Interesting Traces - Wrong Router Response from Traceroute



traceroute 10.115.230.105
traceroute to 10.115.230.105 (10.115.230.105), 30 hops max, 40 byte packets
 1  10.115.0.1 (10.115.0.1)  26 ms  5 ms  7 ms
 2  *  *  *

On the face of it the above output from traceroute is not very interesting. BUT the system that this was captured on has an IP address of 192.168.210.10 with a default gateway of 192.168.210.250. No other routes are defined, so why is the first hop coming from 10.115.0.1 and not 192.168.210.250?

A trace taken with VOS's packet_monitor shows the UDP packet going out from the interface with a TTL of 1 (VOS uses UDP packets for traceroute) and the response coming back from 10.115.0.1. The TTL of the response is ff (255), so we know that this is the first hop.

10:50:46.001 Xmit Ether Dst 00:09:7c:8d:ab:60  Src 00:00:a8:8f:83:67 Type 0800 (IP)                                                                         
IP   Ver/HL 45, ToS  0, Len   28, ID    1, Flg/Frg    0, TTL  1,  Prtl 11
          Cksum  3635, Src c0a8d20a, Dst 0a73e669                             
UDP from 192.168.210.10.52041 to 10.115.230.105.33435 Cksum 0000, 20. data bytes.                                                                      

10:50:46.003 Rcvd Ether Dst 00:00:a8:8f:83:67  Src 00:09:7c:8d:ab:60 Type 0800  (IP)    
IP   Ver/HL 45, ToS c0, Len   38, ID 47e4, Flg/Frg    0, TTL ff,  Prtl  1      
          Cksum  d5f9, Src 0a730001, Dst c0a8d20a
ICMP from 10.115.0.1 to 192.168.210.10		time excdd                            

The key is to look at the destination MAC address of the UDP packet and the source MAC address of the ICMP packet. Even though the default route has an IP address of 192.168.210.250 and the reply is coming from 10.115.0.1, the MAC addresses are the same. It turns out that the router has an address on both networks and is responding with the 10.115.0.1 IP address.
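
The MAC comparison described above, as an added example that is not part of the original page: a Python sketch that parses the two packet_monitor frames shown here and reports whether the ICMP reply came from the same layer-2 device the probe was sent to. The field layout is inferred from this one capture, and the function names are hypothetical.

```python
import ipaddress
import re

# The two frames from the capture on this page (trailing whitespace trimmed).
TRACE = """\
10:50:46.001 Xmit Ether Dst 00:09:7c:8d:ab:60  Src 00:00:a8:8f:83:67 Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   28, ID    1, Flg/Frg    0, TTL  1,  Prtl 11
          Cksum  3635, Src c0a8d20a, Dst 0a73e669
UDP from 192.168.210.10.52041 to 10.115.230.105.33435 Cksum 0000, 20. data bytes.

10:50:46.003 Rcvd Ether Dst 00:00:a8:8f:83:67  Src 00:09:7c:8d:ab:60 Type 0800  (IP)
IP   Ver/HL 45, ToS c0, Len   38, ID 47e4, Flg/Frg    0, TTL ff,  Prtl  1
          Cksum  d5f9, Src 0a730001, Dst c0a8d20a
ICMP from 10.115.0.1 to 192.168.210.10  time excdd
"""

ETHER = re.compile(r"(Xmit|Rcvd) Ether Dst ([0-9a-f:]{17})\s+Src ([0-9a-f:]{17})", re.I)
IPHDR = re.compile(r"TTL\s+([0-9a-f]+),\s+Prtl\s+([0-9a-f]+)", re.I)
ADDRS = re.compile(r"Src ([0-9a-f]{8}), Dst ([0-9a-f]{8})", re.I)

def hex_ip(h):
    # packet_monitor prints IP addresses as 8 hex digits, e.g. c0a8d20a
    return str(ipaddress.IPv4Address(int(h, 16)))

def parse(trace):
    frames = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        e, i, a = ETHER.search(block), IPHDR.search(block), ADDRS.search(block)
        if e and i and a:  # TTL and protocol are printed in hex as well
            frames.append({"dir": e[1], "dst_mac": e[2].lower(), "src_mac": e[3].lower(),
                           "ttl": int(i[1], 16), "proto": int(i[2], 16),
                           "src_ip": hex_ip(a[1]), "dst_ip": hex_ip(a[2])})
    return frames

def check_first_hop(frames, gateway_ip):
    # First transmitted UDP probe (proto 17) and first received ICMP (proto 1).
    probe = next(f for f in frames if f["dir"] == "Xmit" and f["proto"] == 17)
    reply = next(f for f in frames if f["dir"] == "Rcvd" and f["proto"] == 1)
    same_device = reply["src_mac"] == probe["dst_mac"]
    if not same_device:
        verdict = "reply from a different layer-2 device"
    elif reply["src_ip"] != gateway_ip:
        verdict = "gateway answering from another interface address"
    else:
        verdict = "expected gateway"
    return {"reply_ip": reply["src_ip"], "reply_ttl": reply["ttl"],
            "same_mac_as_gateway": same_device, "verdict": verdict}
```

Calling `check_first_hop(parse(TRACE), "192.168.210.250")` gives the multi-homed verdict for this capture; a reply from a MAC other than the gateway's would instead point to a different device on the segment answering the probe.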

This page was last modified on 06-09-17
Send comments and suggestions to ndav1@cox.net