This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use Wireshark to do a “TCP Trace Route”?


Hello...

I have a problem where I cannot connect to a remote server. A Wireshark capture from my (client) end shows my TCP SYN packets receive no response. But, how to tell if the SYN is making it to the server, and being ignored, or... if the SYN gets dropped by a firewall/router, and never arrives at the server???

An ICMP-based TraceRoute is no good, because PINGs are often blocked by firewalls. So, a TraceRoute will tell me how far an ICMP packet gets, but it won't tell me how far my TCP packet gets.

I seem to remember that one can use Wireshark to edit and generate packets. If so, I thought it might not be too hard to create a series of TCP SYN packets, with ever increasing TTL values, to mimic a trace route.

Has anyone done this? If not, does it seem like something that could be done with, perhaps, an hour's worth of effort?

thx, feenyman99

asked 17 Jun '11, 16:47

feenyman99


One Answer:


No, Wireshark does not have the capability to edit or generate packets. Colasoft Packet Builder will do what you want. It allows you to generate TCP packets, to set the SYN bit, to edit the TTL, and then to transmit those packets onto the network.

Does this remote server belong to your organization? If not, the information returned by your TCP traceroute may not be all that helpful. Since you get no response (no SYN/ACK, no RST, no ICMP Destination Unreachable), something along the path is silently dropping your SYN packet. Your TCP traceroute should get an ICMP Time-to-Live Exceeded in Transit packet back from every device along the path that processes your packet. So, the device that's dropping your packet is likely the one AFTER the last one that responds. Unless you have some knowledge of the remote network, you won't know whether that next device is the server or a firewall or router, especially if NAT is deployed in the remote network.

If the remote server does belong to your organization, it might be quicker to have someone at the remote site do some Wireshark captures.

BTW, it's also possible, although unlikely, that your SYN is getting through, but the SYN/ACK is not getting back.

answered 17 Jun '11, 17:54

Jim Aragon
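For anyone who wants to see what the probes described in the answer actually look like on the wire, here is an added example (not from the original thread, and not Colasoft's or Wireshark's code) that builds the series of TCP SYN packets with increasing TTL in plain Python. It stores each probe's TTL in the IPv4 Identification field so that the quoted header inside an ICMP Time Exceeded reply can be matched back to its hop; the addresses, ports and the "IP ID = TTL" convention are assumptions for illustration.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by both IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn_probe(src_ip: str, dst_ip: str, sport: int, dport: int, ttl: int) -> bytes:
    """IPv4 + TCP SYN with the given TTL. Assumed convention: IP ID = TTL, so an
    ICMP Time Exceeded quote identifies which hop answered."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: data offset 5 (20 bytes), flags 0x02 = SYN only, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, protocol 6; checksum filled in last
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ttl, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def build_probe_series(src_ip: str, dst_ip: str, dport: int,
                       max_ttl: int = 30, sport: int = 40000) -> list:
    """One SYN per hop, TTL 1..max_ttl, each from its own source port."""
    return [build_syn_probe(src_ip, dst_ip, sport + ttl, dport, ttl)
            for ttl in range(1, max_ttl + 1)]

def verify_probe(pkt: bytes) -> bool:
    """Recompute both checksums over a finished packet; each must fold to 0."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0

def hop_from_icmp_quote(quoted: bytes) -> int:
    """An ICMP Time Exceeded carries the original IP header plus 8 bytes of TCP;
    read back the IP ID we set to the TTL to learn which probe this answers."""
    return struct.unpack("!H", quoted[4:6])[0]

# Sending requires a privileged raw socket with IP_HDRINCL, e.g.
#   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
#   s.sendto(pkt, (dst_ip, 0))
# and a capture (Wireshark) to watch which hops return ICMP Time Exceeded.
```

As the answer notes, the hop that silently drops the SYN is the one after the highest TTL that still produced an ICMP Time Exceeded reply.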

Jim,

I just downloaded Colasoft - it looks like just what I need. I'll play with that a little later. Awesome thanx!!!

"Does this remote server belong to your organization?"

Yes and No. They belong to my overall organization (LARGE global company), but to a different team, and I'm brand new to this organization, with no technical contacts yet, so, for several reasons, I'd like to gather all the evidence before I go looking for help.

"So, the device that's dropping your packet is likely the one AFTER the last one that responds."

Great point! But, minimally, I can provide evidence that a network component is dropping the SYN, and not the server. This should help get the right team (network vs. server) involved, when I go asking for help. If I can get the network team involved, they should be able to tell me what the next device in the path is, that is dropping the SYN.

THANX for your tool recommendation, and your comments! They are helping me to crystallize my game plan :-)

feenyman99

(18 Jun '11, 05:59) feenyman99

SUCCESS!! I was able to use Colasoft Packet Builder to do a "TCP Trace Route", sending several SYN packets, with increasing TTL. It worked like a charm, and proved that something is dropping my SYN packet before it gets to the server. (It's the same device where the ICMP Traceroute dies.)

Thanx, Jim, for your Colasoft reference - invaluable!!

feenyman99

(18 Jun '11, 20:26) feenyman99

(converted your answers to comments, see the FAQ)

(19 Jun '11, 14:27) SYN-bit ♦♦