A Middlebox Detection Tool


Middleboxes are widely deployed on the Internet mostly at the edge of the network, in enterprise and home networks. Middleboxes plays therefore an important role -- even if they are often criticized -- in today's Internet. Unfortunately, the widespread of middlebox contributed to the ossification of the Internet making it very difficult to innovate. As an example, Multipath TCP, a recent extension to TCP, includes a complex mechanism which constitute the major part of the protocol to deal with those middleboxes.

Middleboxes manipulates traffic for purposes other than simple packet forwarding and often transparently to the end-user (e.g. NAT, transparent proxies, DPI, etc.). Detecting such middleboxes is difficult today.

Tracebox is a tool that allows to detect middleboxes on any paths, i.e., between a source and any destination. Tracebox can be viewed as a tool similar to traceroute as it uses ICMP replies to identify changes in the packets. The fact that tracebox is able to detect middleboxes comes from the observation that ICMP messages are often not as defined in RFC792. Indeed it is quite common to receive a ICMP Time-to-Live exceeded message with the original datagram instead of 64 bits as described in the standard. This is caused by operating systems configured to reply with full ICMP (e.g., Linux, Cisco IOS-XR, etc.) as well as the ICMP Multi-Part Messages extension that standardize the fact that routers using MPLS tunnels replies and ICMP message containing the full datagram.

The tool is presented in the following paper: Gregory Detal, Benjamin Hesmans, Olivier Bonaventure, Yves Vanaubel and Benoit Donnet. Revealing Middlebox Interference with Tracebox. In Proceedings of the 2013 ACM SIGCOMM conference on Internet measurement conference, October 2013.


Tracebox is available in Docker Hub. Please note that by default, when used in Docker, Tracebox will be executed from a net namespace behind a NAT. It is possible to change this behaviour but in other words, this will add one entry at the beginning of the list, most likely with the IP set on docker0 interface on the host. Tracebox in Docker can be executed like that:

$ docker run -it --rm matttbe/tracebox:latest -h
$ docker run -it --rm -v "${PWD}:${PWD}" -w "${PWD}" matttbe/tracebox:latest -f my_capture.pcap -p 'IP/tcp{dst=80}/MPCAPABLE/raw("12345678901234567890")'

Tracebox is also available on Mac OS X using Homebrew with brew install tracebox. Yosemite and El Capitan users need to first ensure they installed the full command line developer tools provided by Apple using xcode-select --install

Source can be found at

Tracebox requires:

To build Tracebox:

$ ./
$ make
$ sudo make install


There are two possible ways to use tracebox either with the python scripts (see some samples scripts in /tracebox/examples) or with the default binary. The later only send one TCP probe and look for changes in the path. The following example sends a TCP SYN probe (to port 80 by default) with the TCP Maximum Segment Size, Multipath TCP and Window Scale options. The output shows that a middlebox close to the server removes the last two options and change the MSS value.

tracebox to ( 64 hops max
1: IP::CheckSum
2: IP::TTL IP::CheckSum
3: IP::TTL IP::CheckSum
4: IP::TTL IP::CheckSum
5: IP::TTL IP::CheckSum
6: IP::TTL IP::CheckSum
7: IP::TTL IP::CheckSum
8: IP::TTL IP::CheckSum
9: IP::TTL IP::CheckSum
10: TCP::CheckSum IP::TTL IP::CheckSum TCPOptionMaxSegSize::MaxSegSize -TCPOptionMPTCPCapable -TCPOptionWindowScale

Support or Contact

Feedback or comments are welcome @oliviertilmans


This work has been partially funded by the FP7 EU project CHANGE and mPlane.