please help me understand ip route

[childmild]

hello everyone

i have problem understanding something on my network

i have 3g dial up to my ISP and behind no any LAN between me and ISP(it is wireless)

so when i do "ip route get" i got this :
[root@coolmild]# ip -s route get 74.125.227.196
74.125.227.196 via 172.19.129.96 dev ppp0 src 10.70.21.45
cache users 3 age 436sec

what does "users" means on the result above ? and why it shows 3 , i search on google , no clue.

i am behind tor.

thanks for your attention !!

 

[Savatar]

From: http://is.muni.cz/th/207915/fi_b/iproute.pdf

The -s parameter can be added to the ip route command to show expanded information about the routes.

ip -s r show cache 192.168.77.1
may return:
192.168.77.1 dev eth0 src 192.168.77.25
cache users 1 used 4 age 11sec mtu 1500 advmss 1460 hoplimit 64
192.168.77.1 from 192.168.77.25 dev eth0
cache users 1 used 3 age 11sec mtu 1500 advmss 1460 hoplimit 64

The expanded information shows the number of users using the route (users 1), the number of times the route has been used (used 4) and the age of the routing cache entry (age 11sec) in addition to the maximum transmit unit (mtu), advertised maximum segment size (advmss) and hoplimit.

Note: The networking forum would be a better place for this, as using Tor seems irrelevant to the question.

 

[childmild]

From: http://is.muni.cz/th/207915/fi_b/iproute.pdf

The -s parameter can be added to the ip route command to show expanded information about the routes.

ip -s r show cache 192.168.77.1
may return:
192.168.77.1 dev eth0 src 192.168.77.25
cache users 1 used 4 age 11sec mtu 1500 advmss 1460 hoplimit 64
192.168.77.1 from 192.168.77.25 dev eth0
cache users 1 used 3 age 11sec mtu 1500 advmss 1460 hoplimit 64

The expanded information shows the number of users using the route (users 1), the number of times the route has been used (used 4) and the age of the routing cache entry (age 11sec) in addition to the maximum transmit unit (mtu), advertised maximum segment size (advmss) and hoplimit.

Note: The networking forum would be a better place for this, as using Tor seems irrelevant to the question.

thank you for your answer.

But what "the number of users using the route " means ? because sometime it can change from 1 to 7. i am directly connected with my ISP with ppp connection. so there should be only me using it , right ?


sorry for asking too much, hope not trouble you.

From: http://is.muni.cz/th/207915/fi_b/iproute.pdf

The -s parameter can be added to the ip route command to show expanded information about the routes.

ip -s r show cache 192.168.77.1
may return:
192.168.77.1 dev eth0 src 192.168.77.25
cache users 1 used 4 age 11sec mtu 1500 advmss 1460 hoplimit 64
192.168.77.1 from 192.168.77.25 dev eth0
cache users 1 used 3 age 11sec mtu 1500 advmss 1460 hoplimit 64

The expanded information shows the number of users using the route (users 1), the number of times the route has been used (used 4) and the age of the routing cache entry (age 11sec) in addition to the maximum transmit unit (mtu), advertised maximum segment size (advmss) and hoplimit.

Note: The networking forum would be a better place for this, as using Tor seems irrelevant to the question.

thank you for your answer.

But what "the number of users using the route " means ? because sometime it can change from 1 to 7. i am directly connected with ppp connection of my ISP. so there should be only me using it , right ?


sorry for asking too much, hope not trouble you.

 

[Savatar]

I forgot about this but did some research on it today... the users count (based on iproute source code) is populated from the rta_clntref value of an rta_cacheinfo struct. This, in turn, is populated from the __refcnt value of a dst_entry struct.

