[Contents] [Prev] [Next] [Index] [Report an Error]

Traceroute

Traceroute is a tool for displaying the route that packets take to a network host. It uses the IP TTL field to trigger ICMP time-exceeded messages from routers or gateways. It sends UDP datagrams to destination ports that are believed to be not in use; destination ports are numbered using the formula: + nhops – 1. The default base port is 33434. To support traceroute through the firewall, two types of traffic must be passed through:

  1. UDP probe packets (UDP destination port > 33000, IP TTL< 30)
  2. ICMP response packets (ICMP type time-exceeded)

When NAT is applied, the IP address and port within the ICMP error packet also need to be changed.

Support of stateful firewall and NAT services requires you to configure the Traceroute ALG for UDP destination port 33434 to 33450. In addition, you can configure the TTL threshold to prevent UDP flood attacks with large TTL values.

[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.