Traceroutes with a single hop - Parallels NAT mode forces a new TTL

Yesterday we troubleshot a traceroute issue with a customer and we think it might be useful to share the results with everyone.

The customer found out that all the traceroutes coming out of his monitoring agent reported only a single hop (router) and that it was the final destination. That’s weird because the destination is over 20 hops away from the agent. All the network performance metrics (latency, jitter, packet loss) were reported correctly but only for the final destination.

The agent was the Windows Software Agent running inside a Windows VM (Win10, x64, Family 20H2) on a Mac computer (macOS Big Sur 11.6) virtualized with Parallels (16.5.1).

After some Wireshark packet captures on the Mac, we found out that the Parallels NAT Network Mode did not copy the TTL of the original packet and forced a TTL of 64. Usually when there is NAT, only the IP addresses and ports are changed, but not in this case.

In this case, a quick workaround is to change the Network Mode to Bridge, which removes the NAT on Parallels.

We hope this might be useful for some users. If you are interested in learning more about Traceroutes, Obkio published a blog series on that: https://obkio.com/traceroutes/

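Why a forced TTL collapses the traceroute to one hop, as an added example that is not part of the original post or Obkio's agent code. It is a toy model: the 20-router path, the node names and the `looks_ttl_rewritten` heuristic are constructed for illustration, and the NAT device itself is not modeled as a hop.

```python
# Added illustration: a toy model of traceroute probing, not Obkio's agent code.
# Node names and the 20-router path are constructed sample values.
from typing import List, Optional

DEST = "destination"
PATH = [f"router-{i}" for i in range(1, 21)] + [DEST]  # constructed 20-hop path


def send_probe(ttl: int, nat_forced_ttl: Optional[int]) -> str:
    """Return the node that answers a probe the guest sent with `ttl`.

    nat_forced_ttl=None models bridge mode or a NAT that keeps the TTL;
    an integer models a NAT that overwrites the TTL before forwarding.
    """
    if nat_forced_ttl is not None:
        ttl = nat_forced_ttl       # the guest's TTL of 1, 2, 3... is lost here
    for node in PATH:
        if node == DEST:
            return node            # destination answers the probe itself
        ttl -= 1                   # each router decrements before forwarding
        if ttl <= 0:
            return node            # router drops it and sends ICMP Time Exceeded
    raise AssertionError("PATH always ends at DEST")


def traceroute(nat_forced_ttl: Optional[int], max_hops: int = 30) -> List[str]:
    """Send probes with TTL 1..max_hops, stopping once the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        hops.append(send_probe(ttl, nat_forced_ttl))
        if hops[-1] == DEST:
            break
    return hops


def looks_ttl_rewritten(hops: List[str], expected_min_hops: int) -> bool:
    """Heuristic: the destination answered the TTL=1 probe although it is known to be farther away."""
    return len(hops) == 1 and hops[0] == DEST and expected_min_hops > 1


if __name__ == "__main__":
    for label, forced in (("TTL preserved (bridge)", None), ("NAT forcing TTL 64", 64)):
        hops = traceroute(forced)
        print(f"{label}: {len(hops)} hop(s), last={hops[-1]}, "
              f"suspect={looks_ttl_rewritten(hops, expected_min_hops=20)}")
```

If the forced TTL were smaller than the real path length (for example 5), the model shows the opposite symptom: every probe expires at the same router and the destination is never reached.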