Why can I traceroute to this IP address, but not ping?Traceroute Over TCP vs UDPIs there ever a scenario where there would be a 0 length response to an ECHO?traceroute many hops with the same ipHow to trace outgoing interfaces?can ping hosts but not gateways (no NAT)ARP table does not store devices responding to a broadcasted ping requesttraceroute and ping behaviour through cisco routerTCP - correlation between ACKs and receive window

Can someone still get the title of "Club Master?"

Can a stolen Android phone with USB debugging enabled have screen lock bypassed?

Uncooked peppers and garlic in olive oil fizzled when opened

Is velocity a valid measure of team and process improvement?

What are the downsides of Hodl Invoices?

Why does Thorin tell Bilbo that he has "keen eyes"?

Echo bracket symbol to terminal

How would a young girl/boy (about 14) who never gets old survive in the 16th century?

Gradients - complex shape - Illustrator

Precious Stone, as Clear as Diamond

C function to check the validity of a date in DD.MM.YYYY format

What does "speed checked" mean?

How does AT-AT deploy troops?

Can the Mending cantrip affix any surface to any other surface?

Where do overtones in a 555 generated square wave come from?

Suspicious connections coming from Firefox (possible malware)

Non-differentiable Lipschitz functions

Are there any spells that aren't on any class's spell list?

Dangers of being sympathetic to the killer

18-month-old kicked out of church nursery

Are effects pedals overkill for acoustic instruments?

How to help my son improve without being discouraging?

How much transparency about runway should I expect from startup employer?

Migrate foreign key type from char to binary - ways to deal with the fallout?

Why can I traceroute to this IP address, but not ping?

Traceroute Over TCP vs UDPIs there ever a scenario where there would be a 0 length response to an ECHO?traceroute many hops with the same ipHow to trace outgoing interfaces?can ping hosts but not gateways (no NAT)ARP table does not store devices responding to a broadcasted ping requesttraceroute and ping behaviour through cisco routerTCP - correlation between ACKs and receive window

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;

I have an IP address and can traceroute to it, but I can not ping.

You see, I can traceroute 43.224.226.50:

dele-MBP:~ ll$ traceroute 43.224.226.50
traceroute to 43.224.226.50 (43.224.226.50), 64 hops max, 52 byte packets
 1 router.asus.com (192.168.2.1) 2.082 ms 1.039 ms 0.924 ms
 2 100.64.0.1 (100.64.0.1) 3.648 ms 3.795 ms 3.955 ms
 3 118.112.212.225 (118.112.212.225) 4.252 ms 4.569 ms 4.168 ms
 4 171.208.203.73 (171.208.203.73) 6.378 ms
 171.208.198.25 (171.208.198.25) 6.943 ms
 171.208.203.61 (171.208.203.61) 7.055 ms
 5 202.97.36.225 (202.97.36.225) 38.149 ms
 202.97.36.221 (202.97.36.221) 39.949 ms
 202.97.36.225 (202.97.36.225) 40.780 ms
 6 202.97.90.158 (202.97.90.158) 37.894 ms
 202.97.94.146 (202.97.94.146) 39.885 ms 39.354 ms
 7 202.97.38.166 (202.97.38.166) 45.324 ms
 202.97.39.149 (202.97.39.149) 40.097 ms
 202.97.94.77 (202.97.94.77) 40.580 ms
 8 202.97.51.118 (202.97.51.118) 374.218 ms
 202.97.27.238 (202.97.27.238) 187.573 ms
 202.97.86.138 (202.97.86.138) 197.524 ms
 9 218.30.53.190 (218.30.53.190) 201.597 ms
 218.30.54.190 (218.30.54.190) 194.194 ms
 218.30.53.190 (218.30.53.190) 204.027 ms
10 182.54.129.91 (182.54.129.91) 220.026 ms 282.360 ms
 et-11-1-5.r01.laxus01.us.bb.bgp.net (182.54.129.38) 185.700 ms
11 182.54.129.91 (182.54.129.91) 229.700 ms 508.509 ms 266.683 ms
12 * 212.95.128.2 (212.95.128.2) 565.161 ms *
13 43.224.226.50 (43.224.226.50) 200.531 ms 201.911 ms 191.566 ms

But I can not ping it:

dele-MBP:~ ll$ ping 43.224.226.50
PING 43.224.226.50 (43.224.226.50): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11

If there is a ban on ICMP, traceroute should not work either. What's the reason for it?

I checked the server's firewall is stopped.

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

can it be that the timeout for ping is too restrictive, and it would have been successful, given more lenient time limits? Traceroute gave over 500 ms for some nodes.

– vsz
Jun 7 at 12:21

add a comment
|

I have an IP address and can traceroute to it, but I can not ping.

You see, I can traceroute 43.224.226.50:

dele-MBP:~ ll$ traceroute 43.224.226.50
traceroute to 43.224.226.50 (43.224.226.50), 64 hops max, 52 byte packets
 1 router.asus.com (192.168.2.1) 2.082 ms 1.039 ms 0.924 ms
 2 100.64.0.1 (100.64.0.1) 3.648 ms 3.795 ms 3.955 ms
 3 118.112.212.225 (118.112.212.225) 4.252 ms 4.569 ms 4.168 ms
 4 171.208.203.73 (171.208.203.73) 6.378 ms
 171.208.198.25 (171.208.198.25) 6.943 ms
 171.208.203.61 (171.208.203.61) 7.055 ms
 5 202.97.36.225 (202.97.36.225) 38.149 ms
 202.97.36.221 (202.97.36.221) 39.949 ms
 202.97.36.225 (202.97.36.225) 40.780 ms
 6 202.97.90.158 (202.97.90.158) 37.894 ms
 202.97.94.146 (202.97.94.146) 39.885 ms 39.354 ms
 7 202.97.38.166 (202.97.38.166) 45.324 ms
 202.97.39.149 (202.97.39.149) 40.097 ms
 202.97.94.77 (202.97.94.77) 40.580 ms
 8 202.97.51.118 (202.97.51.118) 374.218 ms
 202.97.27.238 (202.97.27.238) 187.573 ms
 202.97.86.138 (202.97.86.138) 197.524 ms
 9 218.30.53.190 (218.30.53.190) 201.597 ms
 218.30.54.190 (218.30.54.190) 194.194 ms
 218.30.53.190 (218.30.53.190) 204.027 ms
10 182.54.129.91 (182.54.129.91) 220.026 ms 282.360 ms
 et-11-1-5.r01.laxus01.us.bb.bgp.net (182.54.129.38) 185.700 ms
11 182.54.129.91 (182.54.129.91) 229.700 ms 508.509 ms 266.683 ms
12 * 212.95.128.2 (212.95.128.2) 565.161 ms *
13 43.224.226.50 (43.224.226.50) 200.531 ms 201.911 ms 191.566 ms

But I can not ping it:

dele-MBP:~ ll$ ping 43.224.226.50
PING 43.224.226.50 (43.224.226.50): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11

If there is a ban on ICMP, traceroute should not work either. What's the reason for it?

