Traceroute: How it works

Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network. It utilizes the IP protocol’s time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.

This tool verifies the path by which our packet should reach the destination, without actually sending the data. This post is not so much about the tool itself; it is about the concept the tool uses to do its job.

We can always refer to the Linux man and info pages to learn how to use this tool.

You should know the basics first

Each IP packet that we send on the internet has a field called TTL, which stands for Time To Live. TTL is measured in hops: it is the maximum number of hops that a packet can travel across the internet before it is discarded. Hops are the computers, routers, or any other devices that sit between the source and the destination. If there were no TTL in an IP packet, the packet would flow endlessly from one router to another, forever searching for the destination. The operating system handles the TTL value automatically, although we can change it with the help of a few tools.

If the destination is not found after traveling through too many hops, the receiving router drops the packet and informs the original sender. Let’s say I need to reach an IP address, and my default TTL value is 30 hops. This means my packet can travel a maximum of 30 hops to reach the destination before it is dropped. Each router between the source and the destination reduces the TTL value before sending the packet to the next router.

So if I have a default TTL value of 30, my first router will reduce it to 29 and then send the packet to the next router along the path. The receiving router will again make it 28 and send it to the next, and so on. If a router receives a packet with a TTL of 1, the packet will be discarded. But the router that discards the packet will inform the original sender that the TTL value has been exceeded. Once the original sender receives that message, it learns the address of the router that sent it.

How Traceroute comes to know about the address of every hop in between

From the above explanation it is clear that not every hop will send its address back. But what if we purposely send a packet with a TTL value of 1 and keep increasing this value every time? My understanding is shown in the picture below.

Path of your Packet

Now let’s hit the track with our first trace-route to public DNS(

Note that when we run the traceroute command on any Linux system, it sends UDP packets by default, although we can change the packet type to ICMP with the following command.

If you do not want traceroute to send DNS queries for every host it finds along the way, you can use -n as well.

So, what are we basically sending in a UDP packet when we create a traceroute request?

  • My source address
  • Destination address
  • Any random invalid UDP port (something between 33434 and 33534)

Let’s go back to the question of how traceroute works. For that we need to see the packets flowing between the source and the destination while the traceroute is in progress. We need to run tcpdump while traceroute is running, so run the traceroute in one terminal and run the following command in another terminal. The output of tcpdump will be huge, and I have selected only those packets that make sense here. These are only the “sent” packets; we will discuss the “received” ones later.

Sent packets

Details of above dump

Let’s analyze the above dump which will describe the process of traceroute.

  • My machine will make a packet with the destination IP address and a destination port number between 33434 and 33534, and the main thing to note is that the TTL value is 1. But as you can see, there are basically three UDP packets sent with a TTL value of 1. The reason is that traceroute sends 3 packets to calculate the round-trip time. If you observe closely, all the packets are sent to different port numbers. This is done so that each response can later be matched to the packet that triggered it, and the RTT can be calculated accurately.

    Round-trip time (RTT), also called round-trip delay, is the time for a signal pulse or packet to travel from a specific source to a specific destination and back again.

  • Now my packet will reach the next hop, which will reduce the TTL value by 1. That means the value is now zero (1-1), so the hop will send the packet back along with a TTL time exceeded message. It will also contain the 28 byte header.
  • When the TTL time exceeded message is received by my source, it will come to know the address of the first hop. (Cool, isn’t it?)
  • Now the same process is repeated, but with a TTL value of 2, so that the packet reaches the second hop before the TTL becomes zero again.
  • Once the TTL is zero, the second hop sends the TTL time exceeded message back to my source address along with the 28 byte header. Thus we now know the address of the second hop as well.
  • The sequence goes on, increasing the TTL value by 1 every time.
  • Finally, once the packet reaches the destination address, the destination will send a message saying ICMP Destination/Port Unreachable, because we were sending the message to an invalid port, if you remember.
  • My source now knows that the packet has reached the destination, so traceroute stops sending any further packets.
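The steps above can be followed end to end in code. This is an added example, not code from the original post or from the traceroute project: the network is replaced by a constructed `simulate` function and a made-up three-hop `PATH` (both assumptions), so it runs without raw sockets, while `parse_reply` reads the ICMP error the way a tracer would, including the quoted 28 bytes used to match a reply to its probe by destination port.

```python
import socket
import struct

BASE_PORT = 33434  # first probe port; every probe uses the next port up
PATH = ["10.0.0.1", "10.0.1.1", "192.0.2.53"]  # constructed path, last entry = destination

def ip_header(src, dst, ttl, proto, length):
    # Minimal 20-byte IPv4 header; checksum left at 0, which is enough for parsing.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def simulate(src, dst, ttl, dport):
    # Constructed stand-in for the network: returns the raw ICMP reply (None if lost).
    probe = ip_header(src, dst, ttl, 17, 28) + struct.pack("!HHHH", 40000, dport, 8, 0)
    for i, hop in enumerate(PATH, start=1):
        if hop != dst and i < ttl:
            continue  # this router decrements the TTL and it is still above zero
        icmp = (3, 3) if hop == dst else (11, 0)  # port unreachable / time exceeded
        body = struct.pack("!BBHI", icmp[0], icmp[1], 0, 0) + probe[:28]
        return ip_header(hop, src, 64, 1, 20 + len(body)) + body

def parse_reply(pkt):
    ihl = (pkt[0] & 0x0F) * 4              # outer IP header length
    router = socket.inet_ntoa(pkt[12:16])  # address of whoever sent the ICMP error
    icmp_type, code = pkt[ihl], pkt[ihl + 1]
    quoted = pkt[ihl + 8:]                 # the 28 bytes: probe IP header + UDP header
    q_ihl = (quoted[0] & 0x0F) * 4
    dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return router, icmp_type, code, dport

def trace(src, dst, max_ttl=30, probes=3):
    hops, port = [], BASE_PORT
    for ttl in range(1, max_ttl + 1):
        routers, reached = set(), False
        for _ in range(probes):
            reply = simulate(src, dst, ttl, port)
            if reply is not None:
                router, icmp_type, code, dport = parse_reply(reply)
                if dport == port:          # quoted port ties the reply to this probe
                    routers.add(router)
                    reached = reached or (icmp_type, code) == (3, 3)
            port += 1
        hops.append((ttl, sorted(routers)))
        if reached:                        # port unreachable: the destination answered
            break
    return hops
```

Calling `trace("192.0.2.10", "192.0.2.53")` returns one entry per TTL value and stops at the hop that answers with Port Unreachable.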

Analyze it further

Now, let’s analyze the packets we received during the traceroute. Again, this is not the complete dump.

The above dump shows all the theory we discussed earlier. Also observe the difference in the reply once the packet reaches the destination in the dump below.

This was the mechanism behind the traceroute.

Traceroute Vs Tracert

The major difference between these two is the platform on which they work: traceroute works on Unix-based operating systems, while Tracert works on Windows. One more notable difference is in the packets they send. As we have seen, Unix sends a UDP packet unless we specify the packet type with a separate flag, but Windows always sends an ICMP packet for the same purpose. A sample command on the Windows interface looks like this.

You can analyze the traffic and the packets on Windows as well, although you need to install a few pieces of software first.

  • WinPcap: Windows Packet Capture (WinPcap) is the Windows version of the libpcap library; it includes a driver to support capturing packets.
  • WinDump: WinDump is nothing but tcpdump for Windows.
  • Wireshark: Wireshark is basically a network capture tool; we can use it for both capturing and analyzing, with many extra features as well (we can discuss it some other time).

We will go through the process quickly for windows as well.

Once you have downloaded all the software, open the command prompt as Administrator.

Go to the directory where you downloaded WinDump and run the following command. It will list all the configured network adapters, with numbers.

The output will look something like the below (masked for my safety ;)).

Run the command below to capture packets and write them to a file.

What are those switches

Well, I know there is a lot to explain in the above commands. Here is what those switches mean.

  • -i is the number of the NIC selected in the previous step (I have chosen the Ethernet adapter)
  • -q is quiet mode
  • -w <name> is the prefix of the files to create
  • -n the logging will not resolve host names; all data will be in IP address format
  • -W the number of circular log files to retain in addition to the current log file; specify in <path> where the files will be present
  • -U upon saving each packet, it will be written to the output file
  • -s decreases the amount of packet buffering; set this to zero
  • -C the size, in millions of bytes, the log files grow to before moving to the next file

Now if you go to that location, you will see one log file created; you can create this as a text file as well. Otherwise, open it with Wireshark. You will see the same kind of packets as we have already seen in the case of Unix.

You can play around with the commands and the outputs. Do drop your valuable comments and feedback.
