.Dd August 17, 2002
.Dt LFT 8
.Os LFT
.Sh NAME
.Nm lft
.Nd display the route packets take to a network host/socket using one of several
layer-4 protocols and methods; optionally show heuristic network information in transitu
.Sh SYNOPSIS
.Nm lft
.Op Fl d Ar dport
.Op Fl s Ar sport
.Op Fl m Ar retry min
.Op Fl M Ar retry max
.Op Fl a Ar ahead
.Op Fl c Ar scatter ms
.Op Fl t Ar timeout ms
.Op Fl l Ar min ttl
.Op Fl H Ar max ttl
.Op Fl L Ar length
.Op Fl q Ar ISN
.Op Fl D Ar device
.Op Fl f Ar device
.Op Fl G Ar icons path
.Op Fl ACEINPRSTUVbeghinpruvxyz
.Ar [<gateway> <...>]
.Ar target:dport
.Sh DESCRIPTION
The Internet is a large and complex aggregation of network hardware, 
connected together by gateways.  Tracking the route one's packets follow 
(or finding the miscreant gateway that's discarding your packets) can be 
difficult.  (from traceroute(8)) 
.Pp
.Nm 
was developed to automate a solution to the above, taking into 
account that modern networks contain many configurations of load balancers, 
proxies, and stateful firewalls.
.Pp
.Nm 
implements numerous network tracing methods and strategies.  Generally,
.Nm
sends various types of layer-4 probes utilizing the IP protocol `time to live' 
field and attempts to elicit an
.Tn ICMP `time exceeded in transit'
response from each gateway along the path to some host.  RFC 1393 Traceroute 
Using an IP Option is also available as one of several tracing methods.
.Pp
.Nm 
additionally listens for various messages along the way to assist network
managers in ascertaining per-protocol heuristic routing information.  
.Nm
can optionally retrieve various information about the networks it traverses using
a variety of sources such as registries, routing arbiters, etc.
.Pp
The only mandatory parameter is the target host name or IP number.  
Options toggle the display of more interesting data or change the variables
of the trace itself.  The (-E/-e) adaptive option tries several combinations 
of TCP states (changing flags inside the probes it sends) in order to improve 
the chances of a successful trace and expose stateful packet filters.
.Pp
Other options are:
.Bl -tag -width Ds
.It Fl d Ar dport
Set
.Ar dport
as the destination TCP port of the probes LFT generates.  Default is 80.  This option is useful to see if packets follow a different route based on protocol destination, a likely scenario when load balancers or proxies are involved.  This option may also bypass less sophisticated packet filter configurations.
.It Fl s Ar sport
Set
.Ar sport
as the origin TCP port of the probes LFT generates.  Default is 53.  This option is useful to see if packets follow a different route based on protocol source. This option may also bypass less sophisticated packet filter configurations.
.It Fl z
Automatically select a pseudo-random source port.  This option may be useful if your local
packet filter or proxy doesn't allow you to use source ports outside of the dymanic range allocation.
.It Fl m Ar min
Set 
.Ar min
as the minimum number of re-attempts to send per host.  Default is 1 unless adaptive
(-E) mode is used.
.It Fl M Ar max
Set 
.Ar max
as the maximum number of re-attempts to send per host.  Default is 3.
.It Fl a Ar ahead
Set 
.Ar ahead
as the number of hops forward to query before waiting for a response.  Default
is 5.
.It Fl c Ar scatter ms
Set 
.Ar scatter ms
as the minimum number of milliseconds to wait between sending probes.  Default
is 20.
.It Fl t Ar timeout ms
Set 
.Ar timeout ms
as the maximum number of milliseconds to wait before assuming a probe was 
lost/discarded.  Default is 250.
.It Fl l Ar min ttl
Set 
.Ar min tll
as the minimum TTL (time-to-live) on outgoing probes (essentially, the 
first hop in the line that you want to display).  Default is 1.
.It Fl q Ar ISN
Set 
.Ar ISN
as the ISN (initial sequence number) of the first probe.  If unset, one will be
automatically generated using a pseudo-random, time-seeded algorithm.
.It Fl L Ar length
Set 
.Ar length
as the size of probe packets in bytes.  This includes layer-3 and layer-4 headers, but
does not include layer-2 headers.  For example, setting the length to 1500 would create
a 1500-byte probe packet which would result in a 1514-byte frame on an Ethernet network.
.It Fl D Ar device
Set 
.Ar device
as the network device or address to receive traffic.  (e.g., "en1" or "1.2.3.4")  If unset, 
.Nm
will attempt to determine and acquire the appropriate interface based on routing.
.It Fl f Ar device
Set 
.Ar device
as the network device or address to transmit traffic.  (e.g., "en1" or "1.2.3.4")  If unset, 
.Nm
will attempt to determine and acquire the appropriate interface based on routing.
This serves to operate 
.Nm
in a passive mode where you may transmit from a (potentially) spoofed IP address on one
interface, yet receive on another. This allows you to trace from a different
IP address whose traffic you can see in order to intercept replies.
.It Fl H Ar ttl
Set 
.Ar ttl
as the maximum TTL, essentially the maximum route traversal distance in 
hops.  Default is 30.
.It Fl G Ar icons path
Set
.Ar icons path
as the path to GraphViz icons in connection with GraphViz output.
.It Fl I
Set the ToS (Type of Serice) bit on outgoing IP datagrams.  The ToS will
be set to the differentiated services request minimize-delay.
.It Fl i
Disable "stop" on ICMP other than TTL expired.
.It Fl n
Print addresses numerically rather than symbolically and numerically.  
Disables use of the DNS resolver completely. 
.It Fl h
Print addresses symbolically rather than symbolically and numerically.  If
the DNS resolver fails to resolve an address, the address is printed numerically.
.It Fl E/e
Enable use of the adaptive engine which tries several combinations of TCP states
(changing flags inside the probes it sends) in order to improve
the chances of a successful trace.  The engine also displays other useful
information such as stateful inspection firewalls or broken IP stacks 
encountered along the way.
.It Fl F 
Enable use of TCP packets with the FIN flag set.  This strategy fools unsophisticated
packet filters that don't maintain a proper state table.  Such devices will forward the packet 
to its destination rather than filter it, assuming a handshake has already taken place and 
the probes are part of an existing and valid TCP stream.  
.It Fl u
Enable use of UDP-based probes instead of TCP-based probes.  This strategy is similar
to the traditional traceroute method, but many of LFT's other options (such as source
and destination port selection) are still available.  By default, LFT's UDP probes
have a small payload (unlike LFT's TCP probes that carry no payload).  
.It Fl N
Enable lookup and display of network or AS names (e.g., [GNTY-NETBLK-4]).  This 
option queries Prefix WhoIs, RIPE NCC, or the RADB (as requested).  In the case of 
Prefix WhoIs or RADB, the network name is displayed.  In the case of RIPE NCC, the 
AS name is displayed.
.It Fl P
Enable RFC 1393 tracing method using ICMP and an IP option.  While this strategy
has been formalized in an RFC, few network equipment vendors support it.  
.It Fl p
Enable use of ICMP-based probes instead of TCP-based probes.  This strategy 
is sometimes the fastest, however firewalls commonly filter ICMP at network borders.
ICMP probes are echo request (ping) packets.
.It Fl b
Enable TCP basic tracing method.  Unlike the default method, the basic method generates
TCP probes without relying upon sequence numbers being conveyed correctly.  This
makes LFT more comptabile with networks employing NAT, but is slower than the default
method.  TCP basic may also be used with adaptive mode (-E).
.It Fl A
Enable lookup and display of of AS (autonomous system) numbers (e.g., [1]).  
This option queries one of several whois servers (see options 'C' and 'r')
in order to ascertain the origin ASN of the IP address in question.  By 
default, LFT uses the pWhoIs service whose ASN data tends to be more accurate 
and more timely than using the RADB as it is derived from the Internet's global 
routing table.  See www.pwhois.org
.It Fl r
Force use of the RIPE NCC RIS whois service to lookup ASNs.  This is an alternative
source of timely ASN-related information built using the Internet's global
routing table.  See www.ripe.net/projects/ris
.It Fl C
Force use of the Cymru whois service to lookup ASNs.  This is an
alternative source of timely ASN-related information built using the 
Internet's global routing table.  See www.cymru.com
.It Fl R
Force use of the RADB whois service to lookup ASNs.  This tends to be quick,
but incomplete and usually inaccurate with regard to the 'actual' Internet
routing table.  See www.radb.net
.It Fl T
Enable display of LFT's execution timer.  This option places timers on the
trace itself and on lookups and name resolution to show where LFT is spending
its time, waiting on resolvers, or processing trace packets.  Use with -V (verbose) 
to display additional detail.
.It Fl U
Display all times in UTC/GMT0.  This option also enables the -T option automatically.
.It Fl S
Suppress display of the real-time status bar.  This option makes LFT show its
completed trace output only, no-frills.
.It Fl x
Enable XML output and suppress all other output to stdout.
.It Fl g
Enable GraphViz output and suppress all other output to stdout.
.It Fl y
Enable network seam testing in connection with GraphViz output.
.It Fl V
Display verbose output.  Use more V's for more info.
.It Fl v
Display version information, then exit(1).
.El
.Pp
Any hosts listed after these options and before the final host/target will comprise
the loose source route.  Since network operators have security concerns
regarding the use of source routing, don't expect the LSRR options
to do anything for you in most public networks.
.Sh EXAMPLES
A sample use and output might be:
.Bd -literal
[edge.lax]$ lft -S 4.2.2.2

