According to the Stevens (TCP/IP Illustrated) the traceroute program sends UDP packets to the destination host with an incremental TTL (1, 2, 3, etc) to get the intermediate hops info from the ICMP TTL EXPIRED messages.
The "destination reached" condition is an ICMP PORT UNREACHABLE message, because traceroute addresses a random port with an high number (that is: unlikely someone is listening there)
So my question is: is there a technical reason (drawbacks, RFCs, etc.) to use UDP packets rather than using, for instance, ICMP echo request messages (with increasing TTL) and use the echo reply answer as the end condition?
I understand that the ICMP echo reply might be filtered out by firewalls or other net devices in the middle, but I guess this can happen also to UDP packets ;)
Many Thanks
Sergio
It's actually the "old" method of doing traceroutes. I guess the main motivation was that sending out plain UDP packets requires no special privileges, as sending ICMP packets does (raw sockets or the equivalent). That's why e.g. ping
is usually setuid to root, which is a big risk security-wise.
Nowadays traceroute
supports ICMP and TCP probe packets as well, so you're more likely can sneak through firewalls, which are more likely than not deployed without consideration. This also means that traceroute
is likely also setuid root on your system. See its man page, especially the part about available methods: http://linux.die.net/man/8/traceroute