1LFT(8) BSD System Manager's Manual LFT(8)
2
4 lft — display the route packets take to a network host/socket; optionally
5 show heuristic network information in transitu
6
8 lft [-d dport] [-s sport] [-m retry min] [-M retry max] [-a ahead]
9 [-c scatter ms] [-t timeout ms] [-l min ttl] [-H max ttl] [-q ISN]
10 [-D device] [-ACENRSTVehinrvz] [<gateway> <...>] target:dport
11
13 The Internet is a large and complex aggregation of network hardware, con‐
14 nected together by gateways. Tracking the route one's packets follow (or
15 finding the miscreant gateway that's discarding your packets) can be dif‐
16 ficult. (from traceroute(8))
17 lft sends various TCP probes (differing from Van Jacobson's UDP-based
19 method) utilizing the IP protocol `time to live' field and attempts to
20 elicit an ICMP TIME_EXCEEDED (during transit) response from each gateway
21 along the path to some host. lft also listens for various TCP and ICMP
22 messages along the way to assist network managers in ascertaining per-
23 protocol heuristic routing information and can optionally retrieve vari‐
24 ous information about the networks it traverses.
25 The only mandatory parameter is the target host name or IP number.
27 Options toggle the display of more interesting data or change the vari‐
28 ables of the trace itself. The (-E/-e) adaptive option tries several
29 combinations of TCP states (changing flags inside the probes it sends) in
30 order to improve the chances of a successful trace and expose stateful
31 packet filters.
32 Other options are:
34 -d dport
36 Set dport as the destination TCP port of the probes LFT gener‐
37 ates. Default is 80. This option is useful to see if packets
38 follow a different route based on protocol destination, a likely
39 scenario when load balancers or proxies are involved. This
40 option may also bypass less sophisticated packet filter configu‐
41 rations.
42 -s sport
44 Set sport as the origin TCP port of the probes LFT generates.
45 Default is 53. This option is useful to see if packets follow a
46 different route based on protocol source. This option may also
47 bypass less sophisticated packet filter configurations.
48 -z Automatically select a pseudo-random source port. This option
50 may be useful if your local packet filter or proxy doesn't allow
51 you to use source ports outside of the dymanic range allocation.
52 -m min Set min as the minimum number of probes to send per host.
54 Default is 1 unless adaptive (-E) mode is used.
55 -M max Set max as the maximum number of probes to send per host.
57 Default is 5.
58 -a ahead
60 Set ahead as the number of hops forward to query before waiting
61 for a response. Default is 5.
62 -c scatter ms
64 Set scatter ms as the minimum number of milliseconds to wait
65 between sending probes. Default is 20.
66 -t timeout ms
68 Set timeout ms as the maximum number of milliseconds to wait
69 before assuming a probe was lost/discarded. Default is 1000.
70 -l min ttl
72 Set min tll as the minimum TTL (time-to-live) on outgoing probes
73 (essentially, the first hop in the line that you want to dis‐
74 play). Default is 1.
75 -q ISN Set ISN as the ISN (initial sequence number) of the first probe.
77 If unset, one will be automatically generated using a pseudo-ran‐
78 dom, time-seeded algorithm.
79 -D device
81 Set device as the network device or IP address to be used.
82 (e.g., "en1" or "1.2.3.4") If unset, lft will attempt to deter‐
83 mine and acquire the appropriate interface based on routing.
84 -H ttl Set ttl as the maximum TTL, essentially the maximum route traver‐
86 sal distance in hops. Default is 30.
87 -i Disable "stop" on ICMP other than TTL expired.
89 -n Print addresses numerically rather than symbolically and numeri‐
91 cally. Disables use of the DNS resolver completely.
92 -h Print addresses symbolically rather than symbolically and numeri‐
94 cally. If the DNS resolver fails to resolve an address, the
95 address is printed numerically.
96 -E/e Enable use of the adaptive engine which tries several combina‐
98 tions of TCP states (changing flags inside the probes it sends)
99 in order to improve the chances of a successful trace. The
100 engine also displays other useful information such as stateful
101 inspection firewalls or broken IP stacks encountered along the
102 way.
103 -N Enable lookup and display of network names (e.g., [GNTY-NET‐
105 BLK-4]). This option queries various registries of network
106 address allocation such as ARIN, RIPE, and APNIC.