Hop  LFT trace to vnsc-bak.sys.gtei.net (4.2.2.2):80/tcp
 1   ln-gateway.centergate.com (206.117.161.1) 0.5ms
 2   isi-acg.ln.net (130.152.136.1) 2.3ms
 3   isi-1-lngw2-atm.ln.net (130.152.180.21) 2.5ms
 4   gigabitethernet5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249) 3.0ms
 5   p6-0.lsanca1-cr6.bbnplanet.net (4.24.4.2) 3.4ms
 6   p6-0.lsanca2-br1.bbnplanet.net (4.24.5.49) 3.3ms
 7   p15-0.snjpca1-br1.bbnplanet.net (4.24.5.58) 10.9ms
 8   so-3-0-0.mtvwca1-br1.bbnplanet.net (4.24.7.33) 11.1ms
 9   p7-0.mtvwca1-dc-dbe1.bbnplanet.net (4.24.9.166) 11.0ms
10   vlan40.mtvwca1-dc1-dfa1-rc1.bbnplanet.net (128.11.193.67) 11.1ms
**   [neglected] no reply packets received from TTLs 11 through 20
**   [4.2-3 BSD bug] the next gateway may errantly reply with reused TTLs
21   [target] vnsc-bak.sys.gtei.net (4.2.2.2) 11.2ms