I checked the server's firewall is stopped.

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

can it be that the timeout for ping is too restrictive, and it would have been successful, given more lenient time limits? Traceroute gave over 500 ms for some nodes.

– vsz
Jun 7 at 12:21

add a comment
|

I have an IP address and can traceroute to it, but I can not ping.

You see, I can traceroute 43.224.226.50:

dele-MBP:~ ll$ traceroute 43.224.226.50
traceroute to 43.224.226.50 (43.224.226.50), 64 hops max, 52 byte packets
 1 router.asus.com (192.168.2.1) 2.082 ms 1.039 ms 0.924 ms
 2 100.64.0.1 (100.64.0.1) 3.648 ms 3.795 ms 3.955 ms
 3 118.112.212.225 (118.112.212.225) 4.252 ms 4.569 ms 4.168 ms
 4 171.208.203.73 (171.208.203.73) 6.378 ms
 171.208.198.25 (171.208.198.25) 6.943 ms
 171.208.203.61 (171.208.203.61) 7.055 ms
 5 202.97.36.225 (202.97.36.225) 38.149 ms
 202.97.36.221 (202.97.36.221) 39.949 ms
 202.97.36.225 (202.97.36.225) 40.780 ms
 6 202.97.90.158 (202.97.90.158) 37.894 ms
 202.97.94.146 (202.97.94.146) 39.885 ms 39.354 ms
 7 202.97.38.166 (202.97.38.166) 45.324 ms
 202.97.39.149 (202.97.39.149) 40.097 ms
 202.97.94.77 (202.97.94.77) 40.580 ms
 8 202.97.51.118 (202.97.51.118) 374.218 ms
 202.97.27.238 (202.97.27.238) 187.573 ms
 202.97.86.138 (202.97.86.138) 197.524 ms
 9 218.30.53.190 (218.30.53.190) 201.597 ms
 218.30.54.190 (218.30.54.190) 194.194 ms
 218.30.53.190 (218.30.53.190) 204.027 ms
10 182.54.129.91 (182.54.129.91) 220.026 ms 282.360 ms
 et-11-1-5.r01.laxus01.us.bb.bgp.net (182.54.129.38) 185.700 ms
11 182.54.129.91 (182.54.129.91) 229.700 ms 508.509 ms 266.683 ms
12 * 212.95.128.2 (212.95.128.2) 565.161 ms *
13 43.224.226.50 (43.224.226.50) 200.531 ms 201.911 ms 191.566 ms

But I can not ping it:

dele-MBP:~ ll$ ping 43.224.226.50
PING 43.224.226.50 (43.224.226.50): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11

If there is a ban on ICMP, traceroute should not work either. What's the reason for it?

I checked the server's firewall is stopped.

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

I have an IP address and can traceroute to it, but I can not ping.

You see, I can traceroute 43.224.226.50:

dele-MBP:~ ll$ traceroute 43.224.226.50
traceroute to 43.224.226.50 (43.224.226.50), 64 hops max, 52 byte packets
 1 router.asus.com (192.168.2.1) 2.082 ms 1.039 ms 0.924 ms
 2 100.64.0.1 (100.64.0.1) 3.648 ms 3.795 ms 3.955 ms
 3 118.112.212.225 (118.112.212.225) 4.252 ms 4.569 ms 4.168 ms
 4 171.208.203.73 (171.208.203.73) 6.378 ms
 171.208.198.25 (171.208.198.25) 6.943 ms
 171.208.203.61 (171.208.203.61) 7.055 ms
 5 202.97.36.225 (202.97.36.225) 38.149 ms
 202.97.36.221 (202.97.36.221) 39.949 ms
 202.97.36.225 (202.97.36.225) 40.780 ms
 6 202.97.90.158 (202.97.90.158) 37.894 ms
 202.97.94.146 (202.97.94.146) 39.885 ms 39.354 ms
 7 202.97.38.166 (202.97.38.166) 45.324 ms
 202.97.39.149 (202.97.39.149) 40.097 ms
 202.97.94.77 (202.97.94.77) 40.580 ms
 8 202.97.51.118 (202.97.51.118) 374.218 ms
 202.97.27.238 (202.97.27.238) 187.573 ms
 202.97.86.138 (202.97.86.138) 197.524 ms
 9 218.30.53.190 (218.30.53.190) 201.597 ms
 218.30.54.190 (218.30.54.190) 194.194 ms
 218.30.53.190 (218.30.53.190) 204.027 ms
10 182.54.129.91 (182.54.129.91) 220.026 ms 282.360 ms
 et-11-1-5.r01.laxus01.us.bb.bgp.net (182.54.129.38) 185.700 ms
11 182.54.129.91 (182.54.129.91) 229.700 ms 508.509 ms 266.683 ms
12 * 212.95.128.2 (212.95.128.2) 565.161 ms *
13 43.224.226.50 (43.224.226.50) 200.531 ms 201.911 ms 191.566 ms

But I can not ping it:

dele-MBP:~ ll$ ping 43.224.226.50
PING 43.224.226.50 (43.224.226.50): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11

If there is a ban on ICMP, traceroute should not work either. What's the reason for it?

I checked the server's firewall is stopped.

ping networking icmp traceroute

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

edited Jun 6 at 13:30

Peter Mortensen

1555 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

asked Jun 5 at 7:17

244boy

7581 silver badge14 bronze badges

can it be that the timeout for ping is too restrictive, and it would have been successful, given more lenient time limits? Traceroute gave over 500 ms for some nodes.

– vsz
Jun 7 at 12:21

add a comment
|

can it be that the timeout for ping is too restrictive, and it would have been successful, given more lenient time limits? Traceroute gave over 500 ms for some nodes.

– vsz
Jun 7 at 12:21

can it be that the timeout for ping is too restrictive, and it would have been successful, given more lenient time limits? Traceroute gave over 500 ms for some nodes.

– vsz
Jun 7 at 12:21

add a comment
|

7 Answers
7

active

oldest

votes

On a similar question here Luke Savage explained it perfectly:

Traceroute is not a protocol itself, it is an application and the protocols used depends on the implementation your are using. Primarily this is ICMP.

