
I'm running a Kali VM in VirtualBox on a Windows 11 computer. When I run tracert to google.com in the Windows CMD it gives what looks like a normal output with 9 hops, but on my VM it looks like this:

traceroute -I google.com  
traceroute to google.com (142.251.179.138), 30 hops max, 60 byte packets
 1  pd-in-f138.1e100.net (142.251.179.138)  15.426 ms * *

I'm nearly 100% certain I'm not on the same network as google.com. I'm only using -I because using it normally looks like this:

traceroute google.com   
traceroute to google.com (142.251.179.139), 30 hops max, 60 byte packets
 1  [gateway IP address] ([gateway IP address])  0.393 ms  0.378 ms  0.367 ms
 2  [the exact same address] ([the exact same address again])  15.853 ms  15.845 ms  15.835 ms

Before I set a firewall rule to allow inbound ICMPv4 packets, it looked like this (for default, -I, -U, and -T):

traceroute google.com
traceroute to google.com (142.251.179.102), 30 hops max, 60 byte packets
 1  [gateway IP address] ([gateway IP address])  5.541 ms  5.568 ms  5.549 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

After also setting a rule to allow UDP, I can run it with -U and get the following:

traceroute -U google.com
traceroute to google.com (142.251.179.101), 30 hops max, 60 byte packets
 1  [gateway IP] ([gateway IP])  0.346 ms  0.392 ms  0.384 ms
 2  pd-in-f101.1e100.net (142.251.179.101)  3.824 ms  4.503 ms  5.691 ms

With TCP:

sudo traceroute -T google.com       
[sudo] password for kali: 
traceroute to google.com (142.251.179.102), 30 hops max, 60 byte packets
 1  pd-in-f102.1e100.net (142.251.179.102)  22.763 ms  28.803 ms  15.613 ms

This is the case for youtube.com and tryhackme.com as well, but if I try duolingo.com (this time EVERY line returns * * * rather than just every line after the gateway IP):

traceroute -I duolingo.com 
traceroute to duolingo.com (34.205.80.233), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

All other options (including default) give the same result as for google (but ending with Duolingo's IP address).

  • To investigate I would try (a) Run tracert on the Windows host while using Wireshark on the host to record the packets (b) Run traceroute on the Kali VM while using Wireshark on both the host and VM to record the packets (c) Compare the packets from (a) and (b) to find the difference in what is received. I haven't run traceroute in a VM, but the virtualbox networking could potentially be affecting the results. Commented Nov 16 at 7:27

1 Answer


Traceroute cannot properly work through VirtualBox's 'NAT' mode.

The way VirtualBox implements its 'NAT' mode is not through full IP forwarding, but through emulation or proxying – the VirtualBox process itself "consumes" your TCP or UDP packets (using the SLiRP network stack) and establishes separate TCP connections or sends fresh UDP packets from the host OS to the destination.

This passes through the data within those packets, but not the full metadata, e.g. your traceroute probes were sent with very specific IP TTL fields (to trigger responses from increasingly farther gateways) but VirtualBox's proxy just copies the data to a fresh UDP packet that has the default maximum TTL.

So the TTL=1 probe that was meant to trigger a reply from the 1st gateway just travels all the way to the end destination and that's what shows up as the 1st hop.

To avoid this, either use 'Bridged' mode (the VM directly sends Ethernet frames to your LAN), or the 'Host-Only' mode + enable OS-level IP forwarding and NAT on the Windows host (this turns the host into a full IP router).


Note that if the final host doesn't answer ICMP Echo Request – i.e. if you cannot ping it – then an ICMP traceroute will always turn into * * * when it would normally show the final host (as there is no way for traceroute to know that it has actually reached the destination without some kind of response). VirtualBox's NAT merely makes it happen sooner.

The same applies to UDP traceroute when the final host has a firewall that quietly discards UDP packets on those ports (instead of replying with some kind of ICMP "Port Unreachable" which would be more proper).


As a final note, sometimes network operators just do Weird Things that make even normal traceroutes look odd:

  • Some ISPs use ECMP load-balancing between two alternate paths, or even between two different upstream carriers. This makes UDP traceroutes unreliable as the varying port numbers cause each probe to alternate between the two paths. Prefer ICMP, or UDP with a fixed port number.

  • Many ISPs use MPLS, which typically supports traceroute but in a way that makes the timings look "flat" because MPLS gateways can't immediately return probe responses to the sender; instead the reply has to be carried on forward, towards the destination, until it exits MPLS, and only then routed back to you. Use the -e, --extensions option to see where MPLS might be involved.

  • Some carriers might internally use Ethernet-layer routing (perhaps SPB/TRILL or some similar method that carries Ethernet frames across their entire backbone from PoP to PoP), which is entirely invisible to IP-layer traceroute.

  • Some ISPs have weird/buggy/suspicious network equipment that resets TTL to 255 on packets traveling through it, causing the trace to "collapse" past that point (making all subsequent hops vanish, and making it look like the packets teleported to the destination).

  • Google even admits in their documentation that their "cloud" network sometimes resets or even increments packet TTL instead of decrementing it, again making their internal hops vanish from traceroute when tracing to a GCE VM and making it look like the packet just teleported halfway across the world.

So don't be surprised if an occasional traceroute looks equally weird on the host as it does in the VM.

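The following Python model is an added illustration of the mechanism the answer describes; it is not part of the original question or answer and is not VirtualBox's or traceroute's code. It walks a probe across a path of TTL-decrementing routers and, alternatively, through a proxying NAT node that discards the guest's TTL and re-originates the packet with a fresh default TTL. The proxy's per-protocol behaviour (expiring a TTL=1 UDP probe itself but re-originating ICMP echo requests regardless of TTL) and the host-firewall effect are assumptions chosen only to reproduce the outputs quoted in the question, not a description of SLiRP's implementation. The addresses are constructed from RFC 1918 / documentation ranges, VirtualBox's default NAT gateway 10.0.2.2, and the google.com address quoted above.

```python
"""Simulate traceroute probes across real routers versus a proxying NAT.

Added example (not from the question, the answer or VirtualBox). Simplified:
one probe per hop, no timings, no name resolution.
"""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_TTL = 64  # TTL a fresh packet from the host typically carries
MAX_HOPS = 30     # traceroute's default -m value
FINAL_REPLIES = {"echo-reply", "port-unreachable"}  # "destination reached" signals


@dataclass
class Probe:
    ttl: int
    proto: str  # "icmp" (traceroute -I) or "udp" (default / -U)


@dataclass
class Reply:
    source: str  # address the reply appears to come from
    kind: str    # "time-exceeded", "echo-reply" or "port-unreachable"


def forward(probe: Probe, path: list) -> Reply | None:
    """Hand the probe to the next node; None means no reply ever comes back."""
    return path[0].handle(probe, path[1:]) if path else None


@dataclass
class Router:
    """A real IP router: decrements TTL and reports expiry to the sender."""
    addr: str

    def handle(self, probe: Probe, rest: list) -> Reply | None:
        probe.ttl -= 1
        if probe.ttl == 0:
            return Reply(self.addr, "time-exceeded")
        return forward(probe, rest)


@dataclass
class Destination:
    """Final host: a packet arriving with TTL 1 is delivered, not expired."""
    addr: str
    answers_icmp: bool = True  # False: host does not answer ping
    answers_udp: bool = True   # False: firewall silently drops the UDP probe

    def handle(self, probe: Probe, rest: list) -> Reply | None:
        if probe.proto == "icmp":
            return Reply(self.addr, "echo-reply") if self.answers_icmp else None
        return Reply(self.addr, "port-unreachable") if self.answers_udp else None


@dataclass
class ProxyNat:
    """SLiRP-style NAT: the guest's packet is consumed and its payload re-sent
    from the host in a fresh packet, so the guest's TTL never reaches the wire.
    ASSUMPTION (to match the question's output): TTL=1 UDP probes are expired
    by the proxy itself; ICMP echo requests are re-originated regardless of TTL;
    replies returning to the host pass through the host firewall."""
    addr: str
    expires_ttl1_for: frozenset = frozenset({"udp"})
    host_drops_inbound_icmp: bool = False

    def handle(self, probe: Probe, rest: list) -> Reply | None:
        if probe.ttl == 1 and probe.proto in self.expires_ttl1_for:
            return Reply(self.addr, "time-exceeded")  # generated locally, never firewalled
        fresh = Probe(ttl=DEFAULT_TTL, proto=probe.proto)  # guest's TTL discarded here
        reply = forward(fresh, rest)
        if reply is not None and self.host_drops_inbound_icmp:
            return None  # every reply type modelled here is an ICMP message to the host
        return reply


def traceroute(path: list, proto: str, max_hops: int = MAX_HOPS) -> list[tuple[int, str]]:
    """Return (hop, responder) pairs, '*' where nothing answered, stopping once
    the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(Probe(ttl=ttl, proto=proto), path)
        hops.append((ttl, reply.source if reply else "*"))
        if reply is not None and reply.kind in FINAL_REPLIES:
            break
    return hops


def render(hops: list[tuple[int, str]]) -> str:
    return "\n".join(f"{hop:2d}  {who}" for hop, who in hops)


# Constructed topologies (addresses are sample values, see lead-in).
UPSTREAM = [Router("192.168.1.1"), Router("100.64.0.1"), Router("203.0.113.9")]
GOOGLE = Destination("142.251.179.138")
NO_PING = Destination("198.51.100.7", answers_icmp=False)
BRIDGED = UPSTREAM + [GOOGLE]                       # frames go straight onto the LAN
NAT = [ProxyNat("10.0.2.2")] + UPSTREAM + [GOOGLE]  # VirtualBox NAT default gateway
NAT_FIREWALLED = [ProxyNat("10.0.2.2", host_drops_inbound_icmp=True)] + UPSTREAM + [GOOGLE]
NAT_NO_PING = [ProxyNat("10.0.2.2")] + UPSTREAM + [NO_PING]

if __name__ == "__main__":
    for label, path, proto in [("bridged, ICMP", BRIDGED, "icmp"), ("NAT, ICMP", NAT, "icmp"),
                               ("NAT, UDP", NAT, "udp"), ("NAT, UDP, host firewall", NAT_FIREWALLED, "udp"),
                               ("NAT, ICMP, destination ignores ping", NAT_NO_PING, "icmp")]:
        print(f"--- {label}\n{render(traceroute(path, proto))}")
```

Run as-is, the bridged path lists each router in turn and ends at the destination; the NAT path shows the destination at hop 1 for ICMP and at hop 2 (after the gateway) for UDP, because the re-originated packet always has TTL 64 left when it arrives. With the host firewall dropping inbound ICMP the trace shows only the gateway followed by `* * *` to hop 30, and with a destination that ignores ping the ICMP trace is `* * *` throughout, the two further shapes seen in the question.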
