-2

I use Nmap to traceroute some websites as follows

nmap -Pn --traceroute 108.177.127.103

I notice that the result varies depending on the used TCP port. So, when I use port 25 instead of port 80, it gives different results.

The weird thing is that the routing process should take place in the 3rd layer. The routing process should not depend on the TCP ports.

My first thought was that something is wrong with Nmap. But, when I used Wireshark to sniff the packets. I found the ICMP responses, they perfectly align with what Nmap is giving.

Then, I used windows command line as follows

tracert 108.177.127.103

I got a completely different result (it gave 24 hops, in nmap there were only 9 hops).

Again, I used Wireshark to see what was sent and received and they all perfectly fine. However, cmd tracert uses ping requests, it doesn't use TCP protocol.

What's worse is that in some cases, the traced routers IPs are all private. Even though, the target IP address is not even in my country!

This is one of the Nmap traceroutes on 162.121.211.20 port 25:

192.168.1.1 (192.168.1.1)

host-197.43.213.1.tedata.net (197.43.213.1)

10.45.3.49 (10.45.3.49)

10.38.6.30 (10.38.6.30)

10.38.7.81 (10.38.7.81)

10.37.87.141 (10.37.87.141)

10.37.22.190 (10.37.22.190)

10.37.242.170 (10.37.242.170)

162.121.211.20

Can anyone explain to me what's going on please ?!

Abdulrahman Mahdy
  • 29
  • 5

1 Answers1

1

In practice some routing decisions can depend on the upper layers.

For instance if an ISP provides anti-virus, content filtering, or proxying/content-distribution services, then it might send HTTP traffic to some special equipment to provide these services.

Port 25 (SMTP) traffic might be redirected to some anti-spam filters.

Various "low priority" traffic (the definition of which can vary) might be sent through other paths than "high priority" traffic. Classic examples are VoIP or gaming traffic being prioritized over BitTorrent.

This is part of what Net Neutrality is all about.

Malt
  • 28,965
  • 9
  • 65
  • 105