Thanks to my employer and to my boss, chief of the networking department, I have been a networking class for a week. More than 10 networking engineers and technicians has been attending. During a discussion of traceroute and IP, one engineer, a "IP veteran", a person with decades of operating IP and routing experience, who worked for a carrier back then, mentioned something very interesting. This is a citation from what I remember, as best as I can:
...major Linux distributions, from what I know at least Kali, (using it now), but any other major Linux distrubution should have this, UNIX supports this, IOS, JUNOS and other networking platfroms I have been working with, ship the ping route-record or record-route utility. This is particulary helpful if it is needed to record the route IP packet takes on its path. Particulary if dealing for example with asymmetric routing... It has only limited count of hops, 9 hops...
There is a RFC for this called RFC 791 . Published in September 1981. Record Route is the IP option 7. Verify with the IANA website
To be honest, I was not aware there actually is the IP option 7. Now exploring this particular, very specific IP protocol option.
OS Support
Speaking out the obvious: This is only for IPv4. RR - record rouce has been implemented on most operating systems that deal with TCP/IP stack. Below just a list where I find out by using the -h --help command or just in the vendors documentation:
- IOS
- JUNOS
- EXOS
- UNIX/Linux (iputils)
- Microsoft Windows (ping)
In fact if you look very deep into your operating systems TCP/IP implementation and its tools, there is a very good chance you will find this IP option implemented and most probably working using the ping utility. Read the friendly manual.
RR can record 9 hops, in RX and TX. So in best case your destination is only 2-3 or max 4 hops away. Yes, RR has limits.
IOS
This is a record route example on IOS. Notify you need to use the IOS ping assistant to get to the Record option. There is no one-liner to record-route on IOS. Use the ping command only and hit the enter button:
R1# ping
Enable extended commands. by default this is disabled , Press the y key:
...
Extended commands [n]: y
...
Go through the options until using _Loose, Strict, Record.. Then hit the r key:
...
Loose, Strict, Record, Timestamp, Verbose[none]: r
...
The source interface in the given example is loopback0. Choose whatever IP interface you need as source IP in current troubleshooting situation.
This is how to get to Route Record option show with command output:
R4#sh run int lo0 | i ip.ad
ip address 10.255.255.4 255.255.255.255
R4#ping
Protocol [ip]:
Target IP address: 128.255.255.101
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 128.255.255.101, timeout is 2 seconds:
Packet sent with a source address of 10.255.255.4
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
Reply to request 0 (1 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(10.0.0.5)
(10.0.0.33)
(10.0.0.34)
(10.0.0.34)
(10.0.0.6)
(10.0.0.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Reply to request 1 (1 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(10.0.0.5)
(10.0.0.33)
(10.0.0.34)
(10.0.0.34)
(10.0.0.6)
(10.0.0.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R4#sh ip route 128.255.255.101
Routing entry for 128.255.255.101/32
Known via "ospf 1", distance 110, metric 201, type intra area
Last update from 10.0.0.6 on Ethernet0/0, 00:28:54 ago
Routing Descriptor Blocks:
* 10.0.0.6, from 128.255.255.101, 00:28:54 ago, via Ethernet0/0
Route metric is 201, traffic share count is 1
Notice using IOS the 1-st output for the record route is empty. or full or zero's, the <*> is at first point. In the RFC 791 there is a passage about some details:
...
The originating host must compose this option with a large
enough route data area to hold all the address expected. The
size of the option does not change due to adding addresses. The
intitial contents of the route data area must be zero.
...
The initial contents of the route data are must be zero. Not sure if this is the reason behind it. But it matches the output, and looks like the author of the code implemented this literally, as described in the RFC. If you know something about this, or find something explaining this output, write me an email.
JUNOS
This is a ping record-route example. Some JUNOS versions seems to use 'iputils':
JUNOS > ping record-route 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=63 time=1.477 ms
RR: 192.168.1.2
192.168.1.2
172.16.16.105
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=1.017 ms (same route)
64 bytes from 192.168.1.2: icmp_seq=2 ttl=63 time=1.254 ms (same route)
...
