# traceroute -I 69.12.32.2
Note: the -i and -I options were exchangedfor compability with LBL traceroute
Use -I for ICMP, and -i <ifname> to specify the interface name
unable to create ICMP send socket: Permission denied
Note that the command was done as root. This worked in 11.3.
And yes, it works without the “-I”. But it should work with the “-I”. One shouldn’t have to boot into Windows, just to run “tracert” there.
On Wed, 06 Apr 2011 11:36:01 +0530, nrickert
<nrickert@no-mx.forums.opensuse.org> wrote:
>
> Code:
> --------------------
> # traceroute -I 69.12.32.2
> Note: the -i and -I options were exchangedfor compability with LBL
> traceroute
> Use -I for ICMP, and -i <ifname> to specify the interface name
> unable to create ICMP send socket: Permission denied
> --------------------
>
> Note that the command was done as root. This worked in 11.3.
>
> And yes, it works without the “-I”. But it should work with the “-I”.
> One shouldn’t have to boot into Windows, just to run “tracert” there.
>
for me traceroute works as expected with the -I option (oS 11.4). another
program for this purpose, which i think is a little more flexible, is mtr,
available from the OSS repo.
–
phani.
Note that you can get misleading errors from network utils due to firewall rules and also due to installing a new kernel and not rebooting making the module unavailable. I suspect apparmor and selinux can also have an effect. Have a look in the logs to see if there is more to send socket permission denied.
Thanks for the hints. Apparently, this was due to apparmor.
type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" operation="create" par
ent=446 profile="/usr/sbin/traceroute" pid=5840 comm="traceroute" family="inet"
sock_type="raw" protocol=255
I found that in "/var/log/audit/audit.log
I went into the Yast, and checked the apparmor settings. There was a choice for “edit profiles” (or similar).
I started by editing the profile for ping, since that works. I saw a line there “network inet raw”.
Aborting that edit, I then edited the entry for traceroute, and was able to add a similar permission for traceroute. It now works (as root).
Question is whether you missed an update to the apparmor profille or this is a distro bug that should be reported.
I am not aware of missing an update. Wouldn’t the update be offered again if I had missed it?
I tested this on my home computer, installed via the 64 bit NET install CD. I also did an ssh login to my work computer, installed via the 32 bit live CD. Both had the problem.
There were already apparmor rules for traceroute. But they did not include a rule for raw sockets. I am guessing that this is a distro bug (or distro oversight). Let me know if you think I should report it as a bug.
I don’t know about apparmor updates actually, as I don’t have apparmor turned on. Maybe phani knows better?
On 2011-04-06 21:06, nrickert wrote:
> There were already apparmor rules for traceroute. But they did not
> include a rule for raw sockets. I am guessing that this is a distro bug
> (or distro oversight). Let me know if you think I should report it as a
> bug.
I think so, yes.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
On Thu, 07 Apr 2011 00:36:02 +0530, ken yap
<ken_yap@no-mx.forums.opensuse.org> wrote:
>
> I don’t know about apparmor updates actually, as I don’t have apparmor
> turned on. Maybe phani knows better?
>
sorry, don’t use apparmor either.
–
phani.