Like any OS, IOS must implement a number of basic principles:

* Process Management
* Memory Management
* Device Management

We’ll look specifically at the system memory management. Recent work with OS protected memory.A process x can not access the memory of a process y (Shared Memory, Message Queues, Pipes, Network Connections, …). For the process x process dialogue with it, they will have to use other methods (Shared Memory, Message Queues, Pipes, Network Connections, …). These methods secure processes between them, but nevertheless they work slow. The IOS does not support shared memory, all processes have access to the memory without restrictions.A process is therefore free to interact with one another in writing in the memory of the latter (Buffer Overflow = Crash).There is however a notion of memory R / W and R / W

IOS works with memory pools, the Pool Manager who is responsible.Here, a pool reserved for the procesand a pool reserved for I / O:

Router # show memory
 Head Total (b) Used (b) Free (b) Lowest (b) Largest (b)
 Processor
 653B8C20 155481056 86243592 69237464 68168948 67670028
 I/O
 EE800000 25165824 5269012 19896812 19819968 19871932

Head: beginning the pool
Total: pool size in bytes
Used: current use of the pool in bytes
Free : current free memory pool in bytes
Lowest :free memory historically the lowest in bytes
Largest :The largest contiguous block of free memory

Region Manager : These same pools belong to regions of memory managed by the Region Manager:

Router # show region

Region Manager:
Start End Size (b) Class Media Name
0×0E800000 0×0FFFFFFF iomem 25165824 R / W iomem: (iomem)
0×60000000 243269632 0×6E7FFFFF Room R / W Hand
0×6000F000 0×632FFFFF iText 53415936 R / O main: text
0×63300000 28310784 0×64DFFCFF iData R / W main: data
0×64DFFD00 0×653B8C1F IBSS 6000416 R / W main: bss
0×653B8C20 0×6E7FFFFF 155 481 056 Room R / W main: heap
0×80000000 243269632 0×8E7FFFFF Room R / W main: (main_k0)
0xA0000000 0xAE7FFFFF 243 269 632 Room R / W main: (main_k1)
0xEE800000 0xEFFFFFFF iomem 25165824 R / W iomem

The Processor memory pool is within the area hand heap. This region is part of the region starting in hand 0 × 60000000 and ends at 0 × 6E7FFFFF. The memory pool I / O is the region of iomem 0xEE800000 to 0xEFFFFFFF.

In the hand area are:

# Hand: text: contains the code for IOS R / O (iText)
# main: data: contains initialized variables R / W (iData)
# main: bss: contains uninitialized variables R / W (IBSS)
# main:heap :contains the structures of local standard memory R / W
# iomem : contains the memory devices (memory bus I / O)

It may be noted that some regions are redundant: main (main_k0) hand (main_k1) They all correspond to the same region hand. You can even find iomem two different places: 0 × 0E800000-> 0 × 0FFFFFFF and 0xEE800000-> 0xEFFFFFFF, yet it is the same memory area.

On a Cisco device to another location where you stored a particular type of memory differs.On a type of router you can find memory SRAM iomem, while in others the same area can be found in the DRAM. The Pool Manager defines memory areas regardless of type of memory used (hardware abstraction).

Returning to the Pool Manager.Using the command “show memory processor, we can notice that the memory is divided into blocks:

Router # show memory processor
Processor memory
Address Bytes Prev Next Ref Alloc PC What PrevF NextF
65A817E0 0000000084 65A8175C 65A81864 628215E8 001 ——– ——– Init
65A81864 0000001372 65A817E0 65A81DF0 001 ——– ——– 608E3218 Skinny Socket Server
65A81DF0 0000001156 65A81864 65A822A4 001 ——– ——– 608E3218 Skinny Socket Server

# Address: Start of block
# Bytes: block size
# Prev: address of previous block (linkage)
# Next: Address of next block (chaining)
# Ref: for how many processes this block is used?
# PrevF: previous free block
# NextF: Next free block
# Alloc PC: process that allocated the block
# What: name of the process holding the block

If we had the idea to create a buffer overflow in a storage area, then write more bytes than expected allocated to this memory area, we would end up overwriting the header of the next memory area and thus break the chaining memory IOS.

