Housekeeping for traceroute and instant messaging
Gearhead has a little housekeeping to do: To wit, wrapping up the discussion of traceroute (NW, July 12, page 42).
A number of you wrote to argue that traceroute doesn't use Internet Control Message Protocol (ICMP) echo commands as Gearhead claimed. For example, astute and informed reader Michael Borowiec wrote pointing out that the original author of traceroute, Van Jacobson of Lawrence Berkeley Labs, included the following comments in the source code:
"Probe packets are UDP format. We don't want the destination host to process them so the destination port is set to an unlikely value (if some clod on the destination is using that value, it can be changed with the -p flag)."
Borowiec went on to note that, "Probe packets are sent to UDP ports starting at 33434, incrementing by 1 for each hop, up to 30 hops (by default, ending at 33464). Here's the declaration for the starting port number: u_short port = 32768+666; Curious how the author . . . derives the starting port number as 32K plus the number of the Beast!"
This was an interesting observation on the numerological significance of port assignments and how ports are used. And the reader is quite correct: Unix systems do indeed use only UDP packets, and I did neglect to mention this.
It turns out that the use of ICMP echo requests is a Microsoft perversion implemented in the version of traceroute the company calls tracert. Microsoft's reason for the use of ICMP over UDP can only be guessed at, but the theories could probably keep the Justice Department busy for another year or two.
Amazingly brainy reader Allen Robel noted, "What [Microsoft] has done is not bad, just different. The difference is important to know about though, since you may get varied results depending on [whose] implementation you use. For example, differences may be observed when traversing firewalls, or [quality-of-service] capable switches, depending on how these are configured."
Another reader, the excellently informed Ron Atkinson, pointed out that there are some consequences to this difference in how routers respond:
"You'll notice the ones that don't report . . . are the newer routers that connect different backbones. For the past 10 years that I've run TCP/IP, all the routers have always reported back. If you run 'tracert' you'll notice some don't report, but quite often (not always though) the missing routers will report when you do a 'traceroute'."
Atkinson also points out that another reason some routers don't respond is many ISPs configure their routers so ICMP echo requests are a very low priority.
"You might ping a router sometime and have something like 128 msec round-trip, then you ping a computer behind the router and have a 60 msec round-trip," he says.
As if that weren't enough, Atkinson also says that firewalls and packet filters may make routers "nonpingable" from outside the network to prevent hackers from performing denial-of-service attacks.
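An added example, not code from the column or from the traceroute source: a Python classifier that tells the two probe styles apart in raw IPv4 packets, the distinction a firewall or packet-filter rule has to make. The port window comes from the figures quoted above; the TTL cutoff, the labels and the sample packets are constructed assumptions.

```python
import struct

PORT_FIRST = 32768 + 666      # 33434, the starting port from the quoted declaration
PORT_LAST = PORT_FIRST + 30   # 33464, the default end of the range quoted above
MAX_TTL = 30                  # assumption: a probe's TTL never exceeds the 30-hop default

def classify_probe(packet: bytes):
    """Return (style, detail) for a raw IPv4 packet that looks like a
    traceroute probe, or None. The labels are heuristic, not proof of sender OS."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    ttl, proto = packet[8], packet[9]
    payload = packet[ihl:]
    if ihl < 20 or ttl > MAX_TTL or len(payload) < 8:
        return None
    if proto == 17:                       # UDP: check the destination port window
        _sport, dport = struct.unpack("!HH", payload[:4])
        if PORT_FIRST <= dport <= PORT_LAST:
            return ("unix-traceroute", dport - PORT_FIRST)   # offset from 33434
    elif proto == 1:                      # ICMP: echo request is type 8, code 0
        if payload[0] == 8 and payload[1] == 0:
            return ("windows-tracert", struct.unpack("!H", payload[6:8])[0])  # sequence
    return None

def ipv4(ttl, proto, payload):
    """Build a constructed IPv4 packet (checksum left at zero) for the samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

# Constructed sample packets using documentation address ranges.
SAMPLES = {
    "udp hop 3": ipv4(3, 17, struct.pack("!HHHH", 40000, 33436, 8, 0)),
    "icmp echo": ipv4(2, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 5)),
    "dns query": ipv4(64, 17, struct.pack("!HHHH", 40000, 53, 8, 0)),
}

def classify_samples():
    return {name: classify_probe(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(name, "->", result)
```

A filter that permits only one of these two styles will make the other implementation's trace appear to stall at that hop, which is the kind of varied result the readers describe.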
So there you are, the final clinical details of traceroute. Don't you feel a better person? Fresh as a mountain spring? OK, so it's been a long week.
Another issue that Gearhead would like to mention is Backspin's recent comment on the instant messaging fracas (NW, Aug. 2, page 54). The column read, "I'd love to see the Internet Engineering Task Force or the World Wide Web Consortium get ultradynamic and get involved."
That made it sound like there's nothing that either group is doing. Actually, the IETF has a proposal on the table (www.ietf.org/html.charters/impp-charter.html), but to be fair to Backspin, it is still a long way from the marketplace.
Route messages instantly to gh@gibbs.com.
