MTR Testing Connections… for Fun and Profit?

A Word about ICMP

Keep in mind that ICMP traceroutes might show packet loss because ICMP is either turned off or very low priority, depending on the carrier, load, and other factors. So while ICMP can give you an idea of where to look, it isn't going to give you the whole story.

General Testing

Example

mtr hostname.network
mtr -T hostname.network
mtr -u hostname.network

The first command does ICMP, the second does TCP, the third does UDP.

If you need to test a port number, add -P with the port number. If you need to make a report to send to someone, you can add the -rw flags to the command. This will make something that you can copy & paste.

Carrier Testing

Example

mtr -rwnb -z 2 -P 443 -T hostname.network

This does the following:

  • Creates a wide report (rw)
  • No DNS lookup & show IPs (nb)
  • Shows Full ASN if possible (-z 2)
  • Traces to port 443 (-P 443)
  • Uses TCP (-T)

This will give you good results that you can use to report to carriers if you're having packet loss problems. It shows the important bits like ASN & IP addresses. That way they can get their BGP and other data to make sure things are looking correct.

Tip

  • If you're testing and do not need the ASN you can drop the -z 2.

Another helpful flag when generating data is -c. Using that will set the count, aka time. So if you do -c 120, that will test for 2 minutes.
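
One way to read such a report with the ICMP caveat above in mind, as an added example that is not part of the original post: it separates loss that persists through to the final hop from loss that clears at a later hop. The report text, ASNs and addresses are constructed, the function names are hypothetical, and the 1% threshold is an assumption.

```python
# Added example (not from the original post): triage an `mtr -rw` report.
# Heuristic: loss that clears at a later hop is usually a router deprioritising
# its own ICMP replies; loss that persists to the final hop is worth reporting.
# Constructed sample: documentation IP ranges and ASNs, not a real trace.
SAMPLE_REPORT = """\
Start: 2023-03-24T15:22:00+0000
HOST: probe-host                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS???    192.0.2.1           0.0%   120    0.4   0.5   0.3   1.1   0.1
  2. AS64496  198.51.100.9       35.0%   120    8.1   8.4   7.9  12.0   0.6
  3. AS64496  198.51.100.13       0.0%   120    9.0   9.2   8.8  10.4   0.3
  4. AS???    ???                100.0   120    0.0   0.0   0.0   0.0   0.0
  5. AS64511  203.0.113.5         4.2%   120   21.3  21.9  20.8  30.2   1.4
  6. AS64511  203.0.113.80        5.0%   120   22.0  22.4  21.1  29.7   1.2
"""


def parse_report(text):
    """Return [(hop, host, loss_pct)]; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        # Hop rows start with "N." or "N.|--" and end with the 7 default columns.
        if len(tokens) < 9 or not tokens[0].split(".")[0].isdigit():
            continue
        hop = int(tokens[0].split(".")[0])
        hops.append((hop, " ".join(tokens[1:-7]), float(tokens[-7].rstrip("%"))))
    return hops


def triage(hops, threshold=1.0):
    """Return (persistent, cleared) lists of lossy hops."""
    if not hops:
        return [], []
    dest_loss = hops[-1][2]
    persistent = []
    for hop in reversed(hops):  # walk back from the destination
        if hop[2] >= 100.0 and dest_loss < 100.0:
            continue  # hop never replied, yet traffic got past it
        if hop[2] <= threshold:
            break  # loss does not reach further back than this
        persistent.append(hop)
    persistent.reverse()
    cleared = [h for h in hops if h[2] > threshold and h not in persistent]
    return persistent, cleared


if __name__ == "__main__":
    persistent, cleared = triage(parse_report(SAMPLE_REPORT))
    print("persists to destination:", persistent, "\nclears downstream:", cleared)
```

On the constructed sample, hops 5 and 6 are the ones worth sending to a carrier; hops 2 and 4 show loss that does not reach the destination.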

Bonus Trick

Use openssl to test your endpoint for life!

Example

openssl s_client -connect hostname.local:443

You can test any other port too, e.g. http, ssh, smtp, mysql, etc. If there's life, it will give you something to work with. If you do test a TLS connection with it, you will get back all the cert data. However, this is what it looks like on an active non-TLS port:

Success

❯ openssl s_client -connect duckduckgo.com:80
CONNECTED(00000005)
8188707136:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/9e200cfa-7d96-11ed-886f-a23c4f261b56/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1679671320
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---