Tracerouting networks with complex topology. How to detect NAT

There are plenty programs to track the route packets, you can get to know with them in the detailed article on trace route methods and programs called ‘Trace route tools and methods’ (by the way, it is recommended that you start acquaintance with it). The current article will again touch upon trace route issues. But the point is not so much in the new tool or in the new method, the point is that it is very likely that the routes shown by traditional tools are incorrect.

To clarify what I mean, this is what a typical trace looks like from my computer to the host:

But in fact, the network topology through which a packet can go from my computer to looks something like this:

The difference is obvious – at some points there are up to five alternatives for nodes through which the network packet will actually pass.

It's all about load balancers and routers with load balancing. As a result, routes shown by traditional tools may contain errors such as:

  • skipping nodes
  • wrong paths (when two nodes located in different routes are shown as consecutive)

A detailed explanation of how this happens is given in the article:

ECMP trace

Networks are now much more complicated than before, and there can be many paths between two network objects (such as your phone, your laptop, some kind of remote server, etc.). This packet routing method is called ECMP or Equal-Cost MultiPath and is used to increase network bandwidth and reliability.

Running a regular trace on an ECMP-enabled network can be a headache, so tools like paris-traceroute exist.

Equal-cost multi-path routing

Equal-cost multi-path routing (ECMP) is a routing strategy in which packets can be forwarded to the next hop at a single destination through several “best paths” that are connected to the start node and for which the routing metric is calculated. Multi-path routing can be used in conjunction with most routing protocols, since this solution is limited to one router for each hop. It can substantially increase bandwidth by load-balancing traffic over multiple paths; however, there may be significant problems in deploying it in practice.

Additional Information:

Simply put, the path of a packet from point A to point F can be represented as follows:

The package can take route B-D or C-E.

A regular traceroute sends a lot of packets, but cannot force them all to follow the same route. Therefore, different packets can be sent on different routes and messages about the expiration of the packet can come from nodes from different paths.

The way packets can go is shown in black arrows, and the path that traditional routing tools can show is shown in red:

It is even worse when two routes of the same metric score have different lengths:

The team that created Paris-traceroute invented a technique that uses ECMP stream hashing to check all possible paths. Dublin Traceroute does what Paris-traceroute can do, plus a little more.

One such additional feature is the NAT discovery method. Dublin Traceroute forges an IP identifier in a test packet and analyzes the responses to detect all NATs encountered. This is a new algorithm that is not found in other network mapping solutions, although the IP identifier is not new to NAT-related tasks. For example, Paris-traceroute uses an IP ID to determine if the loop in traceroute is a result of a NAT device, for this it uses the IP identifier of a response packet, for an explanation see Stephen Bellovin's article “A technique for Counting NATted Hosts”.

Paris-traceroute already detects NAT devices, but it’s actually quite different: Paris-traceroute can tell you whether the transition that appears as a loop in traceroute is due to NAT or not; while Dublin Traceroute can tell you if there is NAT after a given point, it can also identify multiple NATs.

How to install dublin traceroute

Dublin Traceroute has a library and command line tool that installs quite easily. But there is also a Python version that can trace route and additionally can draw route graphs using the data. To enable these functions on your system, you need to install different dependencies – as is shown below.

If you only need the ability to trace route and you are not interested in graphs, then it is enough to install dublin-traceroute package and skip others.

To install Dublin Traceroute on Kali Linux, run the following commands:

sudo apt install dublin-traceroute
# Python module installation
sudo apt install libtins-dev libpcap-dev libjsoncpp-dev libdublintraceroute-dev python3-tabulate python3-pygraphviz python3-setuptools-scm
git clone
sudo cp -r dublin-traceroute/include/dublintraceroute /usr/include/
sudo pip3 install dublintraceroute

To install Dublin Traceroute in BlackArch, run the following commands:

sudo pacman -S dublin-traceroute libtins jsoncpp python-tabulate python-pygraphviz python-setuptools-scm
sudo pip3 install dublintraceroute

How to trace route a multi-path route

To perform trace route network with multi-path topology for find all possible network paths, run a command of the form:

sudo dublin-traceroute HOST

For example, to trace multi-routes to the host:

sudo dublin-traceroute

Example output (only the first two screens – there is actually more information):

The following options may come in handy:

  -N --no-dns                   do not attempt to do reverse DNS lookup of the hops
  -o --output-file              the output file name (default: trace.json)

To draw a route schedule based on the data received:

python3 -m dublintraceroute plot trace.json

An example of the constructed routes is shown at the beginning of the article.

If you used the -o option and specified a different file name to save the results, type it instead of trace.json.

Another example of multi-route tracing:

sudo dublin-traceroute

IPv6 Support

The Dublin Traceroute program is written in C ++ and Python. IPv6 support according to the author of the program is, but in a version that is written in Go. The source code for Go lies in the same repository as C++, but nowhere is it written how to complete the installation and how fully the support is implemented.

Perhaps full IPv6 support will be added later.

Dublin Traceroute options


  dublin-traceroute <target> [--sport=src_base_port]


  -h --help                     this help
  -v --version                  print the version of Dublin Traceroute
  -s SRC_PORT --sport=SRC_PORT  the source port to send packets from (default: 12345)
  -d DST_PORT --dport=DST_PORT  the base destination port to send packets to (default: 33434)
  -n NPATHS --npaths=NPATHS     the number of paths to probe (default: 20)
  -t MIN_TTL --min-ttl=MIN_TTL  the minimum TTL to probe (default: 1)
  -T MAX_TTL --max-ttl=MAX_TTL  the maximum TTL to probe. Must be greater or equal than the minimum TTL (default: 30)
  -D DELAY --delay=DELAY        the inter-packet delay in milliseconds (default: 10)
  -b --broken-nat               the network has a broken NAT configuration (e.g. no payload fixup). Try this if you see fewer hops than expected
  -i --use-srcport              generate paths using source port instead of destination port
  -N --no-dns                   do not attempt to do reverse DNS lookup of the hops
  -o --output-file              the output file name (default: trace.json)

python-dublin-traceroute options


python3 -m dublintraceroute -h [-h] {plot,trace,probe} ...


positional arguments:
  {plot,trace,probe}  Commands
    plot              Plot a traceroute from JSON results
    trace             Run a multipath traceroute towards a target
    probe             Run a multipath probe towards a target

optional arguments:
  -h, --help          show this help message and exit

Last Updated on

Recommended for you:

Leave a Reply

Your email address will not be published.