forked from mct/tcptraceroute
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtcptraceroute.1
204 lines (204 loc) · 5.81 KB
/
tcptraceroute.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
.TH TCPTRACEROUTE 1 "2006 March 28"
.SH NAME
tcptraceroute \- A traceroute implementation using TCP packets
.SH SYNOPSIS
.B tcptraceroute [\-nNFSAE] [ \-i
.I interface
.B ] [ \-f
.I first ttl
.B ]
.br
.B [ \-l
.I length
.B ] [ \-q
.I number of queries
.B ] [ \-t
.I tos
.B ]
.br
.B [ \-m
.I max ttl
.B ] [ \-p
.I source port
.B ] [ \-s
.I source address
.B ]
.br
.B [ \-w
.I wait time
.B ]
.I host
.B [
.I destination port
.B ]
.B [
.I length
.B ]
.SH DESCRIPTION
.B tcptraceroute
is a traceroute implementation using TCP packets.
.P
The more traditional
.IR traceroute (8)
sends out either UDP or ICMP ECHO packets with a TTL of one, and increments
the TTL until the destination has been reached. By printing the gateways that
generate ICMP time exceeded messages along the way, it is able to determine the
path packets are taking to reach the destination.
.P
The problem is that with the widespread use of firewalls on the modern
Internet, many of the packets that
.IR traceroute (8)
sends out end up being filtered, making it impossible to completely trace the
path to the destination. However, in many cases, these firewalls will permit
inbound TCP packets to specific ports that hosts sitting behind the
firewall are listening for connections on. By sending out TCP SYN packets
instead of UDP or ICMP ECHO packets,
.B tcptraceroute
is able to bypass the most common firewall filters.
.P
It is worth noting that
.B tcptraceroute
never completely establishes a TCP connection with the destination host.
If the host is not listening for incoming connections, it will respond with
an RST indicating that the port is closed. If the host instead responds
with a SYN|ACK, the port is known to be open, and an RST is sent by the
kernel
.B tcptraceroute
is running on to tear down the connection without completing
three\-way handshake. This is the same half\-open scanning technique
that
.IR nmap (1)
uses when passed the
.BR \-sS
flag.
.SH OPTIONS
.B
.IP \-n
Display numeric output, rather than doing a reverse DNS lookup for each hop.
By default, reverse lookups are never attempted on RFC1918 address space,
regardless of the \-n flag.
.B
.IP \-N
Perform a reverse DNS lookup for each hop, including RFC1918 addresses.
.B
.IP \-f
Set the initial TTL used in the first outgoing packet. The default is 1.
.B
.IP \-m
Set the maximum TTL used in outgoing packets. The default is 30.
.B
.IP \-p
Use the specified local TCP port in outgoing packets. The default is to
obtain a free port from the kernel using
.IR bind (2).
Unlike with traditional
.IR traceroute (8),
this number will not increase with each hop.
.B
.IP \-s
Set the source address for outgoing packets. See also the \-i flag.
.B
.IP \-i
Use the specified interface for outgoing packets.
.B
.IP \-q
Set the number of probes to be sent to each hop. The default is 3.
.B
.IP \-w
Set the timeout, in seconds, to wait for a response for each probe. The
default is 3.
.B
.IP \-S
Set the TCP SYN flag in outgoing packets. This is the default, if neither
\-S or \-A is specified.
.B
.B
.IP \-A
Set the TCP ACK flag in outgoing packets. By doing so, it is possible to
trace through stateless firewalls which permit outgoing TCP connections.
.B
.IP \-E
Send ECN SYN packets, as described in RFC2481.
.B
.IP \-t
Set the IP TOS (type of service) to be used in outgoing packets. The
default is not to set any TOS.
.B
.IP \-F
Set the IP "don't fragment" bit in outgoing packets.
.B
.IP \-l
Set the total packet length to be used in outgoing packets. If the length
is greater than the minimum size required to assemble the necessary probe
packet headers, this value is automatically increased.
.B
.IP \-d
Enable debugging, which may or may not be useful.
.B
.IP \-\-dnat
.br
Enable DNAT detection, and display messages when DNAT transitions are
observed. DNAT detection is based on the fact that some NAT devices,
such as some Linux 2.4 kernels, do not correctly rewrite the IP address
of the IP packets quoted in ICMP time-exceeded messages
tcptraceroute solicits, revealing the destination IP address an outbound
probe packet was NATed to. NAT devices which correctly rewrite the IP
address quoted by ICMP messages, such as some Linux 2.6 kernels, will
not be detected. For some target hosts, it may be necessary to use
\-\-dnat in conjunction with \-\-track\-port. See the examples.txt file for
examples.
.B
.IP \-\-no-dnat
.br
Enable DNAT detection for the purposes of correctly identifying ICMP
time-exceeded messages that match up with outbound probe packets, but
do not display messages when a DNAT transition is observed. This is
the default behavior.
.B
.IP \-\-no-dnat-strict
.br
Do not perform any DNAT detection whatsoever. No attempt will be made
match up ICMP time-exceeded messages with outbound probe packets, and
when tracerouting through a NAT device which does not rewrite the IP
addresses of the IP packets quoted in ICMP time-exceeded messages, some
hops along the path may appear to be unresponsive. This option should
not be needed in the vast majority of cases, but may be utilized if
it is suspected that the DNAT detection code is misidentifying ICMP
time-exceeded messages.
.SH EXAMPLES
Please see the
.I examples.txt
file included in the
.B tcptraceroute
distribution for a few real world examples.
.P
To trace the path to a web server listening for connections on port 80:
.P
.RS
.B tcptraceroute webserver
.RE
.P
To trace the path to a mail server listening for connections on port 25:
.P
.RS
.B tcptraceroute mailserver 25
.RE
.SH BUGS
No error checking is performed on the source address specified by the \-s
flag, and it is therefore possible for
.B
tcptraceroute
to send out TCP SYN packets for which it has no chance of seeing a response
to.
.SH AUTHOR
Michael C. Toren <[email protected]>
.SH AVAILABILITY
For updates, please see:
.br
.RS
http://michael.toren.net/code/tcptraceroute/
.RE
.SH "SEE ALSO"
.IR traceroute (8),
.IR ping (8),
.IR nmap (1)