Traceroute – Packet Path Analysis & Troubleshooting

What is Traceroute?

Traceroute is a network diagnostic tool used to map the path that packets take from a source device to a destination IP address or hostname across a network.
Purpose: It helps you identify the series of routers (hops) traversed by packets and highlights where delays, bottlenecks, or failures occur.

How Traceroute Works

  • TTL (Time to Live) Field: Traceroute manipulates the TTL field in IP packets. Each router decrements TTL by 1; if TTL hits 0, the router drops the packet and sends an ICMP Time Exceeded message back.
  • Incremental TTL: Traceroute starts with TTL=1, then 2, then 3, etc., to discover each hop.
  • ICMP/UDP/TCP: When a probe finally reaches the destination, the host itself replies (an ICMP Echo Reply to an ICMP probe, or an ICMP Port Unreachable to a UDP probe), which lets traceroute confirm the final hop.
  • Result: Each ICMP Time Exceeded message reveals the IP address, hostname, and response time of each hop along the path.
Example: A traceroute from your laptop to www.google.com may show 10-20 intermediate routers (“hops”) between you and the Google server, each with its own latency measurement.
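The TTL mechanism above can be modelled without sending any packets. The following is an added example (not code from the original page): routers and the destination are plain Python objects, the path addresses are constructed from documentation ranges, and hop 3 is deliberately configured never to send ICMP Time Exceeded so the "hidden hop" case shows up as an asterisk exactly as it would in real output.

```python
"""In-memory model of the traceroute TTL mechanism.  Added example, not code
from the page: no packets are sent, so it runs anywhere without privileges."""
from typing import List, Optional, Tuple


class Router:
    """One hop. Decrements TTL; when it reaches 0 the packet is dropped and,
    unless the router is configured to stay silent, an ICMP Time Exceeded
    reply goes back (silent routers are the "hidden hops" printed as '*')."""

    def __init__(self, address: str, latency_ms: float, replies: bool = True):
        self.address = address
        self.latency_ms = latency_ms  # one-way delay from the previous hop to this one
        self.replies = replies


class Destination:
    """The target host: it does not decrement TTL, and answers a UDP probe with
    ICMP Port Unreachable, which tells traceroute the path is complete."""

    def __init__(self, address: str, latency_ms: float):
        self.address = address
        self.latency_ms = latency_ms


def send_probe(path: List[Router], dest: Destination,
               ttl: int) -> Optional[Tuple[str, str, float]]:
    """Forward one probe with the given TTL.  Returns (reply_kind, replier,
    rtt_ms), or None when nothing comes back (the probe just times out)."""
    one_way = 0.0
    for router in path:
        one_way += router.latency_ms
        ttl -= 1                          # every router decrements TTL by 1
        if ttl == 0:                      # expired here: drop and (maybe) report
            if router.replies:
                return ("time-exceeded", router.address, 2 * one_way)
            return None
    one_way += dest.latency_ms
    return ("port-unreachable", dest.address, 2 * one_way)


def traceroute(path: List[Router], dest: Destination, max_hops: int = 30):
    """Send probes with TTL = 1, 2, 3, ... until the destination answers or
    max_hops is hit.  Each entry is (ttl, address or None, rtt_ms or None)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, dest, ttl)
        if reply is None:
            hops.append((ttl, None, None))   # shown as "* * *" by the real tool
            continue
        kind, addr, rtt = reply
        hops.append((ttl, addr, rtt))
        if kind == "port-unreachable":       # reached the target: stop probing
            break
    return hops


def format_hops(hops) -> str:
    """Render hops in a traceroute-like layout."""
    lines = []
    for ttl, addr, rtt in hops:
        rtt_text = "*" if rtt is None else f"{rtt:.1f} ms"
        lines.append(f"{ttl:3d}  {addr or '*':<16} {rtt_text}")
    return "\n".join(lines)


# Constructed path (documentation-range addresses).  Hop 3 never sends
# Time Exceeded, so the trace shows it as a hidden hop and carries on.
DEMO_PATH = [
    Router("192.168.1.1", 0.5),
    Router("203.0.113.1", 5.0),
    Router("198.51.100.17", 7.0, replies=False),
]
DEMO_DEST = Destination("93.184.216.34", 5.0)


def run_demo():
    return traceroute(DEMO_PATH, DEMO_DEST)


if __name__ == "__main__":
    print(format_hops(run_demo()))
```

Running it prints four hops: the two replying routers with their round-trip times, an asterisk for the silent router, and the destination at 35.0 ms. Note that the asterisk does not stop the trace; the probe with TTL=4 still passes through the silent router because its TTL has not yet expired there.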

Traceroute Command Syntax

Platform       Command                   Common Options
Windows        tracert [destination]     -h (max hops), -w (timeout)
Linux/macOS    traceroute [destination]  -h (max hops), -w (timeout), -q (queries per hop), -I (ICMP), -T (TCP)
Examples:
  • tracert www.google.com (Windows)
  • traceroute www.google.com (Linux/macOS)
  • sudo traceroute -T -p 443 www.example.com (Linux, TCP port 443)

Interpreting Traceroute Output

Tracing route to www.google.com [142.250.72.196] over a maximum of 30 hops:

  1     1 ms    1 ms    1 ms  192.168.1.1
  2    10 ms   11 ms   10 ms  203.0.113.1
  3    24 ms   24 ms   25 ms  198.51.100.17
  4    35 ms   34 ms   36 ms  142.250.72.196

Trace complete.
    
  • Hop #: Sequence of routers traversed
  • Times: Round-trip times for three probes per hop (in ms)
  • IP Address/Hostname: Each router along the path
Asterisks (* * *) indicate no reply—router/firewall may be blocking traceroute packets or ICMP.

Differences Between Platforms

Platform       Command      Default Protocol                     Output Style
Windows        tracert      ICMP Echo Request                    Simplified
Linux/macOS    traceroute   UDP by default; ICMP/TCP optional    More detailed/flexible

Common Use Cases

  • Diagnosing routing issues and finding network breaks
  • Detecting network bottlenecks (high-latency hops)
  • Observing path changes during outages or re-routing
Example: If ping to a server fails, use traceroute to determine where the connection is blocked or delayed.

Limitations of Traceroute

  • ICMP/UDP probes may be blocked by firewalls, causing false negatives
  • Shows only one direction—return path may be different (asymmetric routing)
  • Some routers do not send TTL-expired messages (hidden hops, * * *)
  • Information disclosure—can reveal internal network devices (sometimes blocked in secure environments)

Advanced Traceroute Techniques

  • Protocol selection: Use -I (ICMP) or -T (TCP) on Linux for more accurate or application-specific tracing
  • Paris Traceroute: Enhanced tool for multipath analysis
  • Adjusting probes: Customize max hops, queries per hop, or packet size for deeper diagnostics

Security Considerations

  • Traceroute may be restricted or blocked in secure networks to avoid disclosing internal topology
  • Always use with caution in sensitive or production environments

Troubleshooting with Traceroute

  • Use ping to confirm reachability; traceroute to find where the path breaks
  • Identify hops with high latency or timeouts (potential bottlenecks)
  • Repeated or looping hops may suggest routing misconfiguration

Exam Tips and Key Points

  • Know tracert (Windows) vs traceroute (Linux/macOS)
  • Understand how TTL, ICMP, and UDP/TCP make traceroute possible
  • Asterisks (* * *) mean no reply at that hop
  • Correlate traceroute and ping for best troubleshooting
  • Asymmetric paths are normal in large networks—don’t expect both directions to match
  • Try TCP traceroute if ICMP/UDP is blocked (traceroute -T)

Practical Example: Troubleshooting Flow

Scenario 1: Web Access Issue

tracert www.example.com    # Windows
traceroute www.example.com # Linux/macOS
    
Sample Output 1: All Hops Reachable
Tracing route to www.example.com [93.184.216.34]
  1     1 ms    1 ms     1 ms  192.168.1.1
  2    10 ms   11 ms    10 ms  203.0.113.1
  3    25 ms   23 ms    25 ms  198.51.100.1
  4    34 ms   34 ms    33 ms  93.184.216.34
Trace complete.
    
All hops reply, so the network path is clear. If ping or web access still fails, the issue is most likely at the application or firewall layer.
Sample Output 2: Failure at a Hop
Tracing route to www.example.com [93.184.216.34]
  1     1 ms    1 ms     1 ms  192.168.1.1
  2    11 ms   10 ms    10 ms  203.0.113.1
  3    24 ms   25 ms    25 ms  198.51.100.1
  4     *        *        *    Request timed out.
  5     *        *        *    Request timed out.
    
The trace fails beyond hop 3. Possible causes: a firewall blocking the probes, a router down, or a route break. The path is confirmed good up to hop 3; try alternate protocols (for example -T) before concluding the path itself is broken.
Sample Output 3: Intermittent Delays
Tracing route to www.example.com [93.184.216.34]
  1     1 ms    1 ms     1 ms  192.168.1.1
  2    10 ms   11 ms    10 ms  203.0.113.1
  3   250 ms  300 ms   200 ms  198.51.100.1
  4    32 ms   35 ms    33 ms  93.184.216.34
    
High latency at hop 3—possible congestion, overloaded router, or queuing issue.

Scenario 2: Internal Network Problem

traceroute to 10.10.10.10 (10.10.10.10), 30 hops max
 1  192.168.1.1    1 ms    1 ms    1 ms
 2  10.0.0.1       2 ms    2 ms    2 ms
 3  10.10.10.10    *       *       *
    
Destination reached but no reply—host may be up but firewall blocks ICMP; application may still work.
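The checks described under Interpreting Traceroute Output and Troubleshooting with Traceroute can be automated. The following is an added example, not code from the original page: a small parser for both tracert and traceroute hop lines, with an analyzer that flags timed-out hops, where a trace dies, whether the target address appeared (even if it stayed silent, as in Scenario 2), and latency spikes. It goes one step beyond the text by classifying a spike as transient when later hops are fast again, because a router that is slow only at generating ICMP replies (rate-limited control plane) produces exactly the pattern in Sample Output 3 without the forward path being congested. The sample traces embedded below are copied from Scenario 1 and Scenario 2 above; the 100 ms spike threshold is an assumption.

```python
"""Traceroute output analyzer.  Added example, not code from the page.
Parses Windows tracert and Linux/macOS traceroute hop lines and reports the
conditions discussed in the text; sample traces are copied from the page."""
import re
from statistics import median
from typing import Dict, Optional

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DEST_IN_HEADER = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_hop(line: str) -> Optional[Dict]:
    """Parse one hop line; None for header/footer lines.  Handles the Windows
    layout ("4  *  *  *  Request timed out."), the Linux layout
    ("3  10.10.10.10  *  *  *"), bracketed IPs and tracert's "<1 ms"."""
    tokens = line.split()
    if not tokens or not tokens[0].isdigit():
        return None
    hop = {"n": int(tokens[0]), "addr": None, "rtts": []}
    for i, tok in enumerate(tokens[1:], start=1):
        if tok == "*":                         # probe got no answer
            hop["rtts"].append(None)
        elif tok == "ms":                      # previous token is the RTT value
            hop["rtts"].append(float(tokens[i - 1].lstrip("<")))
        elif IPV4.match(tok.strip("[]()")):    # bare, [bracketed] or (parenthesised)
            hop["addr"] = tok.strip("[]()")
    return hop


def parse_trace(text: str) -> Dict:
    """Split a whole trace into the destination address and its hop records."""
    dest, hops = None, []
    for line in text.splitlines():
        hop = parse_hop(line)
        if hop is not None:
            hops.append(hop)
        elif dest is None:
            m = DEST_IN_HEADER.search(line)    # "[93.184.216.34]" or "(10.10.10.10)"
            if m:
                dest = m.group(1)
    return {"dest": dest, "hops": hops}


def analyze(text: str, spike_ms: float = 100.0) -> Dict:
    """Flag timed-out hops, where the trace dies, whether the target appeared,
    and latency spikes classified as transient or persistent."""
    trace = parse_trace(text)
    hops = trace["hops"]
    meds = []                                  # per-hop median RTT of answered probes
    for h in hops:
        answered = [r for r in h["rtts"] if r is not None]
        meds.append(median(answered) if answered else None)

    timed_out = [h["n"] for h, m in zip(hops, meds) if m is None]
    # The destination address showing up as the last hop means the path got
    # there, even if that host dropped the probes (Scenario 2 above).
    reached = bool(hops) and hops[-1]["addr"] is not None \
        and hops[-1]["addr"] == trace["dest"]
    final_hop_silent = reached and meds[-1] is None

    dies_after = None                          # trace ends in timeouts, target never seen
    if not reached and meds and meds[-1] is None:
        last_ok = [h["n"] for h, m in zip(hops, meds) if m is not None]
        dies_after = last_ok[-1] if last_ok else 0

    spikes, baseline = [], None
    for i, m in enumerate(meds):
        if m is None:
            continue
        if baseline is not None and m - baseline > spike_ms:
            later = [x for x in meds[i + 1:] if x is not None]
            # If a later hop is fast again, the forward path is not slow; the
            # router is only slow to generate ICMP (transient, usually benign).
            kind = "transient" if any(x < m - spike_ms for x in later) else "persistent"
            spikes.append((hops[i]["n"], m, kind))
        baseline = m
    return {"dest": trace["dest"], "reached": reached, "final_hop_silent": final_hop_silent,
            "timed_out": timed_out, "dies_after": dies_after, "spikes": spikes}


# Sample traces copied from the page (Sample Output 2, Sample Output 3, Scenario 2).
SAMPLE_FAIL = """Tracing route to www.example.com [93.184.216.34]
  1     1 ms    1 ms     1 ms  192.168.1.1
  2    11 ms   10 ms    10 ms  203.0.113.1
  3    24 ms   25 ms    25 ms  198.51.100.1
  4     *        *        *    Request timed out.
  5     *        *        *    Request timed out.
"""
SAMPLE_SLOW = """Tracing route to www.example.com [93.184.216.34]
  1     1 ms    1 ms     1 ms  192.168.1.1
  2    10 ms   11 ms    10 ms  203.0.113.1
  3   250 ms  300 ms   200 ms  198.51.100.1
  4    32 ms   35 ms    33 ms  93.184.216.34
"""
SAMPLE_INTERNAL = """traceroute to 10.10.10.10 (10.10.10.10), 30 hops max
 1  192.168.1.1    1 ms    1 ms    1 ms
 2  10.0.0.1       2 ms    2 ms    2 ms
 3  10.10.10.10    *       *       *
"""

if __name__ == "__main__":
    for name, text in [("fail", SAMPLE_FAIL), ("slow", SAMPLE_SLOW), ("internal", SAMPLE_INTERNAL)]:
        print(name, analyze(text))
```

For the failing trace the report gives dies_after=3 with hops 4 and 5 timed out; for the slow trace it reports a transient spike at hop 3 (250 ms median) with the target reached; for the internal trace it reports the target reached but silent, which is the "host up, ICMP filtered" case rather than a broken path.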

Scenario 3: Asymmetric Routing

Site A → Site B
 1  192.168.10.1    1 ms
 2  172.16.1.1      3 ms
 3  203.0.113.1    15 ms
 4  10.100.1.2     20 ms
 5  10.200.1.2     25 ms
    
Site B → Site A
 1  10.200.1.2     1 ms
 2  10.100.1.2     2 ms
 3  198.51.100.2   5 ms
 4  172.16.1.1    10 ms
 5  192.168.10.1  15 ms
    
Paths are different in each direction. This is normal in complex networks.

Advanced: Using TCP Traceroute

If ICMP/UDP is blocked, test using TCP (simulates web/application traffic):

sudo traceroute -T -p 443 www.example.com
    
This sends TCP SYN packets to port 443 (HTTPS); useful if only web traffic is allowed.

Practice Exercise

  • Run traceroute 8.8.8.8 or tracert www.cisco.com
  • Try traceroute -T -p 80 www.google.com to use TCP
  • Analyze where the trace slows or fails. What do you observe?

Traceroute – Track Packet Path Quiz

1. What field does traceroute use to discover each hop along the packet's path?

Correct answer is C. Traceroute manipulates the TTL field to force routers to send back ICMP Time Exceeded messages for each hop.

2. What type of message does a router send back when a packet's TTL reaches zero during traceroute?

Correct answer is A. When TTL expires, routers respond with an ICMP Time Exceeded message to inform the sender.

3. What command is used on Windows to perform a traceroute?

Correct answer is D. Windows uses the "tracert" command for traceroute functionality.

4. What default protocol does Linux traceroute use?

Correct answer is B. Linux traceroute sends UDP packets by default, though ICMP and TCP options exist.

5. What does the appearance of "* * *" (asterisks) in traceroute output usually mean?

Correct answer is C. Asterisks indicate the probe packet timed out or was blocked and no response was received.

6. How can traceroute help in diagnosing network problems?

Correct answer is A. Traceroute maps the route and shows where packets face delays or get dropped.

7. Why might traceroute results show different paths when run from source to destination and vice versa?

Correct answer is B. Asymmetric routing causes different forward and return paths in large networks.

8. What traceroute option can be used on Linux to send TCP SYN packets for path tracing?

Correct answer is D. The -T option makes traceroute send TCP SYN packets, useful when ICMP/UDP are blocked.

9. If traceroute output shows increasing latency on a specific hop, what does this likely indicate?

Correct answer is A. Higher latency at a hop suggests congestion, queuing, or overload.

10. What does the traceroute option "-h" specify?

Correct answer is C. The -h option sets the maximum number of hops to attempt in traceroute.
