TraceRoute: Better Results with TCP SYN

  • There has been some talk this week about doing "advanced traceroutes" using TCP SYN instead of ICMP requests in order to get better, faster results. I think that many people feel that this is new or advanced or somehow not something that we have always had. However, the standard traceroute tool has long been doing this and we need only be aware of how to use it which is as simple as the -T flag on the standard traceroute command in Linux (check your man pages for your specific version if this does not work and please report back so that we can document.)

    Here is an example of a standard ICMP based traceroute, the default action:

    $ traceroute yahoo.com
    traceroute to yahoo.com (98.138.253.109), 30 hops max, 60 byte packets
     1  FIOS_Quantum_Gateway.fios-router.home (192.168.1.1)  1.127 ms  1.190 ms  1.319 ms
     2  47.186.128.1 (47.186.128.1)  2.496 ms  4.023 ms  4.021 ms
     3  172.102.51.152 (172.102.51.152)  7.062 ms  7.647 ms  7.634 ms
     4  ae7---0.scr01.dlls.tx.frontiernet.net (74.40.3.17)  7.607 ms  7.605 ms  7.590 ms
     5  ae0---0.cbr01.dlls.tx.frontiernet.net (74.40.4.14)  7.572 ms  7.555 ms  7.538 ms
     6  exchange-cust2.da1.equinix.net (206.223.118.2)  7.521 ms  3.433 ms  3.231 ms
     7  ae-3.pat2.dnx.yahoo.com (216.115.96.58)  34.136 ms ae-4.pat2.bfz.yahoo.com (216.115.97.207)  36.672 ms ae-3.pat2.dnx.yahoo.com (216.115.96.58)  35.558 ms
     8  ae-6.pat2.nez.yahoo.com (216.115.104.116)  35.975 ms ae-6.pat1.nez.yahoo.com (216.115.104.118)  36.616 ms  36.612 ms
     9  et-0-0-0.msr2.ne1.yahoo.com (216.115.105.179)  35.106 ms et-18-1-0.msr2.ne1.yahoo.com (216.115.105.185)  38.772 ms et-19-1-0.msr1.ne1.yahoo.com (216.115.105.27)  35.495 ms
    10  et-1-0-0.clr2-a-gdc.ne1.yahoo.com (98.138.97.73)  37.470 ms et-19-1-0.clr2-a-gdc.ne1.yahoo.com (98.138.97.75)  37.845 ms et-1-0-0.clr1-a-gdc.ne1.yahoo.com (98.138.97.69)  36.016 ms
    11  et-18-25.fab2-1-gdc.ne1.yahoo.com (98.138.0.93)  36.524 ms et-17-1.fab6-1-gdc.ne1.yahoo.com (98.138.93.5)  41.100 ms et-17-1.fab5-1-gdc.ne1.yahoo.com (98.138.93.1)  36.971 ms
    12  po-17.bas1-7-prd.ne1.yahoo.com (98.138.240.20)  35.994 ms po-12.bas2-7-prd.ne1.yahoo.com (98.138.240.26)  33.088 ms po-16.bas2-7-prd.ne1.yahoo.com (98.138.240.34)  33.267 ms
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    And here is the same command using the -T command to switch from the default to TCP SYN packets instead, bypassing the commonly blocked ICMP protocols. Notice that this also requires elevated privileges to run because it can easily be used for a DoS attack.

    $ sudo traceroute -T yahoo.com
    traceroute to yahoo.com (98.139.183.24), 30 hops max, 60 byte packets
     1  FIOS_Quantum_Gateway.fios-router.home (192.168.1.1)  0.960 ms  1.096 ms  1.245 ms
     2  47.186.128.1 (47.186.128.1)  4.399 ms  4.893 ms  4.893 ms
     3  172.102.51.82 (172.102.51.82)  6.160 ms  6.548 ms  6.546 ms
     4  ae7---0.scr01.dlls.tx.frontiernet.net (74.40.3.17)  4.878 ms  4.875 ms  4.873 ms
     5  ae0---0.cbr01.dlls.tx.frontiernet.net (74.40.4.14)  5.650 ms  51.704 ms  52.083 ms
     6  exchange-cust2.da1.equinix.net (206.223.118.2)  8.926 ms  5.519 ms  3.123 ms
     7  xe-2-0-2.pat1.dce.yahoo.com (216.115.96.93)  29.173 ms  29.616 ms  29.617 ms
     8  ae-8.pat1.bfz.yahoo.com (216.115.101.231)  42.673 ms ae-9.pat2.bfz.yahoo.com (216.115.101.199)  49.814 ms ae-0.pat1.bfy.yahoo.com (216.115.97.196)  42.649 ms
     9  et-0-0-0.msr1.bf1.yahoo.com (74.6.227.129)  42.643 ms et-19-0-0.pat2.bfz.yahoo.com (216.115.97.105)  42.613 ms et-0-0-0.msr2.bf1.yahoo.com (74.6.227.137)  45.617 ms
    10  et-0-1-1.clr2-a-gdc.bf1.yahoo.com (74.6.122.19)  42.619 ms et-19-1-0.msr1.bf1.yahoo.com (74.6.227.133)  42.044 ms et-19-0-1.clr1-a-gdc.bf1.yahoo.com (74.6.122.35)  40.177 ms
    11  po8.fab4-1-gdc.bf1.yahoo.com (72.30.22.39)  41.775 ms UNKNOWN-74-6-122-X.yahoo.com (74.6.122.91)  41.214 ms po7.fab6-1-gdc.bf1.yahoo.com (72.30.22.11)  41.764 ms
    12  po-13.bas2-7-prd.bf1.yahoo.com (98.139.129.211)  40.512 ms po-11.bas1-7-prd.bf1.yahoo.com (98.139.129.177)  40.907 ms po7.fab3-1-gdc.bf1.yahoo.com (72.30.22.5)  38.354 ms
    13  ir2.fp.vip.bf1.yahoo.com (98.139.183.24)  37.887 ms  41.289 ms po-10.bas1-7-prd.bf1.yahoo.com (98.139.129.161)  39.821 ms

    That's all that there is to it. Better results, faster.
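As an added example (not part of the original post), here is a small POSIX shell/awk helper that summarises a traceroute run: the last hop number, how many hops stayed silent, and whether any probe was answered by the target address printed in the header line. It is fed constructed, abridged copies of the two runs quoted above; in practice you would pipe a live run into it, e.g. `sudo traceroute -T yahoo.com | trace_summary`.

```shell
#!/bin/sh
# Summarise traceroute output read on stdin: last hop number, number of
# silent hops ("* * *"), and whether the target address from the header
# line answered any probe (i.e. the trace actually reached the host).
trace_summary() {
    awk '
        NR == 1 {                       # header: "traceroute to host (a.b.c.d), ..."
            if (match($0, /\([0-9.]+\)/))
                target = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        NF == 0 { next }                # skip blank lines
        { hops = $1 + 0 }               # hop number is the first column
        $2 == "*" && $3 == "*" && $4 == "*" { silent++; next }
        {                               # an "(ip)" field equal to the target means we arrived
            for (i = 2; i <= NF; i++)
                if ($i == ("(" target ")")) reached = 1
        }
        END {
            printf "target=%s reached=%s hops=%d silent=%d\n",
                   target, (reached ? "yes" : "no"), hops, silent
        }
    '
}

# Constructed samples, abridged from the two runs quoted in the post.
ICMP_SAMPLE='traceroute to yahoo.com (98.138.253.109), 30 hops max, 60 byte packets
 1  FIOS_Quantum_Gateway.fios-router.home (192.168.1.1)  1.127 ms  1.190 ms  1.319 ms
 2  47.186.128.1 (47.186.128.1)  2.496 ms  4.023 ms  4.021 ms
12  po-17.bas1-7-prd.ne1.yahoo.com (98.138.240.20)  35.994 ms po-12.bas2-7-prd.ne1.yahoo.com (98.138.240.26)  33.088 ms
13  * * *
14  * * *
30  * * *'

TCP_SAMPLE='traceroute to yahoo.com (98.139.183.24), 30 hops max, 60 byte packets
 1  FIOS_Quantum_Gateway.fios-router.home (192.168.1.1)  0.960 ms  1.096 ms  1.245 ms
12  po-13.bas2-7-prd.bf1.yahoo.com (98.139.129.211)  40.512 ms po-11.bas1-7-prd.bf1.yahoo.com (98.139.129.177)  40.907 ms
13  ir2.fp.vip.bf1.yahoo.com (98.139.183.24)  37.887 ms  41.289 ms po-10.bas1-7-prd.bf1.yahoo.com (98.139.129.161)  39.821 ms'

icmp_summary() { printf '%s\n' "$ICMP_SAMPLE" | trace_summary; }
tcp_summary()  { printf '%s\n' "$TCP_SAMPLE"  | trace_summary; }

icmp_summary   # target=98.138.253.109 reached=no hops=30 silent=3
tcp_summary    # target=98.139.183.24 reached=yes hops=13 silent=0
```

The ICMP run ends in silent hops and never shows the target address, while the TCP SYN run reports the target answering at hop 13, which is the difference the two outputs above illustrate.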