How does traceroute work?
What is traceroute?
We can use the traceroute (or
tracert on Windows) command available on most hosts
and network devices to 'trace' the route a packet takes through a network. Traceroute
can be very helpful for identifying connectivity problems between devices on a
local network. It can also help you understand what route your traffic takes across
the internet – for example, to a particular domain. Where possible, the command
will return the IP addresses of intermediate hops (usually routers) which packets
transit to reach the given destination.
Although the implementation of traceroute varies between platforms, the information returned typically includes:
- Number of hops to the destination
- The IP address of each hop
- The hostname of each hop (where possible)
- Round trip time to each hop (usually repeated three times)
How does it work?
The magic of traceroute is achieved by using the Time To Live (TTL) field within IP packets. This field is present to prevent routing loops and to stop packets from endlessly traversing networks if they can't find their destination.
The sender sets the TTL to a specific value (such as 64 or 255). The TTL value then gets decremented by each intermediate device the packet transits. When the TTL reaches zero, the device (e.g. router) processing the packet will drop the packet and typically sends an ICMP packet back to the original sender. This ICMP packet will be a type 11 'Time Exceeded Message' as specified in RFC-792. Whilst routers must drop packets with a TTL of zero, sending the 'Time Exceeded Message' is optional.
This feature is used by traceroute by sending packets to the given destination with different TTL values to identify the routers at each stage. First, it sends a packet with TTL of 1, and the first router (first hop) will decrement this to zero, drop the packet and send back an ICMP message. When traceroute receives this ICMP packet, the source address of it will be the address of the router which dropped the original packet.
Then traceroute sends another packet to the destination but this time with a TTL of 2. This time, the packet successfully transits the first hop (where the TTL is decremented to 1), but when it reaches the second hop, the TTL is decremented to zero, the packet gets dropped, and the router sends back an ICMP Time Exceeded Message.
The TTL is incremented by one each time until we reach the final destination.
Step by Step
A traceroute from our host a.a.a.a to 126.96.36.199 (Google Public DNS) might look like this:
- Send a packet from a.a.a.a to 188.8.131.52 with a TTL of 1.
- Router b.b.b.b decrements the TTL to zero, drops the packet, and then sends an ICMP message back.
- a.a.a.a receives the ICMP packet and now knows that b.b.b.b is the first hop from the source IP address in the ICMP packet.
- a.a.a.a sends a packet to 184.108.40.206 with a TTL of 2.
- b.b.b.b decrements the TTL to 1 and forwards the packet to the next hop.
- c.c.c.c is the second hop, it receives the packet, decrements the TTL to zero and drops the packet. It then sends an ICMP packet back to the original sender (a.a.a.a).
- a.a.a.a receives this ICMP packet and knows that c.c.c.c is the second hop. The time taken to get to c.c.c.c and back is recorded as the round-trip time.
- a.a.a.a sends a packet to 220.127.116.11 with a TTL of 3.
- The TTL is decremented to 2 by b.b.b.b.
- The TTL is decremented to 1 by c.c.c.c and sent on to 18.104.22.168.
- The packet reaches its destination at 22.214.171.124 which sends back a 'Port Unreachable' ICMP packet.
- a.a.a.a receives the ICMP packet and can see from the source address of that packet (126.96.36.199) that the original packet reached its destination and so the full route has been traced.
In reality, there would typically be a lot more hops as the packet first crosses the local network before crossing the internet.
What protocol does traceroute use?
Typically, traceroute uses either ICMP or UDP to a high destination port. When the packet reaches the destination, the packet just gets dropped, and typically the destination will respond with an ICMP port unreachable message. Intermediate hops may also respond to the sender with ICMP.
It is also possible to use TCP (SYN packets), usually specified as an option to the traceroute command. Ultimately, tracert implementation will depend on what platform you use.
What stops traceroute from working?
Sometimes a firewall will be configured to prevent the ICMP messages from being returned to the sender. Other times a router may be configured not to send the ICMP back, a device may be misconfigured, or a packet may get lost.
If this happens, traceroute will wait a while before timing out and trying again
– it usually represents this with asterisks (e.g.
* * *). After a few attempts
(usually 3) traceroute will increment the TTL and try to reach the next device.
In some cases, subsequent devices may still return an ICMP reply allowing the remainder
of the route to be identified. If the firewall is preventing this, then it is likely
that no more responses will be received. In this case, the command will stop after
a maximum number of attempts – e.g. 30.
By default, traceroute will try to resolve the hostname for each hop by using the returned IP address. However, this may not always be possible, which will result in just the IP address being displayed.
The traceroute command
The command varies depending on the platform. On Windows (with PowerShell or Command
Prompt), it is
tracert whilst on most other devices (such as Linux and other
Unix platforms) it is
traceroute. To run a basic traceroute we give the IP address
or hostname we want to reach.
tracert 188.8.131.52 # Windows
traceroute google.com # Linux
Running the traceroute command without any arguments should print the help pages for that platform. Options may be available to
- Prevent trying to resolve hostnames from the returned IP addresses.
- Specify whether to use IPv4 or IPv6
- Set the maximum number of hops to try and reach the destination.
- Specify whether to use ICMP, UDP or TCP