Unfortunately or not, the IOS constantly checks the structure of its memory and the least inconsistency, forcing a crash. So to succeed without a buffer overflow crash, it must arrange to rewrite a header consistent among the next buffer.

Chunk Manager

When we allocate memory for a process (malloc), The Pool Manager is an area of free memory and assigns it to a process.The Pool Manager is therefore a table of blocks of contiguous memory. When a process frees a memory area (free), the Pool Manager tries to concatenate the newly released memory area with its neighbors. Despite this fragmentation is unavoidable concatenation.An extremely fragmented memory can lead to errors malloc “% SYS-2-MALLOCFAIL. The Chunk Manager will help address these concerns by allocating more memory to intelligently process.

The Chunk Manager is responsible for the allocation of Chunk.A chunk contains a finite number of blocks of equal size. If we use all the blocks present in a Chunk, Chunk Manager allocates the new space (Sibling). If no more blocks of the “Sibling” is used, it is released “Freed / Trimmed.
When the process frees a block, it does in its chunk. So there is more fragmentation between different processes.

Here’s how to configure authentication keys for each router participating in the EIGRP routing process:

R1 # conf t
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1 (config-keychain-key) # key-string cisco

A2 # conf t
R2 (config) # key chain EIGRP-KEYS
R2 (config-keychain) key # 1
R2 (config-keychain-key) # key-string cisco

Key verification

R1 # show key chain
Key-chain EIGRP-KEYS:
key 1 - text “cisco”
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

Now that our keys are configured in the router, you must apply to each interface on which you want to authenticate.

R1 # conf t
R1 (config) # interface serial 1 / 0
! ip authentication key-chain eigrp as_number key_chain_label.
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
! The following command sends a MD5 Hash keys instead of sending in the clear .. is more secure.
R1 (config-if) # ip authentication mode eigrp 1 md5

R2# conf
R2(config)# interface serial 1/0
R2(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R2(config-if)# ip authentication mode eigrp 1 md5

Small configuration check:

R1 # show ip interface detail eigrp
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un / Reliable SRTT Un / Reliable Flow Timer Routes
Se0/0/0 1 0 / 0 4 0 / 12 50 0
Hello interval is 5 sec
A / reliable MCAST: 0 / 0 Un / reliable ucasts: 10/28
MCAST exceptions: 0 CR packets: 0 ACKs suppressed: 5
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication IS mode md5 key-chain is “EIGRP-KEYS”
Use unicast
And a little debugging to see the authentication packets arrive on interface:
R1 # debug eigrp packets
EIGRP Packets debugging Is On
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Oct 4 16:10:51.090: EIGRP: Sending HELLO on Serial0/0/1
* October 4 16:10:51.090: AS 1, Flags 0×0, Seq 0 / 0 idbQ 0 / 0 iidbQ a / Rely 0 / 0
* October 4 16:10:51.190: EIGRP: received packet with MD5 authentication, key id = 1
*Oct 4 16:10:51.190: EIGRP: Received HELLO on Serial0/0/1 nbr 172.16.13.3
* October 4 16:10:51.190: AS 1 Flags 0×0, Seq 0 / 0 idbQ 0 / 0 iidbQ a / Rely 0 / 0 peerQ a / Rely 0 / 0
* October 4 16:10:51.854: EIGRP: received packet with MD5 authentication, key id = 1
*Oct 4 16:10:51.854: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.1.2
* October 4 16:10:51.854: AS 1, Flags 0×0, Seq 0 / 0 idbQ 0 / 0 iidbQ a / Rely 0 / 0 peerQ a / Rely 0 / 0
* October 4 16:10:53.046: EIGRP: received packet with MD5 authentication, key id = 1

EIGRP Timers

We can see the Hello timers here:

R1 # show ip eigrp interfaces detail
IP-EIGRP interfaces for process 1
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un / Reliable SRTT Un / Reliable Flow Timer Routes
Se0/0/0 1 0 / 0 17 10 / 380 448 0
Hello interval is 5 sec
Next xmit serial
Un/reliable mcasts: 0/0 Un/reliable ucasts: 17/37 A /
MCAST exceptions: 0 CR packets: 0 ACKs suppressed: 6
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication IS mode md5 key-chain is “EIGRP-KEYS”
Use unicast

By default, the HELLO timers are 5 seconds, and the HOLD-TIME 15.
But we’ll see how to change them.

