Linux for Network Engineers: Layer Four Traceroute (LFT)

Layer Four Traceroute (LFT) is a version of traceroute that adds several nice features to the basic traceroute we are all familiar with. In most cases it’s faster, but also might discover routers that the traditional traceroute doesn’t discover unless you tweak the running parameters. In addition, it can perform AS Number Lookup by using a few different sources. The traditional traceroute can also do AS Lookup but has only one source for the lookup and it doesn’t seem to be as accurate.


For Debian/Ubuntu Linux LFT is available as a package and can be installed with:

However, if you want to make sure you install the latest version you’d have to install libpcap, and download and compile LFT as follows:

After that you should be able to run and check the LFT version with:

LFT comes with WhoB which is a utility to look up Internet DNS and network number records, similar to whois. Like LFT, WhoB puts a new spin to whois by providing an output that is easy to parse and doesn’t include all the output of whois which is usually redundant (e.g. general inquiries email, physical address, etc).

It looks like this:


Let’s start by showing the difference between LFT and traceroute with a tracer to without using any options for each utility:

To try to compare apples to apples as much as possible, for LFT we use the IP traceroute targeted for

As you can see, traceroute couldn’t identify hops 6, 9, and 10, while LFT couldn’t identify hops 3 and 4. In this case, it looks like the outputs from the two utilities could be complementary to get the complete picture.

Let’s try another example, that shows better the difference between the two:

Traceroute without any options couldn’t reach the destination after 30 hops, and couldn’t discover any routers after hop 7.

In this case, the default LFT managed to get to the destination and discover the vast majority of intermediate hops. It still is not able to discover hops 3 and 4.
Another utility that can do route discovery is nmap, and let’s see what its output looks like:

We added the “-sn” and “-Pn” options to skip the unnecessary port scan and host discovery for this test. As you can see, nmap discovered the most routers between LFT and traceroute.

LFT has several more options that you can find here or by typing lft --help. Similar to traceroute, you have the option to fine tune the probing by choosing between TCP or UDP packets, specify ports, etc. With LFT you can also choose between Prefix WhoIs, RIPE NCC, RADB, and Cymru for ASN lookup. In addition, you can print the output in XLM format for easier parsing, or in GraphViz.

All in all, I consider LFT an evolution of traceroute that is more than 30 years old at this point, and basically hasn’t changed in several years. LFT is currently under active maintenance and receives regular updates and improvements. 

However, all of these tools are complementary to each other, and in this blog we’ve talked about other tracing tools such as dublin-traceroute and path-ping, concluding that you might need to try a couple of different utilities to get a complete trace between two hosts.