Traceroute – Packet Path Analysis & Troubleshooting

1. What Is Traceroute?

Traceroute (called tracert on Windows) is a network diagnostic tool that maps the exact path packets take from a source device to a destination across a network, revealing every router (hop) along the way along with per-hop latency measurements.

Where ping/show ip route confirms whether a destination is reachable, traceroute shows where the path breaks, slows, or behaves unexpectedly — making it the essential next step in connectivity troubleshooting.

  Your Laptop                                   www.example.com
  192.168.1.10                                  93.184.216.34
        |
        | TTL=1 --> Router1 (192.168.1.1) responds: ICMP Time Exceeded
        |
        | TTL=2 --> Router2 (203.0.113.1) responds: ICMP Time Exceeded
        |
        | TTL=3 --> Router3 (198.51.100.1) responds: ICMP Time Exceeded
        |
        | TTL=4 --> 93.184.216.34 responds: ICMP Echo Reply (destination reached!)
    


2. How Traceroute Works — TTL-Based Hop Discovery

Traceroute exploits the TTL (Time to Live) field in the IP packet header. Every router that forwards a packet decrements the TTL by 1. When TTL reaches 0, the router drops the packet and sends an ICMP Time Exceeded message back to the source — revealing its IP address.

Traceroute sends a series of probes with incrementally increasing TTL values:

Probe        | TTL Sent | Who Drops It?        | Response Received
-------------|----------|----------------------|--------------------------------------------------
1st probe    | TTL = 1  | Router 1 (1st hop)   | ICMP Time Exceeded from Router 1's IP
2nd probe    | TTL = 2  | Router 2 (2nd hop)   | ICMP Time Exceeded from Router 2's IP
3rd probe    | TTL = 3  | Router 3 (3rd hop)   | ICMP Time Exceeded from Router 3's IP
Final probe  | TTL = N  | Destination host     | ICMP Echo Reply or Port Unreachable (destination)

Each hop is probed with 3 packets by default, producing 3 round-trip time (RTT) measurements that reveal consistency of latency at that hop. Traceroute continues until it reaches the destination or the maximum hop limit (default 30).
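The exchange in the table above, worked through at the packet level as an added example (this is not code from the original page or from any traceroute implementation). It builds a UDP probe the way Linux traceroute does, has a constructed chain of routers decrement the TTL and answer with ICMP Type 11 quoting the original header (RFC 792), and shows how the source matches each reply to its outstanding probe by reading the destination port back out of the quoted header. The topology in PATH, the source port 40000 and the "answers" flag are assumptions for the demonstration; the second router is deliberately silent so the output shows where "* * *" comes from.

```python
import struct
import ipaddress

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3        # code 3 = port unreachable: the destination answering a UDP probe
ICMP_TIME_EXCEEDED = 11      # code 0 = TTL expired in transit: a router along the path
PROTO_ICMP, PROTO_UDP = 1, 17
BASE_PORT = 33434            # first UDP destination port used by Linux traceroute


def ipv4_header(src, dst, proto, ttl, payload_len):
    """20-byte IPv4 header without options; checksum left at 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_probe(src, dst, ttl, dport, payload=b"\x00" * 32):
    """UDP probe the way Linux traceroute sends it: a small datagram to a high port."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)   # 40000 = assumed source port
    return ipv4_header(src, dst, PROTO_UDP, ttl, len(udp) + len(payload)) + udp + payload


def build_icmp_error(responder, probe_src, itype, code, original):
    """ICMP error quoting the original IP header plus its first 8 bytes (RFC 792)."""
    quoted = original[:28]
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    return ipv4_header(responder, probe_src, PROTO_ICMP, 64, len(icmp)) + icmp


def parse_reply(packet):
    """Return (responder_ip, kind, quoted_dst_port) or None for anything irrelevant."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ICMP:
        return None
    responder = str(ipaddress.IPv4Address(packet[12:16]))
    itype, code = packet[ihl], packet[ihl + 1]
    if itype == ICMP_ECHO_REPLY:
        return responder, "echo_reply", None
    if itype not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    inner = packet[ihl + 8:]                      # quoted header of OUR probe
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != PROTO_UDP or len(inner) < inner_ihl + 4:
        return None                               # not one of our UDP probes
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    if itype == ICMP_TIME_EXCEEDED:
        kind = "time_exceeded"
    else:
        kind = "port_unreachable" if code == 3 else "dest_unreachable"
    return responder, kind, dport


def hop_from_port(dport):
    """Which hop a reply belongs to, recovered from the quoted destination port."""
    return dport - BASE_PORT + 1


def react(ttl, routers, dst):
    """Constructed path model: each router decrements TTL and drops the packet at 0.
    Routers with answers=False drop silently, which traceroute shows as '* * *'."""
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return (router["ip"], ICMP_TIME_EXCEEDED, 0) if router["answers"] else None
    return dst, ICMP_DEST_UNREACH, 3              # probe survived to the destination


def simulate_trace(src, dst, routers, max_hops=30):
    """One probe per hop (the real tool sends three and bumps the port per probe)."""
    hops = []
    for hop in range(1, max_hops + 1):
        dport = BASE_PORT + hop - 1
        probe = build_probe(src, dst, hop, dport)
        reaction = react(hop, routers, dst)
        if reaction is None:
            hops.append((hop, None, "*"))
            continue
        responder, itype, code = reaction
        responder_ip, kind, quoted_port = parse_reply(
            build_icmp_error(responder, src, itype, code, probe))
        assert hop_from_port(quoted_port) == hop  # reply matched to the outstanding probe
        hops.append((hop, responder_ip, kind))
        if kind != "time_exceeded":
            break                                 # destination (or a hard error) ends the trace
    return hops


# Constructed topology mirroring the diagram above; the second router stays silent.
PATH = [{"ip": "192.168.1.1", "answers": True},
        {"ip": "203.0.113.1", "answers": False},
        {"ip": "198.51.100.1", "answers": True}]

if __name__ == "__main__":
    for hop, ip, kind in simulate_trace("192.168.1.10", "93.184.216.34", PATH):
        print(hop, ip or "* * *", kind)
```

The point worth noticing is that the responder's address comes from the outer IP header, while the probe it belongs to is identified only by the quoted inner header; a reply whose quoted header does not match one of your own probes should be ignored, which is also why traceroute cannot see a router that drops the expired packet without generating the ICMP error.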

3. Traceroute Command Syntax

Platform      | Command                  | Default Protocol   | Key Options
--------------|--------------------------|--------------------|------------------------------------------------------------------------
Windows       | tracert [destination]    | ICMP Echo Request  | -h <max_hops>, -w <timeout_ms>, -d (no DNS resolution)
Linux / macOS | traceroute [destination] | UDP (ports 33434+) | -I (ICMP), -T (TCP), -p <port>, -q <probes>, -m <max_hops>, -n (no DNS)
Cisco IOS     | traceroute [destination] | UDP                | Extended mode for protocol selection, source interface, timeout

Common examples:

tracert www.google.com                          # Windows — basic
tracert -h 15 -d 8.8.8.8                       # Windows — max 15 hops, no DNS
traceroute www.google.com                       # Linux/macOS — basic
traceroute -I www.google.com                    # Linux — use ICMP instead of UDP
sudo traceroute -T -p 443 www.example.com       # Linux — TCP to port 443 (HTTPS)
traceroute -n -m 20 8.8.8.8                     # Linux — numeric IPs, max 20 hops

4. Interpreting Traceroute Output

Tracing route to www.google.com [142.250.72.196] over a maximum of 30 hops:

  1     1 ms    1 ms    1 ms  192.168.1.1           <-- Default gateway (your router)
  2    10 ms   11 ms   10 ms  203.0.113.1            <-- ISP edge router
  3    24 ms   24 ms   25 ms  198.51.100.17          <-- ISP core
  4    35 ms   34 ms   36 ms  142.250.72.196         <-- Destination reached

Trace complete.

Column                | Meaning                                         | What to Look For
----------------------|-------------------------------------------------|------------------------------------------------------------------------------------
Hop number            | Sequence of routers traversed, starting at 1    | Count total hops — more hops means more latency accumulation
3× RTT values (ms)    | Round-trip time for each of the 3 probe packets | Consistent values = stable; variable = jitter or load-balancing; high = congestion
IP address / Hostname | Identity of the router at that hop              | Private IPs indicate internal hops; public IPs show ISP/internet path
* * *                 | No response received within the timeout period  | Firewall blocking ICMP/UDP, router rate-limiting ICMP, or truly unreachable hop

Key insight: Asterisks at a hop do NOT necessarily mean the path is broken. Many ISPs configure routers to suppress ICMP Time Exceeded messages (rate-limiting or firewall). If subsequent hops respond, the path is intact — only that specific router is not generating responses.

5. Reading Traceroute Scenarios

Scenario A — All Hops Reachable (Healthy Path)

  1     1 ms    1 ms    1 ms  192.168.1.1
  2    10 ms   11 ms   10 ms  203.0.113.1
  3    25 ms   23 ms   25 ms  198.51.100.1
  4    34 ms   34 ms   33 ms  93.184.216.34

All hops respond with consistent RTTs. If ping or web access still fails at the destination, the issue is application-layer (firewall blocking the port, service down) — not routing.

Scenario B — Path Breaks at a Specific Hop

  1     1 ms    1 ms    1 ms  192.168.1.1
  2    11 ms   10 ms   10 ms  203.0.113.1
  3    24 ms   25 ms   25 ms  198.51.100.1
  4     *        *        *   Request timed out.
  5     *        *        *   Request timed out.

Trace fails beyond hop 3. The device at hop 3 (198.51.100.1) is the last responding device. Possible causes: firewall on hop 4, hop 4 router down, routing loop beyond hop 3. Try TCP traceroute as ICMP may be blocked.

Scenario C — High Latency at a Single Hop

  1     1 ms    1 ms    1 ms  192.168.1.1
  2    10 ms   11 ms   10 ms  203.0.113.1
  3   250 ms  300 ms  200 ms  198.51.100.1    <-- Spike!
  4    32 ms   35 ms   33 ms  93.184.216.34

High latency at hop 3 but normal latency at hop 4. This is often normal: many routers generate ICMP Time Exceeded responses on their control-plane CPU at low priority, while the traffic they forward is handled in the fast path. A latency spike that does NOT carry forward to later hops is usually not a real bottleneck. If latency remains elevated at hop 4 and beyond, then hop 3 is genuinely congested.

Scenario D — Asymmetric Routing

Forward (A→B):  192.168.10.1 → 172.16.1.1 → 203.0.113.1 → 10.100.1.2
Reverse (B→A):  10.100.1.2 → 198.51.100.2 → 172.16.1.1 → 192.168.10.1

Forward and return paths use different routers — this is asymmetric routing, completely normal in large networks where multiple paths exist. Traceroute only shows one direction. You must run it from both ends to see the full picture.
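The reading rules from Section 4 and Scenarios B and C, turned into code as an added example (not part of the original page): a parser that accepts both the Windows tracert layout and the Linux traceroute layout, and an analyzer that reports the last responding hop, silent hops that are followed by responders (path intact, router just not answering), and latency spikes classified by whether they carry forward to later hops. The sample traces are constructed (Scenario C from this page with a banner added, a congested variant of it, and a Linux-format trace with a silent hop); the spike thresholds spike_factor and spike_floor_ms and the 0.7 carry-forward ratio are my own heuristics, not values from the page or the tools.

```python
import re
from statistics import median

# Banner lines: Windows "Tracing route to host [ip]" or Linux "traceroute to host (ip)"
DEST_RE = re.compile(r"(?:Tracing route to|traceroute to) \S+ [\[(]([\d.]+)[\])]")
NOISE = {"Request", "timed", "out."}          # Windows text on silent hops


def parse_trace(text):
    """Turn tracert/traceroute output into [{hop, rtts, host}] records.
    RTTs are floats in ms, or None for '*'; the host is None on a silent hop."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                              # banner, blank and "Trace complete." lines
        rtts, host_tokens, i = [], [], 1
        while i < len(tokens):
            t = tokens[i]
            if t == "<--":
                break                             # trailing annotation, not tool output
            if t == "*":
                rtts.append(None)
            elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
                rtts.append(float(t.lstrip("<")))  # "<1 ms" is recorded as 1.0
                i += 1                            # skip the unit token
            elif t not in NOISE:
                host_tokens.append(t)
            i += 1
        hops.append({"hop": int(tokens[0]), "rtts": rtts, "host": " ".join(host_tokens) or None})
    return hops


def _median_rtt(hop):
    vals = [r for r in hop["rtts"] if r is not None]
    return median(vals) if vals else None


def analyze(text, spike_factor=3.0, spike_floor_ms=100.0):
    """Apply the reading rules from Sections 4 and 5 to one trace (thresholds are heuristics)."""
    hops = parse_trace(text)
    m = DEST_RE.search(text)
    dest_ip = m.group(1) if m else None
    medians = [_median_rtt(h) for h in hops]
    responding = [i for i, v in enumerate(medians) if v is not None]
    last_ok = hops[responding[-1]]["hop"] if responding else None

    # Silent hops followed by responding hops: the path is intact, that router just
    # does not generate Time Exceeded messages.
    silent_but_intact = [hops[i]["hop"] for i in range(len(hops))
                         if medians[i] is None and any(j > i for j in responding)]

    # Latency spike: >= spike_factor x the previous responding hop AND at least
    # spike_floor_ms above it. It only matters if it carries forward to later hops.
    spikes, prev = [], None
    for i, v in enumerate(medians):
        if v is None:
            continue
        if prev is not None and v >= max(prev * spike_factor, prev + spike_floor_ms):
            later = [medians[j] for j in range(i + 1, len(hops)) if medians[j] is not None]
            carries = bool(later) and min(later) >= 0.7 * v
            spikes.append({"hop": hops[i]["hop"], "median_ms": v, "carries_forward": carries})
        prev = v

    def names_dest(hop):
        return bool(dest_ip and hop["host"]) and dest_ip in [t.strip("[]()") for t in hop["host"].split()]

    reached = any(names_dest(h) for h in hops)
    if reached:
        verdict = "destination reached"
    elif last_ok is None:
        verdict = "no hop responded"
    else:
        verdict = f"path breaks after hop {last_ok}"
    return {"dest_ip": dest_ip, "destination_reached": reached, "last_responding_hop": last_ok,
            "silent_but_intact": silent_but_intact, "spikes": spikes, "verdict": verdict}


# Scenario C from the page (constructed banner added) and two constructed variants.
SCENARIO_C = """Tracing route to www.example.com [93.184.216.34] over a maximum of 30 hops:

  1     1 ms    1 ms    1 ms  192.168.1.1
  2    10 ms   11 ms   10 ms  203.0.113.1
  3   250 ms  300 ms  200 ms  198.51.100.1    <-- Spike!
  4    32 ms   35 ms   33 ms  93.184.216.34

Trace complete."""

CONGESTED = SCENARIO_C.replace("4    32 ms   35 ms   33 ms", "4   260 ms  270 ms  255 ms")

LINUX_SILENT_HOP = """traceroute to www.example.com (93.184.216.34), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.1 ms  0.9 ms  1.0 ms
 2  * * *
 3  198.51.100.1 (198.51.100.1)  24.0 ms  25.1 ms  24.3 ms
 4  93.184.216.34 (93.184.216.34)  34.2 ms  33.8 ms  34.0 ms"""

if __name__ == "__main__":
    for name, sample in [("C", SCENARIO_C), ("congested", CONGESTED), ("linux", LINUX_SILENT_HOP)]:
        print(name, analyze(sample))
```

For Scenario C the spike at hop 3 is reported with carries_forward False, i.e. the deprioritised-ICMP case; in the congested variant hop 4 stays high, so the same spike is flagged as carrying forward. Per-hop medians are used rather than single probes so that one slow probe out of three does not trigger a finding.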

6. Platform Differences

Feature          | Windows (tracert)                  | Linux/macOS (traceroute)
-----------------|------------------------------------|---------------------------------------------------
Default protocol | ICMP Echo Request                  | UDP (ports 33434+)
TCP option       | Not available natively             | -T flag (requires root/sudo)
ICMP option      | Default                            | -I flag
Output style     | Simplified — shows ms and hostname | More flexible — AS numbers, packet sizes available
Disable DNS      | -d                                 | -n
Max hops         | -h                                 | -m

7. Advanced: TCP Traceroute

When ICMP and UDP are blocked by firewalls, TCP traceroute simulates real application traffic, making it far more likely to traverse restrictive firewalls:

sudo traceroute -T -p 443 www.example.com   # TCP to HTTPS port
sudo traceroute -T -p 80 www.example.com    # TCP to HTTP port
sudo traceroute -T -p 22 192.168.1.1        # TCP to SSH port

This sends TCP SYN packets to the specified port with incrementing TTL — the same way your browser would connect, so corporate firewalls that permit web traffic will pass it.

8. Limitations of Traceroute

Limitation                                     | Impact                                                     | Workaround
-----------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------
ICMP/UDP may be blocked by firewalls           | False asterisks, path appears broken when it isn't         | Use TCP traceroute (-T on Linux)
Shows only forward path                        | Asymmetric routing hides return path issues                | Run traceroute from both ends
Routers may rate-limit ICMP TTL responses      | High latency at a hop that doesn't affect actual traffic   | Check if latency carries forward to later hops
Load balancing may show different hops per probe | Inconsistent IP addresses across the 3 probes per hop    | Use Paris Traceroute for consistent multipath tracing
Reveals internal network topology              | Private IP addresses of internal devices exposed           | Block ICMP TTL responses on internal routers in secure environments

9. Troubleshooting Workflow with Traceroute

  1. Run ping to the destination first — establishes whether the endpoint is reachable at all
  2. Run traceroute to find the last responding hop before failure begins
  3. Check the routing table on that device — is there a route to the destination?
  4. If ICMP traceroute shows asterisks but ping works, try TCP traceroute (-T)
  5. Check ACLs and firewall rules on the last responding device
  6. If path is looping (same hops repeating), check routing for route loops

Practice Exercise:
Run traceroute 8.8.8.8 (Linux) or tracert 8.8.8.8 (Windows). Count the hops. Find where the path transitions from your ISP to Google's network. Then try sudo traceroute -T -p 443 www.google.com and compare — does the path look different?

10. Summary

  • Traceroute uses incrementing TTL values to elicit ICMP Time Exceeded messages from each hop along the path
  • Windows uses tracert (ICMP by default); Linux/macOS uses traceroute (UDP by default)
  • * * * means no response — could be a firewall, rate-limiting, or a truly unresponsive hop; does not always mean the path is broken
  • High latency at a single hop that doesn't carry forward is usually not a real problem
  • Use TCP traceroute (-T) when ICMP/UDP is filtered by firewalls
  • Asymmetric routing is normal — run traceroute from both ends for the full picture

Traceroute – Packet Path Analysis Quiz

1. What IP header field does traceroute manipulate to discover each hop along the path?

Correct answer is C. Traceroute sends probes with TTL starting at 1 and incrementing by 1 for each round. Every router decrements TTL by 1 — when it hits 0, the router drops the packet and sends an ICMP Time Exceeded message back to the source, revealing its IP address. This TTL trick is what makes hop-by-hop path discovery possible.

2. What ICMP message type does a router send when a packet's TTL expires during traceroute?

Correct answer is A. When a router decrements TTL to 0, it discards the packet and sends an ICMP Type 11 — Time Exceeded message back to the source. This message contains the router's source IP address, which traceroute records and displays as a hop in the output.

3. What command is used on Windows to perform a traceroute?

Correct answer is D. Windows uses tracert (a shortened form of "trace route"). Linux and macOS use traceroute. Both accomplish the same TTL-based path discovery but differ in their default protocol — Windows uses ICMP Echo Requests by default, while Linux uses UDP datagrams by default.

4. What is the default protocol used by Linux traceroute?

Correct answer is B. Linux traceroute sends UDP packets to high-numbered destination ports (33434+) by default. The destination host responds with an ICMP Port Unreachable message when the packet arrives (since nothing listens on those ports), confirming the final hop. Use -I for ICMP mode or -T for TCP mode.

5. What does "* * *" in traceroute output most commonly indicate?

Correct answer is C. Asterisks mean no ICMP Time Exceeded message was received within the timeout period. This is commonly caused by firewalls blocking ICMP, routers configured to suppress TTL-expired messages, or rate-limiting. Crucially, if subsequent hops respond normally, the path is NOT broken — only that specific router is not generating TTL responses.

6. How does traceroute help in diagnosing network connectivity problems?

Correct answer is A. Traceroute maps the complete end-to-end path and provides per-hop RTT measurements, making it straightforward to identify the last responding hop before a failure, pinpoint high-latency segments, and detect routing anomalies like loops or unexpected paths.

7. Why might traceroute results show completely different paths when run from source to destination compared to destination to source?

Correct answer is B. Asymmetric routing is completely normal in the internet and enterprise networks. Routing decisions are made independently at each hop — the forward path from A to B and the return path from B to A may traverse entirely different sets of routers based on routing tables, BGP policies, and load balancing. This is not a problem; traceroute only shows one direction at a time.

8. What Linux traceroute option sends TCP SYN packets for path tracing through firewalls?

Correct answer is D. The -T flag makes Linux traceroute send TCP SYN packets instead of UDP/ICMP. This is particularly useful when corporate or ISP firewalls block ICMP and UDP but allow TCP traffic to specific ports (e.g., port 443 for HTTPS). Use with -p to specify the destination port: sudo traceroute -T -p 443 target.com.

9. A traceroute shows hop 5 with 280ms latency, but hops 6, 7, and 8 show normal latency (30–40ms). What does this most likely indicate?

Correct answer is A. When high latency appears at a single hop but does NOT carry forward to subsequent hops, it is almost always caused by the router deprioritising ICMP TTL Exceeded message generation (a common practice to save CPU). Actual forwarded traffic passes through without delay. Only investigate a latency spike as a real bottleneck if the high latency persists at all subsequent hops too.

10. What does the traceroute option "-h" (or "-m" on some Linux versions) specify?

Correct answer is C. The -h option (Windows tracert) and -m option (Linux traceroute) set the maximum TTL value — the maximum number of hops traceroute will probe before giving up. The default is 30 hops. Reduce it with -h 15 to speed up traces on known short paths, or increase it if the destination is more than 30 hops away (rare).