R1 # conf t
R1 (config) # interface serial 1 / 0
! Change the value of intervals between HELLO to 2 seconds
R1 (config-if) # ip hello-interval eigrp 1 February
! Change the value of hold-time to 8 seconds
R1 (config-if) # ip hold-time eigrp 1 August
R2 # conf t
R2 (config) # interface serial 1 / 0
R2 (config-if) # ip hello-interval eigrp 1 February
R2 (config-if) # ip hold-time eigrp 1 August

Early check our changes:

R1 # show ip eigrp interfaces detail a serial 1 / 0
IP-EIGRP interfaces for process 1
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un / Reliable SRTT Un / Reliable Flow Timer Routes
Se0/0/0 1 0 / 0 0 17 10 / 380 448
Hello interval is 2 sec
Next xmit serial
A / reliable MCAST: 0 / 0 Un / reliable ucasts: 17/37
MCAST exceptions: 0 CR packets: 0 ACKs suppressed: 6
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication IS mode md5 key-chain is “EIGRP-KEYS”
Use unicast

R1 # show ip eigrp Neighbors
IP-EIGRP Neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
Se0/0/0 172.16.12.2 0 6 01:23:39 17 2280 0 73

Especially with the release 6.x, were introduced to the IOS commands common but has been maintained compatibility with older equivalent.

As in any multiuser OS, there are regular and privileged users (enabled). It becomes the root of a Pix with:
Pix> enable
Pix# The prompt changes from> to #
From here you enter configuration mode:
configure terminal
You save the configuration in memory resident (NVRAM, FLASH…) with:
write memory
It displays the current configuration:
write terminal or show running-config
You can view the log messages (to be activated configuration may remain in a local buffer (occupying memory), or logged on syslog remote server) with:
show logging

You can use ? the orhelp to get the lists of commands and command options available. You can exit the configuration mode with exit or quit.
Commands can be abbreviated (e.g., conf term).

If you need to set large configuration changes, you should make a complete list of a previously written text (with syntax checked).
The dates configuration settings are immediately active, but until you save the configuration with a write mem are lost upon reboot.

After configuring the commands that change the status of the engine Pix alias, access-list, conduit, global, nat, outbound, static, you must give the command (in the Enable mode, not in configuration):
clear xlate
Note that this resets all translazioni (NAT and PAT) are currently managed by Pix and can terminate connections to the PIX is handling.
Like all commands can have clear results radicals, which should be used carefully.

Diagnostic Commands

show cpusage Minimum information on the CPU time used
show memory The total memory and free
show processes The processes running on the system
show routing The routing table
show running-configDisplays the current configuration, on recent versions of PixOS not write term use. PROFIT!
show startup-config View conf stored in memory resident. First it was show configure
show local-host Information on connections and XLATE (Tables natting). PROFIT!
show traffic View info on current network traffic
show version Displays the version of Pix and other system data. PROFIT!
show xlate See tables natting current
show tech-support Executes various commands diagnostic (as such) to create a text to send to technical support in case of failures (or to be examined to know the status of a system). PROFIT!

DTE and DCE

Router DTE, DCE is the FR-switch at the provider.

Local Management Interface LMI

• runs between DTE and DCE
• Allocation of the DLCI DTE possible
• Keepalives
• LMI types: Cisco, ANSI, Q933a
• Auto Sensing from IOS 11.2

Topologies

• Hub and spoke
• Full mesh [requires n (n-1) / 2 links]
• Partial mesh

In “hub and spoke” and “partial mesh” proposes “to split horizon”. Solution: subinterfaces.

Terms

Basic Configuration
Encapsulation: Cisco or IETF

(Config) # int int
(Config-if) # encapsulation frame-relay
(Config-if) # interface subint point-to-point
(Config-subif) # ip address ip addr mask
(Config-subif) # frame-relay interface-dlci dlci

or

(Config) # int int
(Config-if) # encapsulation frame-relay
(Config-if) # interface subint multipoint
(Config-subif) # ip address ipaddr mask
(Config-subif) # frame-relay map ip ipaddr dlci

The “frame-relay map” of the local and remote IP DLCI is specified.