I have no access to JUNOS ATM. A friendly IRC user in the #junos channel on Libera.chat generated this output, using his gear or netlab. Thanks to Olen in #junos channel on Libera.chat. o/
Compare the upper output with the Linux example output below, it looks exactly the same. Notify the RR: prefix.
Notify the (same route) refers to the packet path output depicted above. Same path as shown above. It does NOT mean: same route in both directions, rx and tx the IP packet has taken.
EXOS
On the Extreme's website, there is an suggestive interesting question:
How is PING with record-route option better than traceroute and how it can be used?
To find out why it is better, read the explanation on the vendors website actually it is explained more generic and lists interesting facts. It is the IP option 7.
Example usage command short version
Ping 192.0.2.1 record-route
Example usage command using the source-interface or source-ip
ping 192.0.2.1 from 192.0.2.2 with record-route
Example record-route output:
R1# ping 10.2.1.1 from 10.2.1.2 with record-route
Ping(ICMP) 10.2.1.1: 4 packets, 8 data bytes, interval 1 second(s).
16 bytes from 10.2.1.1: icmp_seq=0 ttl=63 time=10 ms
RR: 10.2.1.2
10.2.0.21
10.2.1.1
10.2.1.1
10.2.0.1
10.2.1.2
Now the careful and experienced IP output reader will recognise the output is almost exact the same as in iptuils ping. See more below in the Linux entry. 
Example traceroute output for comparison that the above is "actually" better than the depicted below using traceroute
R1# traceroute 10.2.1.1 from 10.2.1.2
traceroute to 10.2.1.1, 30 hops max
1 10.2.0.1 1 ms 4 ms 4 ms
2 10.2.1.1 4 ms 0 ms 0 ms
Now compare both outputs for yourself. Make up your own mind. 
Linux
help and manual
ping -R record route. This option records the route IP packets take towards the destination and back:
Verify the ping -help command:
ping -h
...
IPv4 options:
-4 use IPv4
-b allow pinging broadcast
-R record route
...
Consult the ping manual, and read the description:
man ping
...
-R
ping only. Record route. Includes the RECORD_ROUTE option in the
ECHO_REQUEST packet and displays the route buffer on returned
packets. Note that the IP header is only large enough for nine such
routes. Many hosts ignore or discard this option.
...
With this IP option it is possible to record up to 9 hops.
IP configuration
This is a example linux node in a routed network environment. Node IP address is 10.4.10.53/24
node [~]$ ip add show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 0c:c1:2b:46:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.4.10.53/24 brd 10.4.10.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ec1:2bff:fe46:0/64 scope link
valid_lft forever preferred_lft forever
The routing table of the node, only a default route and its prefix, and the default-gateway 10.4.10.254
node [~]$ ip route
default via 10.4.10.254 dev eth0 metric 202
10.4.10.0/24 dev eth0 scope link src 10.4.10.53
The target IP address is reachable via IP:
node [~]$ ping 10.255.255.203
PING 10.255.255.203 (10.255.255.203) 56(84) bytes of data.
64 bytes from 10.255.255.203: icmp_seq=1 ttl=253 time=1.25 ms
64 bytes from 10.255.255.203: icmp_seq=2 ttl=253 time=1.70 ms
64 bytes from 10.255.255.203: icmp_seq=3 ttl=253 time=1.58 ms
--- 10.255.255.203 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.254/1.511/1.697/0.187 ms
symmetric routing example
Ping route-record example, this is symmetric routing example:
node [~]$ ping -R 10.255.255.200"
output="PING 10.255.255.200 (10.255.255.200) 56(124) bytes of data.
64 bytes from 10.255.255.200: icmp_seq=1 ttl=254 time=1.79 ms
RR: 10.4.10.53
10.0.3.2
10.0.3.2
10.4.10.53
64 bytes from 10.255.255.200: icmp_seq=2 ttl=254 time=2.10 ms (same route)
64 bytes from 10.255.255.200: icmp_seq=3 ttl=254 time=2.17 ms (same route)
--- 10.255.255.200 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 1.786/2.016/2.165/0.165 ms
Notify the (same route) refers to the packet path output depicted above. Same path as shown above. It does NOT mean: same route in both directions, rx and tx the IP packet has taken.