107 -A Enable lookup and display of of AS (autonomous system) numbers
109 (e.g., [1]). This option queries one of several whois servers
110 (see options 'C' and 'R') in order to ascertain the origin ASN of
111 the IP address in question. By default, LFT uses the pWhoIs ser‐
112 vice whose ASN data tends to be more accurate and more timely
113 than using the RADB as it is derived from the Internet's global
114 routing table and multiple Tier-1 ISP perspectives. See
115 www.pwhois.org
116 -r Force use of the RIPE NCC RIS whois service to lookup ASNs. This
118 is an alternative source of timely ASN-related information built
119 using the Internet's global routing table and multiple Tier-1 ISP
120 perspectives. See www.ripe.net/projects/ris
121 -C Force use of the Cymru whois service to lookup ASNs. This is an
123 alternative source of timely ASN-related information built using
124 the Internet's global routing table and multiple Tier-1 ISP per‐
125 spectives. See www.cymru.com
126 -R Force use of the RADB whois service to lookup ASNs. This tends
128 to be quick, but incomplete and usually inaccurate with regard to
129 the 'actual' Internet routing table. See www.radb.net
130 -T Enable display of LFT's execution timer. This option places
132 timers on the trace itself and on lookups and name resolution to
133 show where LFT is spending its time, waiting on resolvers, or
134 processing trace packets.
135 -S Suppress display of the real-time status bar. This option makes
137 LFT show its completed trace output only, no-frills.
138 -V Display verbose output. Use more V's for more info.
140 -v Display version information, then exit(1).
142 Any hosts listed after these options and before the final host/target
144 will comprise the loose source route. Since network operators have secu‐
145 rity concerns regarding the use of source routing, don't expect the LSRR
146 options to do anything for you in most public networks.
147
149 A sample use and output might be:
150 [edge.lax]$ lft -S 4.2.2.2
152 Hop LFT trace to vnsc-bak.sys.gtei.net (4.2.2.2):80/tcp
154 1 ln-gateway.centergate.com (206.117.161.1) 0.5ms
155 2 isi-acg.ln.net (130.152.136.1) 2.3ms
156 3 isi-1-lngw2-atm.ln.net (130.152.180.21) 2.5ms
157 4 gigabitethernet5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249) 3.0ms
158 5 p6-0.lsanca1-cr6.bbnplanet.net (4.24.4.2) 3.4ms
159 6 p6-0.lsanca2-br1.bbnplanet.net (4.24.5.49) 3.3ms
160 7 p15-0.snjpca1-br1.bbnplanet.net (4.24.5.58) 10.9ms
161 8 so-3-0-0.mtvwca1-br1.bbnplanet.net (4.24.7.33) 11.1ms
162 9 p7-0.mtvwca1-dc-dbe1.bbnplanet.net (4.24.9.166) 11.0ms
163 10 vlan40.mtvwca1-dc1-dfa1-rc1.bbnplanet.net (128.11.193.67) 11.1ms
164 ** [neglected] no reply packets received from TTLs 11 through 20
165 ** [4.2-3 BSD bug] the next gateway may errantly reply with reused TTLs
166 21 [target] vnsc-bak.sys.gtei.net (4.2.2.2) 11.2ms
167 The (-S) option was used to suppress the real-time status bar for clean
170 output. LFT's "**" notifiers in between hops 10 and 21 represent addi‐
171 tional useful information: the first is a "[neglected]" indicator that
172 lets us know that none of the probes sent with the TTLs indicated
173 elicited responses. This could be for a variety of reasons, but the
174 cause of this specific occurrence is described in the next informative
175 message which indicates that this is likely the result of a bug in the
176 4.[23] BSD network code (and its derivatives): BSD 4.x (x < 3) sends an
177 unreachable message using whatever TTL remains in the original datagram.
178 Since, for gateways, the remaining TTL is zero, the ICMP "time exceeded"
179 is guaranteed to not make it back to us. LFT does its best to identify
180 this condition rather than print lots and lots of hops that don't exist
181 (trying to reach a high enough TTL).
