Which begs the same question I've asked in the recent past: then what *is* a good diagnostic tool? If ICMP "is not the best way to test", then what is? What other globally-implemented layer 3 or below protocols do we have available for troubleshooting?
Sure, UDP-based traceroute still relies on ICMP TTL exceeded responses to work. I've no idea what TCP traceroute relies on, as I haven't looked at it.
I love it when people answer their own questions and tell us that they are lazy, to boot. For the record, TCP traceroute and similar TCP based tools rely on the fact that if you send a TCP SYN packet to a host it will respond with either a TCP RST (if the port is NOT listening) or a TCP SYN/ACK. The round trip time of this provides useful information which is unaffected by any ICMP chicanery on the part of routers or firewalls. A polite application such as TCP traceroute will reply to the SYN/ACK with an RST packet so it is reasonably safe to use this tool with live services. Of course, even TCP packets can be blocked or dropped for various reasons so this is not a 100% solution. However, if you want to avoid ICMP filtering or low precedence, then TCP traceroute will help. --Michael Dillon
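An added example of the mechanism Michael describes, written for this thread rather than taken from any traceroute implementation: it builds the TCP SYN probe a tcptraceroute-style tool sends with a small TTL, then classifies three constructed replies (all addresses are from the RFC 5737 documentation ranges and the packets are hand-built, not captured). Note one detail the post leaves out: even with TCP probes the intermediate hops still announce themselves with ICMP Time Exceeded; only the final host is recognised by the SYN/ACK or RST, so a path that silently drops ICMP type 11 will still show up as missing hops. TCP checksums are left zero and not validated, since the point is the flag logic, not wire-correct packets.

```python
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_TIME_EXCEEDED = 11


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, ttl: int, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; checksum intentionally zero (not validated here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def build_probe(src: bytes, dst: bytes, dport: int, ttl: int, sport: int = 40000, seq: int = 1000) -> bytes:
    """The probe tcptraceroute sends: a bare SYN whose TTL selects the hop we want to hear from."""
    return build_ipv4(src, dst, ttl, PROTO_TCP, build_tcp(sport, dport, seq, 0, TCP_SYN))


def classify_response(pkt: bytes, probe_seq: int = 1000):
    """What one reply tells the tool: an intermediate hop, the target's port state, or noise."""
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == PROTO_TCP:
        flags = struct.unpack("!HHIIBBHHH", body[:20])[5]
        if flags & TCP_SYN and flags & TCP_ACK:
            return ("target", "open")        # listening: polite tools answer this with an RST
        if flags & TCP_RST:
            return ("target", "closed")      # not listening, but the host itself is reachable
        return ("unknown", None)
    if proto == PROTO_ICMP and body[0] == ICMP_TIME_EXCEEDED and body[1] == 0:
        inner = body[8:]                     # quoted original IP header + first 8 bytes of TCP
        inner_ihl = (inner[0] & 0x0F) * 4
        _, _, inner_seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
        if inner_seq != probe_seq:
            return ("unrelated", None)       # someone else's probe; ignore it
        return ("hop", socket.inet_ntoa(src))
    return ("unknown", None)


def sample_replies() -> dict:
    """Constructed replies to one probe: router TTL-exceeded, target SYN/ACK, target RST."""
    me, target, router = (socket.inet_aton(a) for a in ("192.0.2.10", "203.0.113.5", "198.51.100.1"))
    probe = build_probe(me, target, dport=80, ttl=1)
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    return {
        "router_ttl_exceeded": build_ipv4(router, me, 64, PROTO_ICMP, icmp),
        "target_syn_ack": build_ipv4(target, me, 64, PROTO_TCP, build_tcp(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK)),
        "target_rst": build_ipv4(target, me, 64, PROTO_TCP, build_tcp(443, 40000, 0, 1001, TCP_RST | TCP_ACK)),
    }


if __name__ == "__main__":
    for name, pkt in sample_replies().items():
        print(name, "->", classify_response(pkt))
```

Running it prints the router as a hop and the two target replies as open and closed respectively; a real tool repeats `build_probe` with TTL 1, 2, 3, ... on a raw socket and times each reply to get the per-hop RTTs Michael mentions.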