The best answers are voted up and rise to the top. Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams? Learn more. Why can I ping an IP address but not 'traceroute' it? Ask Question. Asked 10 years, 6 months ago. Active 1 year, 7 months ago. Viewed k times. I can ping an IP address, but I can't traceroute it. How could this be? Improve this question. Peter Mortensen LanceBaynes LanceBaynes 3, 19 19 gold badges 60 60 silver badges 90 90 bronze badges.
What's the output from the traceroute? I presume the poster redacted the IP so that we don't try to hack his machine. Add a comment. Active Oldest Votes. Improve this answer.
Tzarium Tzarium 6 6 silver badges 5 5 bronze badges. Manachi: brew install tcptraceroute — iolsmit. Manchi: read the manpage If there is a ban on ICMP, traceroute should not work either. What's the reason for it?
On a similar question here Luke Savage explained it perfectly:. Traceroute is not a protocol itself, it is an application and the protocols used depends on the implementation your are using. Primarily this is ICMP.
The difference between these is useful to know as some network now block ICMP by default so both PING and tracert from a Windows machine will fail but a traceroute from a Linux device may still work. From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or GNU based operating system.
Rather, it sends UDP packets. What's not visible in this trace though it would be, if I gave tcpdump a -v to increase the verbosity is that the first probes have a ttl of 1, and then it increments the ttl for later probes. This causes the routers between me and 8. Eventually the ttl is long enough to make it all the way to 8. This is how traceroute knows it's reached the final destination.
If something between here and there is blocking all ICMP, then neither ping nor traceroute will work. But it's usually not the case that all ICMP is blocked, though it's also not rare. ICMP packets have a type and a code, and responsible network operators will only selectively block some types or codes, those that pose a potential for abuse or disclose particular information. For example, some hosts won't respond to an ICMP echo request at all, and thus ping will not work.
The idea is that by not responding to pings, it's harder for an attacker to discover what hosts exist on the network.
In practice this is questionable, since there are other ways to probe for a host. Again the idea is to make it more difficult for an attacker to map the network, but again this is only a minor frustration for an attacker. Because traceroute is a program and not any particular protocol, it has other ways of probing. They all rely on incrementing the TTL to discover the routers, but different kinds of probes can be sent which may have more or less of a chance to elicit a response from the endpoint.
If you know a host will respond to ping then -I makes a lot of sense. If you know the host is listening on a particular TCP port, then -T makes sense, perhaps in conjunction with the -p option to select the port.
Unfortunately these options may require root or special capabilities, so UDP makes a fair default. In fact a similar tool, tracepath , has this to say in its man page:.
It traces path to destination discovering MTU along this path. It uses UDP port port or some random port. It is similar to traceroute, only does not require superuser privileges and has no fancy options. Note that your ping can likely also reach the host unless perhaps you have a very smart firewall blocking ICMP ping traffic somewhere , the host just does not reply.
X Tracing route to myserver. X] over a maximum of 30 hops:. Trace complete. The routers with IPs Further investigation showed that the issue was set off by an unstable network link that caused frequent routing recalculations. The constant activity eventually corrupted the routing tables of one of the routers.
Essentially, if nothing is blocking your traceroute packets, then the last visible router of an incomplete trace is either the last good router on the path or the last router with a valid return path to the server that issued the traceroute.
The traceroute command is a very handy tool when troubleshooting network connectivity problems. Understanding it is crucial for every network administrator. Is your server not living up to its potential? Order a server from us with promo code A humble company with the heart of a small business, and the staffing of a large one. We are able to meet your needs with personalized, always available support. Advanced Network Troubleshooting: Using traceroute. The first router on the path recognizes that the TTL already exceeded and drops the packet.
The first hop reads this packet, decrements its TTL to 0 and forwards it to the hop on the path. Second router then does the same actions as in step 3. This continues until the final or target server is reached. The delay could be caused by one of the following: A router on the path is not sending back the ICMP time-exceeded messages.
A router or firewall in the path is blocking the ICMP time-exceeded messages. The target IP address is not responding.
N, or! P The host, network, or protocol is not reachable. A An administrator-imposed setting is blocking the, which means that either a router Access Control List ACL or firewall is in the way. S The source route has failed as traceroute attempts to use a certain path. Was this answer helpful? Yes No.
0コメント