Router # show frame-relay pvc

PVC status and statistics.

Router # show frame-relay lmi
Router # debug frame-relay lmi

LMI info

Router # show frame-relay map

Traffic Shaping
German: Traffic control

FR-DTE to overload messages from the network to respond to opportunity.

ECN vs. ICN
Frame Relay implements an explicit overload notification (ECN) with the FECN and BECN bits. It will overload the already signaled before frames are dropped.

In implicit message overload (ICN, like TCP), the overload only noticed when frames have been discarded (no ACK).

Configuration
Without a response to BECN (only indication of the CIR)
(Config) # map-class frame-relay name
(Config-map-class) # frame-relay traffic-rate average [peak]

With response to BECN
The router thereby reducing the transmission rate at 25 percent each BECN MinCIR achieved is up.

(Config) # map-class frame-relay name
(Config-map-class) # frame-relay adaptive-shaping BECN
(Config-map-class) # frame-relay cir [in | out] bits
(Config-map-class) # frame-relay bc [in | out] bits
(Config-map-class) # frame-relay be [in | out] bits
(Config-map-class) # frame-relay mincir [in | out] bits

and then on the interface:

(Config) # int int
(Config-if) # encapsulation frame-relay
(Config-if) # frame-relay traffic-shaping
(Config-if) # int subint point-to-point
(Config-subif) # frame-relay interface-dlci dlci
(Config-fr-dlci) # class name

or

(Config) # int int
(Config-if) # encapsulation frame-relay
(Config-if) # frame-relay traffic-shaping
(Config-if) # frame-relay classname

Check again

Router # show frame-relay pvc

Cisco allows the admin with Dynamic ARP Inspection (DAI) to ward off such attacks.

Dynamic ARP Inspection Setup

ARP Inspection must be enabled globally. Thereafter, individual or untrusted interface is set up as trusted.

ip arp inspection vlan 1
!
interface FastEthernet0 / 1
description Edge Port
no ip arp inspection trust
ip arp inspection limit rate 10
!
interface GigabitEthernet0 / 1
description Uplink
ip arp inspection trust

In the following example, the (relatively small) rate-limit on fa0 / 1 was exceeded.

04:03:43:% LINK-3-UPDOWN: Interface FastEthernet0 / 1, changed state to up
04:03:46:% SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 469 milliseconds on Fa0 / 1
04:03:46:% PM-4-ERR_DISABLE: arp-inspection error detected on Fa0 / 1, Fa0 / 1 putting in err-disable state
04:03:48:% LINK-3-UPDOWN: Interface FastEthernet0 / 1, changed state to down

An attempted MITM attack is:

04:18:16:% SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0 / 1,
vlan first ([0010.a48b.42a7/192.168.1.120/00d0.58b1.9600/192.168.1.104/04: 18:16 UTC Mon Mar 1 1993])
04:18:16:% SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0 / 1,
vlan first ([0010.a48b.42a7/192.168.1.104/0010.6c00.1159/192.168.1.120/04: 18:16 UTC Mon Mar 1 1993])

Use dynamic ARP Inspection (DAI) around to protect the network against ARP Spoofing.

In violation of a defined traffic rules can be filtered (violation protect or restrict) or the interface will be disabled (shutdown violation).

Port Security Setup

Port Security is configured on the interface.

interface FastEthernet0 / 1
switchport mode access
switchport port-security


Without further parameter is the number of allowable MAC addresses on a set and the Violation Action on shutdown.

Port Security is to limit the number of connected devices (MAC addresses) per switch port. This allows the installation of “wild” Edge switches to prevent ports quite effective.

True security is port security, but difficult to achieve with and the administrative work is very high.

The term QoS (an acronym for “Quality of Service”) means the ability to provide service (such as a communication medium) which meets requirements of response time and bandwidth.

Applied to packet switching networks (based networks using routers) for QoS is the ability to be able to guarantee an acceptable level of packet loss, defined by contract, for a given use (VoIP, video conferencing, etc…).

