CISCO CyberOps lab – Tracing a Route; cybersecurity training

Objectives

Part 1: Verifying Network Connectivity Using Ping

Part 2: Tracing a Route to a Remote Server Using Traceroute

Part 3: Trace a Route to a Remote Server Using Web-Based Traceroute Tool

Background

Tracing a route will list each routing device that a packet crosses as it traverses the network from source to destination. Route tracing is typically executed at the command line as:

tracert <destination network name or end device address>

(Microsoft Windows systems)

or

traceroute <destination network name or end device address>

(Unix and similar systems)

The traceroute (or tracert) tool is often used for network troubleshooting. By showing a list of routers traversed, it allows the user to identify the path taken to reach a particular destination on the network or across internetworks. Each router represents a point where one network connects to another network and through which the data packet was forwarded. The number of routers is known as the number of “hops” the data traveled from source to destination.

The displayed list can help identify data flow problems when trying to access a service such as a website. It can also be useful when performing tasks such as downloading data. If there are multiple websites (mirrors) available for the same data file, one can trace each mirror to get a good idea of which mirror would be the fastest to use.

Two trace routes between the same source and destination conducted some time apart may produce different results. This is due to the “meshed” nature of the interconnected networks that comprise the internet and the Internet Protocols’ ability to select different pathways over which to send packets.

Command-line-based route tracing tools are usually embedded with the operating system of the end device.

Scenario

Using an internet connection, you will use two route tracing utilities to examine the internet pathway to destination networks. First, you will verify connectivity to a website. Second, you will use the traceroute utility on the Linux command line. Third, you will use a web-based traceroute tool (https://gsuite.tools/traceroute).

Instructor Note: Some institutions disable ICMP echo replies used by both ping and traceroute utilities. Before students begin this activity, make sure there are no local restrictions related to ICMP datagrams. This activity assumes that ICMP datagrams are not restricted by any local security policy.

Required Resources

  • CyberOps Workstation VM
  • Internet access

Instructions

Step 1: Verifying Network Connectivity Using Ping

  1. Start the CyberOps Workstation VM. Log into the VM with the following credentials:

Username: analyst

Password: cyberops

  1. Open a terminal window in the VM to ping a remote server, such as cisco.com.

[analyst@secOps ~]$ ping -c 4 www.cisco.com

PING e2867.dsca.akamaiedge.net (184.24.123.103) 56(84) bytes of data.

64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com (184.24.123.103): icmp_seq=1 ttl=59 time=13.0 ms

64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com (184.24.123.103): icmp_seq=2 ttl=59 time=12.5 ms

64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com (184.24.123.103): icmp_seq=3 ttl=59 time=14.9 ms

64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com (184.24.123.103): icmp_seq=4 ttl=59 time=11.9 ms

 

— e2867.dsca.akamaiedge.net ping statistics —

4 packets transmitted, 4 received, 0% packet loss, time 3005ms

rtt min/avg/max/mdev = 11.976/13.143/14.967/1.132 ms

  1. The first output line displays the Fully Qualified Domain Name (FQDN) e2867.dsca.akamaiedge.net. This is followed by the IP address 184.24.123.103. Cisco hosts the same web content on different servers throughout the world (known as mirrors). Therefore, depending upon where you are geographically, the FQDN and the IP address will be different.

Four pings were sent and a reply was received from each ping. Because each ping received a response, there was 0% packet loss. On average, it took 3005 ms (3005 milliseconds) for the packets to cross the network. A millisecond is 1/1,000th of a second. Your results will likely be different.

Instructor Note: If the first ICMP packet times out, this could be a result of the PC resolving the destination address. This should not occur if you repeat the ping as the address is now cached.

Step 2: Tracing a Route to a Remote Server Using Traceroute

Now that basic reachability has been verified by using the ping tool, it is helpful to look more closely at each network segment that is crossed.

