
For a few days now I have been making the interesting observation that a machine intermittently does not respond to an ICMP ping, while it still responds to an ICMP-based traceroute (specifically set via the -I parameter).

As far as I know both would use ICMP's echo request, so I wouldn't expect any difference there.

Would anyone have an explanation for this?

  • ICMP ping primarily uses ICMP echo request and ICMP echo reply. traceroute/tracert on the other hand depend a bit on the implementation. I suggest: https://en.m.wikipedia.org/wiki/Traceroute or the awesome http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional-ebook/dp/B00666M52S/ref=sr_1_2_twi_2_kin?s=books&ie=UTF8&qid=1436114132&sr=1-2&keywords=TCP%2FIP+Illustrated%2C+Vol.+1%3A+The+Protocols – ErikE Jul 05 '15 at 16:32

2 Answers

Most probably the pong from ping is blocked/gets discarded, while traceroute uses an error message from a node/hop to determine the route. Traceroute is not a standard tool, in that it uses a trick to get the information. The trick is to manipulate the TTL, so the hop responds with an ICMP error (ICMP TTL exceeded), and that is why this is possible.

Konrad Gajewski
  • Thanks Konrad, if I understand you correctly you are saying it would work because instead of sending an ICMP reply it sends a TTL exceeded, and the former would be blocked while the latter wouldn't be. Correct? –  Jul 05 '15 at 15:54
  • Yes. Why it blocks the pong - I don't know. I can just guess. From my experience, I have rarely seen traceroute blocked, but ICMP echo gets blocked more often. But since you are saying that it is intermittent, something else must be going on. You need to diagnose it further. Faulty firewall? Failing equipment? – Konrad Gajewski Jul 05 '15 at 16:18

I could give you a list of all header fields in the IP header. And for each header field, I could explain that ping and traceroute might use different values for that field. And that the other end of the connection might filter traffic based on the value of that header field.

That would however not be a very helpful answer. Instead I'll suggest you inspect the header fields of the outgoing traffic using a tool designed for that purpose. You can use tcpdump to perform an initial analysis and save the traffic for further investigation. For more thorough inspection I find Wireshark to be a better suited tool; it can inspect traffic previously captured using tcpdump, and it can also capture traffic directly from the network interface so that you can inspect it in real time.

The most obvious differences to look for would be the length and hop limit. With traceroute the receiving end will receive packets with varying hop limit, and as long as it responds to one of them, you will see the response. With ping it will receive only a specific hop limit.

You also need to pay attention to whether any replies are actually received. On a misconfigured target you might see packets being silently dropped, but a properly configured target could send you an error message indicating why it won't process the request. It is possible that an odd response would be dropped as unexpected by one program while being displayed by the other.

Several of the header fields can be varied using command line flags for both ping and traceroute. If you suspect a specific header field is triggering different behavior, look for command line flags to modify that specific header field to confirm your suspicion.

kasperd
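To make the difference the two answers describe concrete, here is an added example (not code from either answer, and not real captured traffic): a small decoder that tells an ICMP echo reply (what ping waits for) apart from an ICMP Time Exceeded error (what `traceroute -I` relies on), and recovers the probe's original hop limit from the header quoted inside the error. All addresses, identifiers and sequence numbers are constructed.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_icmp(itype: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, 4 bytes 'rest of header', payload."""
    msg = struct.pack("!BBH", itype, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def classify_icmp(packet: bytes) -> dict:
    """Decode an IPv4/ICMP packet into what ping or traceroute would see."""
    ihl = (packet[0] & 0x0F) * 4
    reply_ttl, proto = packet[8], packet[9]
    if proto != 1:
        return {"kind": "not-icmp"}
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype == 0:  # echo reply: identifier and sequence sit in the ICMP header
        ident, seq = struct.unpack("!HH", icmp[4:8])
        return {"kind": "echo-reply", "reply_ttl": reply_ttl, "id": ident, "seq": seq}
    if itype in (3, 11):
        # Error messages quote the offending IP header plus its first 8 payload
        # bytes, so the probe's own TTL and ICMP id/seq can be read back out.
        inner = icmp[8:]
        inner_ihl = (inner[0] & 0x0F) * 4
        ident, seq = struct.unpack("!HH", inner[inner_ihl + 4:inner_ihl + 8])
        return {"kind": "time-exceeded" if itype == 11 else "dest-unreachable",
                "code": code, "reply_ttl": reply_ttl, "probe_ttl": inner[8],
                "id": ident, "seq": seq}
    return {"kind": "other", "type": itype, "code": code}

# Constructed sample traffic (hypothetical hosts, not a real capture).
ECHO_REQ = build_icmp(8, 0, struct.pack("!HH", 0x1234, 7), b"x" * 32)
PING_REPLY = build_ipv4("10.0.0.2", "10.0.0.1", 64,
                        build_icmp(0, 0, struct.pack("!HH", 0x1234, 7), b"x" * 32))
TR_PROBE = build_ipv4("10.0.0.1", "10.0.0.2", 1, ECHO_REQ)  # traceroute -I, TTL 1
TR_REPLY = build_ipv4("10.0.0.254", "10.0.0.1", 255,
                      build_icmp(11, 0, b"\x00" * 4, TR_PROBE[:28]))
```

A firewall that drops type 0 but forwards type 11 produces exactly the symptom in the question: `classify_icmp` would see only the second kind of packet.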