Traceroute implementation on Cisco IOS and Linux versus Windows

Mitrixsen
Level 1

Hello, everyone.

From my understanding, on Cisco IOS and Linux, the Traceroute implementation is as follows:

1. The device sends UDP packets with a default destination port of 33434 that increments with each UDP packet that is sent. The first packet has a TTL of 1, the second one has a TTL of 2, and so on. The devices in the path respond with an ICMP TTL Exceeded message.

2. When the destination finally receives the packet, it responds with an ICMP Destination Unreachable message with the code set to 3 which indicates that the port is unreachable.

And on Windows, it works the following way:

1. The device sends ICMP Echo Request packets. The first packet has a TTL of 1, the second one has a TTL of 2, and so on. The devices in the path respond with an ICMP TTL Exceeded message.

2. When the destination finally receives the packet, it responds with an ICMP Echo Reply.

My question is, is there any reason why there are different implementations of traceroute? Does one work any better or offer any advantages over the other one? Destination unreachable packets, TTL Exceeded packets, and even ping packets can be easily filtered by an ACL or a firewall, so I cannot really think of one offering any advantage over the other one.

Thank you.

David
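As an added illustration (not part of David's post or of any reply in this thread), the following Python simulation models the two probing strategies described above: UDP probes with an incrementing destination port starting at 33434, and ICMP Echo Request probes, both with TTL increasing by one per probe. The router and host names, the "silent" router that drops expiring probes without answering (standing in for an ACL or firewall), and the ICMP echo header builder are all constructed for the example; nothing is sent on the wire.

```python
# Added example: a dependency-free simulation of UDP-style (IOS/Linux) and
# ICMP-style (Windows) traceroute. Router names, the destination and the
# "silent" set are constructed; no packets are transmitted.
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
CODE_PORT_UNREACH = 3      # Destination Unreachable, code 3 (port unreachable)
CODE_TTL_EXCEEDED = 0      # Time Exceeded, code 0 (TTL exceeded in transit)
BASE_PORT = 33434          # first UDP destination port used by traceroute


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP Echo Request (type 8, code 0) with a valid checksum, as tracert sends."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(data: bytes):
    """Return (type, code, checksum_ok); a valid message sums to zero."""
    icmp_type, code, _csum = struct.unpack("!BBH", data[:4])
    return icmp_type, code, icmp_checksum(data) == 0


@dataclass
class Probe:
    ttl: int
    proto: str      # "udp" (IOS/Linux) or "icmp" (Windows)
    ident: int      # UDP destination port, or ICMP echo sequence number


@dataclass
class Reply:
    src: str
    icmp_type: int
    code: int
    ident: int      # from the quoted original header in an ICMP error, or the echo reply


class SimulatedPath:
    """Routers in order, then the destination host. Routers listed in `silent`
    drop an expiring probe without sending Time Exceeded (an ACL or firewall)."""

    def __init__(self, routers, destination, silent=()):
        self.routers, self.destination, self.silent = list(routers), destination, set(silent)

    def send(self, probe: Probe):
        ttl = probe.ttl
        for router in self.routers:
            ttl -= 1                       # each router decrements TTL before forwarding
            if ttl == 0:
                if router in self.silent:
                    return None            # no reply: traceroute prints "*"
                return Reply(router, ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED, probe.ident)
        # The probe reached the destination host.
        if probe.proto == "udp":
            return Reply(self.destination, ICMP_DEST_UNREACH, CODE_PORT_UNREACH, probe.ident)
        return Reply(self.destination, ICMP_ECHO_REPLY, 0, probe.ident)


def traceroute(path: SimulatedPath, proto: str, max_hops: int = 30):
    """Return [(ttl, responder)] for the UDP or ICMP probing strategy."""
    hops, port, seq = [], BASE_PORT, 0
    for ttl in range(1, max_hops + 1):
        if proto == "udp":
            probe, port = Probe(ttl, "udp", port), port + 1   # port increments per probe
        else:
            seq += 1
            probe = Probe(ttl, "icmp", seq)
        reply = path.send(probe)
        if reply is None:
            hops.append((ttl, "*"))        # timeout, move on to the next TTL
            continue
        hops.append((ttl, reply.src))
        if reply.icmp_type == ICMP_TIME_EXCEEDED:
            continue                       # an intermediate router; keep probing
        if proto == "udp" and (reply.icmp_type, reply.code) == (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
            break                          # UDP: port unreachable means the destination answered
        if proto == "icmp" and reply.icmp_type == ICMP_ECHO_REPLY:
            break                          # ICMP: echo reply means the destination answered
    return hops


if __name__ == "__main__":
    demo = SimulatedPath(["r1", "r2", "r3"], "dst", silent={"r2"})
    print(traceroute(demo, "udp"))
    print(traceroute(demo, "icmp"))
```

Both strategies walk the same hops and both show `*` for the router that drops the expiring probe; the only difference is how the end of the path is recognised (ICMP type 3 code 3 versus ICMP type 0), which is why the choice between them is mostly about what middleboxes let through rather than about hop discovery itself.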

 

2 Accepted Solutions

M02@rt37
VIP

Hello @Mitrixsen 

Interesting to see other advice here.

Windows' ICMP-based approach is simpler, and Windows users are typically more familiar with ping/ICMP as a diagnostic tool...

Also, both ICMP and UDP packets can be filtered by an ACL or FW. However, UDP (especially with high port numbers) is less likely to be filtered compared to ICMP echo-request packets, since many security policies focus on blocking ICMP for security reasons...instead of rate limiting it...another debate lol

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


Joseph W. Doherty
Hall of Fame

Laugh, David, what exam are you studying for where this is likely to be a question?

Joking aside, it's a good question.  Unfortunately, not one that I know the definitive answer for, as in the goals of the software developers.  However my conjectures are:

The basic ICMP variant likely took the least development effort, uses the least bandwidth, and is sort of the closest to a barebones ICMP app for this purpose.

The UDP variant is probably more likely not to be filtered in transit, or possibly not ignored on the destination host (remember some consider any ICMP as just an attack vector).  The UDP variant is more likely for all its packets to transit the same path if multiple paths are available, as those packets would be considered part of a "flow".  (The latter might be considered good or bad, depending on what you're hoping to "discover".)

PS:

Almost all the above was composed an hour ago, but I had an interruption.  I only mention this because it appears M02@rt37 and I, independently, hit many of the same points, so we must both be correct.  ; )

