Traceroute Protocol Analysis: ICMP vs UDP Implementation in Network Diagnostics and iptables Configuration


Traceroute implementations vary significantly between operating systems and historical conventions. The core principle is the same: the path to a destination is discovered by sending probes with increasing TTL (Time-To-Live) values in the IP header and recording who answers, but the probe protocol differs:

  • Traditional UNIX/Linux: Uses UDP packets with high destination ports (33434-33534)
  • Windows (tracert): Uses ICMP Echo Request (Type 8)
  • Modern Linux: Often supports multiple modes (-I for ICMP, -U for UDP)

When you run traceroute www.google.com from a Linux terminal, here's what typically happens:

# Default UDP behavior (traditional)
$ traceroute google.com
traceroute to google.com (142.250.190.46), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.234 ms  1.456 ms  1.678 ms
 2  10.10.10.1 (10.10.10.1)  5.432 ms  5.678 ms  5.901 ms
 ...

# Explicit ICMP mode
$ traceroute -I google.com
traceroute to google.com (142.250.190.46), 30 hops max, 72 byte packets
 1  192.168.1.1 (192.168.1.1)  1.345 ms  1.567 ms  1.789 ms

When configuring iptables for a VPS that needs to allow traceroute diagnostics, you should account for both protocols:

# Allow outgoing traceroute (UDP variant)
iptables -A OUTPUT -p udp --dport 33434:33534 -j ACCEPT

# Allow ICMP Time Exceeded (Type 11) and Destination Unreachable (Type 3),
# the replies a UDP traceroute relies on for intermediate and final hops
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# Note: an INPUT rule accepting the RELATED,ESTABLISHED conntrack states also
# matches these ICMP errors, since conntrack ties them to the outgoing probe

# For Windows-style ICMP traceroute
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

To determine exactly which protocol your traceroute implementation uses:

# Capture traceroute packets with tcpdump
$ sudo tcpdump -ni any "icmp or (udp and portrange 33434-33534)"

# Alternative with tshark (-f takes the same BPF capture-filter syntax as tcpdump)
$ sudo tshark -i eth0 -f "icmp or udp portrange 33434-33534"

ICMP Type 30 (Information Request) is largely obsolete and not used in modern traceroute implementations. You might encounter it in very old network equipment documentation.

Major cloud providers often have specific requirements for traceroute to work properly:

  • AWS: Requires security groups to allow ICMP (Types 3, 8, 11)
  • Google Cloud: Needs firewall rules for both ICMP and UDP probes
  • Azure: Network Security Groups must permit the relevant ICMP types

When executing traceroute www.google.com from your Linux terminal, the protocol used depends on your operating system and implementation:

  • Traditional UNIX/Linux: Uses UDP packets (destination port 33434-33534 by default)
  • Windows (tracert): Uses ICMP Echo Request (Type 8)
  • Modern Linux: Supports ICMP Echo probes (-I flag), which require root privileges

UDP-based traceroute workflow:

1. Sends UDP packet with TTL=1 to high port (33434+)
2. First router decrements TTL to 0, responds with ICMP Time Exceeded (Type 11)
3. Process repeats with incrementing TTL until destination reached
4. Destination responds with ICMP Port Unreachable (Type 3) because nothing listens on that port; this reply ends the trace

ICMP-based traceroute workflow:

1. Sends ICMP Echo Request with TTL=1
2. Each hop whose decrement brings the TTL to 0 returns ICMP Time Exceeded
3. Final destination returns ICMP Echo Reply, which ends the trace
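Both workflows above as one runnable simulation (an added example, not code from the original page): probes and replies are built with real IPv4, UDP and ICMP byte layouts but never sent; each probe is walked through a constructed path of two routers and a destination, and the reply is matched back to its probe the way traceroute does, via the quoted header inside the ICMP error. All addresses, the source port 40000 and the ICMP identifier 0x1234 are constructed values, and checksums are left at zero since nothing reaches the wire.

```python
import struct
from ipaddress import IPv4Address as A

BASE_PORT, UDP, ICMP = 33434, 17, 1                          # first probe port; IP protocol numbers
ECHO_REPLY, UNREACH, ECHO_REQ, TIME_EXCEEDED = 0, 3, 8, 11    # ICMP types used here

def ip_hdr(src, dst, ttl, proto, plen):
    # 20-byte IPv4 header; checksum stays 0 because nothing goes on the wire
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, ttl, proto, 0,
                       A(src).packed, A(dst).packed)

def probe(src, dst, ttl, seq, mode):
    """TTL-limited probe for hop `ttl`: UDP to port 33434+seq, or ICMP Echo with seq."""
    body = (struct.pack("!HHHH", 40000, BASE_PORT + seq, 8, 0) if mode == "udp"
            else struct.pack("!BBHHH", ECHO_REQ, 0, 0, 0x1234, seq))
    return ip_hdr(src, dst, ttl, UDP if mode == "udp" else ICMP, 8) + body

def icmp_error(from_ip, pkt, typ, code):
    # ICMP errors quote the offending IP header + 8 bytes; the sender (and conntrack) match replies on that quote
    body = struct.pack("!BBHI", typ, code, 0, 0) + pkt[:28]
    return ip_hdr(from_ip, str(A(pkt[12:16])), 64, ICMP, len(body)) + body

def deliver(pkt, path):
    """Walk a probe through `path` (routers..., destination) and return the reply."""
    for router in path[:-1]:
        pkt = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]          # router decrements TTL
        if pkt[8] == 0:
            return icmp_error(router, pkt, TIME_EXCEEDED, 0)   # Type 11
    if pkt[9] == UDP:                                          # nothing listens on the high port
        return icmp_error(path[-1], pkt, UNREACH, 3)           # Type 3 code 3, port unreachable
    reply = struct.pack("!BB", ECHO_REPLY, 0) + pkt[22:28]     # Echo Reply returns id/seq
    return ip_hdr(path[-1], str(A(pkt[12:16])), 64, ICMP, 8) + reply

def parse_reply(reply):
    """Return (sender, icmp_type, probe seq) so the reply can be matched to a probe."""
    typ = reply[20]
    pkt = reply if typ == ECHO_REPLY else reply[28:]           # errors quote the probe at 28
    off, base = (22, BASE_PORT) if pkt[9] == UDP else (26, 0)  # UDP dst port or ICMP seq
    return str(A(reply[12:16])), typ, struct.unpack("!H", pkt[off:off + 2])[0] - base

def traceroute(src, path, mode, max_hops=30):
    hops = []
    for ttl in range(1, max_hops + 1):
        sender, typ, seq = parse_reply(deliver(probe(src, path[-1], ttl, ttl, mode), path))
        assert seq == ttl, "reply does not quote this probe"
        hops.append((sender, typ))
        if typ != TIME_EXCEEDED:                               # anything else: destination answered
            break
    return hops
```

Calling traceroute("192.168.1.50", ["192.168.1.1", "10.0.0.1", "8.8.8.8"], "udp") yields two Type 11 hops followed by a Type 3 from the destination, while "icmp" mode ends with a Type 0 Echo Reply instead.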

For iptables rules handling traceroute traffic, you need to account for both protocols:

# Allow outgoing traceroute (UDP variant)
iptables -A OUTPUT -p udp --dport 33434:33534 -j ACCEPT

# Allow ICMP Time Exceeded (Type 11) from intermediate hops
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# Allow ICMP Destination Unreachable (Type 3): the final hop's reply in UDP mode
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT

# Allow outgoing Echo Request and incoming Echo Reply if using ICMP traceroute
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

Linux (UDP default):

$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.312 ms  0.287 ms  0.265 ms
 2  10.0.0.1  5.102 ms  5.075 ms  5.052 ms

Windows (ICMP):

C:\>tracert 8.8.8.8
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     5 ms     4 ms     4 ms  10.0.0.1

Modern traceroute implementations offer protocol selection:

# Force ICMP mode (Linux)
traceroute -I www.google.com

# Force UDP mode (when ICMP is default)
traceroute -U www.google.com

# TCP variant (useful when UDP or ICMP probes are filtered; here a SYN to port 80)
traceroute -T -p 80 www.google.com

Understanding these protocol differences is crucial when debugging network connectivity issues or configuring firewall rules that need to permit traceroute diagnostics while maintaining security.