From: Dave Taht
To: Maciej Soltysiak
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Mon, 4 Feb 2013 08:37:41 -0800
Subject: Re: [Cerowrt-devel] ping icmp ttl exceeded
List-Id: Development issues regarding the cerowrt test router project

On Mon, Feb 4, 2013 at 6:17 AM, Maciej Soltysiak wrote:

> On Mon, Feb 4, 2013 at 8:41 AM, Dave Taht wrote:
>
>> Heh. It turned out I'd left mtr running in another window...
>
> Yeah, exactly. Decreasing TTLs suggest traceroute tools :-)
>

Well in this case I've still been chasing the crc bug I'd encountered and
some problems with the double nat I'm still dealing with. I'd got pdsh up
and had been issuing commands like

pdsh -a -l root 'fping -C 2 -q 8.8.8.8'

(which -a finds all routers in /etc/genders, and simultaneously as possible
executes the ping command)

So I thought maybe I'd done an infinite ping or there was a real routing
problem for the 5 minutes after I'd written that email.

This, btw, is, so far as I know, now the world's most complex, meshed, and
nfq_codeled wifi/ethernet network. snmp is up too, but I struggle to get
useful information out of minstrel and codel's drop stats as yet. I think
adding better kernel support for the latter would be nice (some sort of
netlink message containing the dropped packet and why)

The longest path through it:

http://pastebin.com/kWAXJS6d

(pdsh is also very useful for things like 'opkg update; opkg install
something', when a network gets this large and complex)

I can certainly see why being able to specify a route was very important in
the early protocol design of the imps and ip, and am kind of sorry it
proved problematic in terms of security.

>
> As Ketan noted, it's best to decode what's in the ICMP TTL exceeded
> payload to see what packet triggered this.
>
> traceroute uses ICMP ECHO REQUEST
> tracepath uses UDP
> tcptraceroute uses TCP SYN (this tool is actually useful to check if
> your packets go different routes depending on the port they're going to,
> e.g. detecting a transparent proxy which shows up for port 80, but not for
> others)
>
> There are other tools which could be used to do the same with different
> types of packets, say, crafting a fake ICMP ECHO REPLY to see how good at
> being stateful are the firewalls on the path.
>
> Regards,
> Maciej
>

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

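
The suggestion quoted in the message above, decoding the packet quoted inside an ICMP TTL exceeded message to see which probe triggered it, as an added example that is not part of the original thread. The names parse_time_exceeded and build_sample are hypothetical, and the sample packets are constructed (addresses and ports are made up, checksums are left zero).

```python
import socket
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_time_exceeded(icmp: bytes) -> dict:
    """Decode the packet quoted in an ICMP Time Exceeded message.

    `icmp` starts at the ICMP header (outer IP header already stripped).
    """
    if len(icmp) < 8 + 20:
        raise ValueError("too short to hold a quoted IPv4 header")
    if icmp[0] != 11:                      # ICMP type 11 = Time Exceeded
        raise ValueError(f"not Time Exceeded (type {icmp[0]})")
    inner = icmp[8:]                       # skip type/code/checksum + 4 unused
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed quoted IPv4 header")
    proto = inner[9]
    info = {
        "code": icmp[1],                   # 0 = TTL exceeded in transit
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
    }
    l4 = inner[ihl:]                       # RFC 792 guarantees only 8 bytes
    if len(l4) < 8:
        info["truncated"] = True
        return info
    if proto == 1:                         # quoted ICMP: type, id, sequence
        info["icmp_type"], _, _, info["id"], info["seq"] = struct.unpack("!BBHHH", l4[:8])
    elif proto in (6, 17):                 # TCP and UDP both start with ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        if proto == 6:                     # flags are byte 13, past the 8 bytes
            info["syn"] = bool(l4[13] & 0x02) if len(l4) > 13 else None
    return info

def build_sample(proto: int, l4: bytes) -> bytes:
    """Constructed sample: Time Exceeded quoting a probe to 8.8.8.8."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 1, proto, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("8.8.8.8"))
    return struct.pack("!BBHI", 11, 0, 0, 0) + ip + l4   # checksums left zero

if __name__ == "__main__":
    print(parse_time_exceeded(build_sample(17, struct.pack("!HHHH", 40000, 33434, 8, 0))))
```

When a router quotes only the minimum 8 bytes of the original transport header, the TCP flags are not included, so "syn" comes back as None rather than a guess.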