Wireshark capture on 3750 ...Please help

Answered Question
Mar 11th, 2009

All,

I've got a host connected to my 3750 stack. The core router also connects to this stack. If I run wireshark on this host and traceroute to the core router, I get "Time-to-live-exceeded (Time to live exceeded in transit)" in wireshark.

The switch has vlans on it, but the native vlan is what I'm connected to. I've attached the exported wireshark trace. I really hope someone can help on this.

Thanks,

John

Richard Burts Wed, 03/11/2009 - 09:42

John

I have looked through the trace file and am not seeing much there that points to an explanation. It might be helpful if you would post the output of an attempt to tracert to that address that is failing.

The symptoms look like somewhere there is a routing loop trying to get to that destination address. So perhaps the output of show ip route from your 3750 might also be helpful.

HTH

Rick

Correct Answer
Yudong Wu Wed, 03/11/2009 - 09:55

I think that's how traceroute works.

Host will set TTL=1 for the first ping packet, then TTL=2 and so on... so that the devices in the path will reply with TTL exceeded. Then the host can know each hop's IP address based on those TTL exceeded packets.

Host will send 3 packets per TTL value and you should get 3 TTL exceeded packets back per hop.
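
The question this thread turns on is whether a "Time to live exceeded in transit" message is the normal answer to a low-TTL traceroute probe or a sign of a routing loop. The following added example (not part of any post in this thread) pairs each ICMP Time Exceeded reply with the probe it quotes and reports the TTL that probe left the host with. The addresses, the sample packets, the `normal_ttl` threshold of 32 and the assumption that IP IDs are unique within the capture are all constructed for illustration.

```python
import struct
from socket import inet_aton, inet_ntoa

HOST, SWITCH, TARGET = "10.125.100.50", "10.125.100.1", "192.0.2.1"  # constructed addresses

def ipv4(src, dst, ttl, ident, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0; constructed sample data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr + payload

def parse(pkt):
    """Extract the fields needed to pair a probe with its ICMP Time Exceeded reply."""
    ihl = (pkt[0] & 0x0F) * 4
    rec = {"src": inet_ntoa(pkt[12:16]), "ttl": pkt[8],
           "id": struct.unpack("!H", pkt[4:6])[0], "quoted_id": None}
    is_icmp = pkt[9] == 1 and len(pkt) >= ihl + 8 + 20
    if is_icmp and pkt[ihl] == 11 and pkt[ihl + 1] == 0:
        # Type 11 code 0 (TTL exceeded in transit) quotes the expired packet's IP header.
        quoted = pkt[ihl + 8:]
        rec["quoted_id"] = struct.unpack("!H", quoted[4:6])[0]
    return rec

def explain_time_exceeded(packets, host, normal_ttl=32):
    """Return ({hop: [TTL each expired probe left the host with]}, [(hop, ttl), ...])
    where the second list holds replies to packets sent with TTL >= normal_ttl."""
    sent, hops, unexpected = {}, {}, []
    for rec in map(parse, packets):
        if rec["src"] == host:
            sent[rec["id"]] = rec["ttl"]          # remember what we sent, keyed by IP ID
        elif rec["quoted_id"] in sent:
            ttl = sent[rec["quoted_id"]]
            hops.setdefault(rec["src"], []).append(ttl)
            if ttl >= normal_ttl:                  # not a traceroute probe: path really ran out
                unexpected.append((rec["src"], ttl))
    return hops, unexpected

def sample_capture():
    """Constructed capture: three TTL=1 echo probes, each expired by the first hop."""
    pkts = []
    for seq in range(3):
        echo = struct.pack("!BBHHH", 8, 0, 0, 1, seq)
        probe = ipv4(HOST, TARGET, 1, 0x1000 + seq, 1, echo)
        expired = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28]
        pkts += [probe, ipv4(SWITCH, HOST, 255, 0x2000 + seq, 1, expired)]
    return pkts

if __name__ == "__main__":
    print(explain_time_exceeded(sample_capture(), HOST))
```

An empty second list means every Time Exceeded reply answers a deliberately low-TTL probe, which is the traceroute pattern; an entry there means a packet sent with an ordinary TTL still expired in transit, which is what a routing loop would produce.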

John Blakley Wed, 03/11/2009 - 10:12

You are correct. I've always thought that the TTL was set and then was decremented, but it doesn't work the same as an IP packet. It does send the first hop, the first hop sends a TTL exceeded back, and it continues this to 30 hops.

Thanks for the info!

John

John Blakley Wed, 03/11/2009 - 09:58

Rick,

The network is directly connected to the 3750:

Routing entry for 10.125.100.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Advertised by bgp 65505
  Routing Descriptor Blocks:
  * directly connected, via Vlan1
      Route metric is 0, traffic share count is 1

I'm not sure what you mean by an address that's failing. One that's non-existent? Anything that goes through the switch from two different hosts on two different switches (my host connected to an edge switch, and a host that's connected directly into the 3750) exhibits the same problem.

The first hop from my box to the router is set to a TTL of 1. It hits the switch and the switch expires it. It does this 3 times, and then my host sets the TTL to 2. Very odd.

I didn't post my whole routing table because I have a ton of bgp routes. (We run bgp on our core switch also.)

Thanks,

John

Richard Burts Wed, 03/11/2009 - 10:33

John

Clearly this is a case where I got so busy looking at the details that I did not think about the context and what is really going on. Clearly Kevin hit the nail on the head that this is the expected behavior of traceroute/tracert.

HTH

Rick
