If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the probe packets? If not, what would it be? asked 14 Oct '16, 15:31 shark less |
One Answer:
First of all ICMP is a protocol not an application. Traceroute is the application. So if traceroute uses UDP (depends on the implementation), the protocol number will be 17 for UDP. answered 14 Oct '16, 15:39 Christian_R showing 5 of 10 show 5 more comments |
Thanks Cristian_R I am not sure that I gave you enough back ground information to understand what I am asking. I am working on a school Wire Shark project and this questions comes out of the blue, here is more background: The next part focuses on using the Traceroute program to resolve the path a packet takes from source to destination. Carefully note that Traceroute is implemented in different ways in the Unix/Linux, MacOS, and Windows operating systems. Namely, in Unix/Linux, the source sends a series of UDP packets to the target destination using an unlikely destination port number. Meanwhile in Windows the source sends a series of ICMP packets to the target destination. For both operating systems, the program sends the first packet with a time-to-live field TTL=1, the second packet with TTL=2, and so on. All path routers decrement these TTL values, and when an arriving packet has a TTL=1, the router sends an ICMP error packet back to the source. The question remains: If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the probe packets? If not, what would it be?
Thanks Again
Posting as a Comment to @Christian_R's answer was the correct way. Posting as your own Answer was not.
Together with your other Question, it seems to me that you are supposed to start capturing by Wireshark, start traceroute on the same computer and find answers to some questions in that capture, whereas you choose post these questions here instead. If so, what is your reason not to run Wireshark and ask here? Because if you do capture the traffic generated by traceroute, the answers are instantly visible in the capture. Is your nickname the explanation?
sindy No, the nickname is off the top of my head when I found the site. I am running Microsoft OS and the question is about Linux, the question is from the professor as if I should know...hoping others with more experience and Linux might know what he is asking.
OK, so you're actually not sharkless but linuxless. Same thing here - I would have to log to some linux machine remotely to be able to find the answer in a real capture.
But in fact you are really supposed to know: the professor has told you that linux is sending UDP packets as probes when doing traceroute, so the translation of the original question (after fixing the typo),
is
If you didn't know from the lessons what the protocol number for UDP was, you could find it using Wireshark on Windows - run the capture, visit any web page you haven't visited during the past day to avoid DNS resolution to be cached, and you'll capture a DNS query and response which are UDP.
Does it make sense to you now?
Thanks for the correction, still is there a standard answer for this question? The question is asked as if there is...
Yes, there is, the one provided by @Christian_R at the very beginning... "IP protocol number representing UDP is 17". So if you want it literally, the answer tuple to the original question tuple is "no; 17". But knowing the correct answer without understanding why it is correct is not really helpful, believe me :-)
Thanks Sindy, I do not understand why, can you shed some light...
So I think @sindy is right, maybe you did´t understand your own question. The IP protocol number for ICMP is 1. The IP protocol number for UDP is 17. So if UDP is used, the IP protocol number will be 17.
The Time To Life exceeded packet is in all cases an ICMP packet with the IP protocol number of 1.
The UDP probe sent by
traceroute
looks like this:Frame 3610: 52 bytes on wire (416 bits), 52 bytes captured (416 bits) Ethernet II, Src: IbmCorp_bd:45:58 (00:14:5e:bd:45:58), Dst: CiscoInc_8f:f1:ae (00:1b:0c:8f:f1:ae) Internet Protocol Version 4, Src: 10.22.9.54, Dst: 77.75.77.39 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) Total Length: 38 Identification: 0xebf0 (60400) Flags: 0x00 Fragment offset: 0 Time to live: 1 Protocol: UDP (17) <------------------------ Header checksum: 0x2019 [validation disabled] [Header checksum status: Unverified] Source: 10.22.9.54 Destination: 77.75.77.39 [Source GeoIP: Unknown] [Destination GeoIP: Unknown] User Datagram Protocol, Src Port: 32784, Dst Port: 33435 Data (10 bytes)
The
icmp
response to it looks as follows:Frame 3612: 70 bytes on wire (560 bits), 70 bytes captured (560 bits) Ethernet II, Src: CiscoInc_8f:f1:ae (00:1b:0c:8f:f1:ae), Dst: IbmCorp_bd:45:58 (00:14:5e:bd:45:58) Internet Protocol Version 4, Src: 10.22.9.254, Dst: 10.22.9.54 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT) Total Length: 56 Identification: 0xe377 (58231) Flags: 0x00 Fragment offset: 0 Time to live: 255 Protocol: ICMP (1) <------------------------ Header checksum: 0xb02d [validation disabled] [Header checksum status: Unverified] Source: 10.22.9.254 Destination: 10.22.9.54 Internet Control Message Protocol Type: 11 (Time-to-live exceeded) Code: 0 (Time to live exceeded in transit) Checksum: 0x54e1 [correct] [Checksum Status: Good] Internet Protocol Version 4, Src: 10.22.9.54, Dst: 77.75.77.39 User Datagram Protocol, Src Port: 32784, Dst Port: 33435
Thanks all...I did not understand the question at first (miss worded)and after the question was corrected I still struggled until Christian made it clear by posting examples of both UDP and ICMP. Again Thanks All!