Modern digital networks are IP networks, based on packet-switched Internet Protocols. Packets of information travel from a source node connected to the network to a destination node connected to the network. The path these packets take through the myriad of possible routes through the network is chosen by routers, and may change. The path between source and destination may not be the same for each packet, and may not be the same in each direction.
This routing poses a question which is simple to ask, but difficult to answer: what path does a packet take through the network?
Tracing a path of IP packets through the network is generally accomplished by using the well-known traceroute utility. Traceroute attempts to report the route or path (the set of IP addresses of router interfaces) through which a certain type of packet (a UDP packet) travels to reach a particular destination port. Traceroute manipulates the time-to-live (TTL) attribute of the packets in the IP packet header it sends to get such information. The TTL attribute of a packet as used by traceroute is not a timer in the clock or time-of-day sense, but rather a counter which is decremented each time the packet passes through a router. When TTL is decremented to zero, the packet is dropped, and the router returns an ICMP Timer Expired message to the sender, including its own IP address as a source IP address in the IP packet header. So, by beginning with a TTL of 1 and incrementing the TTL until the destination is reached, a path may be “traced.” However, this “traced path” is an aggregate path which represents only a theoretical route, as it is built from a series of UDP packets. The path traced may not represent the actual path taken by packets, as the route may change during the mapping process. Additionally, the path is only traced in a single direction, and there is no guarantee that return traffic takes a reciprocal route. Nevertheless, the traceroute tool gives an approximate path with approximate round trip delays to each hop on a path that in many cases is good enough for network troubleshooting.
The ping utility also provides a round trip delay measurement between source and destination, but does not report on the path itself. Ping uses ICMP echo messages and ICMP echo reply messages. Because it uses ICMP messages, it may not provide an accurate measurement of real traffic round trip delay. ICMP messages may be routed differently than other network traffic, for example using different priorities or different routes. In addition, routers are usually designed to drop ICMP messages when the router becomes congested.
Approaches such as traceroute, ping, and their derivatives rely on special packet types, and provide aggregate data based on special test packets. These two techniques rely on active measurement by inserting special packets into the network. Such special packets may not be routed through the network in the same way as other traffic. Providing reliable information on packet routing involves measuring real traffic. Such information includes information on how long it takes a specific packet to travel from one node to another. As networks may have congestion points which introduce packet jitter, knowledge of congestion points and jitter is very often essential in determining network problems or anomalies.
What is needed is a way to obtain unidirectional IP path information on real network data, including timestamping of intercepted packets.