9

How does the TCP ping or traceroute work? Does it take into account just the time it takes to establish the TCP handshake?

Also in ICMP ping you can specify the packet size, can this be achieved in TCP ping?

GeorgeU
  • I don't know anyone that runs a tcp echo server; perhaps you mean UDP? – Chris S May 12 '11 at 22:19
    My understanding is that there are tools that do this without the ECHO. What they do is they send a SYN packet to the router on port 80 and wait for the ACK. I just want to confirm this is what it is... here is a commercial tool http://www.netscantools.com/nstpro_ping.html – GeorgeU May 12 '11 at 22:21

4 Answers

6

I believe you are referring to these utilities:

http://www.vdberg.org/~richard/tcpping.html

http://michael.toren.net/code/tcptraceroute/

Since tcpping requires tcptraceroute, I'll start with tcptraceroute.

The author of tcptraceroute states that unlike a traditional traceroute, "By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters."

Further: It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host.

So, tcptraceroute does not measure the time it takes to complete the three-way handshake because that never happens. It measures the time from the initial SYN to the SYN/ACK. This is sometimes referred to as a half-open connection scan.

From the nmap manpage:

          This technique is often referred to as half-open scanning,
          because you don’t open a full TCP connection. You send a SYN
          packet, as if you are going to open a real connection and then
          wait for a response. A SYN/ACK indicates the port is listening
          (open), while a RST (reset) is indicative of a non-listener. If
          no response is received after several retransmissions, the port
          is marked as filtered. The port is also marked filtered if an
          ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is
          received.

As to your packet size question, the above description also has the answer. Since tcptraceroute sends a standard SYN packet, it should be a small packet, perhaps 64 bytes.

dmourati
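As an added illustration (not code from this answer, from tcptraceroute or from nmap), the snippet below applies the reply rules quoted from the nmap manpage to constructed IPv4/TCP and IPv4/ICMP reply packets and computes the half-open RTT (SYN out to first reply in). The addresses, ports and helper names are made up; nothing is sent on a network.

```python
import struct

# Classifier for replies to a single TCP SYN probe, following the nmap
# manpage text quoted above. All packets are constructed inline (example code).
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP destination-unreachable (type 3) codes that mark a port "filtered"
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}

def classify_reply(ip_packet: bytes) -> str:
    """Map a raw IPv4 reply to open / closed / filtered / unknown."""
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = ip_packet[9]
    payload = ip_packet[ihl:]
    if proto == 6:                           # TCP: look at the flags byte
        flags = payload[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"                    # SYN/ACK: a listener answered
        if flags & TCP_RST:
            return "closed"                  # RST: non-listener
    elif proto == 1:                         # ICMP: type and code
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == 3 and icmp_code in FILTERED_UNREACH_CODES:
            return "filtered"
    return "unknown"                         # e.g. no reply, or an unrelated ICMP

def rtt_ms(sent_at: float, received_at: float) -> float:
    """Half-open RTT in milliseconds: the handshake is never completed."""
    return (received_at - sent_at) * 1000.0

# --- constructed sample replies (checksums left at zero, not validated) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    # version/IHL 0x45, TTL 64, constructed src 192.0.2.1 -> dst 192.0.2.2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def tcp(flags: int) -> bytes:
    # src port 80, dst port 40000, seq/ack 0, data offset 5 (20 bytes)
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, flags, 65535, 0, 0)

def icmp_unreachable(code: int) -> bytes:
    return struct.pack("!BBHI", 3, code, 0, 0)  # type 3, given code

SYN_ACK_REPLY = ipv4(6, tcp(TCP_SYN | TCP_ACK))
RST_REPLY = ipv4(6, tcp(TCP_RST | TCP_ACK))
ADMIN_PROHIBITED = ipv4(1, icmp_unreachable(13))

if __name__ == "__main__":
    for name, pkt in [("SYN/ACK", SYN_ACK_REPLY), ("RST", RST_REPLY),
                      ("ICMP 3/13", ADMIN_PROHIBITED)]:
        print(name, "->", classify_reply(pkt))
    print("rtt", rtt_ms(1000.0, 1000.0123), "ms")
```
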
0

I am not aware of any standard specification or reference implementation for "TCP Ping" or "TCP Traceroute", so you probably need to pick a particular pair of tools that implement these tests and then use a packet sniffer to see what those particular tools do.

Spiff
-2

Does it take into account just the time it takes to establish the TCP handshake?

no... your machine sends out 3 UDP packets with a TTL (Time-to-Live) of 1. When those packets reach the next hop router, it will decrease the TTL to 0 and thus reject the packet. It will send an ICMP Time-to-Live Exceeded (Type 11), TTL equal 0 during transit (Code 0) back to your machine - with a source address of itself, therefore you now know the address of the first router in the path.

More info: please see http://www.tek-tips.com/faqs.cfm?fid=381

Pete White
  • +1 But it does not have to send three, that is arbitrary and controllable, and it sends ICMP packets not UDP as a rule. – Orbling May 12 '11 at 22:48
  • The question is not about the traditional traceroute which utilizes ICMP, or the UDP alternate. It is specifically for Traceroute that relies on TCP packets. – GeorgeU May 12 '11 at 22:51
  • @Orbling the original Unix traceroute, and all Un*x-like traceroutes to this day by default send UDP packets out, and get ICMP time exceeded packets back. You might be thinking of a nonstandard implementation of traceroute, such as Microsoft's "tracert". – Spiff May 13 '11 at 03:51
-2

Traceroute is a network debugging utility that attempts to trace the path a packet takes through the network. Traceroute transmits packets with small time to live (TTL) values. At every router the value is decremented by 1, and if the TTL reaches 0 the packet has expired and is discarded. Traceroute depends on the common router practice of sending an ICMP Time Exceeded message, documented in RFC 792, back to the sender when this occurs.

Stephen Lembert