Protocol Fundamentals – Traceroute differences between Windows and Linux

My last post about Traceroute got some interesting conversation going on in the comments.

Basically there is quite a big difference in the way in which Windows and Linux handle traceroute. I tested on both Windows 7 and Ubuntu 10.04, but my guess is that all Windows follow the same format as do all *nix’s (please let me know if otherwise though!)

I would recommend reading the above post again quickly to get all the basics out the way before we delve into the differences.

Step-wise, this is what happens on Windows:

The OS send a DNS PTR request to 1.2.2.4.in-addr.arpa to get the hostname for 4.2.2.1
I get a DNS PTR response giving me a hostname
The OS send an ICMP ECHO request with a TTL of 1
I get an ICMP TTL Exceeded packet back from my local router
3 & 4 above happens twice more
The OS send a DNS PTR request to my local router
My local router responds with it’s hostname
The cycle above (3-7) is then repeated with a TTL of 2, then 3 and so on
We finally get to 4.2.2.1 – which sends back an ICMP ECHO reply – Once I get 3 the job is complete.

Ubuntu does this completely differently though. Step-wise this is what’s going on:

The OS immidiately sent 3 UDP packets with a high port number straight to 4.2.2.1 with a TTL of 1
The local router responded with 3X ICMP TTL Exceeded message
The above (1 & 2) is then repeated until we get to 4.2.2.1
4.2.2.1 does not generate a ICMP ECHO reply as an ECHO request was not sent. Rather we get 3 ICMP Code 3 (Port unreachable) replies
The OS now throws out 7 DNS PTR request specifically to each IP it determined in the path from above (Including 4.2.2.1 iself!)
As soon as all the replies come, the job is complete.

The main differences are that Windows will send a DNS PTR request from the start, then send ICMP ECHO requests. At each hop it’ll send a DNS PTR request and then move onto the next hop. Linux starts with sending UDP packets to a high port number straight away. When it finally gets to the last hop it’ll then send out a mass DNS PTR request to every hop in the path that it has determined.