ICMP, Ping, and Traceroute – What I wish I was taught (2020)

Tip for tracerouters ... use mtr instead<p>brew install mtr<p>Try tapping &#x27;d&#x27; twice to enable a stripchart<p>? for help<p><pre><code> My traceroute [v0.95] xxxxxxxx.local (172.16.0.2) -&gt; news.ycombinator.com (50.1122022-07-27T23:37 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Snt Last Avg Best Wrst StDev 1. 172.16.0.1 0.0% 14 15.4 17.6 14.1 20.5 2.2 2. (waiting for reply) 3. 162.158.164.5 14.3% 14 34.4 71.1 16.5 145.4 47.3 4. 198.41.160.6 0.0% 14 32.9 36.0 30.2 43.9 3.4 5. 198.41.140.95 0.0% 14 61.9 45.0 35.3 64.7 9.8 6. 99.83.70.192 0.0% 14 40.7 36.7 33.1 49.6 4.4 7. 150.222.214.101 0.0% 14 36.6 41.3 34.7 58.1 6.2 8. 52.95.52.29 0.0% 14 41.6 40.0 35.1 51.1 4.2 9. (waiting for reply)</code></pre>

I&#x27;m interested in the topic so skimmed the whole thing but it&#x27;s all just basics. Most people won&#x27;t know them all, but so FYI: skip the lengthy article if you know how traceroute and ARP and ICMP work in general, what the difference is between connection times out and connection refused, and why sometimes traceroute returns more than one host for a given hop.

&gt; Further, the system that replies with a Destination host unreachable is the system which doesn’t have a path to the requested network - so you immediately know where to start looking.<p>No, that&#x27;s &quot;Destination net unreachable&quot;. Destination host unreachable means it didn&#x27;t get an ARP response so it doesn&#x27;t know the MAC address of the system with that IP.

Another thing that can be useful is to use tcpdump on the other side to see if the stuff sent to e.g. a TCP port is actually received:<p><pre><code> tcpdump -i any src port 5432 or dst port 5432 </code></pre> If it <i>is</i> now received you know you need to investigate on your receiving side, if it is <i>not</i>, the problem might be firewall or network.

Great article, I learned more about these daily-use tools.<p>An easy trick I use a lot is host OS identification via ICMP. A TTL of around 64 is Linux, ~128 is windows.

I love these types of practical approaches to networking. At least for me, I think it&#x27;s the clearest way to learn about these things (rather than just read about them). Would have certainly made my university networkings course much more clear!<p>That&#x27;s what made Crafting Interpreters[0] so compelling to me. Does anyone know any similar resources for networking?<p>[0] <a href="https:&#x2F;&#x2F;craftinginterpreters.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;craftinginterpreters.com&#x2F;</a>

ping and traceroute used to be very useful tools. Then for a period of time -- maybe still ongoing -- sysadmins and some network security folks decided that by blocking ALL ICMP at their network edge, they were increasing security. (Wrong!) As a result, you get hanging traceroutes with one or two hops left and you can&#x27;t use ping to verify a host is online. Worse, blocking all ICMP breaks things like MTU discovery along the path. Recently I have seen admins coming to their senses and unblocking ICMP, but it&#x27;s still an old rule-of-thumb held by many.

Once cool trick that most people don&#x27;t know is that you can also ping IP addresses in octal, hex, and integer!<p><a href="https:&#x2F;&#x2F;ma.ttias.be&#x2F;silly-little-ip-tricks&#x2F;" rel="nofollow">https:&#x2F;&#x2F;ma.ttias.be&#x2F;silly-little-ip-tricks&#x2F;</a><p><pre><code> &gt;ping 0x08080808 Pinging 8.8.8.8 with 32 bytes of data: Reply from 8.8.8.8: bytes=32 time=4ms TTL=58 Reply from 8.8.8.8: bytes=32 time=4ms TTL=58 Reply from 8.8.8.8: bytes=32 time=4ms TTL=58 Reply from 8.8.8.8: bytes=32 time=4ms TTL=58</code></pre>

Another useful tool, <i>fping</i> - <a href="https:&#x2F;&#x2F;linux.die.net&#x2F;man&#x2F;8&#x2F;fping" rel="nofollow">https:&#x2F;&#x2F;linux.die.net&#x2F;man&#x2F;8&#x2F;fping</a>

Another common basic test for at-least windows clients that you should also add to the beginning is when you run a ping test and has the reply of your own host IP. I don’t know how many times I’ve had systems admins or engineers come to me saying there’s a network is but there NIC port is misconfigured. This usually happens due to two NICs being configured or they something else tuned incorrectly with vlan tagging at the nic under properties or the vswitch is incorrectly configured.

So maybe I misunderstood the article, but I would expect that (assuming my router is on 192.168.0.123) that<p><pre><code> ping 192.168.0.123 </code></pre> followed by<p><pre><code> arp -a 192.168.0.123 </code></pre> should tell me the MAC address of the router. But instead I get &quot;No ARP entries found.&quot; - what&#x27;s going on here?

You can use nmap for checking presence of the host, open ports and the OS machine running.<p>This tool has great documentation, see <a href="https:&#x2F;&#x2F;nmap.org&#x2F;book&#x2F;intro.html" rel="nofollow">https:&#x2F;&#x2F;nmap.org&#x2F;book&#x2F;intro.html</a> for more details

<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Layer_four_traceroute" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Layer_four_traceroute</a>

Telnet to the port sometime establishes connectivity too.