depending on configuration) to calculate which
ECMP path it will use. Choosing the member link inside a LAG might be another
story for a non-entropy-enabled MPLS cloud, but we don't really care as they
belong to the same IP (layer-3) path, but I think they should be the same as
well?

Thanks

2017-11-29 9:06 GMT-08:00 William Herrin <bill () herrin us>:

On Tue, Nov 28, 2017 at 3:48 PM, Yifeng Zhou <zhuifeng0426 () gmail com>
wrote:

Is there any way that we can track TCP session hop by hop?

Say we have 10 ECMP between A and Z point, what's the easiest way to track
specific session is using which path? How we can check between
servers(Linux/Unix) and between Routers(Cisco/Juniper etc)?


A TCP connection is uniquely identified by the combination of four
numbers: The source IP address, the source port, the destination IP address
and the destination port. You used the word session, but sessions happen
above TCP in the stack and may use more than one TCP connection.  Every
packet in the connection contains all four numbers and no packet from any
other connection contains the same four numbers.

If you want to track the connections, you capture the packets at each
point in the path (router products have vendor-specific ways of doing this)
and see which unique sets of the four numbers went through which router and
router interface.


If you want to -test- which path a TCP connection -would- take, Ruairi's
aforementioned tcptraceroute is the way to go. The regular traceroute on
modern Linux servers also supports the "-T" flag, which does the same thing.
It works just like regular traceroute but uses synthetic TCP SYN packets
instead of ICMP or UDP packets, allowing the packets to pass firewalls
which would otherwise block the trace.

Bear in mind that in each case you will likely only see the path taken at
the IP level. Underlying transits at the Ethernet or MPLS level are
intentionally invisible to the endpoints.

Regards,
Bill Herrin


--
William Herrin ................ herrin () dirtside com  bill () herrin us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
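Putting the two points of the thread together (a connection is identified by its four numbers, and a TCP-mode traceroute only predicts the path if its probes carry the same numbers), here is an added example that is not part of the original messages: a small POSIX sh helper that takes one line of `ss -tn` output for a live connection and builds a Linux `traceroute -T` invocation pinned to that connection's source address, source port, destination address and destination port. It assumes the Linux traceroute implementation that supports `-T`, `-s`, `-p` and `--sport`, and that the caller has root or CAP_NET_RAW to send synthetic SYNs. The `ss` line embedded below is constructed sample input; on a real host you would feed it the line for the connection you are chasing.

```shell
#!/bin/sh
# Added example, not from the thread: reuse the exact 4-tuple of an
# established TCP connection for a traceroute -T run, so ECMP hashing on
# (src IP, src port, dst IP, dst port, proto=TCP) sees the same inputs as
# the live flow.
#
# Assumptions: Linux traceroute (the implementation shipped in most
# distributions) supporting -T, -n, -s, -p and --sport; sending synthetic
# SYNs needs root or CAP_NET_RAW.

# Constructed sample of one `ss -tn` data line:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# On a real host use e.g.:  ss -tn | awk 'NR>1 && /:443 /'
SAMPLE_SS_LINE='ESTAB 0 0 10.1.2.3:45678 198.51.100.10:443'

# strip_brackets ADDR -> ADDR without the [ ] that ss puts around IPv6
strip_brackets() {
    a=${1#[}
    printf '%s\n' "${a%]}"
}

# build_trace_cmd SS_LINE -> prints the traceroute command for that
# connection; returns 1 if the line does not look like an ss -tn record
build_trace_cmd() {
    line=$1
    # fields 4 and 5 of ss -tn are Local-Address:Port and Peer-Address:Port
    local_ep=$(printf '%s\n' "$line" | awk '{print $4}')
    peer_ep=$(printf '%s\n' "$line" | awk '{print $5}')
    # the last ':' separates the port; works for IPv4 and [v6] forms
    src_ip=$(strip_brackets "${local_ep%:*}")
    src_port=${local_ep##*:}
    dst_ip=$(strip_brackets "${peer_ep%:*}")
    dst_port=${peer_ep##*:}
    case $src_port in ''|*[!0-9]*) echo "unparseable ss line: $line" >&2; return 1;; esac
    case $dst_port in ''|*[!0-9]*) echo "unparseable ss line: $line" >&2; return 1;; esac
    # -T: TCP SYN probes; -n: no DNS; -s/--sport pin the source half of the
    # tuple; -p is the destination port. --sport implies one probe at a time.
    printf 'traceroute -T -n -s %s --sport=%s -p %s %s\n' \
        "$src_ip" "$src_port" "$dst_port" "$dst_ip"
}

# Invoke as `sh thisfile.sh run` to actually send the probes.
if [ "${1:-}" = "run" ]; then
    cmd=$(build_trace_cmd "$SAMPLE_SS_LINE") && sh -c "$cmd"
fi
```

Two caveats when using this for real. First, the interesting output is the intermediate hops, which answer with ICMP time-exceeded regardless of the payload; because the destination already holds a socket for this exact 4-tuple, it may not answer the duplicate SYN with the SYN-ACK or RST that traceroute expects for the final hop, so a missing last line is not a path problem. Second, as Bill notes, this only shows the IP-level path; MPLS label switching and LAG member selection underneath it stay invisible to the endpoints.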


