How can traceroute fail, yet the site still open in a web browser?

I have a client whose website I was unable to connect to. I tried
running a traceroute to see if I could pinpoint where the problem was
happening. I get around 17 hops and the rest of the hops are ***. The
trail usually ends arround an msp1.alter.net domain, which I beleive is
backbone server. I'm guessing this suggests the problem is with the
client's server.

Then I tried a bunch of sites I have no problem connecting with, and
discovered that some connect after only a few hops, and other terminate
in a string of *** hops.

How can a site traceroute take several minutes and return 20 or 30
failed responses, yet load in a web browser almost instantly? I even
tried changing the response time to 10 seconds -- same results.

-- networking neophyte

"jshock" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
>I have a client whose website I was unable to connect to. I tried
> running a traceroute to see if I could pinpoint where the problem was
> happening. I get around 17 hops and the rest of the hops are ***. The
> trail usually ends arround an msp1.alter.net domain, which I beleive is
> backbone server. I'm guessing this suggests the problem is with the
> client's server.
>
> Then I tried a bunch of sites I have no problem connecting with, and
> discovered that some connect after only a few hops, and other terminate
> in a string of *** hops.
>
> How can a site traceroute take several minutes and return 20 or 30
> failed responses, yet load in a web browser almost instantly? I even
> tried changing the response time to 10 seconds -- same results.
>
> -- networking neophyte
>
Routers or servers blocking ICMP traffic. traceroute uses ICMP traffic and
some routers/servers may be configured to block incoming ICMP traffic.

In news:(E-Mail Removed) ups.com,
jshock <(E-Mail Removed)> wrote:

> How can a site traceroute take several minutes and return 20 or 30
> failed responses, yet load in a web browser almost instantly? I even
> tried changing the response time to 10 seconds -- same results.

Some network hops along the path may not transmit ICMP requests/replies. The
web sites transmit TCP packets and so connect properly.

Use tcptraceroute ( http://freshmeat.net/projects/tcptraceroute/ ) to use
TCP rather than ICMP/UDP packets for more reliable traceroute to any desired
port/destination.

On Wed, 14 Jun 2006 09:37:39 -0700, ynotssor wrote:

> In news:(E-Mail Removed) ups.com, jshock
> <(E-Mail Removed)> wrote:
>
>> How can a site traceroute take several minutes and return 20 or 30
>> failed responses, yet load in a web browser almost instantly? I even
>> tried changing the response time to 10 seconds -- same results.
>
> Some network hops along the path may not transmit ICMP requests/replies.
> The web sites transmit TCP packets and so connect properly.

Broadly correct but UNIX/Linux traceroute sends its probes using UDP
packets and expects ICMP TTL expired packets in return. Either or both
could be blocked.

Some versions of traceroute on Linux can optionally send ICMP instead of
UDP. Different distros vary in this respect - the one SuSE supply cannot,
the one Red Hat do can for instance. Of course it's easy enough to drop
the RH version into SuSE etc. ICMP is more likely to get through firewalls
than UDP, probably because MS's "tracerte" uses ICMP.

> Use tcptraceroute (http://freshmeat.net/projects/tcptraceroute/ ) to
> use TCP rather than ICMP/UDP packets for more reliable traceroute to any
> desired port/destination.

Agreed, an excellent tool in these days of strong firewalling.

I run SuSE servers and on a machine which does any Internet communication
I always install both an ICMP capable traceroute (in an alternate
location to the supplied one) and tcptraceroute.

Regards, Ian

On Wed, 14 Jun 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>,
Ian Northeast wrote:

>Some versions of traceroute on Linux can optionally send ICMP instead of
>UDP. Different distros vary in this respect - the one SuSE supply cannot,
>the one Red Hat do can for instance.

The original LBL version of traceroute used UDP because at the time, the
RFCs did not permit an ICMP packet to cause an ICMP error (RFC791 was
later changed to not permit ICMP _error_ packets to cause an ICMP error).
Olaf Kirch re-wrote traceroute for Caldera, and SuSE adopted this version.
It differs in lacking some of the original features of the LBL version,
but added IPv6 support.

>Of course it's easy enough to drop the RH version into SuSE etc.

Is it? I've always encountered compatibility problems, and usually just
recompiled the binary from source.

>ICMP is more likely to get through firewalls than UDP, probably because
>MS's "tracerte" uses ICMP.

I'd suspect a lot more people block ICMP Echos than UDP - simply because
of excessive abuse from skript kiddiez. Certainly our corporate firewall
blocks both.

>Agreed, an excellent tool in these days of strong firewalling.

Trying to stay one step ahead of the latest thing that the skript kiddiez
are abusing is a bit of a problem.

Old guy

On Wed, 14 Jun 2006 15:33:40 -0500, Moe Trin wrote:

> On Wed, 14 Jun 2006, in the Usenet newsgroup comp.os.linux.networking, in
> article <(E-Mail Removed)>, Ian
> Northeast wrote:

>>Of course it's easy enough to drop the RH version into SuSE etc.
>
> Is it? I've always encountered compatibility problems, and usually just
> recompiled the binary from source.

Yes, that's what I meant. I wouldn't try installing a RH RPM in SuSE. It
could cause all sorts of problems apart from library incompatibility.

>>ICMP is more likely to get through firewalls than UDP, probably because
>>MS's "tracerte" uses ICMP.
>
> I'd suspect a lot more people block ICMP Echos than UDP - simply because
> of excessive abuse from skript kiddiez. Certainly our corporate firewall
> blocks both.

Practical experience debugging mail problems shows that ICMP traceroute
gets through more often than the UDP version. But these days it's quite
rare for either to make it all the way, which is why tcptraceroute is so
useful.

Regards, Ian

Moe Trin wrote:
> I'd suspect a lot more people block ICMP Echos than UDP - simply because
> of excessive abuse from skript kiddiez.

What about excessive FUD from Steve Gibson?

On Thu, 15 Jun 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>,
Ian Northeast wrote:

> Moe Trin wrote:

>> I'd suspect a lot more people block ICMP Echos than UDP - simply because
>> of excessive abuse from skript kiddiez. Certainly our corporate firewall
>> blocks both.
>
>Practical experience debugging mail problems shows that ICMP traceroute
>gets through more often than the UDP version. But these days it's quite
>rare for either to make it all the way, which is why tcptraceroute is so
>useful.

Ain't that the truth. I'm also finding a lot of cases where even
tcptraceroute is being blocked - typically, it seems to be perimeter
firewalls dropping ICMP Type 3. Some of that is the result of excess
paranoia, and some the result of exasperation.

Old guy

On 15 Jun 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>,
(E-Mail Removed) wrote:

>Moe Trin wrote:
>> I'd suspect a lot more people block ICMP Echos than UDP - simply because
>> of excessive abuse from skript kiddiez.
>
>What about excessive FUD from Steve Gibson?

He's certainly a factor, but the whole "personal firewall" industry
catering to windoze users deserves a major share of the blame. But then,
most users (not just windoze) don't want to expend more than a few
seconds learning about anything, and virtually all networking concepts
are beyond them.

Old guy