There are two main implementations:

tracert - tracert is a Windows application that utilises ICMP packets with as incrementing TTL field to map the hops to the final destination address.

traceroute - traceroute is a *nix application available on most Linux based systems, including network devices, and on Cisco devices. This uses UDP packets with an incrementing TTL field to map the hops to the final destination.

The difference between these is useful to know as some network now block ICMP by default so both PING and tracert from a Windows machine will fail but a traceroute from a Linux device may still work.

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

2

so, why my server IP can traceroute but not ping?

– 244boy
Jun 5 at 9:25

10

From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or gnu based operating system. In the answer I mentioned you can see that unix based systems are not using ICMP for traceroute. In other words, since PING is using ICMP (which I think is blocked by the system you are trying to reach) and traceroute is using UDP packets with an incrementation method of TTL field (which I think is not blocked at the system you are trying to reach) PING fails but Traceroute succeeds.

– naïveRSA
Jun 5 at 9:41

4

Rather than add a new comment to your post when someone like 244boy suggests an improvement, it would be better to edit your post so that future people reading the answer don't have to read all the comments to get the full answer.

– Keeta
Jun 6 at 15:03

@naïveRSA Strictly speaking, traceroute is using ICMP, even if it is sending UDP, namely it expects and evaluates TTL exceeded messages from the hops on the way. A host that blocks all ICMP is a bad idea, but ping will aready fail when ICMP echo requests or replies are blocked at the target host

– Hagen von Eitzen
Jun 7 at 19:54

add a comment
|

To add to @naïveRSA's answer, if there's filtering/firewalling in the path one could also have the situation where an ICMP "echo reply" (ping) packet is blocked, but an ICMP "time exceeded" (tracert) packet is allowed. This would give the same results even when only ICMP (Windows) is used.

In both cases (sender using either UDP or ICMP) the error communication will be ICMP (ie the node replying to a ping or tracer* packet).

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

add a comment
|

Let's look at what happens, shall we?

8.8.8.8 makes a good example, because at least from my location, I can reach it both with traceroute and ping.

First let's try ping 8.8.8.8 and watch what happens:

$ tcpdump -n host 8.8.8.8 or icmp
15:36:51.045994 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 0, length 64
15:36:51.062458 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 0, length 64
15:36:52.048350 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 1, length 64
15:36:52.073657 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 1, length 64

So ping sends an ICMP echo request, and expects an ICMP echo reply.

Now traceroute -n 8.8.8.8:

15:41:31.803324 IP 10.4.27.179.44838 > 8.8.8.8.33435: UDP, length 24
15:41:31.815184 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.815343 IP 10.4.27.179.44838 > 8.8.8.8.33436: UDP, length 24
15:41:31.819654 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.819791 IP 10.4.27.179.44838 > 8.8.8.8.33437: UDP, length 24
15:41:31.824609 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.824754 IP 10.4.27.179.44838 > 8.8.8.8.33438: UDP, length 24
15:41:31.830506 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.830649 IP 10.4.27.179.44838 > 8.8.8.8.33439: UDP, length 24
15:41:31.834469 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.834565 IP 10.4.27.179.44838 > 8.8.8.8.33440: UDP, length 24
15:41:31.840962 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.841061 IP 10.4.27.179.44838 > 8.8.8.8.33441: UDP, length 24
15:41:31.847440 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.847634 IP 10.4.27.179.44838 > 8.8.8.8.33442: UDP, length 24
15:41:31.853664 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.853761 IP 10.4.27.179.44838 > 8.8.8.8.33443: UDP, length 24
15:41:31.859221 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.859269 IP 10.4.27.179.44838 > 8.8.8.8.33444: UDP, length 24
15:41:31.864149 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.864192 IP 10.4.27.179.44838 > 8.8.8.8.33445: UDP, length 24
15:41:31.870843 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.870922 IP 10.4.27.179.44838 > 8.8.8.8.33446: UDP, length 24
15:41:31.876200 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.876352 IP 10.4.27.179.44838 > 8.8.8.8.33447: UDP, length 24
15:41:31.882148 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.882249 IP 10.4.27.179.44838 > 8.8.8.8.33448: UDP, length 24
15:41:31.890076 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.890156 IP 10.4.27.179.44838 > 8.8.8.8.33449: UDP, length 24
15:41:31.896100 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.896163 IP 10.4.27.179.44838 > 8.8.8.8.33450: UDP, length 24
15:41:31.905037 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.905235 IP 10.4.27.179.44838 > 8.8.8.8.33451: UDP, length 24
15:41:31.913206 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.913283 IP 10.4.27.179.44838 > 8.8.8.8.33452: UDP, length 24
15:41:31.923428 IP 108.170.242.241 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.923520 IP 10.4.27.179.44838 > 8.8.8.8.33453: UDP, length 24
15:41:31.932266 IP 108.170.237.9 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.932441 IP 10.4.27.179.44838 > 8.8.8.8.33454: UDP, length 24
15:41:31.939961 IP 209.85.251.9 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.940043 IP 10.4.27.179.44838 > 8.8.8.8.33455: UDP, length 24
15:41:31.947460 IP 108.170.237.21 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.947508 IP 10.4.27.179.44838 > 8.8.8.8.33456: UDP, length 24
15:41:31.954824 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33456 unreachable, length 36
15:41:31.954888 IP 10.4.27.179.44838 > 8.8.8.8.33457: UDP, length 24
15:41:31.963601 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33457 unreachable, length 36
15:41:31.963671 IP 10.4.27.179.44838 > 8.8.8.8.33458: UDP, length 24
15:41:31.972407 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33458 unreachable, length 36

So traceroute, at least the implementation I have installed, doesn't send ICMP. Rather, it sends UDP packets.

What's not visible in this trace (though it would be, if I gave tcpdump a -v to increase the verbosity) is that the first probes have a ttl of 1, and then it increments the ttl for later probes. This causes the routers between me and 8.8.8.8 to respond with an ICMP ttl exceeded error, which is how traceroute discovers the routers between here and there.

Eventually the ttl is long enough to make it all the way to 8.8.8.8, and 8.8.8.8 responds with an ICMP port unreachable error, because it has no process listening on UDP port 44838. This is how traceroute knows it's reached the final destination.

If something between here and there is blocking all ICMP, then neither ping nor traceroute will work.

But it's usually not the case that all ICMP is blocked, though it's also not rare. Blocking all ICMP is problematic: for example it breaks path MTU discovery, which relies on an ICMP fragmentation required error. ICMP packets have a type and a code, and responsible network operators will only selectively block some types or codes, those that pose a potential for abuse or disclose particular information.

