Traceroute gives you the hop-by-hop information of a route from a source host to a destination. In most cases getting the IP and maybe its DNS lookup (when available) is enough for troubleshooting purposes.
Nmap is another tool that I’ve been using a lot lately. It’s very well known in the networking and infosec community and can do so much, which makes me think that only the nmap developers themselves have a grasp of the whole spectrum of its capabilities and features.
Nmap Traceroute
Nmap has a wide range of network discovery capabilities out of the box. In the context of traceroute, it can do the following:
```
netbeez.net $ nmap --traceroute in.gr

Starting Nmap 7.40 ( https://nmap.org ) at 2020-09-29 01:40 EDT
Nmap scan report for in.gr (213.133.127.247)
Host is up (0.16s latency).
Other addresses for in.gr (not scanned): 213.133.127.245
rDNS record for 213.133.127.247: titanas.alteregomedia.org
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
8080/tcp closed http-proxy

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.75 ms   172.31.0.1
2   5.62 ms   192.168.86.1
3   6.92 ms   192.168.1.254
4   10.44 ms  108-193-0-1.lightspeed.sntcca.sbcglobal.net (108.193.0.1)
5   ...
6   9.23 ms   12.242.117.22
7   10.56 ms  192.205.37.58
8   10.86 ms  ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2)
9   68.48 ms  ae-2.r24.asbnva02.us.bb.gin.ntt.net (129.250.6.238)
10  68.63 ms  ae-0.r25.asbnva02.us.bb.gin.ntt.net (129.250.2.36)
11  158.23 ms ae-16.r21.frnkge13.de.bb.gin.ntt.net (129.250.4.97)
12  158.12 ms ae-8.r01.frnkge13.de.bb.gin.ntt.net (129.250.6.51)
13  166.78 ms 213.198.82.130
14  184.61 ms core11.nbg1.hetzner.com (213.239.252.22)
15  168.86 ms ex9k1.dc2.nbg1.hetzner.com (213.239.229.6)
16  164.29 ms titanas.alteregomedia.org (213.133.127.247)

Nmap done: 1 IP address (1 host up) scanned in 14.81 seconds
```
The output looks very similar to the traceroute output you are familiar with. In addition, nmap does a port scan and shows which ports it probed on the final host and their state (80 and 443 open, 8080 closed). This run took 14.81 seconds, but if you add the option -sP (spelled -sn in current Nmap releases), nmap skips the port scan and finishes within a few seconds.
Traceroute Hops on Google Maps
We previously wrote about nmap scripts and their capabilities. Nmap has around 600 prepackaged scripts that do a variety of tasks, but you can also write your own scripts tailored to your discovery or testing needs.
There are a few scripts that do traceroute geolocation, but the one I found that works more reliably and returns correct results more consistently is traceroute-geolocation.
Here is how you execute it:
```
netbeez.net $ nmap --traceroute --script traceroute-geolocation --script-args traceroute-geolocation.kmlfile=coordinates-in.kml in.gr

Starting Nmap 7.40 ( https://nmap.org ) at 2020-09-29 01:50 EDT
Nmap scan report for in.gr (213.133.127.245)
Host is up (0.16s latency).
Other addresses for in.gr (not scanned): 213.133.127.247
rDNS record for 213.133.127.245: kronos.alteregomedia.org
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| traceroute-geolocation:
|   HOP  RTT     ADDRESS                                                    GEOLOCATION
|   1    0.72    172.31.0.1                                                 - ,-
|   2    5.24    192.168.86.1                                               - ,-
|   3    6.47    192.168.1.254                                              - ,-
|   4    13.52   108-193-0-1.lightspeed.sntcca.sbcglobal.net (108.193.0.1)  37.294,-121.900 United States (California)
|   5    ...
|   6    8.32    12.242.117.22                                              37.751,-97.822 United States ()
|   7    10.47   192.205.37.58                                              37.751,-97.822 United States ()
|   8    11.58   ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2)          37.751,-97.822 United States ()
|   9    69.12   ae-2.r24.asbnva02.us.bb.gin.ntt.net (129.250.6.238)        37.751,-97.822 United States ()
|   10   68.20   ae-0.r25.asbnva02.us.bb.gin.ntt.net (129.250.2.36)         37.751,-97.822 United States ()
|   11   151.56  ae-16.r21.frnkge13.de.bb.gin.ntt.net (129.250.4.97)        37.751,-97.822 United States ()
|   12   155.67  ae-8.r01.frnkge13.de.bb.gin.ntt.net (129.250.6.51)         37.751,-97.822 United States ()
|   13   157.79  213.198.82.130                                             55.679,12.559 Denmark (Capital Region)
|   14   166.25  core11.nbg1.hetzner.com (213.239.252.22)                   51.299,9.491 Germany ()
|   15   169.37  ex9k1.dc2.nbg1.hetzner.com (213.239.229.6)                 51.299,9.491 Germany ()
|_  16   162.96  kronos.alteregomedia.org (213.133.127.245)                 51.299,9.491 Germany ()

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.72 ms   172.31.0.1
2   5.24 ms   192.168.86.1
3   6.47 ms   192.168.1.254
4   13.52 ms  108-193-0-1.lightspeed.sntcca.sbcglobal.net (108.193.0.1)
5   ...
6   8.32 ms   12.242.117.22
7   10.47 ms  192.205.37.58
8   11.58 ms  ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2)
9   69.12 ms  ae-2.r24.asbnva02.us.bb.gin.ntt.net (129.250.6.238)
10  68.20 ms  ae-0.r25.asbnva02.us.bb.gin.ntt.net (129.250.2.36)
11  151.56 ms ae-16.r21.frnkge13.de.bb.gin.ntt.net (129.250.4.97)
12  155.67 ms ae-8.r01.frnkge13.de.bb.gin.ntt.net (129.250.6.51)
13  157.79 ms 213.198.82.130
14  166.25 ms core11.nbg1.hetzner.com (213.239.252.22)
15  169.37 ms ex9k1.dc2.nbg1.hetzner.com (213.239.229.6)
16  162.96 ms kronos.alteregomedia.org (213.133.127.245)

Nmap done: 1 IP address (1 host up) scanned in 21.74 seconds
```
The output gives me the classic traceroute result, plus the coordinates of the IPs that can be geolocated. Note that the script sometimes fails and returns no coordinate information.
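As an added example (not part of the original post), the Python sketch below parses hop rows in the traceroute-geolocation layout shown above and grades how precise each location is: a row with an empty region, such as `United States ()`, carries only country-level information, and a coordinate pair reported for several hops should be read as coarse. The sample rows are a constructed subset of the output above, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: a subset of the hop rows from the output above.
SAMPLE = """\
|   HOP  RTT     ADDRESS                                                    GEOLOCATION
|   1    0.72    172.31.0.1                                                 - ,-
|   4    13.52   108-193-0-1.lightspeed.sntcca.sbcglobal.net (108.193.0.1)  37.294,-121.900 United States (California)
|   5    ...
|   6    8.32    12.242.117.22                                              37.751,-97.822 United States ()
|   11   151.56  ae-16.r21.frnkge13.de.bb.gin.ntt.net (129.250.4.97)        37.751,-97.822 United States ()
|   13   157.79  213.198.82.130                                             55.679,12.559 Denmark (Capital Region)
|_  16   162.96  kronos.alteregomedia.org (213.133.127.245)                 51.299,9.491 Germany ()
"""

HOP = re.compile(r"^\|_?\s+(?P<hop>\d+)\s+(?P<rest>.*)$")
ROW = re.compile(
    r"^(?P<rtt>[\d.]+)\s+(?:(?P<name>\S+)\s+\((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))\s+"
    r"(?:-\s*,-|(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)\s+(?P<country>.*?)\s*\((?P<region>.*)\))\s*$"
)


def parse_hops(text):
    """Return one dict per hop row with its IP, coordinates and location precision."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header or non-table line
        hop = {"hop": int(m["hop"]), "ip": None, "coord": None, "precision": "no-reply"}
        r = ROW.match(m["rest"])
        if r:  # "..." rows (no reply) do not match ROW
            hop["ip"] = r["ip1"] or r["ip2"]
            if r["lat"] is None:
                hop["precision"] = "none"  # "- ,-": no location returned
            else:
                hop["coord"] = (float(r["lat"]), float(r["lon"]))
                hop["precision"] = "region" if r["region"].strip() else "country"
        hops.append(hop)
    return hops


def shared_coords(hops):
    """Coordinates reported for more than one hop; treat these as coarse."""
    counts = Counter(h["coord"] for h in hops if h["coord"])
    return {c: n for c, n in counts.items() if n > 1}


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for h in hops:
        print(h["hop"], h["ip"], h["coord"], h["precision"])
    print("shared:", shared_coords(hops))
```

On the sample, hops 6 and 11 come back as country-level and share one coordinate pair, even though the rDNS name of hop 11 contains `frnkge13.de`, so the plotted path should not be taken as the physical route.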
In addition, with the option --script-args traceroute-geolocation.kmlfile=coordinates-in.kml the coordinates were saved in a KML file that can be imported into Google Maps to give you a cool view of the routing.
To do that, open Google Maps, and
- Go to “My Maps” (the easiest way to find it is to google “My Maps” rather than trying to find it through the Google Maps menu options).
- Click on “+CREATE A NEW MAP”
- Click on “Import” and import the file generated from the traceroute-geolocation NSE script above
- Voila!
It’s a quick and easy way to visualize a traceroute path for your convenience, for showing it to customers, or for educational purposes.