Why can I ping an IP address but not 'traceroute' it?

47

18

I can ping an IP address, but I can't traceroute it. How could this be?

[USERNAME@HOSTNAME ~]$ ping CENSORED.CENSORED
PING CENSORED.CENSORED (CENSORED) 56(84) bytes of data.
64 bytes from CENSORED.CENSORED (CENSORED): icmp_req=1 ttl=49 time=52.8 ms
64 bytes from CENSORED.CENSORED (CENSORED): icmp_req=2 ttl=49 time=49.4 ms
64 bytes from CENSORED.CENSORED (CENSORED): icmp_req=3 ttl=49 time=49.2 ms
64 bytes from CENSORED.CENSORED (CENSORED): icmp_req=4 ttl=49 time=50.4 ms
^C
--- CENSORED.CENSORED ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 49.276/50.494/52.804/1.401 ms
[USERNAME@HOSTNAME ~]$
[USERNAME@HOSTNAME ~]$ traceroute CENSORED.CENSORED
traceroute to CENSORED.CENSORED (CENSORED), 30 hops max, 60 byte packets
 1  CENSORED (CENSORED)  5.733 ms  6.000 ms  5.977 ms
 2  CENSORED (CENSORED)  0.428 ms  0.417 ms  0.393 ms
 3  CENSORED (CENSORED)  1.726 ms  1.718 ms  1.682 ms
 4  CENSORED (CENSORED)  26.699 ms  26.693 ms  26.670 ms
 5  CENSORED (CENSORED)  27.785 ms  27.769 ms  27.746 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
[USERNAME@HOSTNAME ~]$

The fifth CENSORED IP address in the traceroute isn't the same as at the "ping CENSORED.CENSORED".

LanceBaynes

Posted 2011-05-04T10:05:03.373

Reputation: 3 510

these stars do not mean censored, they mean there was no response – jbu – 2017-01-20T04:18:50.977

What's the output from the traceroute? – ChrisF – 2011-05-04T10:35:56.620

1why is the IP "censored" ? – Sathyajith Bhat – 2011-05-04T10:57:23.163

1why is the IP "censored" ... maybe because it's not public?? pff – LanceBaynes – 2011-05-04T11:04:59.663

8I presume the poster redacted the IP so that we don't try to hack his machine. – msw – 2011-05-04T11:18:22.147

Answers

42

Try using a different method in your traceroute, for example TCP SYN or ICMP instead of the default UDP method.

For example, note the difference between ICMP and TCP:

x@x:~$ ping -qc4 94.254.2.51
PING 94.254.2.51 (94.254.2.51) 56(84) bytes of data.
--- 94.254.3.90 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3009ms
rtt min/avg/max/mdev = 7.781/7.807/7.836/0.067 ms

x@x:~$ sudo traceroute -I 94.254.2.51
traceroute to 94.254.2.51 (94.254.2.51), 30 hops max, 40 byte packets
1  <REDACTED>
2  <REDACTED>
3  <REDACTED>
4  <REDACTED>
5  netnod-ix-ge-a-sth-1500.bahnhof.net (194.68.123.85)  1.307 ms  1.299 ms  1.432 ms
6  sto-cr1.sto-cr3.bahnhof.net (85.24.151.165)  7.166 ms  7.364 ms  7.336 ms
7  sto-cr3.gav-cr1.bahnhof.net (85.24.151.195)  7.251 ms  7.099 ms  7.220 ms
8  zitius-a322-gw-c.bahnhof.net (85.24.153.249)  7.059 ms  7.074 ms  7.145 ms
9  h-2-51.A322.priv.bahnhof.se (94.254.2.51)  7.619 ms  7.750 ms  8.070 ms

x@x:~$ sudo traceroute -T 94.254.2.51
traceroute to 94.254.2.51 (94.254.2.51), 30 hops max, 40 byte packets
1  <REDACTED>
2  <REDACTED>
3  <REDACTED>
4  <REDACTED>
5  netnod-ix-ge-a-sth-1500.bahnhof.net (194.68.123.85)  1.621 ms  1.683 ms  1.817 ms
6  sto-cr1.sto-cr3.bahnhof.net (85.24.151.165)  8.530 ms  7.861 ms  7.820 ms
7  sto-cr3.gav-cr1.bahnhof.net (85.24.151.195)  7.724 ms  7.539 ms  7.486 ms
8  zitius-a322-gw-c.bahnhof.net (85.24.153.249)  7.572 ms  7.537 ms  7.553 ms
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *

Tzarium

Posted 2011-05-04T10:05:03.373

Reputation: 811

2-T doesn't seem to be a switch for OSX. Is there an alternative to use TCP SYN on OSX? – Manachi – 2017-02-09T06:16:39.243

2@Manachi: brew install tcptraceroute – iolsmit – 2017-09-17T17:51:56.120

1@Manchi: read the manpage... : "traceroute -P TCP <IP>" – benba – 2017-11-16T20:29:53.223
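Added example, not part of the original answer or its comments: a Python parser that summarizes traceroute runs made with different probe methods, reporting whether the target replied and where replies stopped. The two sample outputs are constructed with documentation addresses, `summarize` is a hypothetical helper name, and the parser assumes the default output format with addresses in parentheses (no `-n`).

```python
import re

ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # "(a.b.c.d)" as printed without -n
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                # hop number, then the rest of the row

def summarize(output):
    """Summarize one traceroute run: did the target answer, and where did replies stop?"""
    lines = output.strip().splitlines()
    target = ADDR.search(lines[0]).group(1)           # header: "traceroute to host (ip), ..."
    hops = []                                         # (hop number, replying IP or None)
    for line in lines[1:]:
        m = HOP.match(line)
        if m:
            ips = ADDR.findall(m.group(2))
            hops.append((int(m.group(1)), ips[-1] if ips else None))
    answered = [(n, ip) for n, ip in hops if ip]
    last_hop, last_ip = answered[-1] if answered else (0, None)
    return {
        "reached": last_ip == target,
        "last_hop": last_hop,
        "last_ip": last_ip,
        # silent rows before the last reply: hops that forward but do not answer
        "gaps": sum(1 for n, ip in hops if ip is None and n < last_hop),
        # silent rows after the last reply: this probe type is dropped further on
        "trailing": sum(1 for n, ip in hops if ip is None and n > last_hop),
    }

# Constructed sample output (documentation addresses), one run per probe method.
ICMP_RUN = """traceroute to 203.0.113.51 (203.0.113.51), 30 hops max, 40 byte packets
 1  gw.example.net (192.0.2.1)  0.4 ms  0.4 ms  0.4 ms
 2  * * *
 3  core.example.net (198.51.100.9)  7.1 ms  7.3 ms  7.3 ms
 4  host.example.net (203.0.113.51)  7.6 ms  7.7 ms  8.0 ms
"""
TCP_RUN = """traceroute to 203.0.113.51 (203.0.113.51), 30 hops max, 40 byte packets
 1  gw.example.net (192.0.2.1)  0.4 ms  0.4 ms  0.4 ms
 2  * * *
 3  core.example.net (198.51.100.9)  7.5 ms  7.5 ms  7.5 ms
 4  * * *
 5  * * *
 6  * * *
"""

if __name__ == "__main__":
    for method, run in (("icmp", ICMP_RUN), ("tcp", TCP_RUN)):
        print(method, summarize(run))
```

A run with `gaps` but `reached` true has silent routers on a working path; a run with only `trailing` rows shows that this probe type gets no reply past `last_hop`, while another method may still reach the target.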

23

Traceroute is based on ICMP or UDP packets. It effectively pings each router on the path between you and censored.censored. It increases the Time-To-Live (TTL) for each subsequent packet it sends (from 1-30 normally) expecting that as each packet is sent with an increased TTL from the last, the next router in the path will return an error code.

If hop 6 isn't responding, it's probably specifically blocking ICMP/UDP messages. Ping therefore works because the routers between you and it are just passing the ICMP/UDP packets through to it rather than responding to them, as they do with a traceroute.

Rhys Gibson

Posted 2011-05-04T10:05:03.373

Reputation: 4 218

2On most (all?) *nix distros, traceroute uses UDP by default, not ICMP. – h0tw1r3 – 2011-05-04T16:35:22.780

Good point, will amend. – Rhys Gibson – 2011-05-04T20:26:40.327

so all the routers after 5 block UDP? is that correct? – LanceBaynes – 2011-05-06T06:19:17.867

I don't think so. Someone else might have a better explanation but I think that hop 6 isn't responding and isn't passing on the packets, as otherwise you'd at least get a last response from your destination (unless it's more than 30 hops away). – Rhys Gibson – 2011-05-07T05:28:57.483

1But I'm sure that it's less than 30 hops away. So the answer isn't good. At hop 7,8,9,etc. I would have replies in the traceroute :\ – LanceBaynes – 2011-05-08T17:02:12.567

It's not about whether the routers between you and the end host block UDP (they almost certainly don't), but the end host isn't responding to the standard UDP method of tracerouting (which is far from uncommon, hence the invention of ICMP and TCP tracerouting).

If the end host was reachable but intermediate routers dropped TTL=1 packets, you'd see a couple of lines with "* * *" and THEN your end host, which (as you said) is probably less than 30 hops away. – Tzarium – 2011-05-10T13:17:30.360

12

I saw no answer to the why part of the question.

Several ISPs are known to make their routers stealth to traceroute in two ways: they either don't decrement TTL in IP packets (making themselves IP wormholes) or they don't respond to expired TTL while still forwarding ICMP.

The reason is to keep their internal network topology private. That's all.

Issuing traceroutes from/to multiple sources/destinations reveals information on network topology, which is something not everyone appreciates.

usr-local-ΕΨΗΕΛΩΝ

Posted 2011-05-04T10:05:03.373

Reputation: 3 733
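Added example, not part of any answer on this page: a simplified Python model of the TTL mechanism and the router behaviours described in the answers above (a router that forwards but sends no expiry reply, a router that does not decrement TTL, and a destination that replies only to ICMP). The `Node` class, the path and all node names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    decrements_ttl: bool = True    # False: hop is invisible (the "IP wormhole" case)
    reports_expiry: bool = True    # False: forwards traffic but never sends Time Exceeded
    answers: tuple = ()            # probe types a destination host replies to

def send(path, ttl, probe):
    """Return the name of the node that replies to one probe, or None for no reply."""
    *routers, dest = path
    for r in routers:
        if r.decrements_ttl:
            ttl -= 1
            if ttl == 0:           # TTL expired here: router replies, or stays silent
                return r.name if r.reports_expiry else None
    # Probe arrived at the target; a host that filters this probe type says nothing.
    return dest.name if probe in dest.answers else None

def traceroute(path, probe, max_hops=30):
    """One row per TTL value, '*' where nothing came back; stop when the target answers."""
    rows = []
    for ttl in range(1, max_hops + 1):
        rows.append(send(path, ttl, probe) or "*")
        if rows[-1] == path[-1].name:
            break
    return rows

def ping(path):
    """An echo request with a large TTL: only the target's reply matters."""
    return send(path, 64, "icmp") == path[-1].name

# Constructed path, not taken from the page.
PATH = [
    Node("r1"), Node("r2"), Node("r3"),
    Node("r4", reports_expiry=False),    # silent on expiry, still forwards
    Node("r5", decrements_ttl=False),    # does not decrement TTL
    Node("dest", answers=("icmp",)),     # replies to ICMP echo only
]

if __name__ == "__main__":
    print("ping:", ping(PATH))
    print("udp :", traceroute(PATH, "udp", max_hops=8))
    print("icmp:", traceroute(PATH, "icmp"))
```

In this model the UDP trace prints `*` for every row after `r3` up to the hop limit even though ping succeeds, while the ICMP trace shows one silent row and then the target, with `r5` never appearing at all.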

2

Traceroute relies on ICMP messages, which some routers might be configured to not respond to.

LawrenceC

Posted 2011-05-04T10:05:03.373

Reputation: 63 487

Ping is ICMP as well, it doesn't explain the difference. I have the advantage of reading other answers that state traceroute can use UDP as well, which I didn't know before. – Rich Homolka – 2011-05-04T20:42:25.493

Well, one way to explicitly block traceroute ICMP packets is to drop incoming ICMP's that are TTL=1. Maybe they are doing that for some reason. – LawrenceC – 2011-05-04T21:39:25.800

2

Sometimes it's worth using ping to get traceroute-like information:

#!/bin/bash
for TTL in 1 2 3 4 5 6 7 8 9 10 11 12
do
    ping -c 1 -n -t $TTL a.b.c.d
done

By calling ping with a -t $TTL argument, you can sometimes elude the firewall, and find out IP addresses and so forth of routers behind firewalls.

Bruce Ediger

Posted 2011-05-04T10:05:03.373

Reputation: 533

3This is the same as invoking traceroute with the -I flag, although (oddly enough) that would require superuser status. – Tzarium – 2011-05-04T16:22:44.247

1@Tzarium ping also requires superuser status, it just has the suid bit set, so you get it for free. – itsadok – 2013-11-04T10:07:59.817

0

Either all nodes from 6 onwards don't respond to UDP packets, or node 6 itself blocks UDP packets. You can try the following methods, which I hope will work based on which node in the path to the destination blocks ICMP/TCP SYN:

  1. Use ICMP to traceroute: $ sudo traceroute -I <IP>

  2. Use TCP SYN to traceroute: $ sudo traceroute -T <IP>

  3. If it's the hops which it is exceeding, then use either of the following: $ sudo traceroute -I -m 60 <IP>

OR

$ sudo traceroute -T -m 60 <IP>

The latter worked for me while tracerouting to an ftp across the continent.

Naresh

Posted 2011-05-04T10:05:03.373

Reputation: 1

0

To use the ping command to traceroute in a Unix environment, try this:

for ((TTL=1;TTL<30;TTL++));
do
ping -c 1 -t $TTL <IP>;
done

Naresh

Posted 2011-05-04T10:05:03.373

Reputation: 1