For example, some hosts won't respond to an ICMP echo request at all, and thus ping will not work. The idea is that by not responding to pings, it's harder for an attacker to discover what hosts exist on the network. In practice this is questionable, since there are other ways to probe for a host. For example, one can send a TCP SYN to port 80 to find webservers.

Many hosts also won't send an ICMP port unreachable error when they get a UDP datagram or a TCP SYN to a port on which they have no process listening, and this breaks traceroute. Again the idea is to make it more difficult for an attacker to map the network, but again this is only a minor frustration for an attacker.

Because traceroute is a program and not any particular protocol, it has other ways of probing. They all rely on incrementing the TTL to discover the routers, but different kinds of probes can be sent which may have more or less of a chance to elicit a response from the endpoint. For example, my man tcpdump lists an -I option to use ICMP echo probes, the same as ping. It also has -T to use TCP SYN probes instead of UDP. If you know a host will respond to ping then -I makes a lot of sense. If you know the host is listening on a particular TCP port, then -T makes sense, perhaps in conjunction with the -p option to select the port.

Unfortunately these options may require root or special capabilities, so UDP makes a fair default. In fact a similar tool, tracepath, has this to say in its man page:

DESCRIPTION

It traces path to destination discovering MTU along this path. It uses UDP port port or some random port.
It is similar to traceroute, only does not require superuser privileges and has no fancy options.

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

add a comment
|

TLDR; pings can be blocked (ICMP block) on a remote host but traceroute can still find the route to it using standard network routing UDP or TCP/IP (any protocol really; ref https://networkengineering.stackexchange.com/a/36509/58968). Note that your ping can likely also reach the host (unless perhaps you have a very smart firewall blocking ICMP ping traffic somewhere), the host just does not reply.

edited Jun 5 at 23:30

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

add a comment
|

Linux using UDP instead of ICMP for traceroute, the firewall didn't block that UDP port

answered Jun 7 at 20:09

farshad khazaee

add a comment
|

You can install nmap (insecure.org) and use nping with either UDP or TCP and any port. Works great on networks with ping blocked outbound.

To ping a web server
nping --tcp -p 80,443

To ping a time server
nping --udp -p 123

https://nmap.org/book/nping-man.html

answered Jun 12 at 1:57

Michael Hubbard

add a comment
|

A brief answer to your question is that the ping utility relies on the ICMP protocol which is sometimes blocked at the network firewall or the firewall on the device itself. The most common reason why network admins block ICMP is to prevent "scanning" of the network which they consider to be a security concern. The traceroute utility on Linux uses UDP, a completely different protocol, which in this case in not blocked by the network admins. UDP has a variety of uses and blocking this would cause many things to be unusable on a network. The type of ICMP 'control message' needed by ping is a subset of a protocol which means blocking that type of ICMP packet causes less problem on a network and is therefore more likely to be blocked than UDP.

edited Jun 19 at 21:14

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

add a comment
|

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59610%2fwhy-can-i-traceroute-to-this-ip-address-but-not-ping%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

7 Answers
7

active

oldest

votes

7 Answers
7

active

oldest

votes

On a similar question here Luke Savage explained it perfectly:

Traceroute is not a protocol itself, it is an application and the protocols used depends on the implementation your are using. Primarily this is ICMP.

There are two main implementations:

tracert - tracert is a Windows application that utilises ICMP packets with as incrementing TTL field to map the hops to the final destination address.

traceroute - traceroute is a *nix application available on most Linux based systems, including network devices, and on Cisco devices. This uses UDP packets with an incrementing TTL field to map the hops to the final destination.

The difference between these is useful to know as some network now block ICMP by default so both PING and tracert from a Windows machine will fail but a traceroute from a Linux device may still work.

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

2

so, why my server IP can traceroute but not ping?

– 244boy
Jun 5 at 9:25

10

From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or gnu based operating system. In the answer I mentioned you can see that unix based systems are not using ICMP for traceroute. In other words, since PING is using ICMP (which I think is blocked by the system you are trying to reach) and traceroute is using UDP packets with an incrementation method of TTL field (which I think is not blocked at the system you are trying to reach) PING fails but Traceroute succeeds.

– naïveRSA
Jun 5 at 9:41

4

Rather than add a new comment to your post when someone like 244boy suggests an improvement, it would be better to edit your post so that future people reading the answer don't have to read all the comments to get the full answer.

– Keeta
Jun 6 at 15:03

@naïveRSA Strictly speaking, traceroute is using ICMP, even if it is sending UDP, namely it expects and evaluates TTL exceeded messages from the hops on the way. A host that blocks all ICMP is a bad idea, but ping will aready fail when ICMP echo requests or replies are blocked at the target host

– Hagen von Eitzen
Jun 7 at 19:54

add a comment
|

On a similar question here Luke Savage explained it perfectly:

Traceroute is not a protocol itself, it is an application and the protocols used depends on the implementation your are using. Primarily this is ICMP.

There are two main implementations:

tracert - tracert is a Windows application that utilises ICMP packets with as incrementing TTL field to map the hops to the final destination address.

traceroute - traceroute is a *nix application available on most Linux based systems, including network devices, and on Cisco devices. This uses UDP packets with an incrementing TTL field to map the hops to the final destination.

The difference between these is useful to know as some network now block ICMP by default so both PING and tracert from a Windows machine will fail but a traceroute from a Linux device may still work.

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

2

so, why my server IP can traceroute but not ping?

– 244boy
Jun 5 at 9:25

10

From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or gnu based operating system. In the answer I mentioned you can see that unix based systems are not using ICMP for traceroute. In other words, since PING is using ICMP (which I think is blocked by the system you are trying to reach) and traceroute is using UDP packets with an incrementation method of TTL field (which I think is not blocked at the system you are trying to reach) PING fails but Traceroute succeeds.

– naïveRSA
Jun 5 at 9:41

4

Rather than add a new comment to your post when someone like 244boy suggests an improvement, it would be better to edit your post so that future people reading the answer don't have to read all the comments to get the full answer.

– Keeta
Jun 6 at 15:03

@naïveRSA Strictly speaking, traceroute is using ICMP, even if it is sending UDP, namely it expects and evaluates TTL exceeded messages from the hops on the way. A host that blocks all ICMP is a bad idea, but ping will aready fail when ICMP echo requests or replies are blocked at the target host

– Hagen von Eitzen
Jun 7 at 19:54

add a comment
|

On a similar question here Luke Savage explained it perfectly:

Traceroute is not a protocol itself, it is an application and the protocols used depends on the implementation your are using. Primarily this is ICMP.