Routes traced can go through many hops and a number of different Internet Service Providers (ISPs), depending on the size of your ISP and the location of the source and destination hosts. Each “hop” represents a router. A router is a specialized type of computer used to direct traffic across the internet. Imagine taking an automobile trip across several countries using many highways. At different points in the trip you come to a fork in the road in which you have the option to select from several different highways. Now further imagine that there is a device at each fork in the road that directs you to take the correct highway to your final destination. That is what a router does for packets on a network.

Because computers talk in binary or hexadecimal numbers, rather than words, routers are uniquely identified using IP addresses. The traceroute tool shows you what path through the network a packet of information takes to reach its final destination. The traceroute tool also gives you an idea of how fast traffic is going on each segment of the network. Packets are sent to each router in the path, and the return time is measured in milliseconds.

Note: CyberOps Workstation VM network settings may need to be set to bridged adapter if you are not getting any traceroute results. To check your network settings, go to: Machine > Settings, select Network, the tab Adapter 1, Attached to: Bridged Adapter.

To do this, the traceroute tool is used.

  1. At the terminal prompt, type traceroute www.cisco.com.

[analyst@secOps ~]$ traceroute www.cisco.com

traceroute to www.cisco.com (184.24.123.103), 30 hops max, 60 byte packets

1  192.168.1.1 (192.168.1.1)  6.527 ms  6.783 ms  6.826 ms

2  10.39.176.1 (10.39.176.1)  27.748 ms  27.533 ms  27.480 ms

3  100.127.65.250 (100.127.65.250)  27.864 ms  28.570 ms  28.566 ms

4  70.169.73.196 (70.169.73.196)  29.063 ms  35.025 ms  33.976 ms

5  fed1bbrj01.xe110.0.rd.sd.cox.net (68.1.0.155)  39.101 ms  39.120 ms  39.108 ms

6  a184-24-123-103.deploy.static.akamaitechnologies.com (184.24.123.103)  38.004 ms  13.583 ms  13.612 ms

  1. If you would like to save the traceroute output to a text file for later review, use the right carat (>) and the desired filename to save the output in the present directory. In this example, the traceroute output is saved in the /home/analyst/cisco-traceroute.txt file.

[analyst@secOps ~]$ traceroute www.cisco.com > cisco-traceroute.txt

You can now enter the cat cisco-traceroute.txt command to view the output of the trace stored in the text file.

  1. Perform and save the traceroute results for one of the following websites. These are the Regional Internet Registry (RIR) websites located in different parts of the world:

Africa:                www.afrinic.net

Australia:           www.apnic.net

Europe:              www.ripe.net

South America:   www.lacnic.net

Note: Some of these routers along the route may not respond to traceroute.

Step 3: Trace a Route to a Remote Server Using Web-Based Traceroute Tool

  1. Open a web browser in the VM and search for a visual traceroute tool that you can use in the web browser. Try going to the following website: https://gsuite.tools/traceroute
  2. Enter any website you wish. Example: www.cisco.com and press Trace.

Note: If you get the error “SEC_ERROR_OCSP_FUTURE_RESPONSE” in Firefox then the CyberOps Workstation clock/time is incorrect. To fix the time enter the following command to update the clock/time then refresh the web browser and enter the visual trace:

[analyst@secOps ~]$ sudo ntpd -qg

Question:

Review the geographical locations of the responding hops. What did you observe regarding the path?

 

It does not always take the shortest path from the source to the destination.

Reflection Question

How is the traceroute different when going to www.cisco.com or other websites from the terminal (see Part 2) rather than from the online website? (Your results may vary depending upon where you are located geographically, and which ISP is providing connectivity to your school.)

 

The traceroute from the terminal is different than the one from the website. The domains, such as cisco.com, can be hosted on many websites or mirrors throughout the world. This is done so that access time to the site will be fast from anywhere in the world.

 



This website uses cookies and asks your personal data to enhance your browsing experience. We are committed to protecting your privacy and ensuring your data is handled in compliance with the General Data Protection Regulation (GDPR).