This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Time-to-live exceeded - ICMP IPv4 SRC address

0

Hi,

I'm analysing a pcap with traceroute and noticed that ICMP packets with Time-to-live exceeded have, under the "original" packet that was sent, a source IP address that is not NATed, I mean a private one from 192.168. I thought that when a host on the internet discards a packet it then sends TTL exceeded, but as the source it will see my public address. Are you able to shed some light on this?

Thank you

asked 27 Nov '16, 20:30


j202433
5113
accept rate: 0%


One Answer:

0

Assuming this capture is done on your private address node, the following scenario takes place.

Your private address node sends an ICMP echo towards an internet host. It sees that the address is outside the locally attached network(s), so consults the routing table for the router to use. This is probably your home gateway (including the NAT). The Home Gateway gets the packet, sees that it needs to forward it through the NAT, so applies NATing and forwards the packet (decrementing TTL) to the next router. There the process repeats, without the NAT.

Once the TTL runs out, the ICMP TTL-exceeded is sent back, indeed addressed to your public address, with the original header with your public address. This gets back to your router, which NATs the packet to your local address. It can do that for both the normal IPv4 header as well as the ICMP TTL-exceeded payload, which it knows is the original header.

So the thing is, your NAT function is ICMP aware, and thus knows how to translate addresses in those types of packets.

If you want to know your public IP address you'll need something like STUN which is specifically designed for this purpose.

answered 27 Nov '16, 21:56


Jaap ♦
11.7k16101
accept rate: 14%

Thank you.

(29 Nov '16, 01:29) j202433

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(29 Nov '16, 07:38) Jaap ♦
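
The translation described in the answer above, as an added example that is not part of the original thread: an ICMP-aware NAT rewrites the outer destination and the source address in the quoted original header of a Time-to-live exceeded message, then recomputes the three checksums. All addresses are constructed documentation-range values, the function names are hypothetical, and the state-table lookup and ICMP identifier mapping a real NAT performs are assumed away.

```python
import socket
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum (used by the IPv4 header and by ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, ttl: int, payload: bytes, proto: int = 1) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:] + payload

def icmp(type_: int, code: int, rest: bytes) -> bytes:
    """ICMP message: type, code, checksum, then the remaining bytes."""
    msg = struct.pack("!BBH", type_, code, 0) + rest
    return msg[:2] + struct.pack("!H", csum(msg)) + msg[4:]

def patch_ip(data: bytes, offset: int, addr: str) -> bytes:
    """Overwrite the address at offset 12 (src) or 16 (dst); redo the header checksum."""
    hdr = data[:10] + b"\x00\x00" + data[12:20]
    hdr = hdr[:offset] + socket.inet_aton(addr) + hdr[offset + 4:]
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:] + data[20:]

def addresses(pkt: bytes) -> dict:
    """Outer addresses and those of the IPv4 header quoted in the ICMP error."""
    fields = {"outer_src": 12, "outer_dst": 16, "inner_src": 40, "inner_dst": 44}
    return {name: socket.inet_ntoa(pkt[off:off + 4]) for name, off in fields.items()}

def nat_inbound(pkt: bytes, public: str, private: str) -> bytes:
    """Translate a Time-to-live exceeded (type 11) arriving on the WAN side."""
    if pkt[9] != 1 or pkt[20] != 11 or socket.inet_ntoa(pkt[16:20]) != public:
        return pkt  # not an ICMP TTL-exceeded for our public address
    quoted = patch_ip(pkt[28:], 12, private)        # quoted original header: source
    error = icmp(11, 0, pkt[24:28] + quoted)        # ICMP checksum covers the quote
    return patch_ip(pkt[:20] + error, 16, private)  # outer header: destination

PUBLIC, PRIVATE = "198.51.100.7", "192.168.1.20"  # constructed addresses
# Constructed: the traceroute probe as it looked after NAT, when its TTL ran out,
probe = ipv4(PUBLIC, "192.0.2.50", 1, icmp(8, 0, struct.pack("!HH", 0x1234, 1)))
# and the error a router (203.0.113.1) sends back to the public address.
wan_pkt = ipv4("203.0.113.1", PUBLIC, 60, icmp(11, 0, b"\x00" * 4 + probe[:28]))
lan_pkt = nat_inbound(wan_pkt, PUBLIC, PRIVATE)
```

A capture taken on the private host sees `lan_pkt`, so both the outer destination and the quoted source show the 192.168 address, while a capture on the WAN side would show `wan_pkt` with the public address in both places.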