Indeed, unlike circuit-switched networks, such as switched telephone networks, where a communication circuit is dedicated for the duration of the communication, it is impossible to predict Internet path taken by individual packets.

Thus, there is no guarantee that a communication requiring regularity of flow can take place without hindrance. Therefore there are mechanisms, called QoS mechanisms, to differentiate different network flows and reserve a portion of bandwidth for those requiring a continuous, without breaks.

Service Levels

The term service level defines the level of demand for the ability of a network to provide a service point to point or end to end with a given traffic. It generally defines three levels of QoS:

1. Best effort, providing no differentiation between flows and networks allowing no guarantee. This level of service is also sometimes called Lack of QoS.
2. Differentiated service or soft QoS, to define priority levels to different network flows without providing strict guarantees.
3. Guaranteed service or hard QoS, of reserving network resources for certain types of flows. The main mechanism used to achieve this level of service is RSVP (Resource Reservation Protocol).

Criteria for quality of service

The main criteria for judging the quality of service are as follows:

• Capacity (bandwidth): sometimes called bandwidth abuse of language, it defines the maximum amount of information (bits) per unit time.
• Jitter: it represents the fluctuation of the digital signal in time or phase.
• Latency, or delay the response time: it characterizes the delay between transmission and reception of a packet.
• Packet loss: it corresponds to the non-issuance of a packet of data, mostly due to network congestion.
• Desequencing: this is a modification of the order of arrival of packets.

Netstat is a tool to determine the TCP connections are active on the machine where the command is enabled and thus list all the ports TCP and UDP open on the computer.

The command “netstat” also provides statistics on a number of protocols (Ethernet, IPv4, TCP, UDP, ICMP and IPv6).

Settings netstat

Used without any arguments, the netstat command displays all connections opened by the machine. The netstat command has a number of optional parameters; its syntax is as follows:

netstat [-a] [-e] [-n] [-o] [-s] [-p proto] [-r] [interval]

Used with the -a, netstat shows all connections and listening ports on the machine.
Used with the -e, the netstat command displays statistics Ethernet .
Used with the -n, the netstat command displays addresses and port numbers in numeric format, without name resolution.
Used with the -o netstat details the process number associated with the connection.
Used with the -p flag of the protocol (TCP, UDP or IP), netstat displays the information requested on the specified protocol.
Used with the -r argument, the command netstat displays routing table.
Used with the -s argument, the netstat command displays detailed statistics by protocol.


Finally an optional interval to determine the refresh information in seconds. By default this parameter is 1 second.

The ping tool allows to diagnose network connectivity with a command like:

ping name.of.machine

name.of.machine represents the IP address of the machine or its name. It is usually best at first to test with the IP address of the machine.

Operation table

Ping uses the ICMP protocol , to diagnose the transmission conditions. He thus uses two types of protocol messages (out of 18 proposed by ICMP):

Type 0 is an “echo request”, issued by the source machine;
The type 8 corresponding to an “echo reply”, issued;
At regular intervals (default every second), the source machine (the one on which the ping command is executed) sends a command “echo requests’ to the target machine. Upon receipt of the package “echo reply”, the source machine displays a line containing a certain amount of information. In case of non receipt of the response, a line that says “timeout” error.

Result of ping

Depending on the operating system, display the output of a ping may be slightly different.

The result of such a command under GNU / Linux:

ping www.mynetworkdictionary.com
ping www.mynetworkdictionary.com (163.5.255.85): 56 data bytes
64 bytes from 163.5.255.85: icmp_seq = 0 ttl = 56 time = 7.7 ms
64 bytes from 163.5.255.85: icmp_seq = 1 ttl = 56 time = 6.0 ms
64 bytes from 163.5.255.85: icmp_seq = 2 ttl = 56 time = 5.5 ms
64 bytes from 163.5.255.85: icmp_seq = 3 ttl = 56 time = 6.0 ms
64 bytes from 163.5.255.85: icmp_seq = 4 ttl = 56 time = 5.3 ms
64 bytes from 163.5.255.85: icmp_seq = 5 ttl = 56 time = 5.6 ms
64 bytes from 163.5.255.85: icmp_seq = 6 ttl = 56 time = 7.0 ms
64 bytes from 163.5.255.85: icmp_seq = 7 ttl = 56 time = 6.0 ms
--- Ping statistics --- www.mynetworkdictionary.com
Transmitted packets 8, 8 packets received, 0% packet loss
round-trip min / avg / max = 5.3/6.1/7.7 ms

