Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3131
Views
0
Helpful
5
Replies

Wireshark capture on 3750 ...Please help

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎03-11-2009 09:27 AM - edited ‎03-06-2019 04:31 AM

All,

I've got a host connected to my 3750 stack. The core router also connects to this stack. If I run wireshark on this host and traceroute to the core router, I get "Time-to-live-exceeded (Time to live exceeded in transit)" in wireshark.

The switch has vlans on it, but the native vlan is what I'm connected to. I've attached the exported wireshark trace. I really hope someone can help on this.

Thanks,

John

HTH, John *** Please rate all useful posts ***
Labels:
Preview file
5 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Yudong Wu
Level 7
Level 7
In response to Richard Burts

‎03-11-2009 09:55 AM

I think that's how traceroute to work.

Host will set TTL=1 for first ping packet, then TTL=2 and so on... so that the devices in the path will reply with TTL exceeded. Then Host can know each hop's IP address based on those TTL exceeded packet.

Host will send 3 packet per TTL value and you should get 3 TTL exceed packet back per hop.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎03-11-2009 09:42 AM

John

I have looked through the trace file and am not seeing much there that points to an explanation. It might be helpful if you would post the output of an attempt to tracert to that address that is failing.

The symptoms look like somewhere there is a routing loop trying to get to that destination address. So perhaps the output of show ip route from your 3750 might also be helpful.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
Yudong Wu
Level 7
Level 7
In response to Richard Burts

‎03-11-2009 09:55 AM

I think that's how traceroute to work.

Host will set TTL=1 for first ping packet, then TTL=2 and so on... so that the devices in the path will reply with TTL exceeded. Then Host can know each hop's IP address based on those TTL exceeded packet.

Host will send 3 packet per TTL value and you should get 3 TTL exceed packet back per hop.

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Yudong Wu

‎03-11-2009 10:12 AM

You are correct. I've always thought that the TTL was set and then was decremented, but it doesn't work the same is an IP packet. It does send the first hop, the first hop sends a TTL exceeded back, and it continues this to 30 hops.

Thanks for the info!

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Richard Burts

‎03-11-2009 09:58 AM

Rick,

The network is directly connected to the 3750:

Routing entry for 10.125.100.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Advertised by bgp 65505

Routing Descriptor Blocks:

* directly connected, via Vlan1

Route metric is 0, traffic share count is 1

I'm not sure what you mean by an address that's failing. One that's non-existent? Anything that goes through the switch from two different hosts on two different switches (my host connected to an edge switch, and a host that's connected directly into the 3750) exhibit the same problem.

The first hop from my box to the router is set to a TTL of 1. It hits the switch and the switch expires it. It does this 3 times, and then my host sets the TTL to 2. Very odd.

I didn't post my whole routing table because I have a ton of bgp routes. (We run bgp on our core switch also.)

Thanks,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to John Blakley

‎03-11-2009 10:33 AM

John

Clearly this is a case where I got so busy looking at the details that I did not think about the context and what is really going on. Clearly Kevin hit the nail on the head that this is the expected behavior of traceroute/tracert.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card