TCPTRACEROUTE(1)            General Commands Manual           TCPTRACEROUTE(1)


NAME

       tcptraceroute - A traceroute implementation using TCP packets


SYNOPSIS

       tcptraceroute [-nNFSAE] [ -i interface ] [ -f first ttl ]
       [ -l length ] [ -q number of queries ] [ -t tos ]
       [ -m max ttl ] [ -p source port ] [ -s source address ]
       [ -w wait time ] host [ destination port ] [ length ]


DESCRIPTION

       tcptraceroute is a traceroute implementation using TCP packets.

       The more traditional traceroute(8) sends out either UDP or ICMP ECHO
       packets with a TTL of one, and increments the TTL until the
       destination has been reached.  By printing the gateways that generate
       ICMP time exceeded messages along the way, it is able to determine the
       path packets are taking to reach the destination.

       The problem is that with the widespread use of firewalls on the modern
       Internet, many of the packets that traceroute(8) sends out end up being
       filtered, making it impossible to completely trace the path to the
       destination.  However, in many cases, these firewalls will permit
       inbound TCP packets to specific ports that hosts sitting behind the
       firewall are listening for connections on.  By sending out TCP SYN
       packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to
       bypass the most common firewall filters.

       It is worth noting that tcptraceroute never completely establishes a
       TCP connection with the destination host.  If the host is not listening
       for incoming connections, it will respond with an RST indicating that
       the port is closed.  If the host instead responds with a SYN|ACK, the
       port is known to be open, and an RST is sent by the kernel
       tcptraceroute is running on to tear down the connection without
       completing the three-way handshake.  This is the same half-open
       scanning technique that nmap(1) uses when passed the -sS flag.


OPTIONS

       -n     Display numeric output, rather than doing a reverse DNS lookup
              for each hop.  By default, reverse lookups are never attempted
              on RFC1918 address space, regardless of the -n flag.

       -N     Perform a reverse DNS lookup for each hop, including RFC1918
              addresses.

       -f     Set the initial TTL used in the first outgoing packet.  The
              default is 1.

       -m     Set the maximum TTL used in outgoing packets.  The default is
              30.

       -p     Use the specified local TCP port in outgoing packets.  The
              default is to obtain a free port from the kernel using bind(2).
              Unlike with traditional traceroute(8), this number will not
              increase with each hop.

       -s     Set the source address for outgoing packets.  See also the -i
              flag.

       -i     Use the specified interface for outgoing packets.

       -q     Set the number of probes to be sent to each hop.  The default is
              3.

       -w     Set the timeout, in seconds, to wait for a response for each
              probe.  The default is 3.

       -S     Set the TCP SYN flag in outgoing packets.  This is the default
              if neither -S nor -A is specified.

       -A     Set the TCP ACK flag in outgoing packets.  By doing so, it is
              possible to trace through stateless firewalls which permit
              outgoing TCP connections.

       -E     Send ECN SYN packets, as described in RFC2481.

       -t     Set the IP TOS (type of service) to be used in outgoing packets.
              The default is not to set any TOS.

       -F     Set the IP "don't fragment" bit in outgoing packets.

       -l     Set the total packet length to be used in outgoing packets.  If
              the length is greater than the minimum size required to assemble
              the necessary probe packet headers, this value is automatically
              increased.

       -d     Enable debugging, which may or may not be useful.

       --dnat
              Enable DNAT detection, and display messages when DNAT
              transitions are observed.  DNAT detection is based on the fact
              that some NAT devices, such as some Linux 2.4 kernels, do not
              correctly rewrite the IP address of the IP packets quoted in
              ICMP time-exceeded messages tcptraceroute solicits, revealing
              the destination IP address an outbound probe packet was NATed
              to.  NAT devices which correctly rewrite the IP address quoted
              by ICMP messages, such as some Linux 2.6 kernels, will not be
              detected.  For some target hosts, it may be necessary to use
              --dnat in conjunction with --track-port.  See the examples.txt
              file for examples.

       --no-dnat
              Enable DNAT detection for the purposes of correctly identifying
              ICMP time-exceeded messages that match up with outbound probe
              packets, but do not display messages when a DNAT transition is
              observed.  This is the default behavior.

       --no-dnat-strict
              Do not perform any DNAT detection whatsoever.  No attempt will
              be made to match up ICMP time-exceeded messages with outbound
              probe packets, and when tracerouting through a NAT device which
              does not rewrite the IP addresses of the IP packets quoted in
              ICMP time-exceeded messages, some hops along the path may appear
              to be unresponsive.  This option should not be needed in the
              vast majority of cases, but may be utilized if it is suspected
              that the DNAT detection code is misidentifying ICMP
              time-exceeded messages.

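       The reply-matching logic described in DESCRIPTION and in the --dnat
       options (an ICMP time exceeded message from an intermediate hop, an RST
       for a closed port, a SYN|ACK for an open port, and the quoted-destination
       comparison behind --dnat and --no-dnat-strict), as an added Python
       example that is not part of tcptraceroute.  All addresses, ports and
       packets are constructed; real probing needs raw sockets and is omitted.

```python
import struct
from ipaddress import IPv4Address
# Constructed values: our address, the -p source port, and the target host/port.
LOCAL = "198.51.100.5"
PROBE = {"src_port": 40000, "dst": "203.0.113.10", "dst_port": 80}

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet; checksum left zero since the classifier never checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def tcp(sport, dport, flags):
    """20-byte TCP header, no options; ICMP replies quote only its first 8 bytes."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

def time_exceeded(gateway, probe_pkt):
    """ICMP type 11, code 0 from a gateway, quoting the probe's IP header + 8 bytes."""
    return ipv4(gateway, LOCAL, 1, struct.pack("!BBHI", 11, 0, 0, 0) + probe_pkt[:28])

def split_ipv4(pkt):
    """Return (protocol, source, destination, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[ihl:]

def classify(pkt, probe=PROBE, dnat_detection=True):
    """Map one reply to the outcome tcptraceroute reports; dnat_detection=False
    mirrors --no-dnat-strict, where a rewritten quoted destination is not matched."""
    proto, src, _dst, payload = split_ipv4(pkt)
    if proto == 1 and payload[0] == 11:                      # ICMP time exceeded
        iproto, _isrc, idst, itcp = split_ipv4(payload[8:])  # the quoted probe
        sport, dport = struct.unpack("!HH", itcp[:4])
        if iproto != 6 or sport != probe["src_port"] or dport != probe["dst_port"]:
            return {"kind": "unrelated"}
        if idst != probe["dst"] and not dnat_detection:
            return {"kind": "unrelated"}                     # hop appears unresponsive
        return {"kind": "hop", "gateway": src, "dnat_to": idst if idst != probe["dst"] else None}
    if proto == 6 and src == probe["dst"]:
        sport, dport, flags = struct.unpack("!HH9xB", payload[:14])  # flags at offset 13
        if sport == probe["dst_port"] and dport == probe["src_port"]:
            if flags & 0x04:                                 # RST: port closed
                return {"kind": "closed", "host": src}
            if (flags & 0x12) == 0x12:                       # SYN|ACK: port open
                return {"kind": "open", "host": src}
    return {"kind": "unrelated"}

# Constructed replies: a normal hop, a hop past a DNAT box that quoted the rewritten
# destination 10.0.0.7, and the target answering with RST and with SYN|ACK.
SYN = tcp(PROBE["src_port"], PROBE["dst_port"], 0x02)
HOP = time_exceeded("192.0.2.1", ipv4(LOCAL, PROBE["dst"], 6, SYN))
HOP_DNAT = time_exceeded("192.0.2.9", ipv4(LOCAL, "10.0.0.7", 6, SYN))
RST = ipv4(PROBE["dst"], LOCAL, 6, tcp(80, 40000, 0x04))
SYNACK = ipv4(PROBE["dst"], LOCAL, 6, tcp(80, 40000, 0x12))
```

       With dnat_detection=False the HOP_DNAT reply is discarded, which is why
       --no-dnat-strict can make hops behind such a NAT device look unresponsive.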

EXAMPLES

       Please see the examples.txt file included in the tcptraceroute
       distribution for a few real world examples.

       To trace the path to a web server listening for connections on port 80:

              tcptraceroute webserver

       To trace the path to a mail server listening for connections on port
       25:

              tcptraceroute mailserver 25


BUGS

       No error checking is performed on the source address specified by the
       -s flag, and it is therefore possible for tcptraceroute to send out TCP
       SYN packets for which it has no chance of seeing a response.


AUTHOR

       Michael C. Toren <mct@toren.net>


AVAILABILITY

       For updates, please see:
              http://michael.toren.net/code/tcptraceroute/


SEE ALSO

       traceroute(8), ping(8), nmap(1)



                                 2006 March 28                TCPTRACEROUTE(1)