Traceroute

What is Traceroute?

Traceroute is a network diagnostic tool that discovers the routers (or "routing hops"), and the latency to each of them, between a source host and a destination host. The source host is the client that starts the trace. For each hop, the command reports the router's IP address, its Fully Qualified Domain Name (FQDN) if reverse DNS resolves one, and the Round-Trip Time (RTT) of each probe. Advanced options can also report the Autonomous Systems traversed and the path Maximum Transmission Unit (MTU). Traceroute is one of the utilities that network engineers use every day to identify a network issue or troubleshoot connectivity.

The most beneficial use of this command is identifying routing issues that affect end-users and applications. Traceroute also has limitations that every network engineer should be aware of; they are covered under Traceroute Limits below. The utility is available on most modern operating systems, including Unix, Linux, Windows, and Mac OS X. On Windows the command is named tracert, and it only sends ICMP probes. On Linux, tracepath is a separate utility that performs a similar trace without requiring root privileges and also reports the path MTU.

Time To Live (TTL)

This utility discovers hops by using the Internet Control Message Protocol (ICMP) Time Exceeded message. Every IP packet carries a field called Time To Live (TTL) that limits the packet's lifespan, and every router inspects it so that packets can't circulate indefinitely. The TTL is an 8-bit field, so its maximum value is 255; the common defaults set by the sending host are 64 (Linux, Mac OS X) and 128 (Windows). Each router that forwards a packet decrements the TTL by one. A router that receives a packet with a TTL of 1 decrements it to 0, discards the packet, and sends an ICMP Time Exceeded error (Type 11, Code 0, "TTL exceeded in transit") back to the packet's source address. This mechanism keeps a routing loop from circulating packets forever. Ethernet frames have no equivalent field, which is why a layer two loop without Spanning Tree turns into a broadcast storm.

TTL and traceroute

Example of a Time Exceeded notification as captured with tcpdump, with the first-hop router my.meraki.net reporting back to the tracing host 10.1.36.5:

IP my.meraki.net > 10.1.36.5: ICMP time exceeded in-transit, length 60

How Traceroute Works

Traceroute uses the Time Exceeded mechanism to identify the router at each hop. For simplicity, we'll call the packets sent by traceroute "probes". By default, the utility sends three probes per hop, which yields three RTT measurements for that hop. When the network load-balances across several paths, the three probes may also be answered by different routers, revealing more than one path (see Traceroute Limits).

At each iteration, traceroute sends three probes with an increased TTL value, starting from TTL equal to one. To discover the first hop, the utility sets the TTL to one; the first router decrements it to zero and returns Time Exceeded, revealing its address. To discover the second hop, the utility sets the TTL to two, and so on. The command terminates when it either receives a reply from the destination host itself or reaches the maximum number of hops. The default maximum is 30 hops on Linux and Windows and 64 on Mac OS X (the sample output below shows "64 hops max"). The value can be changed from the command line (-m on Linux and Mac OS X, -h with Windows tracert); consult your documentation for details.

Hop by hop, the command builds the list of routing hops to the destination, assuming everything goes well (the cases where it doesn't are covered under Traceroute Limits below).

How to Run Traceroute

To run traceroute, open a terminal (or the command prompt on Windows) and type the command followed by the destination host. Below are the traceroute results to www.google.com from a Mac OS X host; each line reports the hop number, the router's FQDN and IP address, and the round trip time of each of the three probes:

$ traceroute www.google.com
traceroute to www.google.com (172.217.7.132), 64 hops max, 52 byte packets
 1  my.meraki.net (10.1.36.1)  10.140 ms  2.565 ms  3.272 ms
 2  164.52.244.85 (164.52.244.85)  5.580 ms  4.006 ms  3.104 ms
 3  64.58.254.226 (64.58.254.226)  4.069 ms  2.501 ms  5.308 ms
 4  * * *
 5  * * *
 6  google-level3-60g.washingtondc.level3.net (4.68.71.186)  85.500 ms  9.336 ms  8.873 ms
 7  108.170.246.1 (108.170.246.1)  10.156 ms  10.853 ms  13.887 ms
 8  216.239.54.205 (216.239.54.205)  8.865 ms  9.400 ms  9.387 ms
 9  iad30s08-in-f132.1e100.net (172.217.7.132)  9.145 ms  9.527 ms  12.434 ms
$

By default, probes are sent as ICMP Echo Requests on Windows and as UDP datagrams to high, normally unused ports (starting at 33434 and incrementing with each probe) on Linux and Mac OS X. The probe type determines how traceroute recognizes the destination: an intermediate router answers with ICMP Time Exceeded, while the destination itself answers a UDP probe with ICMP Destination Unreachable / Port Unreachable (Type 3, Code 3), an ICMP probe with an Echo Reply, and a TCP probe with a SYN/ACK or RST. Windows tracert is ICMP-only, but Linux traceroute can switch protocol (-I for ICMP, -T for TCP SYN, -p to choose the port) and Mac OS X traceroute accepts -P with udp, tcp, gre, or icmp.

Traceroute Limits

Traceroute has known limits that, in some cases, impact its ability to draw an accurate picture of the network. Here’s a list of known limitations that a network engineer should be aware of.

Unresponsive hops

Firewalls between the source and the destination host may block the probe packets or the ICMP replies. When no response is received from a hop within the timeout, traceroute displays an asterisk instead of the router's IP address or FQDN. The trace still continues with the next TTL, so a silent hop in the middle of a path (see hops 4 and 5 in the previous output) is usually harmless, while a run of asterisks all the way to the maximum hop count means the probes or the replies are being dropped from that point on. In such cases, try a different probe protocol and port, for example TCP probes to port 443 (traceroute -T -p 443 on Linux), which stateful firewalls typically let through to a web server. Also bear in mind that many routers rate-limit the ICMP errors their control plane generates, so a hop that shows asterisks or an unusually high RTT may simply be deprioritizing ICMP generation while forwarding traffic normally; a latency problem at a hop is real only when it carries forward to every subsequent hop. Some firewalls block all probe traffic, in which case there is very little you can do.

Equal Cost Multi Path (ECMP) networks

Networks like the internet are highly redundant. Routers therefore load-balance across several equal-cost routes to the same destination, usually by hashing the packet's flow identifier (source and destination address, protocol, and source and destination port) so that all packets of one flow take the same route. Classic traceroute changes the destination UDP port (or the ICMP sequence number) with every probe, so consecutive probes can hash to different routes; the resulting hop list may interleave routers from two distinct paths and show a "link" between routers that are not actually adjacent. A research team developed and released a working solution to this problem, Paris traceroute, described in the next section.
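To make the ECMP effect concrete, here is an added simulation in Python (not code from the article, from NetBeez, or from the Paris traceroute project). It models a small constructed topology in which router R1 splits traffic over two equal-cost paths by hashing the flow's addresses, protocol, and ports. The hash is a deliberately simple sum of the header fields; real routers use a vendor-specific hash, but the dependence on the port fields is the point. Classic traceroute changes the destination port with every probe, so the hop list read from its first probe column stitches together routers from both paths. The Paris-style run keeps the flow identifier constant and walks one real path, and a second run with a different source port finds the other.

```python
"""Simulation of per-flow ECMP load balancing and its effect on classic versus
Paris-style traceroute. Added example on a constructed topology."""
import socket
from collections import namedtuple

# Constructed topology: R1 has two equal-cost next hops (A1 and B1) and the two
# paths rejoin at R4. Router names are placeholders, not real devices.
TOPOLOGY = {
    "src": ["R1"],
    "R1": ["A1", "B1"],
    "A1": ["A2"], "A2": ["R4"],
    "B1": ["B2"], "B2": ["R4"],
    "R4": ["dst"],
    "dst": [],
}
SRC_IP, DST_IP, UDP = "10.1.36.5", "172.217.7.132", 17   # addresses from the sample trace

Flow = namedtuple("Flow", "src dst proto sport dport")


def ecmp_index(flow, n):
    """Pick one of n equal-cost next hops from the flow's 5-tuple. Real routers use a
    proper hash; a plain sum is enough to show that changing a port changes the path."""
    key = (sum(socket.inet_aton(flow.src)) + sum(socket.inet_aton(flow.dst))
           + flow.proto + flow.sport + flow.dport)
    return key % n


def send_probe(flow, ttl):
    """Forward one probe through the topology. Returns ("time-exceeded", router) for
    the router at which the TTL hit zero, or ("port-unreachable", "dst")."""
    node = "src"
    while True:
        next_hops = TOPOLOGY[node]
        node = next_hops[ecmp_index(flow, len(next_hops))]
        if node == "dst":
            return "port-unreachable", node      # destination host answers the UDP probe
        ttl -= 1                                # each router decrements the TTL
        if ttl == 0:
            return "time-exceeded", node        # and reports when it expires


def classic_traceroute(nprobes=3, max_hops=30):
    """Classic UDP traceroute: every probe uses a new destination port."""
    hops, port = [], 33434
    for ttl in range(1, max_hops + 1):
        responders, reached = [], False
        for _ in range(nprobes):
            kind, node = send_probe(Flow(SRC_IP, DST_IP, UDP, 40000, port), ttl)
            port += 1
            responders.append(node)
            reached = reached or kind == "port-unreachable"
        hops.append(responders)
        if reached:
            break
    return hops


def paris_traceroute(flow_id, nprobes=3, max_hops=30):
    """Paris-style run: the 5-tuple stays fixed, so every probe follows the same path
    (the real tool carries its probe id in the UDP checksum, which load balancers
    ignore; this model needs no id at all). Different flow_ids select different paths."""
    flow = Flow(SRC_IP, DST_IP, UDP, 40000 + flow_id, 33434)
    hops = []
    for ttl in range(1, max_hops + 1):
        responders = [send_probe(flow, ttl) for _ in range(nprobes)]
        hops.append([node for _, node in responders])
        if any(kind == "port-unreachable" for kind, _ in responders):
            break
    return hops


def first_responder_path(hops):
    """The path a reader would infer from the first column of the output."""
    return [r[0] for r in hops]


def false_links(path):
    """Consecutive hops in the reported path that are not adjacent in the topology."""
    full = ["src"] + path
    return [(a, b) for a, b in zip(full, full[1:]) if b not in TOPOLOGY[a]]


if __name__ == "__main__":
    classic = first_responder_path(classic_traceroute())
    print("classic:", classic, "false links:", false_links(classic))
    for fid in (0, 1):
        path = first_responder_path(paris_traceroute(fid))
        print("paris %d:" % fid, path, "false links:", false_links(path))
```

In the classic run, hop 2 is answered by A1 and B1 on alternating probes and the first-column path reads R1, A1, B2, R4, which contains the non-existent link A1 to B2; the two Paris-style runs each report a path whose every link exists. This is the behaviour to expect on any real ECMP network, and it is why a "routing change" seen between two classic traceroute runs is not evidence of anything until it is confirmed with a flow-stable tool.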

Traceroute Alternatives

There are three open source alternatives worth knowing:

  • MTR – This utility combines ping and traceroute: it keeps sending probes to every hop and reports per-hop packet loss and RTT statistics over time, which makes intermittent performance problems at a specific hop visible.
  • Paris traceroute – This version overcomes the load-balancing limit of traceroute and reveals the real underlying topology. It keeps the header fields that load balancers hash (addresses, protocol, ports) constant across the probes of a run and carries the probe identifier in a field they ignore, so all probes follow the same path; by varying the flow identifier between runs it can enumerate the multiple paths available.
  • Dublin traceroute – This command is similar to Paris traceroute with some enhancements, such as detecting NAT devices along the path.

All three are open source and can be easily installed and run on a Linux host.

NetBeez and Traceroute

Currently, NetBeez agents can run both the regular traceroute command and dublin traceroute. The regular command supports most traceroute options, including selecting TCP, UDP, or ICMP as the probe protocol, so it's easier to get past firewall rules. The data reported from the traceroute output includes network latency, IP address, FQDN, and MTU per hop (when using UDP or ICMP as the transport protocol).

Here’s a quick screenshot of a traceroute output in NetBeez:

Visualization of a traceroute test on the NetBeez network monitoring dashboard.

The following screenshot instead reports the output of dublin traceroute, which detects multiple routes to the destination.

Network Monitoring Path Analysis

Closing remarks

Traceroute is, along with ping, one of the most important network tools engineers use every day for network diagnostics. With traceroute, network engineers can identify high response times at a particular hop, or routing changes.