There are two main implementations:

tracert - tracert is a Windows application that utilises ICMP packets with as incrementing TTL field to map the hops to the final destination address.

traceroute - traceroute is a *nix application available on most Linux based systems, including network devices, and on Cisco devices. This uses UDP packets with an incrementing TTL field to map the hops to the final destination.

The difference between these is useful to know as some network now block ICMP by default so both PING and tracert from a Windows machine will fail but a traceroute from a Linux device may still work.

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

On a similar question here Luke Savage explained it perfectly:

Traceroute is not a protocol itself, it is an application and the protocols used depends on the implementation your are using. Primarily this is ICMP.

There are two main implementations:

tracert - tracert is a Windows application that utilises ICMP packets with as incrementing TTL field to map the hops to the final destination address.

traceroute - traceroute is a *nix application available on most Linux based systems, including network devices, and on Cisco devices. This uses UDP packets with an incrementing TTL field to map the hops to the final destination.

The difference between these is useful to know as some network now block ICMP by default so both PING and tracert from a Windows machine will fail but a traceroute from a Linux device may still work.

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

edited Jun 6 at 8:22

Peter Mortensen

1555 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

answered Jun 5 at 8:04

naïveRSA

6401 silver badge8 bronze badges

2

so, why my server IP can traceroute but not ping?

– 244boy
Jun 5 at 9:25

10

From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or gnu based operating system. In the answer I mentioned you can see that unix based systems are not using ICMP for traceroute. In other words, since PING is using ICMP (which I think is blocked by the system you are trying to reach) and traceroute is using UDP packets with an incrementation method of TTL field (which I think is not blocked at the system you are trying to reach) PING fails but Traceroute succeeds.

– naïveRSA
Jun 5 at 9:41

4

Rather than add a new comment to your post when someone like 244boy suggests an improvement, it would be better to edit your post so that future people reading the answer don't have to read all the comments to get the full answer.

– Keeta
Jun 6 at 15:03

@naïveRSA Strictly speaking, traceroute is using ICMP, even if it is sending UDP, namely it expects and evaluates TTL exceeded messages from the hops on the way. A host that blocks all ICMP is a bad idea, but ping will aready fail when ICMP echo requests or replies are blocked at the target host

– Hagen von Eitzen
Jun 7 at 19:54

add a comment
|

2

so, why my server IP can traceroute but not ping?

– 244boy
Jun 5 at 9:25

10

From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or gnu based operating system. In the answer I mentioned you can see that unix based systems are not using ICMP for traceroute. In other words, since PING is using ICMP (which I think is blocked by the system you are trying to reach) and traceroute is using UDP packets with an incrementation method of TTL field (which I think is not blocked at the system you are trying to reach) PING fails but Traceroute succeeds.

– naïveRSA
Jun 5 at 9:41

4

Rather than add a new comment to your post when someone like 244boy suggests an improvement, it would be better to edit your post so that future people reading the answer don't have to read all the comments to get the full answer.

– Keeta
Jun 6 at 15:03

@naïveRSA Strictly speaking, traceroute is using ICMP, even if it is sending UDP, namely it expects and evaluates TTL exceeded messages from the hops on the way. A host that blocks all ICMP is a bad idea, but ping will aready fail when ICMP echo requests or replies are blocked at the target host

– Hagen von Eitzen
Jun 7 at 19:54

so, why my server IP can traceroute but not ping?

– 244boy
Jun 5 at 9:25

From your shared output I can see that you are using traceroute command and not tracert which got me to think that you are using a Unix or gnu based operating system. In the answer I mentioned you can see that unix based systems are not using ICMP for traceroute. In other words, since PING is using ICMP (which I think is blocked by the system you are trying to reach) and traceroute is using UDP packets with an incrementation method of TTL field (which I think is not blocked at the system you are trying to reach) PING fails but Traceroute succeeds.

– naïveRSA
Jun 5 at 9:41

Rather than add a new comment to your post when someone like 244boy suggests an improvement, it would be better to edit your post so that future people reading the answer don't have to read all the comments to get the full answer.

– Keeta
Jun 6 at 15:03

@naïveRSA Strictly speaking, traceroute is using ICMP, even if it is sending UDP, namely it expects and evaluates TTL exceeded messages from the hops on the way. A host that blocks all ICMP is a bad idea, but ping will aready fail when ICMP echo requests or replies are blocked at the target host

– Hagen von Eitzen
Jun 7 at 19:54

add a comment
|

In both cases (sender using either UDP or ICMP) the error communication will be ICMP (ie the node replying to a ping or tracer* packet).

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

add a comment
|

In both cases (sender using either UDP or ICMP) the error communication will be ICMP (ie the node replying to a ping or tracer* packet).

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

add a comment
|

In both cases (sender using either UDP or ICMP) the error communication will be ICMP (ie the node replying to a ping or tracer* packet).

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

In both cases (sender using either UDP or ICMP) the error communication will be ICMP (ie the node replying to a ping or tracer* packet).

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

edited Jun 6 at 20:35

Lauren Van Sloun

1033 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

answered Jun 5 at 9:21

Arjan

3113 bronze badges

add a comment
|

Let's look at what happens, shall we?

8.8.8.8 makes a good example, because at least from my location, I can reach it both with traceroute and ping.

First let's try ping 8.8.8.8 and watch what happens:

$ tcpdump -n host 8.8.8.8 or icmp
15:36:51.045994 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 0, length 64
15:36:51.062458 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 0, length 64
15:36:52.048350 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 1, length 64
15:36:52.073657 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 1, length 64

So ping sends an ICMP echo request, and expects an ICMP echo reply.

