What are IP, MAC address, ping and trace? The meaning of the word "trace"


Every Internet user has heard the word "IP" at least once. When answering the question of how real hacker attacks are, we quoted the standard threat: "We will find you by your IP address!" "IP" is a colloquial short form of "IP address", which in turn is an abbreviation of Internet Protocol Address. Simply put, an IP address is the number of a device connected to the Internet. It does not have to be a computer: a router, the device through which several computers share one Internet connection, also has its own IP address.

So all devices connected to the Internet are numbered? Yes. Moreover, the supply of numbers is finite: under the current IPv4 addressing scheme there can be no more than 2 to the 32nd power of them, and the free ones have practically run out. That is why the next version, IPv6, in which the address space has been increased to 2 to the 128th power, is being actively rolled out. You cannot simply take an IP address. Your ISP assigns it to you when you connect to the Internet. The ISP, in turn, receives a block of addresses from a regional Internet registry; for Europe, the Middle East, Central Asia and Russia this is RIPE NCC, a non-profit organization based in Amsterdam (RIPE stands for the French "Réseaux IP Européens"). Similar registries control the distribution of IP addresses in the Americas, the Asia-Pacific region and Africa. Any Russian provider that wants to connect clients to the Internet must become a member of RIPE NCC, be allocated a block of addresses and pay regular fees for it.

Answering the question about computer security, we have already said that it is not so easy to actually "find someone by IP address". The fact is that an IP address is something like a SIM card with a mobile phone number: you can receive it, give it up, hand it to someone else, and so on. We have already talked about proxy servers and "gray" (private) IP addresses that mask the true address of a computer. Your home router does exactly this: it gives the computers behind it private addresses and translates all of them to its own public address (this is called NAT), so your provider "sees" only the router's IP and cannot look "further" into your home network. But a mobile phone has not only a phone number but also an identifier of the specific handset, the IMEI. Devices connected to a network also have something similar. It is called the MAC address (from the English Media Access Control). Strictly speaking, it is not the number of the computer but of the network interface installed in it: if your motherboard has several network ports, each port has its own MAC address, roughly like a power strip with three numbered sockets. Here, however, the analogy with the IMEI breaks down, and this is where popular articles usually go wrong. First, the MAC address is used only on the local link: it is seen by your router and by the provider's access switch, but it is not carried across the Internet, so a remote website never sees it. Second, unlike an IMEI, a MAC address is trivially changed in software (on Linux with "ip link set dev eth0 address ...", on Windows in the network adapter's advanced properties; modern phones even generate a random MAC for every Wi-Fi network they join). So a MAC address is a useful identifier on the network you are directly plugged into, but it is not a hardware fingerprint that "allows no tricks".

The same applies to all other devices that connect to the Internet, modems and routers included. Each can have several IP addresses but only one MAC address per network port. And while the IP address is given to you by your provider, every device comes with a MAC address from the factory; it is often printed right on the box. A provider can tie the MAC address to the IP address it issues. Many do this so that a hypothetical attacker cannot plug into your connection and use your address to reach the Internet through your home network: it is like a phone that only works with the owner's SIM card. Because the MAC can be changed, this binding alone is a speed bump rather than a wall; what a proper access switch does in addition is described below.

If the provider does not bind the MAC address to the IP address in this way, then an attacker who sits on the same provider segment (for example, in the same building) and somehow learns your IP can simply enter it in his own connection settings and go online on your behalf (he can only do so while your computer is switched off or disconnected, otherwise the two addresses conflict). In effect this is theft of your traffic. With an unlimited tariff it is not so tragic, but you must admit it is a shame if someone uses for free an expensive tariff you paid for with your hard-earned money. The more serious consequence is that everything he does online is logged by the provider against your address.
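Here is an added example, written for this edit and not part of the original article, that shows the points above in code: what a MAC address actually is (the "locally administered" bit of the first octet reveals an address set by software rather than burned in by the vendor), and how a per-port IP/MAC binding on the provider's access switch stops the address theft just described while a simple switch forwards anything. The addresses, port names and binding table are constructed for the example.

```python
"""Added example: MAC address anatomy and a per-port IP/MAC binding check.
Everything here (addresses, port names, the binding table) is constructed."""
import re
import secrets


def parse_mac(text: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or 001a.2b3c.4d5e and return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def oui(mac: str) -> str:
    """First three octets: the vendor prefix (OUI) registered with the IEEE."""
    return parse_mac(mac)[:3].hex(":").upper()


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet is the U/L bit: 0 = burned in by the
    vendor, 1 = chosen by software (spoofed, virtual NIC, phone randomization)."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0x01 of the first octet is the I/G bit; a unicast source MAC must have it clear."""
    return bool(parse_mac(mac)[0] & 0x01)


def random_private_mac() -> str:
    """What a phone does per Wi-Fi network, and what an attacker does with
    'ip link set dev eth0 address ...': 46 random bits, U/L set, I/G clear."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return octets.hex(":")


# Constructed binding table of a managed access switch in an apartment block:
# (switch port, MAC seen on that port) -> the one IP address allowed there.
BINDINGS = {
    ("Gi0/1", "00:1a:2b:3c:4d:5e"): "203.0.113.10",  # flat 3
    ("Gi0/2", "00:1a:2b:3c:4d:5f"): "203.0.113.11",  # flat 4
}


def switch_forwards(port: str, src_mac: str, src_ip: str, strict: bool) -> bool:
    """strict=True emulates a managed switch with IP-source-guard style
    bindings: a frame is forwarded only if the (port, MAC) pair is known and
    the source IP matches.  strict=False is the simple switch that forwards
    anything, which is exactly what makes the IP theft described above possible."""
    if not strict:
        return True
    return BINDINGS.get((port, parse_mac(src_mac).hex(":"))) == src_ip


if __name__ == "__main__":
    neighbour_ip, neighbour_mac = "203.0.113.10", "00:1a:2b:3c:4d:5e"
    # Flat 4 tries to use flat 3's address: first with its own MAC, then spoofing flat 3's.
    for mac in ("00:1a:2b:3c:4d:5f", neighbour_mac):
        for strict in (False, True):
            verdict = "forwarded" if switch_forwards("Gi0/2", mac, neighbour_ip, strict) else "dropped"
            print(f"port Gi0/2 mac {mac} ip {neighbour_ip} strict={strict}: {verdict}")
    mac = random_private_mac()
    print("randomized MAC", mac, "locally administered:", is_locally_administered(mac))
```

Note that even spoofing the neighbour's MAC does not help against the strict switch, because the binding is anchored to the physical port the attacker is plugged into, which he cannot change in software.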

How is the MAC address strictly bound to the IP address? This is done by the access switch installed in your building; it is this device that the cable from your apartment runs to. Such switches can be simple (unmanaged) or managed. A managed switch can remember which MAC address and which IP address are allowed on each of its ports (features usually called port security, DHCP snooping and IP source guard) and drops frames arriving on that port with any other source address; a simple switch forwards whatever it receives. Now that we have covered how devices connected to the Internet are numbered, let us talk about how their reachability is checked. First of all, this is done with ping. This is the name of a small program (utility) for checking connectivity on a network, and also the name of the delay measured when IP packets are exchanged between two computers. The lower the ping, the better the connection, and vice versa.

The delay is called this because the exchange of IP packets between computers resembles the movement of a ball in table tennis. Your computer sends an IP packet: ping. The computer you are connecting to receives it and sends one back: pong. Ping can also be compared to sending a letter by post (ordinary, not e-mail) with a delivery receipt. The person you wrote to, having received the letter at his post office, signs the receipt, and after some time you receive that receipt at your own post office; you could say you have carried out a postal ping. In general, ping is a connectivity test. There is a ping, there is a connection. No ping, no connection. Or there is a connection, but the device we are trying to reach is faulty, or, just as often, is simply configured not to answer ping (ICMP Echo) requests; a missing ping therefore proves less than people tend to assume.
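To make the "ping-pong" concrete, here is an added example (mine, not from the article) that builds the ICMP Echo Request that ping sends, computes the Internet checksum from RFC 1071 that every ICMP message carries, and parses the Echo Reply, including the send timestamp that ping hides in the payload so it can compute the round-trip time. Sending it requires a raw socket and therefore root, so the network part is confined to main(); the packet builder and parser run offline. The identifier and sample packets are constructed.

```python
"""Added example: what a ping really is on the wire.  Builds an ICMP Echo
Request, checksums it (RFC 1071) and parses the Echo Reply.  Only main()
touches the network, and only when run as root."""
import os
import socket
import struct
import time

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_HEADER = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071).
    Over a message whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Checksum is computed with the checksum field set to zero, then inserted."""
    header = ICMP_HEADER.pack(icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return ICMP_HEADER.pack(icmp_type, code, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, sent_at: float) -> bytes:
    """ping puts the send time into the payload so the reply carries it back."""
    return build_icmp(ICMP_ECHO_REQUEST, 0, ident, seq, struct.pack("!d", sent_at))


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message.  A raw socket hands you the IPv4 header too
    (first nibble 4, IHL in the low nibble), so skip it when present."""
    if packet and packet[0] >> 4 == 4:
        packet = packet[(packet[0] & 0x0F) * 4:]
    icmp_type, code, _, ident, seq = ICMP_HEADER.unpack_from(packet)
    return {
        "type": icmp_type, "code": code, "ident": ident, "seq": seq,
        "payload": packet[ICMP_HEADER.size:],
        "checksum_ok": inet_checksum(packet) == 0,
    }


def rtt_ms(reply: dict, received_at: float) -> float:
    """Round trip in milliseconds from the timestamp the reply echoed back."""
    (sent_at,) = struct.unpack("!d", reply["payload"][:8])
    return (received_at - sent_at) * 1000.0


def main(host: str = "127.0.0.1") -> None:
    """Send one ping.  Raw ICMP sockets need root (or CAP_NET_RAW); the kernel
    adds the IP header on send and includes it on receive."""
    ident = os.getpid() & 0xFFFF
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
            s.settimeout(2.0)
            s.sendto(build_echo_request(ident, 1, time.time()), (host, 0))
            deadline = time.time() + 2.0
            while time.time() < deadline:
                data, peer = s.recvfrom(1024)
                reply = parse_icmp(data)
                # On loopback we also see our own request (type 8); wait for our reply.
                if reply["type"] == ICMP_ECHO_REPLY and reply["ident"] == ident and reply["checksum_ok"]:
                    print(f"{len(reply['payload'])} bytes from {peer[0]}: seq={reply['seq']} "
                          f"time={rtt_ms(reply, time.time()):.2f} ms")
                    return
    except socket.timeout:
        pass
    print("no reply")


if __name__ == "__main__":
    main()
```

The checksum property used in parse_icmp (summing a correctly checksummed message yields zero) is the same check every router and host applies; a single flipped bit in the payload makes checksum_ok false.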

And if there is no ping, then to find out where the connection broke we need a trace. A trace is the route along which the signal (IP packet) travels from your computer to the computer you are connecting to (or want to connect to), roughly speaking, to the server hosting the site you need. Returning to the postal analogy, a trace is when you ask your recipient to send back the envelope your letter came in. That envelope bears the stamps of every post office the letter passed through, each with a date. By studying the stamps carefully you can find out how long the letter took from one sorting center to the next, and see where it moved faster, where slower, and where it got stuck. In Internet terms this whole process is called a trace route: in effect, a series of pings to every node along the way. We said earlier, when answering the very first question ("Why does the advertised Internet speed differ from the real one?"), that the path from your computer to the computer hosting the site you are loading can be very winding.

But that was theory. In practice these winding paths are a long chain of cables running from your computer (or router) to a distribution device (switch) installed in your building, from which cables go to the next switch, and from it to the next, and so on. This is what the Internet really looks like physically. And to determine which cable or switch in all this multitude has failed and is preventing you from loading your favorite site, a trace is used.

The tracert command launches a diagnostic utility that determines the route packets take across the network. It is present in all modern versions of Windows (Linux and macOS have the similar traceroute). The utility is used mainly for testing and for identifying problem areas in the network.

What does the tracert command check?

When the user runs tracert, Windows sends specially marked packets (ICMP Echo Requests with a deliberately small TTL) toward the destination. The first gateway that receives such a packet discards it and returns an ICMP "time exceeded" message to the user's computer; that message carries the address of the gateway that sent it. The next request is sent with a TTL one higher, so the first gateway passes it on and the second one discards it and reports back, and so on.

Sequential sending of packets allows you to obtain the complete route of information from the user’s computer to any node on the Internet or local network. Thus, the tracert command becomes an essential tool in diagnosing problems, allowing you to identify the area where packets are being lost.

Running the tracert command on Windows

At the command prompt, type tracert domen.ru, where instead of domen.ru you specify any domain name or IP address. This runs the utility with its default parameters.

Tracert Command Options

tracert prints a description of its switches (keys) when run with the -? parameter, or with no arguments at all.

Here is a brief description of the parameters that the tracert command supports:

  • -h maximum_hops specifies the maximum number of hops to make while searching for the destination.
  • -d stops the command from resolving intermediate gateway addresses to names; this also makes the trace noticeably faster, because no DNS lookups are made.
  • -j host-list uses loose source routing along the listed hosts (a maximum of 9 routers can be specified); most networks on the Internet drop source-routed packets, so in practice this rarely works.
  • -w timeout sets how long, in milliseconds, to wait for each reply. If no reply arrives in time, an asterisk is displayed.

By default the maximum number of hops is 30 and the timeout is 4 seconds (4000 ms).

Analogue in Linux

Linux users have a utility with broader functionality than tracert. It is called traceroute. It differs from its Windows counterpart in offering several probe modes, selected with command-line parameters.

Tracing with ICMP Echo probes (what Windows tracert always does) is started with traceroute -I; this opens a raw socket and therefore needs root (or the CAP_NET_RAW capability). With the default settings on most distributions any user can run plain traceroute: it then sends UDP probes to high, incrementing destination ports and recognizes the destination by the ICMP "port unreachable" it sends back (-U selects UDP to a single fixed port instead). There is also -T, TCP SYN probes to a port of your choice (for example -T -p 443), which often gets through firewalls that drop UDP and ICMP; it also needs root. Because the three modes can be filtered differently along the path, a trace that stops in one mode is worth repeating in another before drawing conclusions.

Asterisks in route output

Very often tracert, or its Linux counterpart, shows asterisks in some places instead of information about a node's response. This should not be taken as an error. It means only one thing: that particular router did not answer within the allotted time. There is nothing necessarily wrong with this, since there can be many reasons for it. One of them is a firewall or other security measure that blocks certain packets; another is that routers generate such answers at low priority and rate-limit them.

What should you know about route tracing?

Tracert is a very important command when diagnosing network problems. But bear in mind that it is quite easy to misread its output. So route tracing should not be used as the only means of troubleshooting.

Another reason tracing can only indirectly indicate a problem is that packets on the Internet take different routes in the two directions. As a rule, the packets you send reach the server through one set of nodes, while the packets sent back to you travel a completely different way (asymmetric routing); a trace shows only the outbound half.

The delays shown in tracert or traceroute output do not necessarily reflect the delay experienced by transit packets. This is due to how routers process them: a transit packet is forwarded in hardware, while the reply to a trace probe is generated by the router's own CPU at low priority. A hop that looks slow but is followed by hops with normal delays is therefore not a slow hop at all. To make sense of the numbers you need to know how to read the output correctly, which is not easy.

MTR utility

The MTR program is available for most operating systems. Its principle of operation is very similar to traceroute, except that it keeps polling every hop toward the given node for a period of time, which lets it record packet loss and changes in delay per hop.

The Windows version of the utility is called WinMTR and is distributed free of charge.

The user gets a graphical interface in which to enter the IP address or domain of the destination host and start collecting statistics. Typically at least 100 packets should be sent before the figures are worth analyzing.

Linux users will usually have to install mtr from their distribution's repositories; there the console version is normally used. Its options let you set the number of cycles to send (-c), produce a report instead of the live display (-r, or -w for a wide report that does not truncate host names), set the timeout, and skip name resolution (-n). The Linux version can also probe with TCP (-T) or UDP (-u) to a specific port (-P), which is useful when ICMP is filtered along the path.

What should I send to my ISP to diagnose network problems?

It is usually best to send the server administrator or ISP the output of tracert (traceroute), ping and an MTR report together. You can, of course, try to get by with only the last one, but the more information you provide, the easier it is for a specialist to find and fix the problem.

October 4, 2011 at 02:50

Traceroute: about the ability to read output

  • Why are there asterisks after node X in the traceroute?
  • The service does not work, and the traceroute breaks at node X; does this mean the problem is in node X?
  • Why do the same traceroutes on Windows and Unix show different results?
  • Why does the traceroute show long delays at a certain node?
  • Why does the traceroute show "gray" addresses when tracing over the Internet?
  • Why does the router answer the traceroute from a different address than I expect?
  • Why does the traceroute show some "strange" domain names?
  • Why does the traceroute output generally differ from what is intuitively expected more often than we would like?
Network engineers and administrators, in their relationship with traceroutes, fall into two categories: those who regularly ask themselves and those around them these questions, and those who find it hard to answer them.

This post does not provide answers to the questions above. Or almost none. But it does suggest thinking about whether they need to be asked at all, and if so, when and to whom.

On the subject of relations with traceroute, Richard Steenbergen gave a talk at NANOG 47 (2009) whose slides I recommend to everyone interested: A Practical Guide to (Correctly) Troubleshooting with Traceroute (PDF, 222 KB) (in English, of course).

I won’t retell the details here (those who wish can read them), I’ll just dwell on a set of arguments and conclusions that would be good to keep in mind before calling for help with the cry “my trace shows that...”

Everything stated below (and above) is my personal point of view. The post was written under the influence of that presentation, but it is neither a retelling of it nor, God forbid, a translation. You may even find discrepancies between the two. At the very least, do not attribute statements to Richard after reading them here without checking his slides.

Some facts (without going into detail)

  • The delay of a packet crossing the network is made up of several components: serialization, queuing and propagation. Each of them is more complex than you think.
  • The latency traceroute shows you is more complex still: routers handle packets addressed to themselves (which is what an expired probe becomes) completely differently from transit packets, typically in software on the control-plane CPU at low priority. This gives the delay values traceroute shows their peculiar character. It does not follow that you cannot use them, but you have to know how to read them.
  • Traffic on the Internet almost always takes different paths from client to server and from server to client. The RTT that traceroute shows always includes both directions, while the list of hops it shows covers only the forward direction.
  • Specifying a source address to traceroute on a device with several interfaces (a router) does not affect which interface the probes leave from; it affects the return path along which the responses travel. That return path is not visible in the output, but in this way you can measure the latency difference between parallel return routes.
  • L3 load balancing somewhere in the Internet backbone will most likely cause different probes within one trace to take different paths. The resulting output is hard to interpret, and not everyone can read it correctly.
  • When answering a traceroute probe, modern routers do not follow section 4.3.2.4 of RFC 1812, which requires the source address of an ICMP message to be that of the interface it is sent from. Instead they use the address of the interface on which the probe (the packet with TTL=1) arrived. Had it been otherwise, reading traceroute output would be much harder.
  • MPLS switching inside backbone networks (which any self-respecting large provider runs these days) leads to a counterintuitive way of returning traceroute responses (the ICMP error is carried to the end of the label-switched path before being routed back, so every hop inside the MPLS cloud shows roughly the delay of its exit) and an even less obvious way of calculating delays.
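As an added example (mine, not part of this post or of Richard's slides, and equally applicable to the reading rules in the earlier section on what to know about route tracing), here is a small analyzer that applies those rules to traceroute output: a silent hop that is followed by responding hops, a latency spike at one hop that does not carry forward to the hops after it (router control-plane delay, not path delay), partial loss at one hop that later hops do not show (ICMP rate limiting), "gray" addresses mid-path, and a trace that simply stops. It parses both the Linux traceroute and the Windows tracert formats. The two traces fed to it are constructed, and the 50 ms spike threshold is an arbitrary choice.

```python
"""Added example: a first-pass reader for traceroute/tracert output that
applies the reading rules from the text.  Both input traces are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SPIKE_MS = 50.0   # arbitrary threshold for "this hop answers much slower than the next one"

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"(<?\d+(?:\.\d+)?)\s*ms|(\*)")
ADDR_RE = re.compile(r"[\[(]([^\])]+)[\])]|\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 plus the carrier-grade NAT range.  Deliberately not ipaddress's
# is_private, which also covers documentation ranges such as 203.0.113.0/24.
GRAY = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Hop:
    n: int
    addr: Optional[str]
    rtts: List[Optional[float]]   # one value per probe, None for an asterisk


def parse_traceroute(text: str) -> List[Hop]:
    """Accepts Linux 'N  host (ip)  t ms ...' and Windows 'N  t ms  t ms  t ms  ip' lines."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # headers, blank lines, "Trace complete."
        rest = m.group(2)
        rtts = [None if star else float(num.lstrip("<")) for num, star in RTT_RE.findall(rest)]
        am = ADDR_RE.search(rest)
        addr = (am.group(1) or am.group(0)) if am else None
        hops.append(Hop(int(m.group(1)), addr, rtts))
    return hops


def is_gray(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in GRAY)


def analyze(hops: List[Hop]) -> list:
    """Return (hop_number, finding) pairs.  Each finding is one of the rules
    from the text; none of them on its own proves a fault."""
    findings = []
    answered = {h.n: [r for r in h.rtts if r is not None] for h in hops}
    responders = [h for h in hops if answered[h.n]]
    last_responder = responders[-1].n if responders else 0
    for h in hops:
        mine = answered[h.n]
        if not mine:
            if h.n < last_responder:
                findings.append((h.n, "silent_hop"))          # later hops answer: path intact
            continue
        later = [x for x in hops if x.n > h.n and answered[x.n]]
        if later:
            if min(mine) > min(answered[later[0].n]) + SPIKE_MS:
                findings.append((h.n, "spike_not_propagated"))  # slow to answer, not slow to forward
            if len(mine) < len(h.rtts) and all(None not in x.rtts for x in later):
                findings.append((h.n, "loss_not_propagated"))   # probably ICMP rate limiting
        if h.n > 1 and h.addr and is_gray(h.addr):
            findings.append((h.n, "gray_address"))             # provider internals, MPLS, CGNAT
    if hops and hops[-1].n > last_responder:
        findings.append((last_responder, "dead_end_after"))    # check with ping before blaming this hop
    return findings


# Constructed sample traces (addresses from the documentation ranges).
LINUX_TRACE = """\
traceroute to dst.example (192.0.2.77), 30 hops max, 60 byte packets
 1  gw.home (192.168.1.1)  1.2 ms  1.1 ms  1.3 ms
 2  10.20.30.1 (10.20.30.1)  5.4 ms  5.1 ms  5.6 ms
 3  * * *
 4  core1.isp.example (203.0.113.5)  210.0 ms  205.3 ms  198.7 ms
 5  198.51.100.9 (198.51.100.9)  12.0 ms  11.8 ms  12.3 ms
 6  198.51.100.20 (198.51.100.20)  14.1 ms  *  13.9 ms
 7  dst.example (192.0.2.77)  15.0 ms  15.2 ms  14.9 ms
"""

WINDOWS_TRACE = """\
Tracing route to dst.example [192.0.2.77]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     5 ms     5 ms     6 ms  10.20.30.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Trace complete.
"""

if __name__ == "__main__":
    for name, trace in (("linux", LINUX_TRACE), ("windows", WINDOWS_TRACE)):
        print(name, analyze(parse_traceroute(trace)))
```

On the first trace the analyzer flags hop 4's 200 ms as a non-propagating spike and hop 3's asterisks as a silent hop, both harmless; on the second it reports only that nothing answers after hop 2, which is the one case where a follow-up with ping and a TCP-mode trace is actually warranted.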

Some of the most important takeaways (with some creative license of my own)

  • Route tracing is not as simple as it seems; you need to know how to use it, and for that you need to understand how it works.
  • Most administrators and service engineers, not to mention ordinary users, neither understand it nor know how. This state of affairs very often leads to false alarms, wrong diagnoses and so on.
  • Traceroutes differ. The standard utilities, tracert on Windows and traceroute on Linux, are implemented differently and can give different results: Windows sends ICMP Echo, Linux sends UDP by default, and firewalls along the path may filter the two protocols differently.
  • Interpreting trace results requires experience and intelligence. Sometimes important conclusions can be drawn only by guesswork from indirect data, and others not unambiguously at all, but only with the confidence of "most likely".

In summary

If you are a client
Do not pester the technical support of providers, integrators, corporate help desks, vendors and so on with traceroute findings unless you are absolutely sure of your answer to the question "why do I interpret the trace this way?" At best you will simply be ignored or sent away. At worst you can convince inexperienced support staff that your wrong version is right, and they will go digging for the problem in the wrong place.

If you don’t see any problems with the service (everything is working), but you don’t like something in the traceroute output, think carefully before raising the alarm. It is extremely likely that you are simply interpreting the output incorrectly. It is very rare that you can judge the presence of a problem from one traceroute. And if there really is a problem, it’s usually easier to demonstrate it without a traceroute.

If you are the one doing the troubleshooting
Never be fooled by someone else's interpretation of traceroute output. Think with your own head. In general, if a problem report begins with a traceroute listing, that is a sure sign that, before doing anything else, the information below it must be triple-checked personally.

Read Richard's presentation. Be wary of using traceroute as your main troubleshooting tool: it is very easy to misinterpret, and the information is often not enough for firm conclusions. Always compare traceroute readings with other available data and, where possible, treat them only as supplementary or rough information.

If you have ever contacted your Internet provider or technical forums with complaints about unstable connections, you are probably already familiar with the “tracert” command. Support specialists often ask users to run it on the command line and report the result. This helps them determine the source of the problem.

Maybe you were even surprised how an incomprehensible set of characters can help solve network problems? What do these numbers, columns and rows mean? If you want to learn how to use and understand tracert as well as professionals, this article is for you.

Purpose and application of Tracert in practice

Tracert is not just some abstract command that the command prompt understands, but a full-fledged program. More precisely, a console (windowless) Windows application designed to determine the path along which network packets travel from one node to another. The name is derived from "trace route".

Tracert is a native Windows component (installed together with the OS); its executable, TRACERT.EXE, lives in the %windir%\System32 folder.

To make it easier to understand how the tracer works, let’s imagine a network packet as a regular package that you sent by mail to a neighboring city. On its way to the addressee (final node), the package makes several stops at sorting points (intermediate nodes), where it is registered and sent on. You, as the sender, knowing the postal track number of the parcel, can monitor its movement on special websites. If the shipment is not delivered on time, you will easily find out at what stage of the journey it was lost.

Tracert works in a similar way. Only it provides information about not postal, but online shipments.

Notice the similarity between a postal tracking history and a tracert listing (the original page compares the two side by side in a screenshot that is not reproduced here).

Tracing is one of the tools for comprehensive diagnosis of network failures. With it you can determine:

  • At what level an inaccessible web resource is being blocked: in the home network (packets do not get past the gateway), inside the provider's network, or beyond it.
  • Where packets leave the expected route. For example, the reason you end up somewhere other than the site you asked for may be malware on your computer or a redirect at some network node.
  • Whether the address you actually reach belongs to the network you expect. This is a rough check only: a trace tells you where the packets went, not who is answering there.

How tracing works

The application is launched from the Windows command prompt. Most often it is used without additional parameters. The command to trace the route to a web resource looks like this:

tracert <site address or IP address>, for example tracert Mts.ru or tracert 91.216.147.50

The output looks roughly as follows (the original page shows a screenshot of a trace to yandex.ru here, which is not reproduced):

Below I will explain what these numbers and entries mean, but first, to make it clear, let's look at how the tracer works.

Once you enter the above command and press Enter, the application sends batches of three ICMP Echo Request packets toward the specified web resource. One of the service fields of each packet is the TTL (Time To Live): the number of router hops the packet is allowed to make, or, as they say, its "lifetime". Every router the packet passes through decreases the TTL by one. The router that decrements it to zero stops forwarding it, discards it, and sends the originating computer an ICMP "time exceeded" notification.

The first batch of requests is sent with TTL 1. The first router it reaches subtracts one, the "lifetime" becomes zero, the packets are thrown "onto the dustbin of history", and the sender receives a reply "letter" from that router, from which tracert takes the router's name and IP address.

The second batch is sent with TTL 2 (so the reply comes from the second router), the third with TTL 3, and so on. Sending with the TTL increasing by 1 continues until the destination itself receives the packets and answers with an ICMP Echo Reply, or until the hop limit is reached.
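The TTL mechanism described here (and, earlier on this page, in the section on what the tracert command checks) is small enough to model exactly. The following is an added example, my own and not code from the article: a constructed path of routers, one of which never answers expired probes, walked by a tracert-style loop. It shows why the listing gets one line per TTL value, why a silent router produces asterisks without stopping the trace, and what happens when the destination itself does not answer. Addresses are from the documentation ranges; nothing touches a real network.

```python
"""Added example: a model of the TTL mechanism behind tracert/traceroute.
The path is constructed; nothing here touches a real network."""
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0        # the destination answering an Echo Request (tracert)
ICMP_TIME_EXCEEDED = 11    # a router reporting that TTL hit zero (RFC 792)


@dataclass
class Router:
    addr: str              # address of the interface the probe arrived on (what the listing shows)
    replies: bool = True   # False: discards expired probes silently (filtered or rate-limited)


def forward(path, dst, ttl, dst_silent=False):
    """Send one probe with the given TTL along `path` toward `dst`.
    Returns (icmp_type, source_address) of the answer, or None if nothing comes back."""
    for router in path:
        ttl -= 1                      # every router decrements TTL before forwarding...
        if ttl == 0:                  # ...and the one that reaches zero drops the packet
            return (ICMP_TIME_EXCEEDED, router.addr) if router.replies else None
    # TTL survived every router, so the destination host itself received the probe.
    return None if dst_silent else (ICMP_ECHO_REPLY, dst)


def traceroute(path, dst, max_hops=30, probes=3, dst_silent=False):
    """tracert's outer loop: TTL = 1, 2, 3, ... until the destination answers
    or max_hops is reached.  Returns [(hop, address_or_star, answers_received)]."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answers = [forward(path, dst, ttl, dst_silent) for _ in range(probes)]
        got = [a for a in answers if a is not None]
        rows.append((ttl, got[0][1] if got else "*", len(got)))
        if any(a[0] == ICMP_ECHO_REPLY for a in got):
            break                     # reached the destination: stop raising the TTL
    return rows


# Constructed path: home router, provider access router, a core router that
# never answers expired probes, one more transit router, then the destination.
PATH = [
    Router("192.168.1.1"),
    Router("10.20.30.1"),
    Router("203.0.113.5", replies=False),
    Router("198.51.100.9"),
]
DST = "192.0.2.77"

if __name__ == "__main__":
    for hop, addr, n in traceroute(PATH, DST):
        print(f"{hop:3d}  {addr:16s}  {n}/3 replies")
    print("--- destination filtering ICMP: the trace runs to max_hops ---")
    for hop, addr, n in traceroute(PATH, DST, max_hops=8, dst_silent=True):
        print(f"{hop:3d}  {addr:16s}  {n}/3 replies")
```

The second run is the case that generates most false alarms: the path is fine all the way to the last router, but because the destination drops ICMP the listing ends in asterisks, exactly as it would if a link after hop 4 were down.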

How to read the trace result

Let's return to the tracert output. My request to Yandex.ru took 16 hops: it passed through 15 "transshipment points" and reached its goal on the sixteenth step. The hop numbers are shown in the first column (outlined in red in the original screenshot). By default there can be at most 30 of them.

The second, third and fourth columns contain the RTT values: the time from sending a request to receiving the response (as you remember, each batch consists of three packets). The smaller it is, the faster the transfer. If no response arrives within 4 seconds (the default timeout), an asterisk is shown instead.

The last column is the names and addresses of the intermediate and final nodes.

Asterisks instead of values do not always indicate that a network device is unreachable or faulty (as some sources claim). Most often the device is simply configured not to answer with ICMP messages, or rate-limits them (a common measure against ICMP floods). If your request reaches the endpoint in reasonable time, there is nothing to worry about.

If the request never reaches the recipient, the reason may be a non-working network device (switched off or faulty), a security policy (the traffic is blocked by a network administrator), or simply that the destination itself does not answer ICMP; in the last case the site may still work perfectly well, so compare the trace with what a browser shows before concluding anything.

Tracert parameters

If you run tracert without specifying a web resource, the console prints help on the launch parameters, or, as they are called, switches (keys).

The switches are written, separated by spaces, after the command and before the site name when you need to change something in the default settings. For example:

tracert -w 1000 yandex.ru, which means: trace the route to yandex.ru with a response timeout of 1000 ms.

(The original page lists the switches in a table here; the keys -d, -h, -j and -w are described in the Tracert Command Options section above.)

You see, everything turned out to be simpler than it seemed. By the way, Windows has many more such useful gadgets tucked away. I will tell you about them next time. I hope this was useful.

What secrets will the Tracert command reveal? updated: December 5, 2016 by: Johnny Mnemonic







2024 gtavrl.ru.