Actually David, I suspect you have that backwards. TCP/IP trace was built "after" ICMP, as an alternative to get around people that blocked the former. And yes I ***mean*** TCP/IP, not IP. The two are completely different.
Look, the theory behind it is that, yes, ICMP works fine, but if its blocked, how do you get the same info? Well, TCP/IP (Again not **IP**), has packet time outs. So, you send out a packet request in TCP/IP, with some stupid time out. The router recieves it, checks the transit time, concludes that your timeout was too short, and sends back, again via TCP/IP, "Sorry, but your HTTP request timed out before I could deliver it." By doing that, they can produce "identical" results to ICMP.
Why not just use ICMP? Because some admins are morons. Yes, there are probably some bad implementations one some hardware, and some I think they have even found, but what kind of privilege escalation does that give you? Oh, know, they might be able to ask some computer on my network what its name is, or how its connected to the router? Whimper! That's just too scary! As far as I know even a borked version with a buffer overflow, or similar bug, can't escalate privilege above ICMP, so doing so is pretty damn useless as a hack.
This doesn't stop a) ISPs from setting their router/modem firewalls to block them for no damn reason, nor from some backbones doing the same stupid thing. Remember some years back we had some hickups in the backbone running from here to California on the way to NY, then Europe. Some twit set their router to block ICMP, so that when the network went a little wonky, the only way to find out if the server I wanted to get to was up at all was to just connect to it. Normally I would run a batch file, which would, every once in a while, run a tracert, so I could watch the network condition and see when there at least *should be* a connection again. Same with something like Ping. Its not uncommon for some services, if they lose a connection, to ping their remote host, until they get a response, rather than sending out larger packets to what might be an overburdened server, to reconnect. So, what happens to your service if some moron running a router sets it to block all ICMP packets, so that ping will **never** tell you that the route is open and a connection can be attempted again?
Point is, its gotten common enough in the paranoia of the last 5+ years that some people have decided to write TCP/IP tracers, which use HTTP type requests to find the information, since the ICMP won't bloody work any more.
What even the IP tracert you are talking about is/was, that isn't what I am talking about (or if it is, one of us has it wrong about *when* they came up with it). Oh, and there was a service you could install, prior to yet another patch from MS, called WinPCap, which did something to bypass the problem, so that the tracert would work again. What ever additional change they made, that won't work either any more.
Anyway. Point is that the patch they did to try to curtail this actually made it harder to *fix* potentially even more critical problems. Since the only way you can trace something is either via TCP/IP or ICMP, if the later is blocked, the former can and does generate information that is damn near worthless, in some configurations, to find the same information. Its like the difference between giving someone a GPS or a basic map, with all the names, street numbers, and even any indication if its the right city, removed. And all to prevent something that **didn't stop** after they patched it this way. lol |