
UNIX System Administration Handbook - Evi Nemeth [372]

desired size in bytes with the -s flag. Because excessively large packets can cause network problems, FreeBSD restricts the use of this option to root:

# ping -s 1500 cuinfo.cornell.edu

Use the ping command with the following caveats in mind. First, it is hard to distinguish the failure of a network from the failure of a server with only the ping command. A failed ping just tells you that something is wrong.

Second, a ping does not guarantee much about the target machine’s state. Echo request packets are handled within the IP protocol stack and do not require a server process to be running on the probed host. A response guarantees only that a machine is powered on and has not experienced a kernel panic. You’ll need higher-level methods to verify the availability of individual services such as HTTP and DNS.

20.3 TRACEROUTE: TRACE IP PACKETS


traceroute, written by Van Jacobson, lets you discover the sequence of gateways that an IP packet travels through to reach its destination. Almost all modern operating systems come with some version of traceroute.

The syntax is simply

traceroute hostname

There are a variety of options, most of which are not important in daily use. As usual, the hostname can be specified either symbolically or numerically. The output is simply a list of hosts, starting with the first gateway and ending at the destination.

For example, a traceroute from the host jaguar to the host drevil produces the following output:

% traceroute drevil
traceroute to drevil (192.225.55.137), 30 hops max, 38 byte packets
1 xor-gw2 (192.108.21.254) 0.840 ms 0.693 ms 0.671 ms
2 xor-gw4 (192.225.56.10) 4.642 ms 4.582 ms 4.674 ms
3 drevil (192.225.55.137) 7.959 ms 5.949 ms 5.908 ms

From this output we can tell that jaguar is exactly three hops away from drevil, and we can see which gateways are involved in the connection. The round trip time for each gateway is also shown—three samples for each hop are measured and displayed. A typical traceroute between Internet hosts can include ten or twenty hops.

traceroute works by setting the time-to-live (TTL, actually “hop count to live”) field of an outbound packet to an artificially low number. As packets arrive at a gateway, their TTL is decreased. When a gateway decreases the TTL to 0, it discards the packet and sends an ICMP “time exceeded” message back to the originating host.

The first few traceroute packets have their TTL set to 1. The first gateway to see such a packet (xor-gw2 in this case) determines that the TTL has been exceeded and notifies jaguar of the dropped packet by sending back an ICMP message. The sender’s IP address in the header of the error packet identifies the gateway; traceroute looks up this address in DNS to find the gateway’s hostname.

See page 442 for more information about reverse DNS lookups.

To identify the second-hop gateway, traceroute sends out a second round of packets with TTL fields set to 2. The first gateway routes the packets and decreases their TTL by 1. At the second gateway, the packets are then dropped and ICMP error messages are generated as before. This process continues until the TTL is equal to the number of hops to the destination host and the packets reach their destination successfully.

Most routers send their ICMP messages from the interface “closest” to your host. If you run traceroute backwards from the destination host, you will probably see different IP addresses being used to identify the same set of routers.
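The TTL mechanism and the "closest interface" effect described above can be simulated offline. The following is an added example, not code from the book or from traceroute itself: it models the jaguar-to-drevil path from the sample output and traces it in both directions. The Node, send_probe and trace names are hypothetical, and jaguar's address and the far-side gateway addresses are constructed placeholders.

```python
from typing import NamedTuple

class Node(NamedTuple):
    name: str
    west: str  # address of the interface facing jaguar
    east: str  # address of the interface facing drevil

# Path from the example output. Addresses marked "constructed" are not in the
# book; they are placeholders so the reverse direction has something to show.
PATH = [
    Node("jaguar",  "192.108.21.10",  "192.108.21.10"),   # constructed
    Node("xor-gw2", "192.108.21.254", "192.225.56.1"),    # east side constructed
    Node("xor-gw4", "192.225.56.10",  "192.225.55.1"),    # east side constructed
    Node("drevil",  "192.225.55.137", "192.225.55.137"),
]

def send_probe(hops, ttl):
    """Walk one packet from hops[0] toward hops[-1]; return (reply, node)."""
    for node in hops[1:-1]:          # every intermediate node is a gateway
        ttl -= 1                     # each gateway decrements the TTL
        if ttl == 0:                 # expired: drop the packet and report back
            return "time exceeded", node
    return "reached", hops[-1]       # TTL survived every gateway

def trace(path, reverse=False, max_hops=30):
    """Simulated traceroute: raise the TTL by one until the target answers."""
    hops = path[::-1] if reverse else path
    near = "east" if reverse else "west"   # interface closest to the sender
    result = []
    for ttl in range(1, max_hops + 1):
        reply, node = send_probe(hops, ttl)
        result.append((ttl, node.name, getattr(node, near)))
        if reply == "reached":
            break
    return result

if __name__ == "__main__":
    for label, rev in (("jaguar -> drevil", False), ("drevil -> jaguar", True)):
        print(label)
        for ttl, name, addr in trace(PATH, reverse=rev):
            print(f"  {ttl}  {name} ({addr})")
```

Both directions list the same two gateways, but each is identified by a different address, which matters when correlating hop addresses against firewall or flow logs.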

Since traceroute sends three packets for each value of the TTL field, you may sometimes observe an interesting artifact. If an intervening gateway multiplexes traffic across several routes, the packets might be returned by different hosts; in this case, traceroute simply prints them all.

Let’s look at a more interesting example from a host at colorado.edu to xor.com:

rupertsberg% traceroute xor.com
traceroute: Warning: xor.com has multiple addresses; using 192.225.33.1
traceroute to xor.com (192.225.33.1), 30 hops max, 40 byte packets
1 cs-gw3-faculty.cs.colorado.edu (128.138.236.3)
