TCOM 509: TCP/IP - Internet Protocols: Instructor: Scott T. Tran
2
On-Line Course Info
3
IP Header
4
UDP Header
5
TCP Header
6
Communications Between LAN Hosts
(TCP/IP) Via Wide Area Networks (IP)
7
Chapter 1:
Introduction
Concept of Peer Entities – Logical
Relationships
9
Protocols
10
What does a protocol tell us?
Syntax of a message
what fields does it contain?
in what format?
Semantics of a message
what does a message mean?
for example, not-OK message means receiver got a
corrupted file
Actions to take on receipt of a message
for example, on receiving not-OK message, retransmit
the entire file
11
The Internet
Standards-based – the TCP/IP protocol suite
An Open System – not linked to a single vendor
US Gov’t research resulted in quite an
extensible set of protocols
Best spent tax money I know of
Evolution from gov’t-orientation to research-
orientation to business-orientation
Why is it so good?
Why did it beat out “OSI Networking”?
Let’s start in on the details…
12
Getting Data from Here to There
IP is a form of packet switching
Data is broken up into discrete chunks and then sent toward
destination
Each packet has to find its own route to the destination. There is no
predetermined path; the decision as to which node to hop to in the
next step is taken only when a node is reached.
Each packet finds its way using the information it carries, such as the
source and destination IP addresses.
Network resources (routers, links) are shared between different data
streams - multiplexing
The phone network: circuit switching
Sender calls receiver and establishes a logical connection
The connection is maintained for the duration of the data flow
Two distinct paradigms
Both have value
The TCP part of TCP/IP provides a logical connection, when necessary
13
Motivation behind OSI Model
14
Motivation behind OSI Model
The goal of an OSI layer is to communicate with its peer layer on
another host.
7 Application 7 Application
6 Presentation 6 Presentation
5 Session 5 Session
4 Transport 4 Transport
3 Network 3 Network
2 Data Link 2 Data Link
1 Physical 1 Physical
7 Application Messages
6 Presentation Messages
5 Session Messages
4 Transport Segments
3 Network Packets or Datagrams
2 Data Link Frames
1 Physical Bits
15
Communication between OSI Layers
7 Application 7 Application
6 Presentation 6 Presentation
5 Session 5 Session
4 Transport 4 Transport
3 Network 3 Network
2 Data Link 2 Data Link
1 Physical 1 Physical
16
Motivation behind OSI Model – Protocol
Functionality
Fragmentation and Reassembly
Breaking up data into pre-defined sized blocks
Encapsulation
Adding control info to data (address, error detection code, etc…)
Connection Control
Providing connection establishment, data transfer, connection termination
Flow Control
Throttling of data rate exchanged between source and destination
Error Control
Error detection
Synchronization
Timeouts, send state, receive state, etc.
Sequencing
Numbering of data blocks (applicable only for connection-oriented mode)
Addressing
Has local and global significance,
Used for routing purposes in IP
Multiplexing
Allowing multiple logical connections to use one physical connection
Mapping of connections from one protocol layer to another
Transmission Services
Security, Priority, Grade of Service
17
The OSI Reference Model
18
Why seven layers?
19
Physical layer
20
Datalink layer
Introduces the notion of a frame
set of bits that belong together
Idle markers tell us that a link is not carrying a frame
Begin and end markers delimit a frame
On a broadcast link (such as Ethernet)
end-system must receive only bits meant for it
need datalink-layer address
also need to decide who gets to speak next
these functions are provided by Medium Access sublayer (MAC)
Some data links also retransmit corrupted packets and
pace the rate at which frames are placed on a link
part of logical link control sublayer
layered over MAC sublayer
21
Datalink layer (contd.)
Datalink layer protocols are the first layer of software
Very dependent on underlying physical link
properties
Usually bundle both physical and datalink layer on
host adaptor card
example: Ethernet
Postal service
mail bag ‘frames’ letters
Internet
a variety of datalink layer protocols
most common is Ethernet
others are FDDI, SONET, HDLC
22
Network layer
23
Network layer (contd.)
At intermediate systems
participates in routing protocol to create routing
tables
responsible for forwarding packets
scheduling the transmission order of packets
choosing which packets to drop
24
Two types of network layers
In datagram (connection-less) networks
provides both routing and data forwarding
Ex: Internet using IP protocol
In connection-oriented networks
we distinguish between data plane and control plane
data plane only forwards and schedules data (touches every
byte)
control plane responsible for routing, call-establishment,
call-teardown (doesn’t touch data bytes)
Ex: TCP protocol running over IP
25
Network layer
Postal network
set up internal routing tables
forward letters from source to destination
static routing
multiple qualities of service
Internet
network layer is provided by Internet Protocol
found in all end-systems and intermediate systems
segmentation and reassembly
packet-forwarding, routing, scheduling
unique IP addresses
can be layered over anything, but only best-effort service
26
Transport layer - TCP
27
Transport Layer - TCP
28
Transport Layer (TCP) – Relationships with
Other Layers Below
Process-to-process delivery
29
Transport Layer Addressing
Addresses
• Data link layer: MAC address
• Network layer: IP address
• Transport layer: Port number (choose among multiple
processes running on destination host)
30
Transport layer (contd.)
31
Transport layer (contd.)
Postal system
doesn’t have a transport layer
implemented, if at all, by customers
detect lost letters (how?) and retransmit
them
Internet
two popular protocols are TCP and UDP
TCP provides error control, flow control,
multiplexing
UDP provides only multiplexing
32
Session layer
Not common
Provides full-duplex service, expedited data
delivery, and session synchronization
Duplex
if transport layer is simplex, concatenates two transport
endpoints together
Expedited data delivery
allows some messages to skip ahead in end-system
queues, by using a separate low-delay transport layer
endpoint
Synchronization
allows users to place marks in data stream and to roll back
to a pre-specified mark
33
Example
Postal network
suppose a company has separate shipping and
receiving clerks
chief clerk can manage both to provide abstraction of
a duplex service
chief clerk may also send some messages using a
courier (expedited service)
chief clerk can arrange to have a set of messages
either delivered all at once, or not at all
Internet
doesn’t have a standard session layer
34
Presentation layer
Unlike other layers which deal with headers,
presentation layer touches the application data
Hides data representation differences between
applications
e.g. endian-ness
Can also encrypt data
Usually ad hoc
Postal network
translator translates contents before giving it to chief clerk
Internet
no standard presentation layer
only defines network byte order for 2- and 4-byte integers
35
Application layer
The set of applications that use the network
Doesn’t provide services to any other layer
Postal network
the person who uses the postal system
suppose manager wants to send a set of recall letters
translator translates letters going abroad
chief clerk sends some priority mail, and some by regular
mail
mail clerk sends a message, retransmits if not acked
postal system computes a route and forwards the letters
datalink layer: letters carried by planes, trains,
automobiles
physical layer: the letter itself
36
OSI Reference Model vs. TCP/IP
Protocol Stack
OSI                      TCP/IP
Application (Layer 7)    Application
Presentation (Layer 6)   Application
Session (Layer 5)        Application
Transport (Layer 4)      Transport
Network (Layer 3)        Internet
Data Link (Layer 2)      Subnet
Physical (Layer 1)       Subnet
37
Layering and Encapsulation
38
Why Layering Required For Networking?
A system that is too complex to comprehend in
its entirety.
39
Why Need Encapsulation?
Allows
management of complexity and
change within layers
40
41
42
What is a Router?
A specialized computer
Interconnects multiple physical
networks
Allows construction of a LOGICAL
network topology that is independent
from the PHYSICAL networks
Notation
Show-and-tell
43
How does a router's forwarding logic
differ from a bridge's forwarding logic?
1. Packet Filtering: A router examines only those data packets specifically addressed to it, as opposed to a
bridge, which reads the destination address of every data packet on the LAN to which it is attached.
2. Route Determination: A bridge checks the frame's data-link protocol for source as well as destination
address. It then checks its table of known local nodes. The destination address is compared with the contents
of the known local nodes in order to determine whether the frame should be allowed to cross the bridge or not
(whether the destination is local or not). The bridge does not determine the path; it merely allows or disallows
the packet to cross. Destination routes must be obtained through other network devices, such as the
originating workstation for source routing bridges. Bridges are thus sometimes known as "forward if
not local" devices.
Routers actually maintain dynamic tables of "best routes", which depend on network conditions. Based on the
latest traffic conditions, the router chooses the best path for the data packet to reach its destination, and
sends the data packet on its way. After reading the network layer destination address and the protocol of the
network layer data, the router consults its routing tables in order to determine the best path on which to
forward this data packet. Having found the best path, the router has the ability to repackage the data packet
as required for the chosen delivery route. For example, if the packet were to be sent out over an X.25 packet-
switched network, the router would encapsulate the packet in an X.25-compliant envelope.
3. Routing Logic: A bridge reads the destination address of each data frame on a LAN, decides whether the
address is local or remote (on the other side of the bridge), and only allows those data frames with non-local
destination addresses to cross the bridge. A router is more discriminating. The router first confirms the
existence of the destination address as well as the latest information on available network paths to reach that
destination. Unlike a bridge, which merely allows access to the internetwork (forward-if-not-local logic), a
router specifically addresses the data packet to a distant router. However, before a router actually releases a
data packet on to the internetwork, it confirms the existence of the destination address to which the data
packet is bound. Only once the router is satisfied with the viability of the destination address as well as with
the quality of the intended path, will it release the packaged packet. The router's meticulous processing is
known as "forward if proven remote" logic.
44
TCP/IP Protocol Suite Layers
45
TCP/IP Layering
46
Multiplexing and Demultiplexing
47
The Client-Server Model
Two hosts interact in a predefined manner
One side is the client – it wants information
One side is the server – it provides the
information
EX: WWW – web browser is the client,
website is the server
A host is not “locked down” to be only a
client or only a server
Multiple client and server programs can be
running on a single host at the same time
48
Client/Server on the same LAN
49
Client/Server on two different LANs
50
Service Addresses: Port Numbering
Port numbers are “Layer 4” addresses
(TCP or UDP in the TCP/IP suite)
They allow multiple services on a single
host to have unique addresses
E.g., one host can be running servers for
FTP, HTTP, and telnet
Each service listens on its own port
51
How Do You Get a Port Number?
Standards and Standards Processes
The Internet Engineering Task Force (IETF)
most directly controls the development of
standards for the TCP/IP protocol suite
Those standards are called Requests for
Comment (RFCs)
Relatively collegial process
Different from IEEE, ITU, ANSI, etc.
http://www.ietf.org
http://www.rfc-editor.org
See section 1.11, pp. 14-15
Some of these RFCs have been updated
52
IP Protocol and Its Associated Upper
Layer: IP Protocol Numbers
http://www.iana.org/assignments/protocol-numbers
55
Loopback Interfaces
Special logical IP address (127.0.0.1)
Any IP traffic sent to loopback interface must not appear on any network
Used to allow a client and a server on the same host to communicate with
each other using TCP/IP
56
Maximum Transmission Unit (MTU)
57
Chapter 3:
IP: Internet Protocol
IP Header
59
60
61
62
IP Fragmentation & Reassembly
63
IP Fragmentation and Reassembly
The data of the long packet is divided into two portions on an 8-byte (64-bit) boundary.
All packets that have the more-fragments (MF) flag set must carry an integral multiple
of 8 bytes of data; packets that do not have this flag set need not.
Call the number of 8-byte blocks in the first portion NFB (for Number of Fragment
Blocks). The first portion of the data is placed in the first new IP packet, and the total
length field is set to the length of the FIRST IP packet. The more-fragments flag (MF)
is set to one.
The second portion of the data is placed in the second new IP packet, and the total
length field is set to the length of the SECOND packet. The more-fragments flag (MF)
carries the same value as in the long packet. The fragment offset field of the second new
IP packet is set to the value of that field in the long IP packet plus NFB.
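Added example (not part of the original slides): the split described above applied repeatedly until every piece fits the MTU, plus a reassembly check that rejects holes, overlaps and a missing last fragment. The Packet class, the 20-byte header with no options and the sample payload are assumptions made for the illustration.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: 20-byte IP header, no options


@dataclass
class Packet:
    ident: int    # Identification: same value in every fragment of one datagram
    offset: int   # Fragment Offset field, counted in 8-byte blocks
    mf: bool      # More Fragments flag
    data: bytes

    @property
    def total_length(self) -> int:
        return IP_HEADER_LEN + len(self.data)


def split_once(pkt: Packet, mtu: int):
    """Split one packet into two, following the procedure on the slide."""
    nfb = (mtu - IP_HEADER_LEN) // 8          # Number of Fragment Blocks
    if nfb <= 0:
        raise ValueError("MTU cannot carry even one 8-byte block")
    cut = nfb * 8
    first = Packet(pkt.ident, pkt.offset, True, pkt.data[:cut])
    # The second packet inherits MF from the long packet; offset advances by NFB.
    second = Packet(pkt.ident, pkt.offset + nfb, pkt.mf, pkt.data[cut:])
    return first, second


def fragment(pkt: Packet, mtu: int):
    """Keep splitting the remainder until it fits in the MTU."""
    out = []
    while pkt.total_length > mtu:
        first, pkt = split_once(pkt, mtu)
        out.append(first)
    out.append(pkt)
    return out


def reassemble(fragments):
    """Return the original payload, or None if the fragment set is inconsistent."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags or len({f.ident for f in frags}) != 1:
        return None
    buf = bytearray()
    for f in frags:
        if f.offset * 8 != len(buf):       # hole or overlapping fragment
            return None
        if f.mf and len(f.data) % 8:       # only the last fragment may be ragged
            return None
        buf += f.data
    if frags[-1].mf:                       # final fragment never arrived
        return None
    return bytes(buf)


# Constructed sample: a 4000-byte payload sent over a 1500-byte MTU link.
SAMPLE = Packet(ident=0x1234, offset=0, mf=False,
                data=bytes(i % 251 for i in range(4000)))

if __name__ == "__main__":
    for f in fragment(SAMPLE, 1500):
        print(f.offset, f.mf, f.total_length)
```

A fragment that is itself fragmented again on a smaller-MTU link keeps MF set on all of its pieces, because each piece inherits the flag of the packet it was cut from.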
65
IP Addresses in TCP/IP Model
66
Addressing, Numbering, and
Notation
Computers care about BINARY
On/off, hi/low, signal/no signal, etc.
Humans care about DECIMAL
IP addresses are truly 32-bit unsigned integers,
represented in dotted-decimal (a.k.a. dotted-quad) for
our convenience
Electrical Engineers care about HEXADECIMAL
Neither computer nor human?
Compact representation of binary info
Often used for Layer 2 (hardware) addresses
YOU need to care about ALL 3
Discuss some examples here…
67
Bit Positions and Their Values
68
IP Address Classes
69
IP Address Class Ranges
70
Address Class Characteristics
Class   Network bits   Host bits   Number of networks   Addresses per network
A       8              24          127                  16,777,216
B       16             16          16,384               65,536
C       24             8           2,097,152            256
71
IP addressing: the last word...
72
Subnetting -
To divide the standard classful host-number field into two parts - the subnet-number
and the host-number on that subnet.
Motivation:
Efficient use of available network addresses
Flexibility in planning network growth and design
Capability to contain broadcast traffic (ARP, RARP, etc…)
Subnets under local administrative control
Mechanism:
Define/assign a subnet mask for addresses in a network that has been sub-netted
Subnet mask tells router which octets of an IP address to pay attention to when comparing the
destination address of a packet to its routing table entries
A subnet mask identifies the subnet field of network addresses
Correct routing requires that all subnets of a network be physically contiguous. In other words,
the network must be set up such that it does not require traffic between any two subnets to
cross another network
Most implementations require that all subnets of a network have the same number of subnet
bits.
Example
73
Arrangement of Subnets
74
How To Calculate Subnet Address with a Given
Subnet Mask
75
Example Subnet Masks
76
Using Subnet Masks
77
Supernetting – CIDR and VLSM
Motivation: Address issues with current IP Address Depletion
78
Requirements for Deploying CIDR or
VLSM
The successful deployment of VLSM has three
prerequisites:
The routing protocols must carry extended network
prefix information with each route advertisement.
79
Comparing CIDR to VLSM
80
Classless Interdomain Routing (CIDR)
With subnet addressing, we can have higher flexibility
within a domain/AS
81
Classless Interdomain Routing (CIDR)
Changes to routing table
Each entry must specify a 32-bit mask together with the 32-bit
IP address
Use longest prefix match to find a suitable entry
E.g. a packet has destination IP addr 205.100.1.2, and the routing
table has two entries:
205.100.0.0/22 and 205.100.0.0/20.
Both entries match the destination IP addr; which one should be
chosen? Ans: Choose the one with the longest matched bits
205.100.0.0/22 = 11001101.01100100.00000000.00000000
205.100.0.0/20 = 11001101.01100100.00000000.00000000
205.100.1.2 = 11001101.01100100.00000001.00000010
Longest match: 205.100.0.0/22
82
Classless Interdomain Routing (CIDR)
Advantages:
An organization can “buy” the number of IPs
according to its needs (not confined to 256,
66048, 16908288)
Reduce routing table size significantly as multiple
“continuous” networks following the same route
can be combined to form a single routing entry
E.g., original 4 entries for destinations
137.188.0.0, 137.189.0.0, 137.190.0.0, 137.191.0.0
Now, we can combine them into one entry of
137.188.0.0/14
83
An Example of How CIDR Is Used
84
CIDR: Partitioning of IP addresses
85
CIDR Hierarchical addressing: route
aggregation
Hierarchical addressing allows efficient advertisement of routing
information: “Fly-by-night-ISP requests that all datagrams whose first
20 address bits match 200.23.16.0/20. The world doesn’t know that
within this there are 8 other orgs. each with their own networks.
Organization 0: 200.23.16.0/23
Organization 1: 200.23.18.0/23
Organization 2: 200.23.20.0/23
...
Organization 7: 200.23.30.0/23
Fly-By-Night-ISP to the Internet: “Send me anything with addresses beginning 200.23.16.0/20”
ISPs-R-Us to the Internet: “Send me anything with addresses beginning 199.31.0.0/16”
86
Hierarchical addressing: more specific
routes
Suppose Org. 1 dislikes Fly-by-night-ISP’s service and wants to move to
ISPs-R-Us? Org.1 keeps its addresses in 200.23.18.0/23 but now
ISPs-R-Us advertises 200.23.18.0/23.
Organization 2: 200.23.20.0/23
...
Organization 7: 200.23.30.0/23
Fly-By-Night-ISP to the Internet: “Send me anything with addresses beginning 200.23.16.0/20”
Organization 1: 200.23.18.0/23
ISPs-R-Us to the Internet: “Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23”
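Added example (not part of the original slides): a routing table that stores a 32-bit mask with each entry and selects the longest matching prefix, run on the 205.100.1.2 lookup, the 137.188.0.0/14 aggregation and the Organization 1 move shown above. The RoutingTable class and the next-hop labels "A" and "B" are assumptions made for the illustration.

```python
import ipaddress


class RoutingTable:
    """Each entry stores a 32-bit network, a 32-bit mask and a next hop."""

    def __init__(self):
        self.entries = []   # (network_int, mask_int, prefix_len, next_hop)

    def add(self, cidr: str, next_hop: str) -> None:
        net = ipaddress.IPv4Network(cidr)   # raises ValueError if host bits are set
        self.entries.append((int(net.network_address), int(net.netmask),
                             net.prefixlen, next_hop))

    def lookup(self, dst: str):
        """Return (prefix_len, next_hop) of the longest match, or None."""
        d = int(ipaddress.IPv4Address(dst))
        best = None
        for network, mask, plen, hop in self.entries:
            # An entry matches when the masked destination equals its network.
            if d & mask == network and (best is None or plen > best[0]):
                best = (plen, hop)
        return best


def aggregate(cidrs):
    """Merge contiguous prefixes into the fewest covering prefixes."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def slide_81_table() -> RoutingTable:
    t = RoutingTable()
    t.add("205.100.0.0/22", "A")   # hypothetical next-hop label
    t.add("205.100.0.0/20", "B")   # hypothetical next-hop label
    return t


def internet_view(org1_moved: bool) -> RoutingTable:
    """Routes the rest of the Internet holds for the two ISPs."""
    t = RoutingTable()
    t.add("200.23.16.0/20", "Fly-By-Night-ISP")
    t.add("199.31.0.0/16", "ISPs-R-Us")
    if org1_moved:
        # The more specific /23 overrides the covering /20 for Organization 1 only.
        t.add("200.23.18.0/23", "ISPs-R-Us")
    return t


if __name__ == "__main__":
    print(slide_81_table().lookup("205.100.1.2"))
    print(aggregate(["137.188.0.0/16", "137.189.0.0/16",
                     "137.190.0.0/16", "137.191.0.0/16"]))
    print(internet_view(False).lookup("200.23.18.5"))
    print(internet_view(True).lookup("200.23.18.5"))
```

Because the longest prefix always wins, any more specific announcement for part of an aggregate redirects that part of the address space, which is why unexpected more-specific routes are worth monitoring.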
87
Supernetting – VLSM
In 1987, RFC 1009 specified how a subnetted network could
use more than one subnet mask. When an IP network is
assigned more than one subnet mask, it is considered a network
with variable-length subnet masks (VLSM), since the extended network prefixes have different
lengths.
Allows RECURSIVE division of a network prefix (subnets of
subnets)
Allows detailed structure of routing info for one subnet group to
be hidden from routers in another subnet group
VLSM is different than CIDR because the recursion is performed
on the address space previously assigned to an org. and is
INVISIBLE to the global Internet
88
VLSM Design Considerations
89
An Example of How VLSM Is Used
Recursive Division
90
IP Design Considerations
91
IP Futures
In addition to Stevens’ observations:
IP version 6
IPSec
MPLS
IP Multicast
These aren’t really futures anymore; they’re
here today
Think about what you’d like to cover in
last week
Time permitting
I’m leaning toward IPSec
92
IPv4 addressing - Summary
93
Chapter 4:
ARP: Address Resolution
Protocol
95
Multiplexing and Demultiplexing
96
TCP/IP suite: ARP
Maps IPv4 addresses to MAC addresses.
An ARP request is a local broadcast.
ARP broadcasts are not propagated through
routers.
Entries in the ARP table are deleted when a
timeout expires.
Several scenarios exist:
You know the IP address to send to and you need the
corresponding MAC address (ARP)
You know your MAC address and you need to know your IP
address (RARP)
You’re hiding physical networks (Proxy ARP)
You need to verify that your IP address isn’t being used by
another host (Gratuitous ARP)
97
98
Packet Delivery on a single LAN
99
Use of ARP - Packet Delivery across
multiple LANs
100
The Purpose of ARP
101
An Example:
ARP with TFTP
102
ARP Frame Format
103
ARP Notes
ARP generally only occurs on a single
physical network
ARP request is a layer 2 broadcast, and
routers block these broadcasts by default
ARP is designed to work for protocols
other than IP
A generic solution
Some other protocols (e.g., IPX) were
designed such that they don’t need ARP
104
More ARP Notes
Dynamic nature of ARP is very flexible
MAC addresses tend to stay the same, but
IP addresses can change (e.g., DHCP,
change in logical structure of IP network)
Sometimes MAC addresses can change (e.g.,
change a broken NIC, administratively
change MAC address)
ARP allows for dynamic (re-)mapping
105
Notes on Proxy ARP
Also known as “promiscuous ARP”
Accommodates older TCP/IP stacks. A technique by which a router replies to an
Address Resolution Protocol (ARP) request from a host on behalf of the ARP
target host.
Proxy ARP (Address Resolution Protocol) is a technique by which a network host
answers ARP queries for a network address that it does not have
configured on the receiving interface. Proxying ARP requests on behalf of another
host effectively directs all LAN traffic destined for that host to the proxying
host/router. The "captured" traffic is then typically routed to the destination host
via another interface or via a tunnel.
When you see the same MAC address in the ARP cache for 2 different IP addresses,
that’s a hint that Proxy ARP is being used
Proxy ARP can create DoS attacks on networks if misconfigured. For example, a
misconfigured router with proxy ARP has the ability to receive packets destined
for other hosts (as it gives its own MAC address in response to ARP requests for
other hosts/routers), but may not have the ability to correctly forward these
packets on to their final destination, thus blackholing the traffic.
106
Uses of Gratuitous ARP
107
Issues With ARP
Weak Security
a bogus host can issue a gratuitous ARP and
change cache entries on other router’s
cache table
a bogus host can send replies giving its own
hardware address (instead of the target) –
re-directing traffic
Broadcasting can be expensive
excessive use of bandwidth
CPU costs
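Added example (not part of the original slides): a check over two ARP cache snapshots that reports one MAC address serving several IP addresses (the Proxy ARP hint from the earlier slide) and IP addresses whose MAC binding changed between snapshots (the cache overwrite described under Weak Security). The snapshots are constructed sample data in the format printed by the Linux `ip neigh` command, using documentation address ranges.

```python
import re
from collections import defaultdict

# Matches lines such as: 192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17})\b")


def parse_neigh(text: str) -> dict:
    """Return {ip: mac}; entries without a resolved MAC (e.g. FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def shared_macs(table: dict) -> dict:
    """MAC addresses that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before: dict, after: dict) -> list:
    """(ip, old_mac, new_mac) for every IP whose MAC differs between snapshots."""
    return sorted((ip, before[ip], mac) for ip, mac in after.items()
                  if ip in before and before[ip] != mac)


# Constructed snapshots, taken a few minutes apart on the same host.
SNAPSHOT_1 = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:0a STALE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:01 STALE
192.0.2.30 dev eth0  FAILED
"""
SNAPSHOT_2 = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:ff REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:01 STALE
"""

if __name__ == "__main__":
    old, new = parse_neigh(SNAPSHOT_1), parse_neigh(SNAPSHOT_2)
    print("shared:", shared_macs(new))
    print("changed:", changed_bindings(old, new))
```

A changed binding is also what a legitimate NIC replacement or DHCP reassignment looks like, so the output is a list of entries to verify against inventory rather than a verdict.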
108
Chapter 5:
RARP: Reverse Address
Resolution Protocol
What is RARP For?
A workstation without a hard drive
(e.g., diskless workstation, X-terminal,
“thin client”) may have no means to
“remember” an IP address
However, it will have a NIC that has a
MAC address burned-in on an EEPROM
RARP allows this host to broadcast and
request its IP address
A RARP Server must be configured on the
local subnet to assign this particular MAC
address with a unique IP address
110
Issues with RARP
More difficult to implement than ARP
ARP is needed for basic IP communications
and requires no configuration (mostly)
RARP config normally resides in a static text
file
Coordination between multiple RARP
servers requires that those text files are
always in sync
Improvements over RARP
BOOTP
DHCP – most commonly used today
111
TCP/IP suite: DHCP vs. RARP
112
TCP/IP suite: DHCP vs. RARP
113
TCP/IP suite: DHCP
114
TCP/IP suite: DHCP
115
TCP/IP suite: DHCP vs. RARP
116
DHCP: Dynamic Host Configuration Protocol
DHCP overview:
host broadcasts “DHCP discover” msg
DHCP server responds with “DHCP offer” msg
host requests IP address: “DHCP request” msg
DHCP server sends address: “DHCP ack” msg
117
DHCP client-server scenario
118
TCP/IP suite: DHCP vs. RARP
119
Chapter 6:
ICMP: Internet Control
Message Protocol
Where ICMP Fits in the TCP/IP Layering
121
What is ICMP?
Every protocol suite needs mechanisms
for control and error messaging
Phone network to end user: dial tone,
ringing tone, etc. (note: in-band)
Phone network between switches: SS7
network for call management (note: out-of-
band)
ICMP is the set of messages that handle
basic control and error messaging for
the TCP/IP protocol suite
122
ICMP Message Types
123
Key ICMP Uses
Time Stamp
Ping
Traceroute
Source Quench
Indication that flow control needs to be activated at
the source
MTU size determination
ICMP Destination Unreachability
Can be used to detect malicious port scanning
activity
124
125
ICMP Message Transport in IP
126
ICMP Message Format
127
ICMP Timestamp
128
Round Trip Time (RTT) Concept
129
Chapter 7:
ping
What is ping?
Uses ICMP Echo Request and Reply
Tests reachability – make sure that the
network connection is intact
Don’t use it for fine-grained
measurements of network performance
131
ICMP packets used for ping
132
133
Ping output
134
Ping with IP Options: Record Route
135
ping with Record Route
136
ICMP Source Quench
137
MTU Size Determination
138
ICMP Destination Unreachability
139
ICMP Port Unreachable – Example msg
140
ICMP Port Unreachable - Format
141
Chapter 8:
traceroute
IP Routing Processes
The IP routing process involves every node that takes part in the delivery of an IP packet: the sending host, the intermediate routers, and the
destination host.
IP on the Router - When a packet is received at a router, the packet is passed to IP. IP on the router does the following:
IP verifies the IP header checksum.
If the IP header checksum fails, the IP packet is discarded without notification to the user. This is known as a silent discard.
IP verifies whether the destination IP address in the IP datagram corresponds to an IP address assigned to a router interface.
If so, the router processes the IP datagram as the destination host (see step 3 in the following "IP on the Destination Host" section).
If the destination IP address is not the router, IP decreases the time-to-live (TTL) by 1.
If the TTL is 0, the router discards the packet and sends an ICMP Time Expired-TTL Expired message to the sender.
If the TTL is 1 or greater, IP updates the TTL field and calculates a new IP header checksum.
IP checks its routing table for the best route to the destination IP address in the IP datagram.
If no route is found, the router discards the packet and sends an ICMP Destination Unreachable-Network Unreachable message to the sender.
Based on the best route found, IP determines the forwarding IP address and the interface to be used for forwarding the packet.
IP hands the packet, the forwarding IP address, and the interface to ARP, and then ARP forwards the packet to the appropriate MAC address.
This entire process is repeated at each router in the path between the source and destination host.
IP on the Destination Host - When a packet is received at the destination host, it is passed up to IP. IP on the destination host does the following:
IP verifies the IP header checksum.
If the IP header checksum fails, the IP packet is silently discarded.
IP verifies that the destination IP address in the IP datagram corresponds to an IP address assigned to the host.
If the destination IP address is not assigned to the host, the IP packet is silently discarded.
Based on the IP protocol field, IP passes the IP datagram without the IP header to the appropriate upper-level protocol.
If the protocol does not exist, ICMP sends a Destination Unreachable-Protocol Unreachable message back to the sender.
For TCP and UDP packets, the destination port is checked and the TCP segment or UDP header is processed.
If no application exists for the UDP port number, ICMP sends a Destination Unreachable-Port Unreachable message back to the sender. If no application exists
for the TCP port number, TCP sends a Connection Reset segment back to the sender.
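Added example (not part of the original slides): the first router steps listed above (verify the header checksum, check whether the packet is addressed to the router, decrement the TTL, recompute the checksum) applied to a constructed 20-byte IPv4 header. The function names, action labels and sample addresses are assumptions; the routing table lookup and ARP hand-off are left out.

```python
import socket
import struct


def checksum(header: bytes) -> int:
    """One's-complement of the one's-complement sum of the 16-bit header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, ttl: int, proto: int = 17,
                 payload_len: int = 8) -> bytes:
    """Constructed sample header: version 4, IHL 5, no options, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def process_at_router(packet: bytes, router_addrs: set):
    """Return (action, header); header is None when the packet is dropped."""
    if len(packet) < 20:
        return "silent-discard", None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "silent-discard", None
    hdr = packet[:ihl]
    # A valid header sums to 0xFFFF with its checksum included, so this yields 0.
    if checksum(hdr) != 0:
        return "silent-discard", None
    if socket.inet_ntoa(hdr[16:20]) in router_addrs:
        return "deliver-locally", hdr
    ttl = hdr[8] - 1
    if ttl <= 0:
        return "icmp-time-exceeded", None
    new = bytearray(hdr)
    new[8] = ttl
    new[10:12] = b"\x00\x00"                 # zero the field before recomputing
    new[10:12] = struct.pack("!H", checksum(bytes(new)))
    return "forward", bytes(new)


ROUTER_ADDRS = {"192.0.2.1"}                 # constructed router interface address

if __name__ == "__main__":
    pkt = build_header("192.0.2.10", "198.51.100.7", ttl=2)
    action, out = process_at_router(pkt, ROUTER_ADDRS)
    print(action, out[8])
    print(process_at_router(out, ROUTER_ADDRS)[0])
```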
143
What is traceroute?
A program ported to just about anything
with a TCP/IP stack
Shows the path packets take across the
network
Takes advantage of the ICMP “time
exceeded” message
“tracert” in Windows products
144
How Traceroute Works
Traceroute creates a UDP packet with the time to live (TTL) in the IP header set to 1 and
addresses the packet to the destination computer's IP address
The computer on which the messages die because the time to live expired (somewhere
between the Source and Destination hosts) sends back ICMP Time Exceeded (ICMP Type
'11') responses. These messages indicate to the source that the traceroute messages have
not yet reached the destination host
The source increments the TTL in the IP header by one, then repeats the previous six
steps (creates 3 packets, sets the Time to Live to the next highest number, starts a timer,
transmits the packets, waits for a response). This process is repeated until the packets reach
the destination computer which the source host is tracing the route to.
When the ICMP message reaches the destination computer, the UDP layer will get to
process it and will find out that the UDP port specified is invalid which will trigger an ICMP
Port Unreachable message back to the source host.
The Port Unreachable error message indicates to traceroute that the destination has been
reached.
145
ICMP time exceeded message
146
How to read traceroute output
147
148