Network Security Pen-Test

RE: Traceroute question

Subject: RE: Traceroute question
Date: Thu, 28 Dec 2006 10:26:08 +0200
Traceroute is based on the IP header time-to-live (TTL) field. The TTL field is used
to limit IP datagrams. TTL functions as a decrementing counter: each hop
(router etc.) that a datagram passes through reduces the TTL field by one.
If the TTL value reaches 0, the datagram is discarded and a "time exceeded in
transit" Internet Control Message Protocol (ICMP) message is created to
inform the source of the failure (Type 11 code 0).

Now...
What if there is a machine that functions as a packet filter?
Well...
The last 2 hosts have the same IP address. Why?
The firewall is defined to return Echo Reply (Type 0 code 0).
The first time, the firewall handles the packet whose TTL was 0,
and the firewall returns time exceeded. The second packet has a TTL of 1;
the firewall will pass the packet through to the next machine, which will
return an echo reply if it is the destination, or time exceeded if it's not.
Assume it returns an echo reply, and the firewall does not allow outgoing ICMP
packets: the firewall returns the echo reply with its own IP.
That's why we get 2 or more results with the same IP.

A solution:
Try to do a TCP traceroute, because Windows tracert is based on ICMP and Unix
traceroute is based on UDP.
You can use Hping.


-----Original Message-----
From: Becky Nelson [mailto:ralf.jacober@gmail.com] 
Sent: Thursday, December 28, 2006 3:37 AM
To: pen-test@securityfocus.com
Subject: Traceroute question

I am running a traceroute and have two hops that report the same
address.  Could someone please explain what would cause this?  I
suspect that this is some type of firewall?

Regards,

Ralf
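
The behaviour described in the reply above, modelled as an added example that is not part of the original thread: a small simulation of ICMP traceroute over a path where one device answers with its own address for hosts behind it. The `Node` class, the `answers_for_inside` flag and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

TIME_EXCEEDED = (11, 0)  # ICMP type 11 code 0
ECHO_REPLY = (0, 0)      # ICMP type 0 code 0

@dataclass
class Node:
    ip: str
    answers_for_inside: bool = False  # hypothetical flag: firewall replies with its own IP

def probe(path, ttl):
    """Send one echo request with this TTL along path; return (reply source IP, ICMP type/code)."""
    front_ip = None  # IP of a firewall already crossed that answers for hosts behind it
    for node in path[:-1]:
        ttl -= 1  # every hop decrements the TTL
        if ttl == 0:
            return (front_ip or node.ip, TIME_EXCEEDED)
        if node.answers_for_inside and front_ip is None:
            front_ip = node.ip
    return (front_ip or path[-1].ip, ECHO_REPLY)  # probe reached the destination

def traceroute(path, max_ttl=30):
    """Probe with TTL 1, 2, 3... until the destination answers; return [(hop, ip, icmp)]."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        ip, icmp = probe(path, ttl)
        hops.append((ttl, ip, icmp))
        if icmp == ECHO_REPLY:
            break
    return hops

def repeated_addresses(hops):
    """Return {ip: [hop numbers]} for addresses reported by consecutive hops."""
    repeats = {}
    for (n1, ip1, _), (n2, ip2, _) in zip(hops, hops[1:]):
        if ip1 == ip2:
            repeats.setdefault(ip1, [n1]).append(n2)
    return repeats

# Constructed sample paths (documentation address ranges, not real hosts).
ROUTERS = [Node("192.0.2.1"), Node("198.51.100.1")]
PLAIN = ROUTERS + [Node("203.0.113.1"), Node("203.0.113.10")]
FILTERED = ROUTERS + [Node("203.0.113.1", answers_for_inside=True), Node("203.0.113.10")]

if __name__ == "__main__":
    for name, path in (("plain", PLAIN), ("filtered", FILTERED)):
        hops = traceroute(path)
        for hop, ip, icmp in hops:
            print(name, hop, ip, "type %d code %d" % icmp)
        print(name, "repeated:", repeated_addresses(hops))
```

In the filtered path the final two hops carry the same address but different ICMP types (time exceeded, then echo reply), which is the signature the reply describes.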
