Read here an explanation of the tcptraceroute command


NAME
   tcptraceroute - A traceroute implementation using TCP packets

SYNOPSIS
   tcptraceroute [-nNFSAE] [ -i interface ] [ -f first ttl ] [ -l length ]
   [ -q number of queries ] [ -t tos ] [ -m max ttl ] [ -p source port ]
   [ -s source address ] [ -w wait time ] host [ destination port ] [ length ]

DESCRIPTION
   tcptraceroute is a traceroute implementation using TCP packets.

   The  more  traditional  traceroute(8) sends out either UDP or ICMP ECHO
   packets with a TTL of one, and increments the TTL until the destination
   has  been  reached.   By  printing the gateways that generate ICMP time
   exceeded messages along the way, it is able to determine the path
   packets are taking to reach the destination.

   The  problem is that with the widespread use of firewalls on the modern
   Internet, many of the packets that traceroute(8) sends out end up being
   filtered, making it impossible to completely trace the path to the
   destination.  However, in many cases, these firewalls will permit inbound
   TCP  packets  to  specific ports that hosts sitting behind the firewall
   are listening for connections on.   By  sending  out  TCP  SYN  packets
   instead  of  UDP  or ICMP ECHO packets, tcptraceroute is able to bypass
   the most common firewall filters.

   It is worth noting that tcptraceroute never  completely  establishes  a
   TCP connection with the destination host.  If the host is not listening
   for incoming connections, it will respond with an RST  indicating  that
   the  port  is closed.  If the host instead responds with a SYN|ACK, the
   port is known to be open, and an RST is sent by the kernel
   tcptraceroute is running on to tear down the connection without
   completing the three-way handshake.  This is the same half-open
   scanning technique
   that nmap(1) uses when passed the -sS flag.

OPTIONS
   -n     Display numeric output, rather than doing a reverse DNS lookup
          for each hop.  By default, reverse lookups are never attempted
          on RFC1918 address space, regardless of the -n flag.

   -N     Perform  a  reverse  DNS  lookup for each hop, including RFC1918

   -f     Set the initial TTL used in  the  first  outgoing  packet.   The
          default is 1.

   -m     Set  the  maximum  TTL used in outgoing packets.  The default is

   -p     Use the specified local  TCP  port  in  outgoing  packets.   The
          default  is to obtain a free port from the kernel using bind(2).
          Unlike with traditional  traceroute(8),  this  number  will  not
          increase with each hop.

   -s     Set  the  source  address for outgoing packets.  See also the -i

   -i     Use the specified interface for outgoing packets.

   -q     Set the number of probes to be sent to each hop.  The default is

   -w     Set  the  timeout,  in  seconds, to wait for a response for each
          probe.  The default is 3.

   -S     Set the TCP SYN flag in outgoing packets.  This is the  default,
          if neither -S nor -A is specified.

   -A     Set  the  TCP  ACK flag in outgoing packets.  By doing so, it is
          possible to trace through stateless firewalls which permit
          outgoing TCP connections.

   -E     Send ECN SYN packets, as described in RFC2481.

   -t     Set the IP TOS (type of service) to be used in outgoing packets.
          The default is not to set any TOS.

   -F     Set the IP "don't fragment" bit in outgoing packets.

   -l     Set the total packet length to be used in outgoing packets.   If
          the length is greater than the minimum size required to assemble
          the necessary probe packet headers, this value is  automatically

   -d     Enable debugging, which may or may not be useful.
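
   Seen from a monitoring point, the probes described above have a
   recognisable shape: the same source and destination port on every packet
   (see -p), the SYN or ACK flag set (-S, -A), and an IP TTL that steps up
   from the initial value (-f).  The Python below is an added example, not
   part of tcptraceroute or of this manual page; the record format, the
   addresses and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sensor records (hypothetical format, not tcptraceroute output):
# time src_ip src_port dst_ip dst_port tcp_flags ip_ttl
SAMPLE_LOG = "\n".join(
    # TTL sweep: two SYN probes per TTL, same source port throughout
    [f"{t * 0.5 + q * 0.1:.1f} 198.51.100.7 41000 203.0.113.10 80 S {t}"
     for t in range(1, 6) for q in range(2)]
    # Ordinary client: SYN retransmissions keep one TTL, then ACKs follow
    + ["1.0 192.0.2.33 52311 203.0.113.10 443 S 57",
       "2.0 192.0.2.33 52311 203.0.113.10 443 S 57",
       "2.1 192.0.2.33 52311 203.0.113.10 443 A 57",
       "2.2 192.0.2.33 52311 203.0.113.10 443 A 57"]
)


def longest_consecutive_run(values):
    """Return (start, end) of the longest run of consecutive integers."""
    best = cur = None
    for v in sorted(values):
        cur = (cur[0], v) if cur and v == cur[1] + 1 else (v, v)
        if best is None or cur[1] - cur[0] > best[1] - best[0]:
            best = cur
    return best


def find_ttl_sweeps(log_text, min_steps=4, ttl_ceiling=32):
    """Flag flows whose SYN or ACK packets step through consecutive low TTLs."""
    # min_steps and ttl_ceiling are assumed thresholds, to be tuned per sensor.
    ttls_by_flow = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed records
        _, src, sport, dst, dport, flags, ttl = fields
        # -S (the default) and -A are the two probe types the options list
        if flags in ("S", "A") and ttl.isdigit() and int(ttl) <= ttl_ceiling:
            ttls_by_flow[(src, sport, dst, dport, flags)].add(int(ttl))
    sweeps = []
    for (src, sport, dst, dport, flags), ttls in ttls_by_flow.items():
        start, end = longest_consecutive_run(ttls)
        if end - start + 1 >= min_steps:
            sweeps.append({"src": src, "dst": dst, "dport": int(dport),
                           "flags": flags, "ttl_range": (start, end)})
    return sweeps
```

   Ordinary SYN retransmissions repeat a single TTL, so only the flow whose
   TTL climbs one step at a time is reported.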

EXAMPLES
   Please see the examples.txt file included in the tcptraceroute
   distribution for a few real world examples.

   To trace the path to a web server listening for connections on port 80:

          tcptraceroute webserver

   To  trace  the  path to a mail server listening for connections on port

          tcptraceroute mailserver 25

BUGS
   No error checking is performed on the source address specified by the
   -s flag, and it is therefore possible for tcptraceroute to send out
   TCP SYN packets for which it has no chance of seeing a response.

AUTHOR
   Michael C. Toren

AVAILABILITY
   For updates, please see:

SEE ALSO
   traceroute(8), ping(8), nmap(1)

                             2001 July 31                 TCPTRACEROUTE(1)