What is traceroute?

We can use the traceroute (or tracert on Windows) command available on most hosts and network devices to ‘trace’ the route a packet takes through a network. This can be very helpful for identifying connectivity problems between devices on a local network. It can also help you understand what route your traffic takes across the internet – for example to a particular domain. Where possible, the command will return the IP addresses of intermediate hops (usually routers) which packets transit in order to reach the given destination.

Although the implementation of traceroute varies between platforms, the information returned typically includes:

  • Number of hops to destination

  • IP address of each hop

  • Hostname of hops (where possible)

  • Round trip time to each hop (usually repeated 3 times)

How does it work?

The magic of traceroute is achieved by using the Time To Live (TTL) field within IP packets. This field exists to prevent routing loops and to stop packets from endlessly traversing networks if they can’t find their destination. The TTL is initially set by the sender to a value such as 64 or 255 and is decremented by each intermediate device. When the TTL reaches zero, the device (e.g. a router) processing the packet will drop it and typically send an ICMP packet back to the original sender. This ICMP packet is a type 11 ‘Time Exceeded Message’ as specified in RFC 792. Whilst routers must drop packets whose TTL reaches zero, sending the ‘Time Exceeded Message’ is optional.

Traceroute uses this behaviour by sending packets to the given destination with different TTL values in order to identify the router at each stage. First it sends a packet with a TTL of 1: the first router decrements this to zero, drops the packet and sends back an ICMP message. When traceroute receives this ICMP packet, its source address is the address of the router which dropped the original packet.

Then traceroute sends another packet to the destination but this time with a TTL of 2. This time, the packet successfully transits the first hop (where the TTL is decremented to 1) but when it reaches the second hop, the TTL is decremented to zero, the packet gets dropped and the router sends back an ICMP Time Exceeded Message.

The TTL is incremented by one each time until we reach the final destination.

Step by Step

A traceroute from our host a.a.a.a to 8.8.8.8 (Google Public DNS) might look like this:

traceroute 8.8.8.8

  1. Send a packet from a.a.a.a to 8.8.8.8 with a TTL of 1.
  2. Router b.b.b.b decrements the TTL to zero, drops the packet and sends an ICMP message back.
  3. a.a.a.a receives the ICMP packet and, from the source IP address of that packet, now knows that b.b.b.b is the first hop.
  4. a.a.a.a sends a packet to 8.8.8.8 with a TTL of 2.
  5. b.b.b.b decrements the TTL to 1 and forwards the packet to the next hop.
  6. c.c.c.c is the second hop; it receives the packet, decrements the TTL to zero and drops the packet. It then sends an ICMP packet back to the original sender (a.a.a.a).
  7. a.a.a.a receives this ICMP packet and knows that c.c.c.c is the second hop. The time taken to get to c.c.c.c and back is recorded as the round-trip time.
  8. a.a.a.a sends a packet to 8.8.8.8 with a TTL of 3.
  9. The TTL is decremented to 2 by b.b.b.b.
  10. The TTL is decremented to 1 by c.c.c.c and sent on to 8.8.8.8.
  11. The packet reaches its destination at 8.8.8.8, which sends back a ‘Port Unreachable’ ICMP packet.
  12. a.a.a.a receives the ICMP packet and can see from the source address of that packet (8.8.8.8) that the original packet reached its destination, and so the full route has been traced.

In reality there would typically be a lot more hops as the packet first crosses the local network before crossing the internet.

What protocol does traceroute use?

Typically, traceroute uses either ICMP or UDP to a high destination port. When the packet reaches the destination it is simply dropped, and the destination will typically respond with an ICMP port unreachable message. Intermediate hops may also respond to the sender with ICMP.

It is also possible to use TCP (SYN packets), usually specified as an option to the traceroute command. This will depend on what platform you use.

What stops traceroute from working?

Sometimes a firewall will be configured to prevent the ICMP messages from being returned to the sender. Other times a router may be configured not to send the ICMP back; a device may be misconfigured; or a packet may get lost.

If this happens, traceroute will wait a while before timing out and trying again – it usually represents this with an asterisk (*). After a few attempts (usually 3) traceroute will increment the TTL and try to reach the next device. In some cases, subsequent devices may still return an ICMP reply, allowing the remainder of the route to be identified. If a firewall is preventing this then it is likely that no more replies will be received. In this case, the command will stop after a maximum number of hops – e.g. 30.

By default, traceroute will try to resolve the hostname for each hop by using the returned IP address. However, this may not always be possible, and in that case just the IP address will be printed.
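The TTL mechanism from ‘How does it work?’ and ‘Step by Step’, the UDP probe / port unreachable exchange from ‘What protocol does traceroute use?’, and the timeout and maximum-hop behaviour described above can all be seen in one place with a small in-memory simulation. The code below is an added example, not part of the original article or of any real traceroute implementation: it sends no packets, and the path (the placeholder routers b.b.b.b and c.c.c.c, the latencies, and the ‘silent’ flag that models a hop or firewall that never returns ICMP) is constructed for illustration.

```python
"""Simulation of how traceroute uses the IP TTL field (added example).

Constructed topology: a.a.a.a -> b.b.b.b -> c.c.c.c -> 8.8.8.8.
Addresses b.b.b.b / c.c.c.c and all latencies are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

ICMP_TIME_EXCEEDED = 11       # RFC 792 type 11, "Time Exceeded Message"
ICMP_DEST_UNREACHABLE = 3     # RFC 792 type 3
CODE_PORT_UNREACHABLE = 3     # code 3 of type 3: port unreachable


@dataclass
class Hop:
    addr: str
    latency_ms: float         # one-way delay from the previous hop (constructed)
    silent: bool = False      # True: drops the probe without any ICMP reply


@dataclass
class Reply:
    src: str                  # source address of the ICMP packet
    icmp_type: int
    icmp_code: int
    rtt_ms: float


def send_probe(path: List[Hop], ttl: int) -> Optional[Reply]:
    """Walk one UDP-style probe along the path.

    Every element of `path` except the last is a router that decrements the
    TTL; the last element is the destination host. Returns the ICMP reply the
    sender would see, or None when the probe times out.
    """
    elapsed = 0.0
    routers, dest = path[:-1], path[-1]
    for router in routers:
        elapsed += router.latency_ms
        ttl -= 1
        if ttl == 0:
            # The router must drop the packet; sending Time Exceeded is optional.
            if router.silent:
                return None
            return Reply(router.addr, ICMP_TIME_EXCEEDED, 0, 2 * elapsed)
    elapsed += dest.latency_ms
    if dest.silent:           # e.g. a firewall in front of the host drops it
        return None
    # Probe delivered: nothing listens on the high UDP port, so the host
    # answers with Destination Unreachable / Port Unreachable.
    return Reply(dest.addr, ICMP_DEST_UNREACHABLE, CODE_PORT_UNREACHABLE, 2 * elapsed)


def traceroute(path: List[Hop], max_hops: int = 30, probes_per_hop: int = 3):
    """Return one row per TTL: (ttl, hop address or None, list of RTTs / None)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl) for _ in range(probes_per_hop)]
        answered = [r for r in replies if r is not None]
        addr = answered[0].src if answered else None
        rtts = [None if r is None else r.rtt_ms for r in replies]
        rows.append((ttl, addr, rtts))
        if any(r.icmp_type == ICMP_DEST_UNREACHABLE for r in answered):
            break             # the reply came from the destination itself
    return rows


def render(rows) -> str:
    """Format rows the way a traceroute tool prints them (* for a timeout)."""
    lines = []
    for ttl, addr, rtts in rows:
        cells = ["*" if rtt is None else f"{rtt:.1f} ms" for rtt in rtts]
        lines.append(f"{ttl:2d}  {addr or '*'}  " + "  ".join(cells))
    return "\n".join(lines)


# Normal path: every hop returns Time Exceeded, destination returns Port Unreachable.
PATH = [Hop("b.b.b.b", 0.5), Hop("c.c.c.c", 4.0), Hop("8.8.8.8", 6.0)]

# Same path, but c.c.c.c is configured not to send ICMP back (row 2 shows * * *).
PATH_WITH_SILENT_HOP = [Hop("b.b.b.b", 0.5), Hop("c.c.c.c", 4.0, silent=True), Hop("8.8.8.8", 6.0)]

# Firewall drops everything from c.c.c.c onwards: the trace runs to max_hops.
PATH_FULLY_FILTERED = [Hop("b.b.b.b", 0.5), Hop("c.c.c.c", 4.0, silent=True), Hop("8.8.8.8", 6.0, silent=True)]

if __name__ == "__main__":
    for p in (PATH, PATH_WITH_SILENT_HOP, PATH_FULLY_FILTERED):
        print(render(traceroute(p)))
        print()
```

Running it prints three traces: the first reaches 8.8.8.8 in three rows; the second shows a row of asterisks for c.c.c.c but still completes because the destination answers; the third never gets a reply after the first hop and only stops at the 30-hop limit, which is exactly the ‘firewall in the way’ case described above.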

The traceroute command

The command varies depending on platform. On Windows (with PowerShell or Command Prompt), it is tracert whilst on most other devices (such as Linux and other Unix platforms) it is simply traceroute. To run a basic traceroute we simply give the IP address or hostname we want to reach.

tracert 8.8.8.8              # Windows

traceroute google.com        # Linux

Options

Running the traceroute command without any arguments should print the help for the command on that platform. Options may be available to

  • Prevent trying to resolve hostnames from the returned IP addresses.

  • Specify whether to use IPv4 or IPv6

  • Set the maximum number of hops to try and reach the destination.

  • Specify whether to use ICMP, UDP or TCP
