tracking TCP session hop by hop
Hi Experts,

Is there any way that we can track a TCP session hop by hop? Say we have 10 ECMP paths between point A and point Z; what's the easiest way to track which path a specific session is using? How can we check this between servers (Linux/Unix) and between routers (Cisco/Juniper etc.)?

Thanks
-Yifeng
Have a look at tcptraceroute: https://github.com/mct/tcptraceroute/blob/master/examples.txt

On 28 November 2017 at 20:48, Yifeng Zhou <zhuifeng0426@gmail.com> wrote:
> Hi Experts,
> Is there any way that we can track a TCP session hop by hop?
> Say we have 10 ECMP paths between point A and point Z; what's the easiest way to track which path a specific session is using? How can we check this between servers (Linux/Unix) and between routers (Cisco/Juniper etc.)?
> Thanks
> -Yifeng
https://paris-traceroute.net/
Somebody needs to renew their Let's Encrypt SSL cert.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Jennifer Rexford
Sent: Wednesday, November 29, 2017 8:08 AM
To: Yifeng Zhou <zhuifeng0426@gmail.com>
Cc: nanog@nanog.org
Subject: Re: tracking TCP session hop by hop

https://paris-traceroute.net/
A TCP connection is uniquely identified by the combination of four numbers: the source IP address, the source port, the destination IP address and the destination port. You used the word session, but sessions happen above TCP in the stack and may use more than one TCP connection. Every packet in the connection contains all four numbers and no packet from any other connection contains the same four numbers.

If you want to track the connections, you capture the packets at each point in the path (router products have vendor-specific ways of doing this) and see which unique sets of the four numbers went through which router and router interface.

If you want to -test- which path a TCP connection -would- take, Ruairi's aforementioned tcptraceroute is the way to go. The regular traceroute on modern Linux servers also supports the "-T" flag, which does the same thing. It works just like regular traceroute but uses synthetic TCP SYN packets instead of ICMP or UDP packets, allowing the packets to pass firewalls which would otherwise block the trace.

Bear in mind that in each case you will likely only see the path taken at the IP level. Underlying transits at the Ethernet or MPLS level are intentionally invisible to the endpoints.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
Thank you all for the reply! I think traceroute/tcptraceroute is a good way to track a TCP session, as we can use the same 5-tuple as normal TCP does. Bill brought up an interesting point about MPLS and Ethernet. I gave it a bit of thought and here's what I can tell; please correct me if I'm wrong.

For MPLS, everything should be the same prior to entering the MPLS cloud. At the ingress router, it will push an MPLS label (also an entropy label if enabled), but it should be the same for traceroute traffic and the actual TCP traffic (we have the same 4-tuple, or 5, including the incoming interface on the router), so the label/entropy label should be the same. Inside the MPLS cloud, normally a router will use the MPLS label, src/dst IP and port numbers (or the entropy label if enabled) as the hash seed (depending on configuration) to calculate which ECMP path it will use. Choosing the member link inside a LAG might be another story for a non-entropy-enabled MPLS cloud, but we don't really care, as they belong to the same IP (layer-3) path, but I think they should be the same as well?

Thanks
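The point both Bill and Yifeng make, that a probe only follows the connection's ECMP path if it carries the same hash seed (the 5-tuple), can be shown with a small model. This is an added example, not code from the thread or from any of the tools mentioned; the four-hop topology, the two-way ECMP at each hop and the sha256-based hash standing in for a vendor's hash are all constructed assumptions.

```python
import hashlib
from typing import List, Tuple

# Constructed topology: 4 hops between A and Z, each hop with 2 equal-cost
# next-hops (a scaled-down model of the "10 ECMP paths" in the question).
HOPS = 4
ECMP_WIDTH = 2

# (src_ip, dst_ip, ip_proto, src_port, dst_port): the flow identifier that
# routers feed into their ECMP hash (plus per-box salt/config, modelled below).
FiveTuple = Tuple[str, str, int, int, int]

def ecmp_choice(hop: int, flow: FiveTuple) -> int:
    """Next-hop index chosen at one hop. sha256 is an assumption; real routers
    use vendor-specific hashes, but all of them are deterministic in the tuple."""
    key = "|".join([str(hop)] + [str(f) for f in flow]).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % ECMP_WIDTH

def path_for(flow: FiveTuple) -> List[int]:
    """The end-to-end path (one next-hop index per hop) this flow takes."""
    return [ecmp_choice(h, flow) for h in range(HOPS)]

def classic_udp_probes(src: str, dst: str, count: int = 30) -> List[FiveTuple]:
    # Classic UDP traceroute bumps the destination port on every probe, so each
    # probe is a different 5-tuple and may hash onto a different ECMP path.
    return [(src, dst, 17, 40000, 33434 + i) for i in range(count)]

def fixed_tuple_probes(conn: FiveTuple, count: int = 30) -> List[FiveTuple]:
    # Probes that reuse the connection's own 5-tuple and vary only the TTL
    # (the paris-traceroute idea; tcptraceroute-style TCP SYN probes to the
    # real destination port get the same effect): same seed, same path.
    return [conn for _ in range(count)]

def probes_follow_connection(probes: List[FiveTuple], conn: FiveTuple) -> bool:
    """True when every probe is forwarded along the connection's path."""
    target = path_for(conn)
    return all(path_for(p) == target for p in probes)

def distinct_paths(probes: List[FiveTuple]) -> int:
    """How many different paths a set of probes was spread across."""
    return len({tuple(path_for(p)) for p in probes})

if __name__ == "__main__":
    # Constructed connection under investigation (documentation addresses).
    conn: FiveTuple = ("192.0.2.10", "198.51.100.20", 6, 51234, 443)
    print("connection path:", path_for(conn))
    print("fixed-tuple probes on connection path:",
          probes_follow_connection(fixed_tuple_probes(conn), conn))
    print("paths seen by classic UDP probes:",
          distinct_paths(classic_udp_probes(conn[0], conn[1])))
```

The classic probes spread across several paths, so a hop list they produce is not the path of the connection you are chasing; only the fixed-tuple probes report the hops the real connection hashes onto.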
In the data center context, enabling sFlow continuously captures packets from all paths and can be used to trace multi-path packet flows, whether layer 2 (MLAG/LAG), or layer 3 (ECMP). sFlow reports physical switch ports and captures Ethernet packet headers, so you can relate paths to MPLS labels, Ethernet headers, IP headers, TCP/UDP headers, VxLAN tunnels, etc. The following article provides an example: http://blog.sflow.com/2017/09/troubleshooting-connectivity-problems.html
participants (6)
- Jennifer Rexford
- Peter Phaal
- Ruairi Carroll
- Tyler Applebaum
- William Herrin
- Yifeng Zhou