October 21, 2009

Layer Four Traceroute (LFT) and WhoB

LFT, short for Layer Four Traceroute, is a ‘traceroute’ application that works much faster than traditional Linux (traceroute) and Windows (tracert) options and can bypass restrictive packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups, loose source routing and netblock name lookups.

What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method. For example, rather than only launching UDP probes in an attempt to elicit ICMP “TTL exceeded” from hosts in the path, LFT can send TCP SYN or FIN probes to target arbitrary services. Then, LFT listens for “TTL exceeded” messages, TCP RST (reset), and various other interesting heuristics from firewalls or other gateways in the path. LFT also distinguishes between TCP-based protocols (source and destination port), which makes its statistics slightly more realistic and gives a savvy user the ability to trace protocol routes, not just layer-3 (IP) hops. With LFT’s verbose output, much can be discovered about a target network.

Here’s example output from LFT:

[root@server src]# lft -e -A -N -s 2222 -d 80 -m 2 -M 2 -a 5 -c 20 -t 800 -H 30 www.google.com
Tracing ............*****.........................T
TTL LFT trace to hkg01s01-in-f103.1e100.net (64.233.189.103):80/tcp
1 [2XXX] [MY-AS] core-rtr1.myserver.net (200.0.0.1) 0.7/0.8ms
2 [4750] [csloxinfo-th] wan-mywan.net (203.0.0.9) 13.0/13.1ms
3 [4750] [csloxinfo-th] ge-1-1-CT45.csloxinfo.net (203.146.11.205) 13.4/13.4ms
4 [4750] [csloxinfo-th] 210.1.46.161 13.4/13.5ms
5 [4750] [csloxinfo-th] 210.1.46.228 13.4/13.6ms
6 [7568] [CSLIIG-TH] 202.183.136.77 49.2/49.2ms
7 [7568] [CSLIIG-TH] 202.183.136.82 49.2/49.2ms
8 [7568] [CSLIIG-TH] 202.183.136.98 49.3/49.5ms
9 [15169] [GOOGLE] 209.85.243.158 49.6/49.9ms
10 [15169] [GOOGLE] 209.85.242.243 63.6/61.1ms
11 [15169] [GOOGLE] 72.14.239.201 195.3/91.6ms
** [firewall] the next gateway may implement a flag-based state filter
12 [15169] [GOOGLE] 66.249.94.30 93.4/100.6ms
13 [15169] [GOOGLE] [target closed] hkg01s01-in-f103.1e100.net (64.233.189.103):80 89.6ms
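As an added example (not part of the original post and not code from the LFT project), here is a small Python parser for the trace above. It reads the per-hop lines, keeps the "** [firewall]" heuristic attached to the gateway it refers to (the hop printed right after it), and collapses the hop list into an AS-level path, which is the summary a network engineer usually wants from a run like this. The regular expression is written for the output format shown on this page; it is an assumption that other LFT output modes look the same.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the LFT trace shown in the post, pasted verbatim.
# The header lines are kept so the parser has to skip them.
SAMPLE_LFT = """\
Tracing ............*****.........................T
TTL LFT trace to hkg01s01-in-f103.1e100.net (64.233.189.103):80/tcp
1 [2XXX] [MY-AS] core-rtr1.myserver.net (200.0.0.1) 0.7/0.8ms
2 [4750] [csloxinfo-th] wan-mywan.net (203.0.0.9) 13.0/13.1ms
3 [4750] [csloxinfo-th] ge-1-1-CT45.csloxinfo.net (203.146.11.205) 13.4/13.4ms
4 [4750] [csloxinfo-th] 210.1.46.161 13.4/13.5ms
5 [4750] [csloxinfo-th] 210.1.46.228 13.4/13.6ms
6 [7568] [CSLIIG-TH] 202.183.136.77 49.2/49.2ms
7 [7568] [CSLIIG-TH] 202.183.136.82 49.2/49.2ms
8 [7568] [CSLIIG-TH] 202.183.136.98 49.3/49.5ms
9 [15169] [GOOGLE] 209.85.243.158 49.6/49.9ms
10 [15169] [GOOGLE] 209.85.242.243 63.6/61.1ms
11 [15169] [GOOGLE] 72.14.239.201 195.3/91.6ms
** [firewall] the next gateway may implement a flag-based state filter
12 [15169] [GOOGLE] 66.249.94.30 93.4/100.6ms
13 [15169] [GOOGLE] [target closed] hkg01s01-in-f103.1e100.net (64.233.189.103):80 89.6ms
"""


@dataclass
class Hop:
    ttl: int
    asn: str                 # kept as text: LFT prints placeholders such as "2XXX"
    netname: str
    ip: str
    host: Optional[str]      # None when LFT printed a bare address
    port: Optional[int]      # only present on the target line
    rtts_ms: List[float]     # one value per probe, e.g. [0.7, 0.8]
    flags: List[str]         # bracketed tags such as "target closed"
    notes: List[str] = field(default_factory=list)  # "** [...]" lines printed just before this hop


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(
    r"^\s*(?P<ttl>\d+)\s+"
    r"\[(?P<asn>[^\]]+)\]\s+\[(?P<netname>[^\]]+)\]\s+"
    r"(?P<flags>(?:\[[^\]]+\]\s+)*)"   # zero or more tags like "[target closed]"
    r"(?:(?P<host>\S+)\s+\((?P<ip>" + IPV4 + r")\)|(?P<bare_ip>" + IPV4 + r"))"
    r"(?::(?P<port>\d+))?\s+"
    r"(?P<rtts>[\d.]+(?:/[\d.]+)*)ms\s*$"
)
NOTE_RE = re.compile(r"^\*\*\s+\[(?P<kind>[^\]]+)\]\s+(?P<text>.+?)\s*$")


def parse_lft(text: str) -> List[Hop]:
    """Turn LFT's per-hop output into Hop records; progress and header lines are skipped."""
    hops: List[Hop] = []
    pending_notes: List[str] = []
    for line in text.splitlines():
        m = NOTE_RE.match(line)
        if m:
            # LFT prints the heuristic before the gateway it is about, so hold it
            # until the next hop line arrives.
            pending_notes.append(f"{m['kind']}: {m['text']}")
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hops.append(Hop(
            ttl=int(m["ttl"]),
            asn=m["asn"],
            netname=m["netname"],
            ip=m["ip"] or m["bare_ip"],
            host=m["host"],
            port=int(m["port"]) if m["port"] else None,
            rtts_ms=[float(x) for x in m["rtts"].split("/")],
            flags=re.findall(r"\[([^\]]+)\]", m["flags"]),
            notes=pending_notes,
        ))
        pending_notes = []
    return hops


def as_path(hops: List[Hop]) -> List[str]:
    """AS-level path: consecutive hops inside the same ASN collapse to one entry."""
    path: List[str] = []
    for h in hops:
        if not path or path[-1] != h.asn:
            path.append(h.asn)
    return path


def suspected_filters(hops: List[Hop]) -> List[Tuple[int, str]]:
    """(ttl, note) for every gateway LFT annotated with a firewall heuristic."""
    return [(h.ttl, n) for h in hops for n in h.notes if n.startswith("firewall:")]


if __name__ == "__main__":
    hops = parse_lft(SAMPLE_LFT)
    print("AS path:", " -> ".join(as_path(hops)))
    for ttl, note in suspected_filters(hops):
        print(f"hop {ttl}: {note}")
    last = hops[-1]
    print(f"target {last.ip}:{last.port} flags={last.flags} rtt={last.rtts_ms[0]}ms")
```

Run it on a saved LFT capture (with the shell prompt line removed) to get the AS path "2XXX -> 4750 -> 7568 -> 15169" and the firewall note pinned to hop 12. Keeping the ASN as a string rather than an int matters: LFT prints placeholders such as "2XXX" when it has no lookup result, and an int() conversion would throw on exactly the hops you most want to see.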

WhoB is a likable whois client designed to provide everything a network engineer needs to know about a routed IP address by typing one line and reading one line. But even so, it’s worth typing a few more lines because WhoB can do lots of other cool things for you! It can display the origin-ASN based on the global routing table at that time (according to Prefix WhoIs, RIPE NCC, or Cymru), the ‘origin’ ASN registered in the RADB (IRR), the netname and orgname, etc. By querying pWhoIs, WhoB can even show you all prefixes being announced by a specific Origin-ASN. WhoB performs the lookups quickly, the output is easily parsed by automated programs, and it’s included as part of the Layer Four Traceroute (LFT) software package. LFT uses WhoB as a framework.

Here’s example output from WhoB:

[root@v src]# whob -ntp www.google.com
64.233.189.99 | origin-as 15169 (64.233.188.0/23) | 20-Oct-09 10:09:48 ICT | as-path 3257 15169 | GOOGLE | Google Inc.
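The post notes that WhoB's one-line output is meant to be consumed by automated programs, so here is an added example (my own code, not part of the LFT/WhoB package) that parses the "whob -ntp" line above into typed fields and runs two sanity checks a practitioner would want before trusting a record: that the queried address actually falls inside the announced prefix, and that the as-path ends at the reported origin ASN. It assumes the six-field order shown above; the second input line is constructed from documentation addresses and ASNs purely to show the as-path check failing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the WhoB line shown in the post, verbatim.
SAMPLE_WHOB = (
    "64.233.189.99 | origin-as 15169 (64.233.188.0/23) | 20-Oct-09 10:09:48 ICT "
    "| as-path 3257 15169 | GOOGLE | Google Inc."
)
# Constructed sample using documentation ranges (RFC 5737 address, RFC 5398 ASNs):
# the as-path does not end at the origin ASN, so the consistency check should fire.
SAMPLE_MISMATCH = (
    "198.51.100.7 | origin-as 64496 (198.51.100.0/24) | 21-Oct-09 09:00:00 ICT "
    "| as-path 64500 64497 | EXAMPLE-NET | Example Org"
)

ORIGIN_RE = re.compile(r"^origin-as\s+(?P<asn>\d+)\s+\((?P<prefix>[^)]+)\)$")
PATH_RE = re.compile(r"^as-path\s+(?P<path>\d+(?:\s+\d+)*)$")


@dataclass
class WhobRecord:
    ip: ipaddress.IPv4Address
    origin_as: int
    prefix: ipaddress.IPv4Network
    timestamp: str            # left as text; WhoB prints a local-zone stamp
    as_path: List[int]
    netname: str
    orgname: str


def parse_whob(line: str) -> WhobRecord:
    """Parse one pipe-separated WhoB line (field order as printed by 'whob -ntp' above)."""
    fields = [f.strip() for f in line.strip().split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 pipe-separated fields, got {len(fields)}: {line!r}")
    ip_s, origin_s, ts, path_s, netname, orgname = fields
    mo = ORIGIN_RE.match(origin_s)
    mp = PATH_RE.match(path_s)
    if not mo or not mp:
        raise ValueError(f"unrecognised origin-as / as-path fields: {origin_s!r} / {path_s!r}")
    return WhobRecord(
        ip=ipaddress.IPv4Address(ip_s),
        origin_as=int(mo["asn"]),
        prefix=ipaddress.IPv4Network(mo["prefix"], strict=False),
        timestamp=ts,
        as_path=[int(a) for a in mp["path"].split()],
        netname=netname,
        orgname=orgname,
    )


def consistency_issues(rec: WhobRecord) -> List[str]:
    """Checks worth running on every record before acting on it; empty list means clean."""
    issues: List[str] = []
    if rec.ip not in rec.prefix:
        issues.append(f"{rec.ip} is not inside the announced prefix {rec.prefix}")
    if rec.as_path[-1] != rec.origin_as:
        issues.append(f"as-path {rec.as_path} does not end at origin-as {rec.origin_as}")
    return issues


if __name__ == "__main__":
    for line in (SAMPLE_WHOB, SAMPLE_MISMATCH):
        rec = parse_whob(line)
        print(f"{rec.ip} -> AS{rec.origin_as} ({rec.netname}, {rec.orgname}) path={rec.as_path}")
        for issue in consistency_issues(rec):
            print("  warning:", issue)
```

The record for the Google address parses cleanly and passes both checks; the constructed second line is reported because its path ends at AS64497 while the origin field says AS64496. A mismatch like that in real output usually means the two views WhoB combined (registry data versus the live routing table) disagreed at query time, which is exactly the kind of line you want a script to surface rather than silently accept.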

LFT and WhoB continue to evolve and provide more and more useful data to network engineers and to anyone else that cares how IP datagrams are being routed. With the advent of smarter firewalls, traffic engineering, QoS, and per-protocol packet forwarding, LFT and WhoB have become invaluable tools for many network managers worldwide.

RPM (*nix) packages for LFT (which includes WhoB) can be downloaded from here.

A Windows application version ($$) is available here.