We can use the traceroute (or tracert on Windows) command available on most hosts and network devices to ‘trace’ the route a packet takes through a network. This can be very helpful for identifying connectivity problems between devices on a local network. It can also help you understand what route your traffic takes across the internet – for example to a particular domain. Where possible, the command will return the IP addresses of intermediate hops (usually routers) which packets transit in order to reach the given destination.
Although the implementation of traceroute varies between platforms, the information returned typically includes:
Number of hops to destination
IP address of each hop
Hostname of hops (where possible)
Round trip time to each hop (usually repeated 3 times)
The magic of traceroute is achieved by using the Time To Live (TTL) field within IP packets. This field exists to prevent routing loops and to stop packets from endlessly traversing networks if they can’t find their destination. The TTL is initially set by the sender to a value such as 64 or 255 and is decremented by each intermediate device. When the TTL reaches zero, the device (e.g. a router) processing the packet drops it and typically sends an ICMP packet back to the original sender. This ICMP packet is a type 11 ‘Time Exceeded Message’ as specified in RFC-792. Whilst routers must drop packets whose TTL reaches zero, sending the ‘Time Exceeded Message’ is optional.
Traceroute uses this behaviour by sending packets to the given destination with increasing TTL values to identify the router at each stage. First it sends a packet with a TTL of 1: the first router decrements this to zero, drops the packet and sends back an ICMP message. When traceroute receives this ICMP packet, its source address is the address of the router which dropped the original packet.
Then traceroute sends another packet to the destination but this time with a TTL of 2. This time, the packet successfully transits the first hop (where the TTL is decremented to 1) but when it reaches the second hop, the TTL is decremented to zero, the packet gets dropped and the router sends back an ICMP Time Exceeded Message.
The TTL is incremented by one each time until we reach the final destination.
A traceroute from our host a.a.a.a to 18.104.22.168 (Google Public DNS) might look like this:
In reality there would typically be a lot more hops as the packet first crosses the local network before crossing the internet.
Typically, traceroute sends either ICMP echo requests or UDP datagrams to a high destination port. When a UDP probe reaches the destination there is normally no application listening on that port, so the packet is dropped and the destination typically responds with an ICMP port unreachable message, which tells traceroute that the final hop has been reached. Intermediate hops may also respond to the sender with ICMP.
It is also possible to use TCP (SYN packets), usually specified as an option to the traceroute command. This will depend on what platform you use.
Sometimes a firewall will be configured to prevent the ICMP messages from being returned to the sender. Other times a router may be configured not to send the ICMP back; a device may be misconfigured; or a packet may get lost.
If this happens, traceroute will wait a while before timing out and trying again – it usually represents this with asterisks (e.g. * ). After a few attempts (usually 3) traceroute will increment the TTL and try to reach the next device. In some cases, subsequent devices may still return an ICMP reply, allowing the remainder of the route to be identified. If a firewall is blocking all replies beyond that point then it is likely that no more replies will be received. In this case, the command will stop after a maximum number of hops – e.g. 30.
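The TTL-probing loop described above, together with the timeout, retry and port-unreachable behaviour, as an added example that simulates it over an in-memory path of routers. This is illustrative code written for this page, not the source of any traceroute implementation; the router addresses, the router that silently drops probes and the destination host are all constructed and use documentation address ranges.

```python
# Added example: a simulated traceroute over an in-memory network.
# Not the traceroute program's own code; the path, addresses and the
# "firewalled" router below are constructed for illustration.

from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TIME_EXCEEDED = 11      # RFC-792 type 11, sent when the TTL reaches zero
ICMP_DEST_UNREACHABLE = 3    # RFC-792 type 3; code 3 means port unreachable


@dataclass
class Router:
    address: str
    sends_icmp: bool = True  # False models a device/firewall that never replies


@dataclass
class Probe:
    dst: str
    ttl: int
    dst_port: int            # UDP probes go to a high port nothing listens on


@dataclass
class IcmpReply:
    src: str                 # the router or host that generated the reply
    icmp_type: int
    icmp_code: int = 0


class Network:
    """A straight-line path of routers ending at the destination host."""

    def __init__(self, path: List[Router], destination: str):
        self.path = path
        self.destination = destination

    def send(self, probe: Probe) -> Optional[IcmpReply]:
        ttl = probe.ttl
        for router in self.path:
            ttl -= 1                      # every intermediate device decrements TTL
            if ttl == 0:
                # The router must drop the packet; sending Time Exceeded is optional.
                if router.sends_icmp:
                    return IcmpReply(router.address, ICMP_TIME_EXCEEDED)
                return None               # nothing comes back: the probe times out
        # The probe reached the destination. No listener on the high UDP port,
        # so the host answers Port Unreachable and traceroute knows it is done.
        return IcmpReply(self.destination, ICMP_DEST_UNREACHABLE, icmp_code=3)


def traceroute(net: Network, dst: str, max_hops: int = 30,
               attempts: int = 3) -> List[Tuple[int, Optional[str]]]:
    """Probe with TTL 1, 2, 3, ... and return [(hop, responder_or_None), ...].

    A None responder means every probe for that TTL timed out, which the real
    command prints as '* * *'. The loop stops at the destination or at max_hops.
    """
    results: List[Tuple[int, Optional[str]]] = []
    for ttl in range(1, max_hops + 1):
        responder: Optional[str] = None
        reached = False
        for _ in range(attempts):         # usually 3 probes per TTL value
            reply = net.send(Probe(dst, ttl, dst_port=33434))
            if reply is None:
                continue                  # timed out: would be printed as '*'
            responder = responder or reply.src
            if reply.icmp_type == ICMP_DEST_UNREACHABLE:
                reached = True
        results.append((ttl, responder))
        if reached:
            break
    return results


def format_hops(results: List[Tuple[int, Optional[str]]]) -> List[str]:
    """Render the result list the way traceroute prints hops."""
    return [f"{hop:2d}  {addr if addr else '* * *'}" for hop, addr in results]


if __name__ == "__main__":
    # Constructed path: hop 2 is a router that never sends Time Exceeded.
    path = [Router("192.0.2.1"), Router("198.51.100.1", sends_icmp=False),
            Router("203.0.113.1")]
    net = Network(path, "203.0.113.53")
    for line in format_hops(traceroute(net, "203.0.113.53")):
        print(line)
```

The second hop shows up as `* * *` even though it forwarded the probes correctly: the silence only means that router chose not to (or was not allowed to) send ICMP back, and the rest of the path is still recovered because later routers do reply. Raising `sends_icmp=False` on every router after a point reproduces the other case, where the trace runs to `max_hops` and stops.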
By default, traceroute will try to resolve the hostname for each hop by using the returned IP address. However, this may not always be possible and in that case just the IP address will be printed.
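A parser for the kind of output described above (hop number, hostname where resolvable, IP address, three round trip times, asterisks for timed-out probes), as an added example that is not part of the original page. The sample output it parses is constructed in the Linux traceroute style using documentation address ranges and is not a real trace; the `silent_hops` helper is an assumed name chosen for this example.

```python
# Added example: turn Linux-style traceroute output into structured hops.
# Not code from the page or from any traceroute implementation; the sample
# output is constructed (documentation addresses, invented timings).

import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
traceroute to 203.0.113.53 (203.0.113.53), 30 hops max, 60 byte packets
 1  gateway.example.net (192.0.2.1)  1.123 ms  0.987 ms  1.045 ms
 2  * * *
 3  198.51.100.1  9.410 ms  9.275 ms  *
 4  203.0.113.53 (203.0.113.53)  12.001 ms  11.870 ms  11.934 ms
"""


@dataclass
class Hop:
    number: int
    address: Optional[str]          # None when every probe timed out
    hostname: Optional[str]         # None when lookup failed or -n was used
    rtts_ms: List[Optional[float]] = field(default_factory=list)  # None per '*'


HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# "hostname (ip)" or "(ip)"; traceroute prints "ip (ip)" when no hostname resolves
HOST_IP_RE = re.compile(r"^(?:(?P<host>\S+)\s+)?\((?P<ip>[0-9a-fA-F.:]+)\)")
# bare address, as printed with hostname resolution disabled (-n)
IP_ONLY_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)(?=\s|$)")
RTT_RE = re.compile(r"([\d.]+) ms|\*")


def parse_hop_line(line: str) -> Optional[Hop]:
    """Parse one hop line; returns None for the header or unrecognised lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2).strip()
    address = hostname = None
    hm = HOST_IP_RE.match(rest)
    im = IP_ONLY_RE.match(rest)
    if hm:
        address = hm.group("ip")
        host = hm.group("host")
        if host and host != address:      # "ip (ip)" means the lookup failed
            hostname = host
        rest = rest[hm.end():]
    elif im:
        address = im.group("ip")
        rest = rest[im.end():]
    # Each probe yields either "<time> ms" or "*"; keep the order and the gaps.
    rtts = [float(t.group(1)) if t.group(1) else None
            for t in RTT_RE.finditer(rest)]
    return Hop(number, address, hostname, rtts)


def parse_traceroute(text: str) -> List[Hop]:
    """Parse a whole traceroute transcript into Hop records."""
    hops = []
    for line in text.splitlines():
        hop = parse_hop_line(line)
        if hop is not None:
            hops.append(hop)
    return hops


def silent_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where no probe was answered (printed as '* * *')."""
    return [h.number for h in hops if h.address is None]


if __name__ == "__main__":
    for hop in parse_traceroute(SAMPLE_OUTPUT):
        print(hop)
    print("silent hops:", silent_hops(parse_traceroute(SAMPLE_OUTPUT)))
```

Keeping the `None` entries in `rtts_ms` rather than discarding them preserves the distinction between a hop that never answers and one that drops only some probes, which matters when you are deciding whether a silent hop is a filtering device or just packet loss.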
The command varies depending on platform. On Windows (with PowerShell or Command Prompt), it is tracert, whilst on most other devices (such as Linux and other Unix platforms) it is simply traceroute. To run a basic traceroute we simply give the IP address or hostname we want to reach.
tracert 22.214.171.124 # Windows
traceroute google.com # Linux
Running the traceroute command without any arguments should print the help text for the command on that platform. Options may be available to:
Prevent trying to resolve hostnames from the returned IP addresses.
Specify whether to use IPv4 or IPv6
Set the maximum number of hops to try and reach the destination.
Specify whether to use ICMP, UDP or TCP