如何识别traceroute包?

时间:2016-03-07 08:08:45

标签: c networking wireshark pcap traceroute

我正在使用C并使用pcap库来分析包含在执行traceroute期间发送/接收的数据包的上限文件。我遇到的问题是识别从traceroute发送/接收的数据包,因为上限文件也包含其他数据包。

在尝试确定任何给定数据包是否来自traceroute时,是否有任何特定标准可以检查?或者这不可能吗?

非常感谢您提供的任何帮助/建议。

2 个答案:

答案 0 :(得分:2)

$ man traceroute

TRACEROUTE(8)             BSD System Manager's Manual            TRACEROUTE(8)

NAME
     traceroute -- print the route packets take to network host

    ...


     -I      Use ICMP ECHO instead of UDP datagrams.  (A synonym for "-P
             icmp"). 

    ...


     This program attempts to trace the route an IP packet would follow to   
     some internet host by launching UDP probe packets with a small ttl (time
     to live) then listening for an ICMP "time exceeded" reply from a gateway.
     We start our probes with a ttl of one and increase by one until we get an
     ICMP "port unreachable" (which means we got to "host") or hit a max 
     (which defaults to net.inet.ip.ttl hops & can be changed with the -m
     flag).  Three probes (changed with -q flag) are sent at each ttl setting
     and a line is printed showing the ttl, address of the gateway and round
     trip time of each probe.  If the probe answers come from different gate-
     ways, the address of each responding system will be printed.  If there is
     no response within a 5 sec. timeout interval (changed with the -w flag),
     a "*" is printed for that probe.

     We don't want the destination host to process the UDP probe packets so
     the destination port is set to an unlikely value (if some clod on the  
     destination is using that value, it can be changed with the -p flag).

因此,默认情况下,traceroute数据包是发送到某个随机端口的UDP数据包;这使他们有点难以区别于其他流量。

如果某人使用-I选项,它将使用ICMP ECHO数据包,这些数据包更容易与其他流量区分开来,尽管不容易区分,例如来自“ping”命令。

可以尝试寻找小TTL的数据包。

答案 1 :(得分:0)

程序traceroute通过发送带有递增IP TTL字段的UDP / ICMP数据包来工作。与典型应用程序发送的内容(我的64位)相比,这些IP TTL字段通常非常小。

因此,如果使用

过滤器捕获

ip.ttl< 20

您可能会收到这些数据包(您可以调整上述过滤器中的数字),请记住,如果您靠近运行traceroute程序的主机,您甚至可以通过" ip.ttl< 5"