I'm using Scapy to replay some dumped packets in which I change the TTL value. I've been getting very odd results even with TTL=1.
When I run my test hours apart from each other, I can get from roughly 40% to 95% of packets replied to with an ICMP time-exceeded message. Then I can recursively replay unanswered packets and get each time more or less the same percentage of answered packets as before.
Why is that?
I've been sending packets with an interval of 0.1 seconds between each other. This should be ok, right? My timeout value is 10s, which should be very conservative.
What's wrong here?
The ICMP - Time exceeded message is generated when the gateway processing the datagram (or packet, depending on how you look at it) finds that the Time To Live field (this field is in the IP header of all packets) is equal to zero, so the datagram must be discarded.
Whenever a packet or message is sent on a network, a Time to Live (TTL) value is attached. The TTL value decreases after passing each layer 3 device, such as a router, along the way to the destination.
Time Exceeded error messages are used to indicate that a forwarding or reassembly operation took too long to complete and that the reporting device is discarding the data.
Time Exceeded—Type 11. The time exceeded message occurs when a router receives a datagram with a TTL (Time To Live) of 0 or 1.
What you're saying is essentially you can only test for so many unreachable hosts in a given span of time. One possible reason: many routers rate-limit ICMP messages.
It is much better to test for a ping success to a host before doing something else; this way you have positive confirmation of reachability. The downside is MS Windows blocks pings by default.
If you can't ping first, then you'll need to increase the time between your probes, or raise the ICMP unreachable rate on the router that is returning the ICMP messages.
EDIT:
Based on the comments, it looks like you're hitting a wall for scapy's ability to process traffic. I have improved throughput in the past by sending with scapy and spawning tcpdump in the background to receive traffic.
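An added example, not part of the original answer: a small token-bucket model of the router-side ICMP rate limiting suggested above. It shows why 0.1 s spacing gives a roughly constant answered fraction on every replay, while wider spacing gets every probe answered. The limit of 4 ICMP errors per second and the burst of 5 are assumed values, and the function names are hypothetical.

```python
"""Added illustration: token-bucket ICMP error rate limiting on one router.
The rate and burst values used here are assumptions, not measurements."""


def simulate_probes(n_probes, interval_ms, rate_per_s, burst):
    """Return the indexes of probes that get an ICMP time-exceeded reply.

    n_probes    : number of TTL=1 probes sent
    interval_ms : spacing between probes in ms (the question uses 100)
    rate_per_s  : ICMP errors the router may emit per second (assumed)
    burst       : bucket depth, replies allowed back to back (assumed)
    """
    cap = burst * 1000            # bucket size in milli-tokens (integer math)
    tokens = cap
    answered = []
    for i in range(n_probes):
        if i:                     # refill for the time since the last probe
            tokens = min(cap, tokens + rate_per_s * interval_ms)
        if tokens >= 1000:        # one whole token buys one ICMP error
            tokens -= 1000
            answered.append(i)
    return answered


def replay_rounds(n_probes, interval_ms, rate_per_s, burst, rounds):
    """Replay only the unanswered probes each round, as in the question.

    Returns one (sent, answered) tuple per round. The bucket is assumed
    to be full again at the start of every round.
    """
    results = []
    pending = n_probes
    for _ in range(rounds):
        if pending == 0:
            break
        got = len(simulate_probes(pending, interval_ms, rate_per_s, burst))
        results.append((pending, got))
        pending -= got
    return results


if __name__ == "__main__":
    # Constructed scenario: 1000 probes against a 4 errors/s limiter.
    for sent, got in replay_rounds(1000, 100, 4, 5, rounds=4):
        print(f"100 ms spacing: sent {sent:4d}, answered {got:4d} "
              f"({got / sent:.0%})")
    slow = len(simulate_probes(1000, 250, 4, 5))
    print(f"250 ms spacing: answered {slow} of 1000")
```

With these assumed values every replay round is answered at about 40%, and spacing the probes at or above the limiter's refill period removes the loss.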