My last post about Traceroute over here: http://mellowd.co.uk/ccie/?p=609 – got some interesting conversation going on in the comments.

Basically there is quite a big difference in the way in which Windows and Linux handle traceroute. I tested on both Windows 7 and Ubuntu 10.04, but my guess is that all Windows versions follow the same format, as do all *nixes (please let me know if otherwise though!).

I would recommend reading the above post again quickly to get all the basics out the way before we delve into the differences.

Step-wise, this is what happens on Windows:

  1. The OS sends a DNS PTR request for 1.2.2.4.in-addr.arpa to get the hostname for 4.2.2.1
  2. I get a DNS PTR response giving me a hostname
  3. The OS sends an ICMP ECHO request with a TTL of 1
  4. I get an ICMP TTL Exceeded packet back from my local router
  5. Steps 3 and 4 above happen twice more
  6. The OS sends a DNS PTR request for my local router's address
  7. My local router's hostname comes back in the PTR response
  8. The cycle above (3-7) is then repeated with a TTL of 2, then 3, and so on
  9. We finally get to 4.2.2.1, which sends back an ICMP ECHO reply. Once I get three of those, the job is complete.

Ubuntu does this completely differently though. Step-wise, this is what's going on:

  1. The OS immediately sends 3 UDP packets to a high port number straight at 4.2.2.1 with a TTL of 1
  2. The local router responds with 3 ICMP TTL Exceeded messages
  3. The above (1 & 2) is then repeated with increasing TTLs until we get to 4.2.2.1
  4. 4.2.2.1 does not generate an ICMP ECHO reply, as no ECHO request was sent. Instead we get 3 ICMP Destination Unreachable, Code 3 (Port Unreachable) replies, because nothing is listening on that high port
  5. The OS now throws out 7 DNS PTR requests, one for each IP it determined in the path above (including 4.2.2.1 itself!)
  6. As soon as all the replies come back, the job is complete.

The main differences are that Windows sends a DNS PTR request for the target from the start, then sends ICMP ECHO requests. At each hop it sends a DNS PTR request for that hop before moving on to the next one.
Linux starts by sending UDP packets to a high port number straight away. Only when it finally reaches the last hop does it send out a burst of DNS PTR requests, one for every hop in the path it has determined.
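To make the two orderings concrete, here is an added simulation (not code from the original post) that replays the Windows and Linux sequences above as event logs over a constructed three-hop path; the hostnames and intermediate addresses are placeholders, and the UDP destination port starting at 33434 and incrementing per probe is the classic traceroute default, not something measured in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    ip: str
    name: str

# Constructed sample path ending at the 4.2.2.1 target used in the post;
# the hostnames and intermediate addresses are illustrative placeholders.
PATH = [Hop("192.168.1.1", "router.lan"),
        Hop("10.0.0.1", "isp-edge.example"),
        Hop("4.2.2.1", "target.example")]

def windows_tracert(path, probes=3):
    """Windows order: PTR for the target first, then for each TTL three ICMP
    echo probes followed by a PTR for the hop that answered."""
    events = [("PTR", path[-1].ip)]
    for ttl, hop in enumerate(path, start=1):
        final = ttl == len(path)
        for _ in range(probes):
            events.append(("ICMP_ECHO", ttl))
            # Intermediate hops return TTL Exceeded; the target answers the echo.
            events.append(("ICMP_ECHO_REPLY" if final else "ICMP_TTL_EXCEEDED", hop.ip))
        events.append(("PTR", hop.ip))
    return events

def linux_traceroute(path, probes=3, base_port=33434):
    """Linux order: UDP probes to an incrementing high port until the target
    returns Port Unreachable, then PTR requests for every hop, in one burst."""
    events, seen, port = [], [], base_port
    for ttl, hop in enumerate(path, start=1):
        final = ttl == len(path)
        for _ in range(probes):
            events.append(("UDP", ttl, port))
            port += 1
            # Nothing listens on the high port, so the target sends ICMP
            # Destination Unreachable / Port Unreachable instead of an echo reply.
            events.append(("ICMP_PORT_UNREACH" if final else "ICMP_TTL_EXCEEDED", hop.ip))
        if hop.ip not in seen:
            seen.append(hop.ip)
    events.extend(("PTR", ip) for ip in seen)
    return events

def ptr_timing(events):
    """Return (index of first PTR, index of last probe): for Windows the PTR
    comes before any probe, for Linux every PTR comes after the last probe."""
    probes = [i for i, e in enumerate(events) if e[0] in ("ICMP_ECHO", "UDP")]
    ptrs = [i for i, e in enumerate(events) if e[0] == "PTR"]
    return ptrs[0], probes[-1]
```

Running `ptr_timing` on both logs shows the ordering the post describes: Windows resolves before its first probe, Linux only after its last.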


9 Responses to “Protocol fundamentals – Traceroute differences between Windows and Linux”

  1. Pradeep Chhetri says:

    nice observation..

  2. Daniel says:

    Nice, was thinking about writing about it myself :) The only reason for this behaviour that I could find is that an old RFC stated that ICMP packets should not get a reply with another ICMP packet because it could lead to a never-ending stream of ICMP packets. This was later changed to ICMP error packets should not get an ICMP error packet back. This is the reason for the behaviour in Linux as far as I can tell, but I'm not sure.

  3. pakdee says:

    Wonder why the result of traceroute in Ubuntu differs from tracert in Windows.
    eg.
    ubuntu: traceroute http://www.google.com
    myPC 0.060ms
    10.300.30.2 1.342ms
    10.300.30.2 1.388ms
    http://www.google.com 1.006ms

    windows: tracert http://www.google.com
    myPC 0.060ms
    10.300.30.2 1.342ms
    http://www.google.com 1.006ms

  4. Darren says:

    *nix-style traceroutes will generally show multiple paths because of the way the traffic is sent. Windows-type traceroutes only show a single path.

  5. pakdee says:

    So which is more accurate?

  6. Darren says:

    Both are accurate. Both give you the information that traceroute is supposed to give.

  7. Matthew Fisher says:

    There is a subtle difference between tracert in XP (and earlier windows systems) and Windows 7. On XP, the first hop (my router/modem) always fails to resolve, whereas on Windows 7 it resolves correctly. I’m not sufficiently technical to understand why…

  8. Darren says:

    Matthew, run Wireshark and check the outgoing packets on both versions of Windows.

  9. hacker says:

    http://www.tech-faq.com/how-unix-and-windows-traceroutes-differ.html

    This is exactly what someone wants when he asks this question.


© 2009-2014 Darren O'Connor All Rights Reserved