Interesting Traces - Wrong Router Response from Traceroute


traceroute to (, 30 hops max, 40 byte packets
 1 (  26 ms  5 ms  7 ms
 2  *  *  *

On the face of it the above output from traceroute is not very interesting. BUT the system that this was captured on has an IP address of with a default gateway of No other routes are defined, so why is the first hop coming from and not

A trace taken with VOS's packet_monitor shows the UDP packet go out from the interface with a TTL of 1 (VOS uses UDP packets for traceroute) and the response come back from The TTL of the response is ff so we know that this is the first hop.

10:50:46.001 Xmit Ether Dst 00:09:7c:8d:ab:60  Src 00:00:a8:8f:83:67 Type 0800 (IP)                                                                         
IP   Ver/HL 45, ToS  0, Len   28, ID    1, Flg/Frg    0, TTL  1,  Prtl 11
          Cksum  3635, Src c0a8d20a, Dst 0a73e669                             
UDP from to Cksum 0000, 20. data bytes.                                                                      

10:50:46.003 Rcvd Ether Dst 00:00:a8:8f:83:67  Src 00:09:7c:8d:ab:60 Type 0800  (IP)    
IP   Ver/HL 45, ToS c0, Len   38, ID 47e4, Flg/Frg    0, TTL ff,  Prtl  1      
          Cksum  d5f9, Src 0a730001, Dst c0a8d20a
ICMP from to		time excdd                            

The key is to look at the destination MAC address of the UDP packet and the source MAC address of the ICMP packet. Even though the default route has an IP address of and the reply is coming from the MAC addresses are the same. It turns out that the router has a address on both networks and is responding with the IP address.
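
The MAC comparison described above, as an added example that is not part of the original page: a small Python parser for the two packet_monitor frames in the trace. The field layout and the reading of header values as hexadecimal are inferred from the trace itself, and the function names are hypothetical.

```python
import ipaddress
import re

# The two frames from the trace above (Ethernet and IP header lines only,
# trailing whitespace trimmed).
TRACE = """\
10:50:46.001 Xmit Ether Dst 00:09:7c:8d:ab:60  Src 00:00:a8:8f:83:67 Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   28, ID    1, Flg/Frg    0, TTL  1,  Prtl 11
          Cksum  3635, Src c0a8d20a, Dst 0a73e669
10:50:46.003 Rcvd Ether Dst 00:00:a8:8f:83:67  Src 00:09:7c:8d:ab:60 Type 0800  (IP)
IP   Ver/HL 45, ToS c0, Len   38, ID 47e4, Flg/Frg    0, TTL ff,  Prtl  1
          Cksum  d5f9, Src 0a730001, Dst c0a8d20a
"""

ETHER = re.compile(r"(Xmit|Rcvd) Ether Dst ([0-9a-f:]{17})\s+Src ([0-9a-f:]{17})")
IP_HDR = re.compile(r"TTL\s+([0-9a-f]+),\s+Prtl\s+([0-9a-f]+)")
IP_ADDR = re.compile(r"Src ([0-9a-f]{8}), Dst ([0-9a-f]{8})")


def dotted(hex_ip):
    """Convert an 8-digit hex address from the trace to dotted-quad form."""
    return str(ipaddress.IPv4Address(int(hex_ip, 16)))


def parse_frames(text):
    """Return one dict per frame with direction, MACs, TTL, protocol and IPs."""
    frames = []
    for line in text.splitlines():
        if m := ETHER.search(line):
            frames.append({"dir": m[1], "mac_dst": m[2], "mac_src": m[3]})
        elif frames and (m := IP_HDR.search(line)):
            # Assumption: TTL and Prtl are hex (TTL ff = 255, Prtl 11 = UDP).
            frames[-1].update(ttl=int(m[1], 16), proto=int(m[2], 16))
        elif frames and (m := IP_ADDR.search(line)):
            frames[-1].update(ip_src=dotted(m[1]), ip_dst=dotted(m[2]))
    return frames


def first_hop_check(frames):
    """Compare the TTL-1 probe's next-hop MAC with the ICMP reply's source MAC."""
    probe = next(f for f in frames if f["dir"] == "Xmit" and f["ttl"] == 1)
    reply = next(f for f in frames if f["dir"] == "Rcvd" and f["proto"] == 1)
    return {
        "probe_next_hop_mac": probe["mac_dst"],
        "reply_ip": reply["ip_src"],
        # True means the reply came from the device the probe was handed to,
        # whatever source IP address that device chose to put in the reply.
        "reply_from_next_hop": reply["mac_src"] == probe["mac_dst"],
    }
```
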

This page was last modified on 06-09-17