The result of such a command as a Windows system:

ping www.mynetworkdictionary.com
Pinging www.mynetworkdictionary.com [205.234.219.179] with 32 bytes of data:
Response 205.234.219.179: bytes = 32 time = 34 ms = 54 TTL
Response 205.234.219.179: bytes = 32 time = 37 ms TTL = 54
Response 205.234.219.179: bytes = 32 time = 32ms TTL = 54
Response 205.234.219.179: bytes = 32 time = 33 ms TTL = 54
Ping statistics for 205.234.219.179:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip in milliseconds:
Minimum = 32ms, Maximum = 37ms, Average = 34ms

The output of the ping command allows to know:

• The IP address matches the name of the remote machine;
• The ICMP sequence number;
• The lifetime of a packet (TTL Time To Live). The field of life (TTL) indicates the number of routers traversed by the packet in the exchange between the two machines. Each IP packet has a TTL field set to a relatively high value. Each time a router, the field is decremented. If it happens that the field reaches zero, the router will perform the packet in a loop and destroy it.
• The round trip delay time (round-trip delay) corresponding to the duration in milliseconds for a round trip between the source and the target machine. A package should normally have a propagation delay less than 200 ms.
• The number of lost packets.

Traceroute is a tool for diagnosing networks, present on most operating systems, to determine the path followed by a package. The traceroute command allows to draw a map of the routers between a source machine and target machine. The traceroute command differs between operating systems.

Under the systems UNIX / Linux , the traceroute command is as follows:
traceroute name.of.machine

Under the systems Windows , the traceroute command is as follows:
tracert name.of.machine

Output of traceroute

The traceroute command provides output describing the names and IP addresses of successive routers, preceded by a serial number and the minimum response time, average and maximum:

Tracing route to www.mynetworkdictionary.com [205.234.219.179] over a maximum of 30 hops:
1 33 ms 32 ms 33 ms Raspail-2-81-57-234-254.fbx.proxad.net [81.57. 234 254]
2 33 ms 33 ms 33 ms vlq-6k-2-a5.routers.proxad.net [213.228.4.254]
3 33 ms 33 ms 33 ms vlq-6k-2-v802.intf.routers.proxad.net [ 212.27.50.46]
4 33 ms 33 ms 33 ms th1-6k-2-v806.intf.routers.proxad.net [212.27.50.41]
5 32 ms 34 ms 34 ms CBV-6k-2-v802.intf.routers. proxad.net [212.27.50.34]
6 34 ms 32 ms 33 ms ldc-6k-1-a0.routers.proxad.net [213.228.15.67]
7 35 ms 35 ms 35 ms cogent.FreeIX.net [213.228.3.187]
8 36 ms 36 ms 35 ms NeufTelecom.demarc.cogentco.com [130.117.16.22]
9 36 ms 36 ms 36 ms V3994.c1cbv.gaoland.net [212.94.162.209]
10 34 ms 34 ms 35 ms V4080.core3.cbv . gaoland.net [212.94.161.129]
11 36 ms 35 ms 37 ms 212.94.164.210 12 36 ms 36 ms 36 ms nestor.commentcamarche.org [163.5.255.85]
Route determined.

How Traceroute

Traceroute supports its operation on the TTL field of IP packets. Indeed, each IP packet has a field life TTL (Time to Live) decremented each time a router. When this field reaches zero, the router, whereas the package in a loop, destroys the packet and sends an ICMP notification to the sender.

Thus, traceroute sends packets to a UDP port unprivileged deemed not used (default port 33434) with a TTL equal to 1. The first router encountered will remove the package and send an ICMP giving including the IP address of the router and the propagation time loop. Traceroute will increment sequentially and field life in order to obtain a response from each router along the path until you get a reply “ICMP port unreachable” from the target machine.