.Ed
.Pp
The (-S) option was used to suppress the real-time status bar for clean output.
LFT's "**" notifiers in between hops 10 and 21 represent additional useful information: the first is a "[neglected]" indicator that lets us know that none of the probes sent with the TTLs indicated elicited responses.  This could be for a variety of reasons, but the cause of this specific occurrence is described in the next informative message which indicates that this is likely the result of a bug in
the 4.[23]
.Tn BSD
network code (and its derivatives):  BSD 4.x (x < 3)
sends an unreachable message using whatever TTL remains in the
original datagram.  Since, for gateways, the remaining TTL is
zero, the
.Tn ICMP
"time exceeded" is guaranteed to not make it back
to us.  LFT does its best to identify this condition rather than print 
lots and lots of hops that don't exist (trying to reach a high enough TTL).
.Pp
Now, using the adaptive engine option:
.Bd -literal 

[edge.lax]$ lft -E -S 4.2.2.1

Hop  LFT trace to vnsc-pri.sys.gtei.net (4.2.2.1):80/tcp
 1   ln-gateway.centergate.com (206.117.161.1) 0.5/0.5ms
 2   isi-acg.ln.net (130.152.136.1) 2.1/2.3ms
 3   isi-1-lngw2-atm.ln.net (130.152.180.21) 2.6/7.1ms
 4   gigabitethernet5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249) 6.1/3.9ms
**   [firewall] the next gateway may statefully inspect packets
 5   p0-0-0.lsanca1-csr1.bbnplanet.net (4.24.4.10) 155.4/3.7ms
 6   [target] vnsc-pri.sys.gtei.net (4.2.2.1) 22.6/3.7/*/*/*/*/*ms

.Ed
.Pp
In the scenario above, the adaptive engine was able to identify a stateful, packet-inspecting firewall in the path.  Another example with more options:
.Bd -literal

[edge.lax]$ lft -S -A -T -m 2 -d 80 -s 53 www.yahoo.com

Hop  LFT trace to w9.scd.yahoo.com (66.218.71.88):80/tcp
 1   [226] ln-gateway.centergate.com (206.117.161.1)  1 ms
 2   [226] isi-acg.ln.net (130.152.136.1)  2 ms
 3   [226] isi-1-lngw2-atm.ln.net (130.152.180.21)  3 ms
 4   [1] gigether5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249)  3 ms
 5   [1] p6-0.lsanca1-cr6.bbnplanet.net (4.24.4.2)  5 ms
 6   [1] p6-0.lsanca2-br1.bbnplanet.net (4.24.5.49)  3 ms
 7   [1] p1-0.lsanca2-cr2.bbnplanet.net (4.25.112.1)  3 ms
 8   [16852] pos4-0.core1.LosAngeles1.Level3.net (209.0.227.57)  3 ms
 9   [3356] so-4-0-0.mp1.LosAngeles1.Level3.net (209.247.10.193)  3 ms
10   [3356] so-3-0-0.mp2.SanJose1.Level3.net (64.159.1.130)  11 ms
11   [3356] gige10-0.ipcolo4.SanJose1.Level3.net (64.159.2.42)  11 ms
12   [3356] cust-int.level3.net (64.152.81.62)  52 ms
13   [10310] vl17.bas2.scd.yahoo.com (66.218.64.150)  53 ms
14   [10310] w9.scd.yahoo.com (66.218.71.88) [target]  54 ms
.Pp
LFT's trace took 5.23 seconds.  Resolution required 3.58 seconds.

