Solved

mtr network test results

Posted on 2015-01-04
Last Modified: 2015-01-26
I was talking with someone today about using mtr and we stumped ourselves asking each other what certain outputs might mean.

The following would be a normal test with a normal result reaching the target.

# mtr -c1 -r -n x.x.18.18

1.|-- 192.168.1.1
2.|-- x.x.x.77
3.|-- 10.10.18.1
4.|-- 192.168.76.32
5.|-- 10.29.52.53
6.|-- x.x.8.79
7.|-- x.x.48.14
8.|-- x.x.62.98
9.|-- x.x.0.12
10.|-- ???
11.|-- x.x.18.18

The following would indicate that we cannot reach the target and that hop 11 is down. However, we know that hop 10 always blocks icmp so how would we confirm that hop 11 is actually down?

# mtr -c1 -r -n x.x.18.18

1.|-- 192.168.1.1
2.|-- x.x.x.77
3.|-- 10.10.18.1
4.|-- 192.168.76.32
5.|-- 10.29.52.53
6.|-- x.x.8.79
7.|-- x.x.48.14
8.|-- x.x.62.98
9.|-- x.x.0.12
10.|-- ???

Finally, we stumped ourselves, wondering if such a result could even ever happen? If such a result were possible, while it might seem somewhat obvious, what would the true result of this following test be?

# mtr -c1 -r -n x.x.18.18

1.|-- 192.168.1.1
2.|-- x.x.x.77
3.|-- 10.10.18.1
4.|-- 192.168.76.32
5.|-- 10.29.52.53
6.|-- x.x.8.79
7.|-- x.x.48.14
8.|-- x.x.62.98
9.|-- ???
10.|-- ???
11.|-- ???
Question by:projects

Expert Comment

by:Dave Baldwin
ID: 40530558
The first answer is to do a simple ping to the target.  If it doesn't respond (and you know that it normally does), then you can conclude that it is down (at least for ping).  Your last listing doesn't actually tell you anything about the last 3 servers except that they are not responding.  Right now I can't find any host that will not show the last 2 or 3 servers like that.

Author Comment

by:projects
ID: 40530849
Well, I know that I can confirm things using a separate ping or traceroute but the point is what if this was all we had for input. What would we conclude and how?

In the last example, it's possible that hop 9 and 10 are blocking icmp but there would be no way of confirming that if this is all we had for output. The fact that we see hop 11 as ??? means to me that the mtr test reached at least hop 10.

Expert Comment

by:Dave Baldwin
ID: 40530871
This site https://www.linode.com/docs/networking/diagnosing-network-issues-with-mtr has some good info along with a link at the bottom to the 'official' MTR site.  There are a lot of sites with 'mtr' info.  https://www.google.com/search?q=mtr+results

Author Comment

by:projects
ID: 40532534
Yes, I've seen that one and countless others but was hoping for more of an interactive response and communications :)
Reading is one thing, testing and talking about the results is another. I've read and read and am pretty sure I get it but I want to make sure and that is why I posted this.

Expert Comment

by:Dave Baldwin
ID: 40532630
Ok. I don't have the time right now to do anything more with this. You can click on "Request Attention" above to get some others to look at your question.

Accepted Solution

by:
giltjr earned 500 total points
ID: 40538719
If I normally received responses from hop 9 and during one run I got the ???, but I still went past hop 9, I would initially assume that hop 9 was so busy it could not respond to the request. On most L3 devices the tasks that respond to ICMP requests for that device run at a lower priority than the tasks that forward/route traffic to the next hop. This means when they are under stress ICMP responses may never get sent.

If I continued to receive ??? then I would change the assumption to be that the device at hop 9 was reconfigured to no longer respond to ICMP messages or the next hop out of #8 changed to a device that blocks ICMP.

Since hop 11 is the final destination the 3 assumptions I would make would be:

1) device/host is down
2) device/host is so busy it can't respond
3) device/host has been reconfigured so that it no longer responds to ICMP messages.
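
The reading of `???` lines discussed in this thread, written as a small report parser (an added example, not code posted by anyone in the thread). The addresses are constructed samples shaped like the three reports in the question, and `known_silent` is a hypothetical parameter for hops known never to answer, such as hop 10 there.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)")  # matches short and full report rows

def parse_report(text):
    """Return [(hop_number, host)] from `mtr -r -n` report lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(HOP_RE.match, text.splitlines()) if m]

def interpret(text, target, known_silent=()):
    """Classify one report; known_silent = hops known never to answer (assumed input)."""
    hops = parse_report(text)
    if not hops:
        raise ValueError("no hop lines found")
    last_reply = max((n for n, host in hops if host != "???"), default=0)
    # "???" before a later reply: the hop forwarded the probes but did not answer.
    silent_transit = [n for n, host in hops if host == "???" and n < last_reply]
    # "???" after the last reply: the report cannot separate these hops.
    trailing = [n for n, host in hops if host == "???" and n > last_reply]
    reached = any(host == target for _, host in hops)
    if reached:
        verdict = "target answered"
    elif trailing and trailing[0] in known_silent:
        verdict = "target silent, break point hidden behind hop %d" % trailing[0]
    else:
        verdict = "no reply past hop %d: down, too busy, or filtering ICMP" % last_reply
    return {"reached": reached, "silent_transit": silent_transit,
            "trailing": trailing, "verdict": verdict}

# Constructed sample data shaped like the three reports in the question.
TARGET = "203.0.113.18"
PATH = ["192.168.1.1", "198.51.100.77", "10.10.18.1", "192.168.76.32", "10.29.52.53",
        "198.51.100.79", "198.51.100.14", "198.51.100.98", "198.51.100.12"]

def render(hosts):
    return "\n".join("%d.|-- %s" % (i, h) for i, h in enumerate(hosts, 1))

NORMAL = render(PATH + ["???", TARGET])          # hop 10 silent, target answers
CUT_AT_10 = render(PATH + ["???"])               # nothing after the silent hop 10
CUT_AT_9 = render(PATH[:8] + ["???"] * 3)        # hops 9, 10 and 11 all silent

if __name__ == "__main__":
    for name, report in [("normal", NORMAL), ("cut at 10", CUT_AT_10), ("cut at 9", CUT_AT_9)]:
        print(name, interpret(report, TARGET, known_silent={10}))
```

A single cycle (`-c1`) cannot separate a busy hop from a filtering one; the accepted answer tells them apart by whether the `???` persists across runs.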