How does TCP Ping or Traceroute Work?


I believe you are referring to these utilities:

http://www.vdberg.org/~richard/tcpping.html

http://michael.toren.net/code/tcptraceroute/

Since tcpping requires tcptraceroute, I'll start with tcptraceroute.

The author of tcptraceroute states that unlike a traditional traceroute, "By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters."

Further: It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host.

So, tcptraceroute does not measure the time it takes to complete the three-way handshake because that never happens. It measures the time from the initial SYN to the SYN/ACK. This is sometimes referred to as a half-open connection scan.

From the nmap manpage:

          This technique is often referred to as half-open scanning,
          because you don’t open a full TCP connection. You send a SYN
          packet, as if you are going to open a real connection and then
          wait for a response. A SYN/ACK indicates the port is listening
          (open), while a RST (reset) is indicative of a non-listener. If
          no response is received after several retransmissions, the port
          is marked as filtered. The port is also marked filtered if an
          ICMP unreachable error (type 3, code 1,2, 3, 9, 10, or 13) is
          received.

As to your packet size question, the above description also has the answer. Since tcptraceroute sends a standard SYN packet, it should be a small packet, perhaps 64 bytes.

Author by

GeorgeU

Updated on September 18, 2022
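
The SYN to SYN/ACK timing and the open/closed/filtered classification described in the answer above, as an added example that is not part of the original answer and is not code from tcpping or tcptraceroute. It assumes an ordinary unprivileged `connect()` rather than raw SYN packets, so unlike tcptraceroute it does complete the handshake; the names `tcp_ping` and `demo_on_loopback` are hypothetical, and the listener it probes is constructed locally.

```python
import socket
import time


def tcp_ping(host, port, timeout=1.0):
    """Send one TCP probe and return (state, rtt_seconds).

    connect() returns as soon as the SYN/ACK arrives, so the elapsed time
    approximates the SYN -> SYN/ACK round trip. No payload is sent, so
    there is no packet-size knob as there is with ICMP ping.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.perf_counter()
    try:
        sock.connect((host, port))
        state = "open"        # SYN/ACK received: a listener answered
    except ConnectionRefusedError:
        state = "closed"      # RST received: host reachable, no listener
    except socket.gaierror:
        raise                 # name resolution failed: not a probe result
    except OSError:
        state = "filtered"    # timeout or ICMP unreachable: no usable reply
    finally:
        rtt = time.perf_counter() - start
        sock.close()
    return state, rtt


def demo_on_loopback():
    """Probe a constructed local listener, then the same port once it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = tcp_ping("127.0.0.1", port)
    listener.close()
    closed_result = tcp_ping("127.0.0.1", port)
    return open_result, closed_result


if __name__ == "__main__":
    for state, rtt in demo_on_loopback():
        print(f"{state:8s} rtt={rtt * 1000:.3f} ms")
```

For the "closed" and "filtered" cases the returned time is the wait for the RST or the timeout, not a SYN/ACK round trip.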

Comments

  • GeorgeU
    GeorgeU over 1 year

    How does the tcp ping or traceroute work? Does it take into account just the time it takes to establish the TCP handshake?

    Also in ICMP ping you can specify the packet size, can this be achieved in TCP ping?

    • Philip
      Philip almost 13 years
      I don't know anyone that runs a tcp echo server; perhaps you mean UDP?
    • GeorgeU
      GeorgeU almost 13 years
      My understanding is that there are tools that do this without the ECHO. What they do is they send a SYN packet to the router on port 80 and wait for the ACK. I just want to confirm this is what it is... here is a commercial tool netscantools.com/nstpro_ping.html
  • Orbling
    Orbling almost 13 years
    +1 But it does not have to send three, that is arbitrary and controllable, and it sends ICMP packets not UDP as a rule.
  • GeorgeU
    GeorgeU almost 13 years
    The question is not about the traditional traceroute which utilizes ICMP, or the UDP alternate. It is specifically for Traceroute that relies on TCP packets.
  • Spiff
    Spiff almost 13 years
    @Orbling the original Unix traceroute, and all Un*x-like traceroutes to this day by default send UDP packets out, and get ICMP time exceeded packets back. You might be thinking of a nonstandard implementation of traceroute, such as Microsoft's "tracert".