.Ed
.Pp
Note the -Ar above displays ASNs using the RADB as a whois source.  A better option may have been
to use the -A alone or perhaps -AC.
.Pp
And why not request netblock lookups?
.Bd -literal

[edge.lax]$ lft -S -N www.microsoft.com

Hop  LFT trace to www.us.microsoft.com (207.46.197.113):80/tcp
 1   [LOS-NETTOS-BLK4] ln-gateway.centergate.com (206.117.161.1)  2 ms
 2   [LOS-NETTOS] isi-acg.ln.net (130.152.136.1)  3 ms
 3   [LOS-NETTOS] isi-1-lngw2-pos.ln.net (130.152.80.30)  5 ms
 4   [GNTY-4-0] gigether5-0.lsanca1-cr3.bbnplanet.net (4.24.4.249)  4 ms
 5   [GNTY-4-0] p6-0.lsanca1-cr6.bbnplanet.net (4.24.4.2)  3 ms
 6   [GNTY-4-0] p6-0.lsanca2-br1.bbnplanet.net (4.24.5.49)  3 ms
 7   [GNTY-4-0] p15-0.snjpca1-br1.bbnplanet.net (4.24.5.58)  10 ms
 8   [GNTY-4-0] p9-0.snjpca1-br2.bbnplanet.net (4.24.9.130)  11 ms
 9   [GNTY-4-0] so-1-0-0.sttlwa2-br1.bbnplanet.net (4.0.3.229)  27 ms
10   [GNTY-4-0] so-0-0-0.sttlwa1-hcr1.bbnplanet.net (4.24.11.202)  28 ms
11   [GNTY-4-0] so-7-0-0.sttlwa1-hcr2.bbnplanet.net (4.24.10.234)  28 ms
12   [GNTY-4-0] p1-0.sttlwa1-cr2.bbnplanet.net (4.24.10.241)  29 ms
13   [GNTY-4-0] p2-0.msseattle.bbnplanet.net (4.25.89.6)  32 ms
14   [MICROSOFT-GLOBAL-NET] 207.46.154.9  32 ms
15   [MICROSOFT-GLOBAL-NET] 207.46.155.17  33 ms
16   [MICROSOFT-GLOBAL-NET] 207.46.129.51 [prohibited]  35 ms

.Ed
.Pp 
.Sh TROUBLESHOOTING
If traces don't appear to go anywhere, there are a number of things to try.  
If you are receiving an error related to permissions, be sure the
.Nm
executable is set-uid root so it may execute with root-level permissions
required to utilize raw sockets on most operating systems.
.Pp
If you do not receive permissions-related errors, but traces still don't go 
anywhere, first activate verbose output by adding -VV to your command line 
options.  Then, reading the verbose output, if you see trace
probes going out, but no replies being detected (as indicated by "RCVD" tags),
you may:  Use the TCP basic (-b) method if you wish to use TCP probes and you 
fear NAT may be causing your trace to fail.  Alternatively, select a different
trace method and protocol such as UDP (-u) or ICMP (-p).
.Pp
If you are attempting to use RFC 1393 (-P) and your trace is failing, this is 
likely because network equipment somewhere in the path does not conform to 
RFC 1393.  Your only option is to select an alternative tracing method or protocol.
.Pp
If you are attempting to utilize adaptive mode (-E/-e) and traces fail, first
try enabling NAT compatibility using TCP basic (-b).  If traces still fail, the
most likely reason is a close-proximity stateful firewall in your network, which 
prevents this feature from working.
.Pp
.Sh AUTHORS
Victor Oppleman, Eugene Antsilevitch, Sergey Kondryukov and other helpers around the world.
.Sh REPORTING BUGS
To report bugs, send e-mail to <lft@oppleman.com>
.Sh SEE ALSO
.Xr traceroute 8 ,
.Xr netstat 1 ,
.Xr whois 1 ,
.Xr whob 8
.Sh HISTORY
The
.Nm
command first appeared in 1998 as 'fft'.  Renamed as a result of confusion with fast fourier transforms, 
.Nm
stands for 'layer four traceroute.'  Thanks also to Nils McCarthy for writing 'FFT', LFT's predecessor.