Re: traceroute

Discussion in 'Cisco' started by Walter Roberson, Jan 11, 2005.

  1. In article <>,
    Vikram <> wrote:
    :I have noticed that by increasing the packet size on the traceroute
    :options, an intermediate catalyst switch/router ( L2/L3) drops the
    :packet. Do you have any idea why this might be the case? there are no
    :firewall implemented on the catalyst switch, which also acts as a

    If by 'catalyst' you refer to Cisco Catalyst line of switches,
    then this question would have been better put to .
    I have cross-posted this reply to there and set follow-ups to there.

    Question: are you using unix 'traceroute', or Windows 'tracert' ?
    unix 'traceroute' uses udp packets; Windows 'tracert' uses icmp
    packets. If you are using Windows 'tracert' then what you might
    be running into is that on some of Cisco's equipment, they have
    put in a feature that drops icmp packets which are of length 1000
    or higher, as part of denial-of-service protection. There is no
    way to change the limit or disable it on Cisco PIX firewalls;
    I do not know about CatOS or IOS.

    Another possibility is that the magic length is -exactly- 92 bytes
    and you are using Windows 'tracert'. If 92 byte packets fail
    [including the layer 2 and layer 3 information] but 91 and 93 succeed,
    then someone has enabled Nachi Worm Mitigation on the Catalyst.
    This is not implemented by firewall features: it is implemented by
    an access-list applied to an interface.

    If the above does not solve the problem, then please indicate
    which switch model you are using, which OS (CatOS on the switch blade
    and IOS on the router module? Hybrid? Native?), which OS version(s),
    which feature sets if you are using IOS; also please clarify which
    kind of traceroute you are using and what packet size it breaks at.
    vi -- think of it as practice for the ROGUE Olympics!
    Walter Roberson, Jan 11, 2005
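The size-probing test described above (91/92/93 bytes for the fixed-length ACL, 999/1000 for the large-ICMP drop) can be scripted so the result pattern is classified consistently instead of eyeballed. The following is an added example written for this archive, not code from Walter or from Cisco. It assumes a 20-byte IPv4 header with no options, so the ICMP data size is the on-wire length minus 28; that the length an interface ACL matches is the IPv4 datagram length (adjust the header constants if you want to count layer 2 framing as well); the `ping -s`/`-W` flags of Linux iputils and `-l`/`-w` of Windows ping; and a placeholder target of 192.0.2.1 (documentation range, not a real host).

```python
"""Classify ICMP echo results by packet size: exact-length ACL drop (Nachi
signature), ICMP >= 1000 bytes dropped, a plain size threshold, or nothing.
Added example; the ping invocation and header sizes are assumptions."""
from __future__ import annotations

import platform
import subprocess
import sys

IPV4_HEADER = 20  # assumption: no IPv4 options
ICMP_HEADER = 8   # echo request/reply header


def payload_for_wire_len(wire_len: int) -> int:
    """ICMP data bytes that make the IPv4 datagram exactly wire_len bytes.
    Linux `ping -s N` and Windows `ping -l N` both count data bytes only."""
    if wire_len < IPV4_HEADER + ICMP_HEADER:
        raise ValueError("wire length smaller than IPv4 + ICMP headers")
    return wire_len - IPV4_HEADER - ICMP_HEADER


def build_ping_cmd(host: str, wire_len: int, system: str) -> list[str]:
    """One echo request of the requested on-wire size with a 2 s timeout.
    `system` is the platform.system() string ('Linux' or 'Windows')."""
    data = str(payload_for_wire_len(wire_len))
    if system == "Windows":
        return ["ping", "-n", "1", "-w", "2000", "-l", data, host]
    return ["ping", "-c", "1", "-W", "2", "-s", data, host]


def probe(host: str, wire_len: int) -> bool:
    """True when a reply came back (ping exited 0). Needs a real network,
    so it is not part of the offline checks below."""
    cmd = build_ping_cmd(host, wire_len, platform.system())
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def classify(results: dict[int, bool]) -> tuple[str, int | None]:
    """Map {wire_len: replied} to a pattern:
      ('none', None)        every size got a reply
      ('exact', N)          only N failed while N-1 and N+1 passed: fixed-length ACL
      ('large-icmp', 1000)  999 passed and 1000 failed: the ICMP >= 1000 drop
      ('threshold', N)      everything below N passed, N and above failed:
                            MTU/fragmentation or a size policy; probe 999/1000 next
      ('mixed', None)       no clean pattern, probe more sizes
    """
    failed = sorted(s for s, ok in results.items() if not ok)
    passed = sorted(s for s, ok in results.items() if ok)
    if not failed:
        return ("none", None)
    # An isolated failure with both neighbours replying is the exact-length signature.
    for s in failed:
        if results.get(s - 1) and results.get(s + 1):
            return ("exact", s)
    # Monotone pattern: all passes are smaller than the smallest failure.
    if not passed or passed[-1] < failed[0]:
        if failed[0] == 1000 and 999 in passed:
            return ("large-icmp", 1000)
        return ("threshold", failed[0])
    return ("mixed", None)


def sweep(host: str, sizes: list[int]) -> tuple[str, int | None]:
    """Probe each on-wire size once and classify the outcome."""
    return classify({s: probe(host, s) for s in sizes})


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder host
    print("91/92/93 sweep:", sweep(target, [91, 92, 93]))
    print("999/1000/1001 sweep:", sweep(target, [999, 1000, 1001]))
```

Run it with the host you are tracing to as the only argument; a ('exact', 92) result is the access-list signature described above, ('large-icmp', 1000) the denial-of-service limit, and ('threshold', N) at some other size points at MTU or fragmentation rather than either of those. One echo per size is deliberate so that a rate limiter is not what you end up measuring; repeat a sweep before drawing a conclusion.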

  2. Vikram (Guest)

    Hi Walter,

    Thanks for your response.

    Sorry that I did not include some of the details of the scenario. I am
    doing traceroute from a netapp filer; the filer allows traceroute
    up to a packet size of 65495.

    The catalyst switch that I am talking about is a 6509 L2/L3 switch; it
    runs both CatOS (7.4.3) and IOS (12.1.2E).

    In case it happens to be a protection for denial of service, is there
    any way I could verify that?

    The destination host that I am trying to traceroute is a Redhat 7.3
    Linux box.

    Vikram, Jan 11, 2005