IP record route only records the route_. It will show you nothing more but the recorded route, 9 recorded hops maximum. in TX (transmission) and RX (receiving). The analysis of the recorded output is up to the reader, The girls and guys sitting in front of the command line.
asymmetric routing example
Ping route-record example, this is asymmetric routing example. Compare this output carefully with the shown above and count the HOPS, point on which HOP in the shown below record, the IP packet gets back to the sender.
node [~]$ ping -R 10.255.255.203
PING 10.255.255.203 (10.255.255.203) 56(124) bytes of data.
64 bytes from 10.255.255.203: icmp_seq=1 ttl=254 time=2.30 ms
RR: 10.4.10.53
10.0.2.2
10.0.0.21
10.0.2.5
10.0.2.6
10.0.3.6
10.4.10.53
64 bytes from 10.255.255.203: icmp_seq=2 ttl=254 time=1.82 ms (same route)
64 bytes from 10.255.255.203: icmp_seq=3 ttl=254 time=2.62 ms (same route)
64 bytes from 10.255.255.203: icmp_seq=4 ttl=254 time=2.63 ms (same route)
--- 10.255.255.203 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.821/2.341/2.629/0.328 ms
Notice the RR: prefix shown in the output. Same route refers in the output to same route as the upper output. It literally means: the IP packet has taken the (same route) as in previous display, i will not show it to you to not clutter the output and make it unreadable. It is the same as above, just you know it.
Windows
native Windows
The ping utility used in windows has the Record Route IP option. Verify the windows-commands/ping official reference.
...
/r <count> Specifies the Record Route option in the IP header is used to record the
path taken by the echo Request message and corresponding echo Reply
message (available on IPv4 only). Each hop in the path uses an entry in the
Record Route option. If possible, specify a count equal to or greater than
the number of hops between the source and destination. The count must
be a minimum of 1 and a maximum of 9.
...
A usage example taken from the document linked, to ping the destination 10.255.255.100 and record the route for 4 hops, type:
ping /r 4 10.255.255.100
No access to Windows nodes. Verify with the reference URL to the knowledge-base or vendor learn platform on your own.
pwsh-bin on linux
Was unsure where to put this, linux or windows, so now it it in the Windows section. I could imagine pwsh-bin for Linux uses the operating systems TCP/IP stack and has somehow limited IP features. Well without even knowing it just installed this pwsh-bin. There you have it:
PS /home/pbogusze> ping -h
...
For more details see ping(8).
Microsoft's pwsh-bin for Linux uses iputils. But does not have limited features, it is fully usable. At least according to the depicted documentation.
PS /home/pbogusze> ping -R -n fritz.box
PING fritz.box (10.0.249.1) 56(124) bytes of data.
64 bytes from 10.0.249.1: icmp_seq=1 ttl=64 time=0.334 ms
RR: 10.0.249.20
10.0.249.1
10.0.249.1
10.0.249.20
64 bytes from 10.0.249.1: icmp_seq=2 ttl=64 time=0.346 ms (same route)
64 bytes from 10.0.249.1: icmp_seq=3 ttl=64 time=0.348 ms (same route)
^C
--- fritz.box ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.334/0.342/0.348/0.006 ms
PS /home/pbogusze>
Technically, this might be only easy way to do this. And if the TCP/IP stack of linux is more powerful then add specific linux features into that powershell implementation on linux. Imagine for example crafting IPv6 packets using pwsh-bin and putting it immediately on the wire.
Summary
This option will not work in every network environment. In most small to middle enterprise networks MIGHT block this IP option and probably will. But in big network ( ~50 and up to hundreds of routers) and very big networks (more than thousand routers) this might be helpful. Environments where
- ping
- traceroute
- telnet
are the only tools at hand to troubleshoot an networking issue and the only thing on e have at hand: is a router.
Well you might ask yourself, why bother to write a article about a IP legacy option. The truth is, it might help someone who is troubleshooting a networking problem, and has limited tools access. IP and a router are the only tools. There you go.
Challenge yourself! Troubleshoot a networking problem using only a router, ping, traceroute, telnet
With limited tooling need to explore the used protocol and its implementation on a platform, You need to get creative in a different environment.