Spectroscopy of traceroute delays
[NOTE: This is an updated version of the paper published in Proceedings of PAM 2005. The hardcopy version published by Springer includes the deprecated version, while the electronic proceedings include this updated version. The updated paper correctly accounts for the specific timestamp behavior, previously unknown to the authors, of the particular version of the firmware used in the Dag GE card of our experiments.]
We analyze delays of traceroute probes, i.e. packets that elicit ICMP TimeExceeded messages, for a full range of probe sizes up to 9000 bytes as observed on unloaded high-end routers. Our ultimate motivation is to use traceroute RTTs for Internet mapping of router and PoP (ISP point-of-presence) level nodes, including potentially gleaning information on equipment models, link technologies, capacities, latencies, and spatial positions. To our knowledge it is the first study to examine in a reliable testbed setting the detailed statistics of ICMP response generation.
We find that two fundamental assumptions about ICMP may not hold in some cases in modern routers, namely that ICMP delays are a linear function of packet size and that ICMP generation rate is equal to the capacity of the interface on which probes are received. The primary causes of these violations appear to be internal segmentation of packets into cells and limiting of ICMP packet rates and bit rates inside a router. Our results suggest that the linear model of packet delay as a function of packet size merits revisiting for certain router models and time resolutions. Our findings also suggest possibilities of developing new techniques for bandwidth estimation and router fingerprinting.