tracking TCP session hop by hop

Peter Phaal peter.phaal at
Wed Nov 29 19:34:24 UTC 2017

On Wed, Nov 29, 2017 at 9:06 AM, William Herrin <bill at> wrote:

> On Tue, Nov 28, 2017 at 3:48 PM, Yifeng Zhou <zhuifeng0426 at>
> wrote:
> > Is there any way that we can track TCP session hop by hop?
> >
> > Say we have 10 ECMP between A and Z point, what's the easiest way to
> track
> > specific session is using which path? How we can check between
> > servers(Linux/Unix) and between Routers(Cisco/Juniper etc)?
> >
> A TCP connection is uniquely identified by the combination of four numbers:
> The source IP address, the source port, the destination IP address and the
> destination port. You used the word session, but sessions happen above TCP
> in the stack and may use more than one TCP connection.  Every packet in the
> connection contains all four numbers and no packet from any other
> connection contains the same four numbers.
> If you want to track the connections, you capture the packets at each point
> in the path (router products have vendor-specific ways of doing this) and
> see which unique sets of the four numbers went through which router and
> router interface.
> If you want to -test- which path a TCP connection -would- take, Ruairi's
> afore-mentioned tcptraceroute is the way to go. The regular traceroute with
> modern Linux servers also supports the "-T" flag which does the same thing.
> It works just like regular traceroute but uses synthetic TCP SYN packets
> instead of ICMP or UDP packets, allowing the packets to pass firewalls
> which would otherwise block the trace.
> Bear in mind that in each case you will likely only see the path taken at
> the IP level. Underlying transits at the Ethernet or MPLS level are
> intentionally invisible to the endpoints.
In the data center context, enabling sFlow continuously captures packets
from all paths and can be used to trace multi-path packet flows, whether
layer 2 (MLAG/LAG), or layer 3 (ECMP). sFlow reports physical switch ports
and captures Ethernet packet headers, so you can relate paths to MPLS
labels, Ethernet headers, IP headers, TCP/UDP headers, VxLAN tunnels, etc.

The following article provides an example:

More information about the NANOG mailing list