Now traceroute -n 8.8.8.8:

15:41:31.803324 IP 10.4.27.179.44838 > 8.8.8.8.33435: UDP, length 24
15:41:31.815184 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.815343 IP 10.4.27.179.44838 > 8.8.8.8.33436: UDP, length 24
15:41:31.819654 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.819791 IP 10.4.27.179.44838 > 8.8.8.8.33437: UDP, length 24
15:41:31.824609 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.824754 IP 10.4.27.179.44838 > 8.8.8.8.33438: UDP, length 24
15:41:31.830506 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.830649 IP 10.4.27.179.44838 > 8.8.8.8.33439: UDP, length 24
15:41:31.834469 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.834565 IP 10.4.27.179.44838 > 8.8.8.8.33440: UDP, length 24
15:41:31.840962 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.841061 IP 10.4.27.179.44838 > 8.8.8.8.33441: UDP, length 24
15:41:31.847440 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.847634 IP 10.4.27.179.44838 > 8.8.8.8.33442: UDP, length 24
15:41:31.853664 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.853761 IP 10.4.27.179.44838 > 8.8.8.8.33443: UDP, length 24
15:41:31.859221 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.859269 IP 10.4.27.179.44838 > 8.8.8.8.33444: UDP, length 24
15:41:31.864149 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.864192 IP 10.4.27.179.44838 > 8.8.8.8.33445: UDP, length 24
15:41:31.870843 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.870922 IP 10.4.27.179.44838 > 8.8.8.8.33446: UDP, length 24
15:41:31.876200 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.876352 IP 10.4.27.179.44838 > 8.8.8.8.33447: UDP, length 24
15:41:31.882148 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.882249 IP 10.4.27.179.44838 > 8.8.8.8.33448: UDP, length 24
15:41:31.890076 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.890156 IP 10.4.27.179.44838 > 8.8.8.8.33449: UDP, length 24
15:41:31.896100 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.896163 IP 10.4.27.179.44838 > 8.8.8.8.33450: UDP, length 24
15:41:31.905037 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.905235 IP 10.4.27.179.44838 > 8.8.8.8.33451: UDP, length 24
15:41:31.913206 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.913283 IP 10.4.27.179.44838 > 8.8.8.8.33452: UDP, length 24
15:41:31.923428 IP 108.170.242.241 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.923520 IP 10.4.27.179.44838 > 8.8.8.8.33453: UDP, length 24
15:41:31.932266 IP 108.170.237.9 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.932441 IP 10.4.27.179.44838 > 8.8.8.8.33454: UDP, length 24
15:41:31.939961 IP 209.85.251.9 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.940043 IP 10.4.27.179.44838 > 8.8.8.8.33455: UDP, length 24
15:41:31.947460 IP 108.170.237.21 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.947508 IP 10.4.27.179.44838 > 8.8.8.8.33456: UDP, length 24
15:41:31.954824 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33456 unreachable, length 36
15:41:31.954888 IP 10.4.27.179.44838 > 8.8.8.8.33457: UDP, length 24
15:41:31.963601 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33457 unreachable, length 36
15:41:31.963671 IP 10.4.27.179.44838 > 8.8.8.8.33458: UDP, length 24
15:41:31.972407 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33458 unreachable, length 36

So traceroute, at least the implementation I have installed, doesn't send ICMP. Rather, it sends UDP packets.

If something between here and there is blocking all ICMP, then neither ping nor traceroute will work.

Unfortunately these options may require root or special capabilities, so UDP makes a fair default. In fact a similar tool, tracepath, has this to say in its man page:

DESCRIPTION

It traces path to destination discovering MTU along this path. It uses UDP port port or some random port.
It is similar to traceroute, only does not require superuser privileges and has no fancy options.

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

add a comment
|

Let's look at what happens, shall we?

8.8.8.8 makes a good example, because at least from my location, I can reach it both with traceroute and ping.

First let's try ping 8.8.8.8 and watch what happens:

$ tcpdump -n host 8.8.8.8 or icmp
15:36:51.045994 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 0, length 64
15:36:51.062458 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 0, length 64
15:36:52.048350 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 1, length 64
15:36:52.073657 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 1, length 64

So ping sends an ICMP echo request, and expects an ICMP echo reply.

Now traceroute -n 8.8.8.8:

15:41:31.803324 IP 10.4.27.179.44838 > 8.8.8.8.33435: UDP, length 24
15:41:31.815184 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.815343 IP 10.4.27.179.44838 > 8.8.8.8.33436: UDP, length 24
15:41:31.819654 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.819791 IP 10.4.27.179.44838 > 8.8.8.8.33437: UDP, length 24
15:41:31.824609 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.824754 IP 10.4.27.179.44838 > 8.8.8.8.33438: UDP, length 24
15:41:31.830506 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.830649 IP 10.4.27.179.44838 > 8.8.8.8.33439: UDP, length 24
15:41:31.834469 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.834565 IP 10.4.27.179.44838 > 8.8.8.8.33440: UDP, length 24
15:41:31.840962 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.841061 IP 10.4.27.179.44838 > 8.8.8.8.33441: UDP, length 24
15:41:31.847440 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.847634 IP 10.4.27.179.44838 > 8.8.8.8.33442: UDP, length 24
15:41:31.853664 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.853761 IP 10.4.27.179.44838 > 8.8.8.8.33443: UDP, length 24
15:41:31.859221 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.859269 IP 10.4.27.179.44838 > 8.8.8.8.33444: UDP, length 24
15:41:31.864149 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.864192 IP 10.4.27.179.44838 > 8.8.8.8.33445: UDP, length 24
15:41:31.870843 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.870922 IP 10.4.27.179.44838 > 8.8.8.8.33446: UDP, length 24
15:41:31.876200 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.876352 IP 10.4.27.179.44838 > 8.8.8.8.33447: UDP, length 24
15:41:31.882148 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.882249 IP 10.4.27.179.44838 > 8.8.8.8.33448: UDP, length 24
15:41:31.890076 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.890156 IP 10.4.27.179.44838 > 8.8.8.8.33449: UDP, length 24
15:41:31.896100 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.896163 IP 10.4.27.179.44838 > 8.8.8.8.33450: UDP, length 24
15:41:31.905037 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.905235 IP 10.4.27.179.44838 > 8.8.8.8.33451: UDP, length 24
15:41:31.913206 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.913283 IP 10.4.27.179.44838 > 8.8.8.8.33452: UDP, length 24
15:41:31.923428 IP 108.170.242.241 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.923520 IP 10.4.27.179.44838 > 8.8.8.8.33453: UDP, length 24
15:41:31.932266 IP 108.170.237.9 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.932441 IP 10.4.27.179.44838 > 8.8.8.8.33454: UDP, length 24
15:41:31.939961 IP 209.85.251.9 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.940043 IP 10.4.27.179.44838 > 8.8.8.8.33455: UDP, length 24
15:41:31.947460 IP 108.170.237.21 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.947508 IP 10.4.27.179.44838 > 8.8.8.8.33456: UDP, length 24
15:41:31.954824 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33456 unreachable, length 36
15:41:31.954888 IP 10.4.27.179.44838 > 8.8.8.8.33457: UDP, length 24
15:41:31.963601 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33457 unreachable, length 36
15:41:31.963671 IP 10.4.27.179.44838 > 8.8.8.8.33458: UDP, length 24
15:41:31.972407 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33458 unreachable, length 36

So traceroute, at least the implementation I have installed, doesn't send ICMP. Rather, it sends UDP packets.

