Penetration Testing mailing list archives

Re: RE Traceroute question


From: "Datta Vaidya" <dnvaidya () rilinfo net>
Date: Fri, 29 Dec 2006 11:44:23 +0530

I have noticed it many times on Juniper routers also when we are using
subinterfaces. Given the way traceroute works, I guess it is due to a dual
response from the destination hop, which returns twice to the sender, and on
the basis of the ICMP TTL expired error the sender shows it twice.

Also, if we look at it closely, the ms value in the two responses differs.
The second response shows a little bit more milliseconds, hence I
am guessing that the returning hop gives one response of TTL expired
immediately at the main interface and one might be coming from a subinterface or
any such mechanism which also gets a chance to process the same packet, hence there
is some delay in the second packet.

Hope my assumptions are right.

Datta Vaidya

----- Original Message -----
From: "Francois Labreque" <flabreq () ca ibm com>
To: "Becky Nelson" <ralf.jacober () gmail com>
Cc: <listbounce () securityfocus com>; <pen-test () securityfocus com>
Sent: Thursday, December 28, 2006 8:18 PM
Subject: RE Traceroute question


listbounce () securityfocus com wrote on 2006-12-27 20:36:58:

I am running a traceroute and have two hops that report the same
address.  Could someone please explain what would cause this?  I
suspect that this is some type of firewall?

Regards,

Ralf

It can be a firewall that does PAT, or it can be certain models of higher
end Cisco routers (75xx series) that will do that if they have
distributed-forwarding turned on.