182 Now, using the adaptive engine option:
184 [edge.lax]$ lft -E -S 4.2.2.1
187 Hop LFT trace to vnsc-pri.sys.gtei.net (4.2.2.1):80/tcp
189 1 ln-gateway.centergate.com (206.117.161.1) 0.5/0.5ms
190 2 isi-acg.ln.net (130.152.136.1) 2.1/2.3ms
191 3 isi-1-lngw2-atm.ln.net (130.152.180.21) 2.6/7.1ms
192 4 gigabitethernet5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249) 6.1/3.9ms
193 ** [firewall] the next gateway may statefully inspect packets
194 5 p0-0-0.lsanca1-csr1.bbnplanet.net (4.24.4.10) 155.4/3.7ms
195 6 [target] vnsc-pri.sys.gtei.net (4.2.2.1) 22.6/3.7/*/*/*/*/*ms
196 In the scenario above, the adaptive engine was able to identify a state‐
199 ful, packet-inspecting firewall in the path. Another example with more
200 options:
201 [edge.lax]$ lft -S -A -T -m 2 -d 80 -s 53 www.yahoo.com
204 Hop LFT trace to w9.scd.yahoo.com (66.218.71.88):80/tcp
206 1 [226] ln-gateway.centergate.com (206.117.161.1) 1 ms
207 2 [226] isi-acg.ln.net (130.152.136.1) 2 ms
208 3 [226] isi-1-lngw2-atm.ln.net (130.152.180.21) 3 ms
209 4 [1] gigether5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249) 3 ms
210 5 [1] p6-0.lsanca1-cr6.bbnplanet.net (4.24.4.2) 5 ms
211 6 [1] p6-0.lsanca2-br1.bbnplanet.net (4.24.5.49) 3 ms
212 7 [1] p1-0.lsanca2-cr2.bbnplanet.net (4.25.112.1) 3 ms
213 8 [16852] pos4-0.core1.LosAngeles1.Level3.net (209.0.227.57) 3 ms
214 9 [3356] so-4-0-0.mp1.LosAngeles1.Level3.net (209.247.10.193) 3 ms
215 10 [3356] so-3-0-0.mp2.SanJose1.Level3.net (64.159.1.130) 11 ms
216 11 [3356] gige10-0.ipcolo4.SanJose1.Level3.net (64.159.2.42) 11 ms
217 12 [3356] cust-int.level3.net (64.152.81.62) 52 ms
218 13 [10310] vl17.bas2.scd.yahoo.com (66.218.64.150) 53 ms
219 14 [10310] w9.scd.yahoo.com (66.218.71.88) [target] 54 ms
220 LFT's trace took 5.23 seconds. Resolution required 3.58 seconds.
222 Note the -Ar above displays ASNs using the RADB as a whois source. A
225 better option may have been to use the -A alone or perhaps -AC.
226 And why not request netblock lookups?
228 [edge.lax]$ lft -S -N www.microsoft.com
231 Hop LFT trace to www.us.microsoft.com (207.46.197.113):80/tcp
233 1 [LOS-NETTOS-BLK4] ln-gateway.centergate.com (206.117.161.1) 2 ms
234 2 [LOS-NETTOS] isi-acg.ln.net (130.152.136.1) 3 ms
235 3 [LOS-NETTOS] isi-1-lngw2-pos.ln.net (130.152.80.30) 5 ms
236 4 [GNTY-4-0] gigether5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249) 4 ms
237 5 [GNTY-4-0] p6-0.lsanca1-cr6.bbnplanet.net (4.24.4.2) 3 ms
238 6 [GNTY-4-0] p6-0.lsanca2-br1.bbnplanet.net (4.24.5.49) 3 ms
239 7 [GNTY-4-0] p15-0.snjpca1-br1.bbnplanet.net (4.24.5.58) 10 ms
240 8 [GNTY-4-0] p9-0.snjpca1-br2.bbnplanet.net (4.24.9.130) 11 ms
241 9 [GNTY-4-0] so-1-0-0.sttlwa2-br1.bbnplanet.net (4.0.3.229) 27 ms
242 10 [GNTY-4-0] so-0-0-0.sttlwa1-hcr1.bbnplanet.net (4.24.11.202) 28 ms
243 11 [GNTY-4-0] so-7-0-0.sttlwa1-hcr2.bbnplanet.net (4.24.10.234) 28 ms
244 12 [GNTY-4-0] p1-0.sttlwa1-cr2.bbnplanet.net (4.24.10.241) 29 ms
245 13 [GNTY-4-0] p2-0.msseattle.bbnplanet.net (4.25.89.6) 32 ms
246 14 [MICROSOFT-GLOBAL-NET] 207.46.154.9 32 ms
247 15 [MICROSOFT-GLOBAL-NET] 207.46.155.17 33 ms
248 16 [MICROSOFT-GLOBAL-NET] 207.46.129.51 [prohibited] 35 ms
249
252 Victor Oppleman, Eugene Antsilevitch, and other helpers around the world.
253
255 Nils McCarthy: Thanks to Nils for writing 'FFT', LFT's predecessor.
256
258 To report bugs, send e-mail to <lft@oppleman.com>
259
261 traceroute(8), netstat(1), whois(1), whob(8)
262
264 The lft command first appeared in 1998 as 'fft'. Renamed as a result of
265 confusion with fast fourier transforms, lft stands for 'layer four
266 traceroute.'
267LFT August 17, 2002 LFT