If something between here and there is blocking all ICMP, then neither ping nor traceroute will work.

Unfortunately these options may require root or special capabilities, so UDP makes a fair default. In fact a similar tool, tracepath, has this to say in its man page:

DESCRIPTION

It traces path to destination discovering MTU along this path. It uses UDP port port or some random port.
It is similar to traceroute, only does not require superuser privileges and has no fancy options.

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

add a comment
|

Let's look at what happens, shall we?

8.8.8.8 makes a good example, because at least from my location, I can reach it both with traceroute and ping.

First let's try ping 8.8.8.8 and watch what happens:

$ tcpdump -n host 8.8.8.8 or icmp
15:36:51.045994 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 0, length 64
15:36:51.062458 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 0, length 64
15:36:52.048350 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 1, length 64
15:36:52.073657 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 1, length 64

So ping sends an ICMP echo request, and expects an ICMP echo reply.

Now traceroute -n 8.8.8.8:

15:41:31.803324 IP 10.4.27.179.44838 > 8.8.8.8.33435: UDP, length 24
15:41:31.815184 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.815343 IP 10.4.27.179.44838 > 8.8.8.8.33436: UDP, length 24
15:41:31.819654 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.819791 IP 10.4.27.179.44838 > 8.8.8.8.33437: UDP, length 24
15:41:31.824609 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.824754 IP 10.4.27.179.44838 > 8.8.8.8.33438: UDP, length 24
15:41:31.830506 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.830649 IP 10.4.27.179.44838 > 8.8.8.8.33439: UDP, length 24
15:41:31.834469 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.834565 IP 10.4.27.179.44838 > 8.8.8.8.33440: UDP, length 24
15:41:31.840962 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.841061 IP 10.4.27.179.44838 > 8.8.8.8.33441: UDP, length 24
15:41:31.847440 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.847634 IP 10.4.27.179.44838 > 8.8.8.8.33442: UDP, length 24
15:41:31.853664 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.853761 IP 10.4.27.179.44838 > 8.8.8.8.33443: UDP, length 24
15:41:31.859221 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.859269 IP 10.4.27.179.44838 > 8.8.8.8.33444: UDP, length 24
15:41:31.864149 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.864192 IP 10.4.27.179.44838 > 8.8.8.8.33445: UDP, length 24
15:41:31.870843 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.870922 IP 10.4.27.179.44838 > 8.8.8.8.33446: UDP, length 24
15:41:31.876200 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.876352 IP 10.4.27.179.44838 > 8.8.8.8.33447: UDP, length 24
15:41:31.882148 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.882249 IP 10.4.27.179.44838 > 8.8.8.8.33448: UDP, length 24
15:41:31.890076 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.890156 IP 10.4.27.179.44838 > 8.8.8.8.33449: UDP, length 24
15:41:31.896100 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.896163 IP 10.4.27.179.44838 > 8.8.8.8.33450: UDP, length 24
15:41:31.905037 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.905235 IP 10.4.27.179.44838 > 8.8.8.8.33451: UDP, length 24
15:41:31.913206 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.913283 IP 10.4.27.179.44838 > 8.8.8.8.33452: UDP, length 24
15:41:31.923428 IP 108.170.242.241 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.923520 IP 10.4.27.179.44838 > 8.8.8.8.33453: UDP, length 24
15:41:31.932266 IP 108.170.237.9 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.932441 IP 10.4.27.179.44838 > 8.8.8.8.33454: UDP, length 24
15:41:31.939961 IP 209.85.251.9 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.940043 IP 10.4.27.179.44838 > 8.8.8.8.33455: UDP, length 24
15:41:31.947460 IP 108.170.237.21 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.947508 IP 10.4.27.179.44838 > 8.8.8.8.33456: UDP, length 24
15:41:31.954824 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33456 unreachable, length 36
15:41:31.954888 IP 10.4.27.179.44838 > 8.8.8.8.33457: UDP, length 24
15:41:31.963601 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33457 unreachable, length 36
15:41:31.963671 IP 10.4.27.179.44838 > 8.8.8.8.33458: UDP, length 24
15:41:31.972407 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33458 unreachable, length 36

So traceroute, at least the implementation I have installed, doesn't send ICMP. Rather, it sends UDP packets.

If something between here and there is blocking all ICMP, then neither ping nor traceroute will work.

Unfortunately these options may require root or special capabilities, so UDP makes a fair default. In fact a similar tool, tracepath, has this to say in its man page:

DESCRIPTION

It traces path to destination discovering MTU along this path. It uses UDP port port or some random port.
It is similar to traceroute, only does not require superuser privileges and has no fancy options.

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

Let's look at what happens, shall we?

8.8.8.8 makes a good example, because at least from my location, I can reach it both with traceroute and ping.

First let's try ping 8.8.8.8 and watch what happens:

$ tcpdump -n host 8.8.8.8 or icmp
15:36:51.045994 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 0, length 64
15:36:51.062458 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 0, length 64
15:36:52.048350 IP 10.4.27.179 > 8.8.8.8: ICMP echo request, id 7215, seq 1, length 64
15:36:52.073657 IP 8.8.8.8 > 10.4.27.179: ICMP echo reply, id 7215, seq 1, length 64

So ping sends an ICMP echo request, and expects an ICMP echo reply.

Now traceroute -n 8.8.8.8:

