Wireshark capture on 3750 ...Please help

All,

I've got a host connected to my 3750 stack. The core router also connects to this stack. If I run wireshark on this host and traceroute to the core router, I get "Time-to-live-exceeded (Time to live exceeded in transit)" in wireshark.

The switch has vlans on it, but the native vlan is what I'm connected to. I've attached the exported wireshark trace. I really hope someone can help on this.

Thanks,

John

HTH, John *** Please rate all useful posts ***

Re: Wireshark capture on 3750 ...Please help

John

I have looked through the trace file and am not seeing much there that points to an explanation. It might be helpful if you would post the output of an attempt to tracert to that address that is failing.

The symptoms look like somewhere there is a routing loop trying to get to that destination address. So perhaps the output of show ip route from your 3750 might also be helpful.

HTH

Rick

Re: Wireshark capture on 3750 ...Please help

I think that's how traceroute works.

The host will set TTL=1 for the first ping packet, then TTL=2 and so on, so that the devices in the path will reply with TTL exceeded. Then the host can know each hop's IP address based on those TTL exceeded packets.

The host will send 3 packets per TTL value and you should get 3 TTL exceeded packets back per hop.
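An added example, not part of the original thread or any poster's code: it pairs each ICMP Time Exceeded message in a host-side capture with the TTL the host originally sent, which separates the expected traceroute replies described above from a full-TTL packet expiring in transit (the routing-loop symptom raised earlier in the thread). The addresses, IP IDs, packets and the `investigate` label are constructed for illustration.

```python
import struct

MAX_HOPS = 30          # traceroute's hop limit, as mentioned in the thread
IP_HDR = "!BBHHHBBH4s4s"

def ipv4(src, dst, ttl, ident, payload):
    """Build a minimal IPv4/ICMP packet (checksums zero; constructed sample data)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl, 1, 0,
                       bytes(src), bytes(dst)) + payload

def parse_ipv4(pkt):
    vihl, _, _, ident, _, ttl, proto, _, src, _ = struct.unpack(IP_HDR, pkt[:20])
    return {"id": ident, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "payload": pkt[(vihl & 0x0F) * 4:]}

def classify(capture, host):
    """Pair each ICMP Time Exceeded with the TTL the host originally sent."""
    sent_ttl, results = {}, []
    for raw in capture:
        ip = parse_ipv4(raw)
        if ip["src"] == host:
            sent_ttl[ip["id"]] = ip["ttl"]          # remember the sent TTL by IP ID
        elif ip["proto"] == 1 and ip["payload"][:2] == b"\x0b\x00":
            quoted = parse_ipv4(ip["payload"][8:])  # original header quoted by the hop
            ttl = sent_ttl.get(quoted["id"])
            expected = ttl is not None and ttl <= MAX_HOPS
            results.append((ip["src"], ttl, "traceroute" if expected else "investigate"))
    return results

# Constructed addresses: the host, its first hop (the switch), and a far-side device.
HOST, HOP1, FAR = (10, 125, 100, 50), (10, 125, 100, 1), (10, 125, 200, 1)
ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"         # ICMP echo request header

def time_exceeded(hop, probe):
    # Type 11 code 0, 6 bytes of checksum/unused, then original IP header + 8 bytes.
    return ipv4(hop, HOST, 255, 0, b"\x0b\x00" + b"\x00" * 6 + probe[:28])

def sample_capture():
    probes = [ipv4(HOST, FAR, 1, 100 + i, ECHO) for i in range(3)]  # tracert, TTL=1
    stray = ipv4(HOST, FAR, 128, 200, ECHO)                         # ordinary ping
    cap = []
    for p in probes + [stray]:
        cap += [p, time_exceeded(FAR if p is stray else HOP1, p)]
    return cap

if __name__ == "__main__":
    for row in classify(sample_capture(), "10.125.100.50"):
        print(row)
```

Three replies from the first hop for probes sent with TTL=1 are normal traceroute behaviour; a Time Exceeded that quotes a packet sent with an ordinary TTL is the case worth checking against the routing table.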

Re: Wireshark capture on 3750 ...Please help

You are correct. I've always thought that the TTL was set and then was decremented, but it doesn't work the same as an IP packet. It does send the first hop, the first hop sends a TTL exceeded back, and it continues this to 30 hops.

Thanks for the info!

John


Re: Wireshark capture on 3750 ...Please help

Rick,

The network is directly connected to the 3750:

Routing entry for 10.125.100.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Advertised by bgp 65505
  Routing Descriptor Blocks:
  * directly connected, via Vlan1
      Route metric is 0, traffic share count is 1

I'm not sure what you mean by an address that's failing. One that's non-existent? Anything that goes through the switch from two different hosts on two different switches (my host connected to an edge switch, and a host that's connected directly into the 3750) exhibits the same problem.

The first hop from my box to the router is set to a TTL of 1. It hits the switch and the switch expires it. It does this 3 times, and then my host sets the TTL to 2. Very odd.

I didn't post my whole routing table because I have a ton of bgp routes. (We run bgp on our core switch also.)

Thanks,

John


Re: Wireshark capture on 3750 ...Please help

John

Clearly this is a case where I got so busy looking at the details that I did not think about the context and what is really going on. Clearly Kevin hit the nail on the head that this is the expected behavior of traceroute/tracert.

HTH

Rick