The __refcnt is commented as the 'client references' for that item. So it may not have anything to do with users in the sense that you're thinking about it - it is probably a way to keep track of how many references that object has, so that when it reaches 0 it can be destroyed without impacting anything. It's not uncommon for a web client to make several parallel connections to the same IP address (i.e. use the same route) because it needs to get the HTML then retrieve every referenced javascript and image (which are usually hosted on the same site). Could you test with other websites that have lots of images, for example, and see if it shows the users (reference) count goes up as well?

If netstat shows three active connections to that IP, then I would expect the users count to match that, if that's the case.

I'm not sure if this might be applicable too (if the app is heavily multi-threaded, perhaps): https://groups.google.com/forum/#!msg/fa.linux.kernel/zobgVxOipZE/epfydZRBqqQJ

A linux networking forum might also be a good place for this question, if they are more familiar with it: http://www.linuxquestions.org/questions/linux-networking-3/

Please let me know what you find! I'll see if I can do some tests tonight and let you know what I find, too.

 

[Savatar]

I couldn't reproduce this in any scenario that I tried... whether having multiple connections open to the same port on the same host, to different ports, or even with different users logged on and using the same route... the users count still stayed at '1' for me.

I suspect it's something that Tor is doing. Does that behaviour occur when you do not use Tor?

 

[John Connor]

This must be Linux because I'm not able to use those commands in Win7.

 

[Savatar]

Yep, they are linux commands.

 

[childmild]

I couldn't reproduce this in any scenario that I tried... whether having multiple connections open to the same port on the same host, to different ports, or even with different users logged on and using the same route... the users count still stayed at '1' for me.

I suspect it's something that Tor is doing. Does that behaviour occur when you do not use Tor?

yep, it still occurs even if not using Tor. I did try to open browser and test to browse to a website, the users increase when i try to ip route the site address.So it is true that is count of connections made by host to the ip.

"But problem is when i didn't open any webbrowser and no any connection to the site, it still shows lots of users"

so i did try some test, below are mtr report to google site
HOST: childmild Loss% Snt Last Avg Best Wrst StDev
1.|-- 172.19.129.96 0.0% 10 143.1 142.9 69.5 376.4 88.2
2.|-- 172.19.128.133 0.0% 10 178.6 173.5 93.6 409.9 92.4
3.|-- 172.19.128.254 0.0% 10 134.0 175.9 101.1 339.3 73.6
4.|-- 10.8.11.93 0.0% 10 129.5 163.8 79.8 267.7 58.3
5.|-- 10.8.11.145 50.0% 10 153.7 191.1 133.5 262.1 55.3
6.|-- 202.152.194.254 0.0% 10 85.4 151.5 85.4 290.4 61.6
7.|-- 202.152.207.105 0.0% 10 93.9 168.4 93.9 258.9 54.4
8.|-- 202.152.207.33 0.0% 10 89.4 175.2 89.4 332.1 71.7
9.|-- 202.152.207.22 0.0% 10 103.8 194.2 103.8 292.5 66.9
10.|-- 202.152.207.70 0.0% 10 106.3 178.2 106.3 297.4 63.4
11.|-- 66.249.95.124 0.0% 10 101.7 194.8 101.7 354.6 80.7
12.|-- 64.233.174.109 0.0% 10 123.2 194.3 87.4 351.9 83.3
13.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
14.|-- 74.125.200.100 10.0% 10 221.7 227.7 108.1 556.0 137.0

what i did is very simple, i just do "ip -s route get" on each ip between me and google
so here is the result :
1. ip route to my ppp gateway (172.19.129.96 ) :
ip -s route get 172.19.128.96
172.19.129.96 dev ppp0 src 10.70.107.152
cache users 1

2. ip route to 172.19.128.133
ip -s route get 172.19.128.133
172.19.128.133 dev ppp0 src 10.70.107.152
cache users 10 age 601sec

so there is a lots of users after my ppp gateway (as i mention before i use direct modem -- no any LAN between me and my ISP)

could it be....ESN/MEID hack (because my ISP use same login / password for all their client)?

thank you