15:41:31.803324 IP 10.4.27.179.44838 > 8.8.8.8.33435: UDP, length 24
15:41:31.815184 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.815343 IP 10.4.27.179.44838 > 8.8.8.8.33436: UDP, length 24
15:41:31.819654 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.819791 IP 10.4.27.179.44838 > 8.8.8.8.33437: UDP, length 24
15:41:31.824609 IP 10.250.32.2 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.824754 IP 10.4.27.179.44838 > 8.8.8.8.33438: UDP, length 24
15:41:31.830506 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.830649 IP 10.4.27.179.44838 > 8.8.8.8.33439: UDP, length 24
15:41:31.834469 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.834565 IP 10.4.27.179.44838 > 8.8.8.8.33440: UDP, length 24
15:41:31.840962 IP 64.124.23.161 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.841061 IP 10.4.27.179.44838 > 8.8.8.8.33441: UDP, length 24
15:41:31.847440 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.847634 IP 10.4.27.179.44838 > 8.8.8.8.33442: UDP, length 24
15:41:31.853664 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.853761 IP 10.4.27.179.44838 > 8.8.8.8.33443: UDP, length 24
15:41:31.859221 IP 64.125.26.21 > 10.4.27.179: ICMP time exceeded in-transit, length 148
15:41:31.859269 IP 10.4.27.179.44838 > 8.8.8.8.33444: UDP, length 24
15:41:31.864149 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.864192 IP 10.4.27.179.44838 > 8.8.8.8.33445: UDP, length 24
15:41:31.870843 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.870922 IP 10.4.27.179.44838 > 8.8.8.8.33446: UDP, length 24
15:41:31.876200 IP 64.125.31.15 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.876352 IP 10.4.27.179.44838 > 8.8.8.8.33447: UDP, length 24
15:41:31.882148 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.882249 IP 10.4.27.179.44838 > 8.8.8.8.33448: UDP, length 24
15:41:31.890076 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.890156 IP 10.4.27.179.44838 > 8.8.8.8.33449: UDP, length 24
15:41:31.896100 IP 64.125.13.111 > 10.4.27.179: ICMP time exceeded in-transit, length 36
15:41:31.896163 IP 10.4.27.179.44838 > 8.8.8.8.33450: UDP, length 24
15:41:31.905037 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.905235 IP 10.4.27.179.44838 > 8.8.8.8.33451: UDP, length 24
15:41:31.913206 IP 108.170.242.225 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.913283 IP 10.4.27.179.44838 > 8.8.8.8.33452: UDP, length 24
15:41:31.923428 IP 108.170.242.241 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.923520 IP 10.4.27.179.44838 > 8.8.8.8.33453: UDP, length 24
15:41:31.932266 IP 108.170.237.9 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.932441 IP 10.4.27.179.44838 > 8.8.8.8.33454: UDP, length 24
15:41:31.939961 IP 209.85.251.9 > 10.4.27.179: ICMP time exceeded in-transit, length 76
15:41:31.940043 IP 10.4.27.179.44838 > 8.8.8.8.33455: UDP, length 24
15:41:31.947460 IP 108.170.237.21 > 10.4.27.179: ICMP time exceeded in-transit, length 60
15:41:31.947508 IP 10.4.27.179.44838 > 8.8.8.8.33456: UDP, length 24
15:41:31.954824 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33456 unreachable, length 36
15:41:31.954888 IP 10.4.27.179.44838 > 8.8.8.8.33457: UDP, length 24
15:41:31.963601 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33457 unreachable, length 36
15:41:31.963671 IP 10.4.27.179.44838 > 8.8.8.8.33458: UDP, length 24
15:41:31.972407 IP 8.8.8.8 > 10.4.27.179: ICMP 8.8.8.8 udp port 33458 unreachable, length 36

So traceroute, at least the implementation I have installed, doesn't send ICMP. Rather, it sends UDP packets.

If something between here and there is blocking all ICMP, then neither ping nor traceroute will work.

Unfortunately these options may require root or special capabilities, so UDP makes a fair default. In fact a similar tool, tracepath, has this to say in its man page:

DESCRIPTION

It traces path to destination discovering MTU along this path. It uses UDP port port or some random port.
It is similar to traceroute, only does not require superuser privileges and has no fancy options.

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

answered Jun 6 at 22:59

Phil Frost

2011 silver badge3 bronze badges

add a comment
|

edited Jun 5 at 23:30

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

add a comment
|

edited Jun 5 at 23:30

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

add a comment
|

edited Jun 5 at 23:30

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

edited Jun 5 at 23:30

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

edited Jun 5 at 23:30

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

answered Jun 5 at 23:24

Roel Van de Paar

1214 bronze badges

add a comment
|

Linux using UDP instead of ICMP for traceroute, the firewall didn't block that UDP port

answered Jun 7 at 20:09

farshad khazaee

add a comment
|

Linux using UDP instead of ICMP for traceroute, the firewall didn't block that UDP port

answered Jun 7 at 20:09

farshad khazaee

add a comment
|

Linux using UDP instead of ICMP for traceroute, the firewall didn't block that UDP port

answered Jun 7 at 20:09

farshad khazaee

Linux using UDP instead of ICMP for traceroute, the firewall didn't block that UDP port

answered Jun 7 at 20:09

farshad khazaee

answered Jun 7 at 20:09

farshad khazaee

answered Jun 7 at 20:09

farshad khazaee

answered Jun 7 at 20:09

farshad khazaee

add a comment
|

You can install nmap (insecure.org) and use nping with either UDP or TCP and any port. Works great on networks with ping blocked outbound.

To ping a web server
nping --tcp -p 80,443

To ping a time server
nping --udp -p 123

https://nmap.org/book/nping-man.html

answered Jun 12 at 1:57

Michael Hubbard

add a comment
|

You can install nmap (insecure.org) and use nping with either UDP or TCP and any port. Works great on networks with ping blocked outbound.

To ping a web server
nping --tcp -p 80,443

To ping a time server
nping --udp -p 123

https://nmap.org/book/nping-man.html

answered Jun 12 at 1:57

Michael Hubbard

add a comment
|

You can install nmap (insecure.org) and use nping with either UDP or TCP and any port. Works great on networks with ping blocked outbound.

To ping a web server
nping --tcp -p 80,443

To ping a time server
nping --udp -p 123

https://nmap.org/book/nping-man.html

answered Jun 12 at 1:57

Michael Hubbard

You can install nmap (insecure.org) and use nping with either UDP or TCP and any port. Works great on networks with ping blocked outbound.

To ping a web server
nping --tcp -p 80,443

To ping a time server
nping --udp -p 123

https://nmap.org/book/nping-man.html

answered Jun 12 at 1:57

Michael Hubbard

answered Jun 12 at 1:57

Michael Hubbard

answered Jun 12 at 1:57

Michael Hubbard

answered Jun 12 at 1:57

Michael Hubbard

add a comment
|

edited Jun 19 at 21:14

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

add a comment
|

edited Jun 19 at 21:14

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

add a comment
|

edited Jun 19 at 21:14

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

edited Jun 19 at 21:14

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

edited Jun 19 at 21:14

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

answered Jun 7 at 18:10

Cybernaut

11 bronze badge

add a comment
|

draft saved

draft discarded

Thanks for contributing an answer to Network Engineering Stack Exchange!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Bsrgvty

7 Answers
7

DESCRIPTION

Your Answer

Post as a guest

7 Answers
7

7 Answers
7

DESCRIPTION

DESCRIPTION

DESCRIPTION

DESCRIPTION

Post as a guest

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

7 Answers 7

DESCRIPTION

Your Answer

Sign up or log in

Post as a guest

Post as a guest

7 Answers 7

7 Answers 7

DESCRIPTION

DESCRIPTION

DESCRIPTION

DESCRIPTION

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

7 Answers
7

7 Answers
7

7 Answers
7