How does TCP Ping or Traceroute Work?
I believe you are referring to these utilities:
http://www.vdberg.org/~richard/tcpping.html
http://michael.toren.net/code/tcptraceroute/
Since tcpping requires tcptraceroute, I'll start with tcptraceroute.
The author of tcptraceroute states that unlike a traditional traceroute, "By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters."
Further: It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host.
So, tcptraceroute does not measure the time it takes to complete the three-way handshake because that never happens. It measures the time from the initial SYN to the SYN/ACK. This is sometimes referred to as a half-open connection scan.
From the nmap manpage:
"This technique is often referred to as half-open scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received."
As to your packet size question, the above description also has the answer. Since tcptraceroute sends a standard SYN packet, it should be a small packet, perhaps 64 bytes.
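To make the answer concrete, here is an added simulation (not code from tcptraceroute or nmap) of what the answer describes: a SYN is sent with an increasing TTL, intermediate routers answer with ICMP time exceeded, and the destination answers with SYN/ACK or RST, which is also the point where the RTT is taken. The response-to-state mapping follows the nmap manpage quoted above. The hop addresses, per-hop delay and port states are constructed; no packets are sent.

```python
"""Constructed model of tcptraceroute / half-open SYN probing. No network I/O."""
from dataclasses import dataclass

# ICMP type 3 codes that the quoted nmap manpage maps to "filtered"
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    kind: str            # "syn_ack", "rst", "icmp_ttl_exceeded", "icmp_unreach", "none"
    src: str = ""        # address the reply came from ("" when nothing came back)
    rtt_ms: float = 0.0  # time from our SYN to this reply
    icmp_code: int = 0   # only meaningful for icmp_unreach


def classify_port(resp: Response) -> str:
    """Port state per the nmap rules: SYN/ACK open, RST closed, silence/unreachable filtered."""
    if resp.kind == "syn_ack":
        return "open"
    if resp.kind == "rst":
        return "closed"
    if resp.kind == "none":          # nothing after retransmissions
        return "filtered"
    if resp.kind == "icmp_unreach" and resp.icmp_code in FILTERED_UNREACH_CODES:
        return "filtered"
    return "unknown"


def send_syn(path, port_state, ttl, per_hop_ms=5.0) -> Response:
    """What one SYN with the given TTL elicits from the constructed path.

    path: list of hop addresses, the last one being the destination.
    port_state: "open", "closed" or "filtered" at the destination.
    """
    if ttl < len(path):              # TTL expires at an intermediate router
        return Response("icmp_ttl_exceeded", path[ttl - 1], per_hop_ms * ttl)
    dest, rtt = path[-1], per_hop_ms * len(path)
    if port_state == "open":
        return Response("syn_ack", dest, rtt)   # we never send the final ACK: half-open
    if port_state == "closed":
        return Response("rst", dest, rtt)
    return Response("none")                     # silently dropped by a filter


def tcp_traceroute(path, port_state, max_ttl=30):
    """Probe with TTL 1..max_ttl; stop once the destination itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        resp = send_syn(path, port_state, ttl)
        hops.append((ttl, resp.src or "*", resp.rtt_ms, resp.kind))
        if resp.kind in ("syn_ack", "rst"):
            break
    return hops
```

The RTT recorded on the last hop is exactly the SYN-to-SYN/ACK (or SYN-to-RST) time, and nothing in the model ever completes a handshake.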
GeorgeU
Updated on September 18, 2022
Comments
GeorgeU over 1 year: How does the TCP ping or traceroute work? Does it take into account just the time it takes to establish the TCP handshake?
Also, in ICMP ping you can specify the packet size; can this be achieved in TCP ping?
Philip almost 13 years: I don't know anyone that runs a TCP echo server; perhaps you mean UDP?
GeorgeU almost 13 years: My understanding is that there are tools that do this without the ECHO. What they do is send a SYN packet to the router on port 80 and wait for the ACK. I just want to confirm this is what it is... here is a commercial tool: netscantools.com/nstpro_ping.html
Orbling almost 13 years: +1 But it does not have to send three, that is arbitrary and controllable, and it sends ICMP packets, not UDP, as a rule.
GeorgeU almost 13 years: The question is not about the traditional traceroute which utilizes ICMP, or the UDP alternate. It is specifically for traceroute that relies on TCP packets.
Spiff almost 13 years: @Orbling the original Unix traceroute, and all Un*x-like traceroutes to this day, by default send UDP packets out and get ICMP time exceeded packets back. You might be thinking of a nonstandard implementation of traceroute, such as Microsoft's "tracert".