What is Traceroute?
Traceroute is an IP utility that discovers all the routers (or “routing hops”) between the source host that issues the command and the destination host. For each router, the command returns its IP address, its Fully Qualified Domain Name (FQDN) if available, and the Round-Trip Time (RTT) to it. Advanced options can also include the Autonomous Systems traversed and the Maximum Transmission Unit (MTU). Traceroute is one of the most important utilities that network engineers use every day to identify and troubleshoot network issues.
The most beneficial use of this command is that it can help identify routing issues that could impact end-users and applications. Traceroute also has some limitations that every network engineer should be aware of. The utility is available on most modern operating systems, such as Unix, Linux, Windows, and Mac OS X. Some operating systems also ship the executable under a different name, such as tracepath (e.g. Linux) or tracert (e.g. Windows).
Time To Live (TTL)
Traceroute discovers the hops to the destination using the ICMP Time Exceeded message. IP packets have a field called Time To Live (TTL) that routers use to limit a packet’s lifespan; every router inspects this field so that packets won’t circulate indefinitely. The TTL’s maximum value is 255, and most TCP/IP implementations set it to 64 by default. When a router or host receives a packet, it decrements the TTL value by one. When a router receives a packet with a TTL equal to 1, the packet’s time has been exceeded: the router or host discards it and sends an ICMP Time Exceeded error message (Code 11) back to the source. This mechanism prevents routing loops from causing broadcast storms, as can happen with layer-two switching.
Example of a Time Exceeded packet notification as captured with tcpdump:
IP my.meraki.net > 10.1.36.5: ICMP time exceeded in-transit, length 60
How Traceroute Works
Traceroute uses the Time Exceeded mechanism to identify the router at each hop. For simplicity, we’ll call the packets sent by traceroute “probes”. By default, the utility sends three probes for each hop. As a result, the probes may discover more than one path (in the case of multi-path routing) or return three RTT measurements for a single hop.
At each iteration, traceroute sends three probes with an increased TTL value, starting from a TTL of one. To discover the first hop, the utility sets the TTL to one; to discover the second hop, it sets the TTL to two, and so on. The command terminates when it either reaches the destination host or reaches the configured maximum number of hops. By default, the maximum number of hops is 30. This value can be changed via the command line; consult your documentation for the appropriate flag.
Hop by hop, the command builds the list of routing hops to the destination, assuming everything goes well (I will explain what can go wrong in the next section). Here’s an example of a traceroute to www.google.com with default options:
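The TTL mechanism and the hop-by-hop discovery loop described above can be stepped through without sending a single packet. The following is an added example, not code from the original post: it models a constructed chain of routers in memory (documentation addresses, fixed RTTs, no raw sockets), with a `silent` router that forwards but never answers with Time Exceeded and a `blocks_probes` device that drops every probe, so both the normal case and the "* * *" case can be observed.

```python
"""Hop discovery by increasing TTL, simulated in plain Python.

Added example, not code from the original post. It models a constructed
chain of routers in memory (no raw sockets, no real packets) so the
mechanics described above can be stepped through: every router decrements
the TTL, the router at which it hits zero answers with ICMP Time Exceeded,
and traceroute raises the TTL by one per hop until the destination answers
or the maximum hop count is reached.
"""
from dataclasses import dataclass


@dataclass
class Router:
    address: str
    rtt_ms: float                # constructed, fixed round-trip time
    silent: bool = False         # forwards, but never sends Time Exceeded
    blocks_probes: bool = False  # firewall that drops every probe it sees


def send_probe(path, destination, ttl):
    """Walk one probe with the given TTL along the constructed path.

    Returns (kind, address, rtt_ms), where kind is:
      "time-exceeded"  a router expired the probe and replied
      "reached"        the destination host answered
      "silent"         nothing came back (expired at a silent router, or
                       dropped by a filtering device on the way)
    """
    for router in path:
        if router.blocks_probes:
            return ("silent", None, None)
        ttl -= 1                      # every router decrements TTL by one
        if ttl == 0:                  # the probe expires at this router
            if router.silent:
                return ("silent", None, None)
            return ("time-exceeded", router.address, router.rtt_ms)
    # All routers traversed with TTL still above zero: the destination
    # answers (with real traceroute, an ICMP Port Unreachable or Echo Reply).
    return ("reached", destination.address, destination.rtt_ms)


def traceroute(path, destination, max_hops=30, probes_per_hop=3):
    """Return [(hop_number, address_or_star, [rtts]), ...], one entry per
    TTL value tried, stopping once the destination has answered."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, destination, ttl)
                   for _ in range(probes_per_hop)]
        answered = [r for r in replies if r[0] != "silent"]
        if answered:
            hops.append((ttl, answered[0][1], [r[2] for r in answered]))
        else:
            hops.append((ttl, "*", []))   # printed as "* * *" by the tool
        if any(r[0] == "reached" for r in replies):
            break                         # destination host reached
    return hops


def format_hops(hops):
    """Render the result roughly the way traceroute prints it."""
    lines = []
    for number, address, rtts in hops:
        if rtts:
            lines.append(f"{number:2d}  {address}  " +
                         "  ".join(f"{r:.3f} ms" for r in rtts))
        else:
            lines.append(f"{number:2d}  * * *")
    return "\n".join(lines)


# Constructed topology using documentation address ranges, not a real network.
PATH = [
    Router("10.1.36.1", 2.5),
    Router("192.0.2.2", 4.0),
    Router("192.0.2.3", 5.0, silent=True),    # behaves like an unanswered hop
    Router("192.0.2.4", 9.0),
]
DESTINATION = Router("198.51.100.9", 9.5)
# Same path with a filtering firewall inserted after the second router.
FILTERED_PATH = PATH[:2] + [Router("192.0.2.99", 6.0, blocks_probes=True)] + PATH[2:]


if __name__ == "__main__":
    print(format_hops(traceroute(PATH, DESTINATION)))
    print("--- same path behind a filtering firewall, max_hops=8 ---")
    print(format_hops(traceroute(FILTERED_PATH, DESTINATION, max_hops=8)))
```

Running the script shows hop 3 as "* * *" while hops 4 and 5 are still discovered, because the silent router forwards probes with a higher TTL; behind the filtering firewall, by contrast, every hop from the third onwards is a row of asterisks and the loop only stops at `max_hops`.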
$ traceroute www.google.com
traceroute to www.google.com (126.96.36.199), 64 hops max, 52 byte packets
1 my.meraki.net (10.1.36.1) 10.140 ms 2.565 ms 3.272 ms
2 188.8.131.52 (184.108.40.206) 5.580 ms 4.006 ms 3.104 ms
3 220.127.116.11 (18.104.22.168) 4.069 ms 2.501 ms 5.308 ms
4 * * *
5 * * *
6 google-level3-60g.washingtondc.level3.net (22.214.171.124) 85.500 ms 9.336 ms 8.873 ms
7 126.96.36.199 (188.8.131.52) 10.156 ms 10.853 ms 13.887 ms
8 184.108.40.206 (220.127.116.11) 8.865 ms 9.400 ms 9.387 ms
9 iad30s08-in-f132.1e100.net (18.104.22.168) 9.145 ms 9.527 ms 12.434 ms
By default, probes are sent using ICMP on Windows and UDP on Linux and Mac OS X. Both also offer options to change the transport protocol, for example to TCP or GRE (on Mac OS X).
Traceroute has known limitations that, in some cases, affect its ability to draw an accurate picture of the network. Here are the ones a network engineer should be aware of:
- Firewalls between the source and destination hosts may block the probe packets, causing traceroute to run to the maximum number of hops without returning any result. When no response is received from a router, traceroute displays an asterisk instead of the router’s IP address or FQDN (see hops 4 and 5 in the example in the previous section). In such cases, it’s recommended to try a different transport protocol and perhaps a different port. Some firewalls block all traffic, in which case there’s very little you can do.
- Routers that load-balance based on the packet header may use more than one path to route traffic towards a destination. In this case, traceroute may return an inaccurate path between source and destination. I describe a solution to this problem in the next section.
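Both limitations leave a visible trace in the tool's text output, which is what you usually have to work with when a test is run on a remote host. The following is an added example, not code from the original post: it parses the line format shown in the example above (a hop number, then `name (ip)` followed by one or more RTTs, where the name and address are printed only when they change, or `*` for each unanswered probe) and flags hops that never answered as well as hops where more than one address replied. The first sample is the post's own traceroute to www.google.com; the second is constructed, with documentation addresses, to show a load-balanced hop.

```python
"""Parse traceroute text output and flag the two limitations discussed:
hops that never answer (printed as "* * *") and hops where more than one
router answered, a sign of per-packet or per-flow load balancing.

Added example, not code from the original post. The first sample below is
the post's own traceroute to www.google.com; the second is constructed to
show a load-balanced hop.
"""
import re
from dataclasses import dataclass, field
from statistics import mean

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
# One responder token: optional "name (ip)" followed by an RTT, or a lone "*".
TOKEN = re.compile(
    r"(?:(?P<name>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+)?"
    r"(?P<rtt>\d+(?:\.\d+)?)\s*ms"
    r"|(?P<star>\*)"
)


@dataclass
class Hop:
    number: int
    names: dict = field(default_factory=dict)   # ip -> name as printed
    rtts: dict = field(default_factory=dict)    # ip -> list of RTTs in ms
    timeouts: int = 0                           # number of "*" probes

    @property
    def responded(self):
        return bool(self.rtts)

    @property
    def multipath(self):
        """More than one address answered at this TTL: load balancing."""
        return len(self.rtts) > 1

    def summary(self):
        """(min, avg, max) over all RTTs at this hop, or None if unanswered."""
        all_rtts = [r for lst in self.rtts.values() for r in lst]
        if not all_rtts:
            return None
        return (min(all_rtts), round(mean(all_rtts), 3), max(all_rtts))


def parse_traceroute(text):
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue            # "traceroute to ..." header or blank line
        hop = Hop(int(m.group(1)))
        current_ip = None       # an RTT without an address belongs to the last one printed
        for tok in TOKEN.finditer(m.group(2)):
            if tok.group("star"):
                hop.timeouts += 1
                continue
            if tok.group("ip"):
                current_ip = tok.group("ip")
                hop.names[current_ip] = tok.group("name")
            if current_ip is not None:
                hop.rtts.setdefault(current_ip, []).append(float(tok.group("rtt")))
        hops.append(hop)
    return hops


def unresponsive_hops(hops):
    return [h.number for h in hops if not h.responded]


def multipath_hops(hops):
    return [h.number for h in hops if h.multipath]


def reached(hops, destination_ip):
    """True when the last printed hop is the destination itself."""
    return bool(hops) and destination_ip in hops[-1].rtts


# The post's own traceroute output, header line included.
SAMPLE = """\
traceroute to www.google.com (126.96.36.199), 64 hops max, 52 byte packets
 1  my.meraki.net (10.1.36.1)  10.140 ms  2.565 ms  3.272 ms
 2  188.8.131.52 (184.108.40.206)  5.580 ms  4.006 ms  3.104 ms
 3  220.127.116.11 (18.104.22.168)  4.069 ms  2.501 ms  5.308 ms
 4  * * *
 5  * * *
 6  google-level3-60g.washingtondc.level3.net (22.214.171.124)  85.500 ms  9.336 ms  8.873 ms
 7  126.96.36.199 (188.8.131.52)  10.156 ms  10.853 ms  13.887 ms
 8  184.108.40.206 (220.127.116.11)  8.865 ms  9.400 ms  9.387 ms
 9  iad30s08-in-f132.1e100.net (18.104.22.168)  9.145 ms  9.527 ms  12.434 ms
"""

# Constructed output (documentation addresses) with a load-balanced hop 2.
MULTIPATH_SAMPLE = """\
traceroute to host.example (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example (192.0.2.1)  1.012 ms  0.998 ms  1.105 ms
 2  r1.example (192.0.2.21)  3.201 ms  r2.example (192.0.2.22)  3.450 ms  3.398 ms
 3  host.example (203.0.113.10)  5.120 ms  5.087 ms  5.233 ms
"""

if __name__ == "__main__":
    for label, text in (("post sample", SAMPLE), ("multipath sample", MULTIPATH_SAMPLE)):
        hops = parse_traceroute(text)
        print(label, "unresponsive:", unresponsive_hops(hops),
              "multipath:", multipath_hops(hops))
        for h in hops:
            print(f"  hop {h.number:2d} {h.summary()} via {list(h.rtts)}")
```

On the post's output the parser reports hops 4 and 5 as unresponsive and no load-balanced hops; on the constructed sample it reports hop 2 as answered by two different addresses, which is exactly the case where the path printed by plain traceroute should not be trusted and Paris-Traceroute is the better tool.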
There are two worthwhile open-source alternatives:
- MTR – This utility also reports the packet loss at each hop; it works by continuously sending packets to each hop to measure packet loss and identify the performance issues it causes.
- Paris-Traceroute – This version overcomes the load-balancing limitation of traceroute by revealing the real underlying network topology. It works by manipulating the header fields of the probe packets so that the multiple available paths can be identified.
Both are open source, so they can be easily installed and run on a Linux host.
NetBeez and Traceroute
NetBeez agents can now run traceroute tests! They support the TCP, UDP, and ICMP protocols, which helps circumvent the firewall limitation I described earlier. The data reported from the traceroute tests include the path RTT, IP address, FQDN, and MTU per hop (when UDP or ICMP is used as the transport protocol).
Here’s a quick screenshot of this test in NetBeez:
If you are a NetBeez user and want to run MTR or paris-traceroute, you can install them via the agent console. Please reach out via chat or support if you need help.
Traceroute is, along with ping, one of the most important utilities network engineers use every day to identify and troubleshoot network issues.