What is Traceroute used for?

Traceroute is used to identify the path a packet takes between two points on the internet. It helps network engineers locate exactly where a connection is slow or where packets are being dropped by examining every intermediate router (hop) and its latency.

What does an asterisk (* * *) mean in a traceroute report?

An asterisk means that a specific router did not respond back with an ICMP 'Time Exceeded' message within the timeout period. This is often because the router is configured to drop diagnostic packets for security or is too busy to process low-priority control traffic. It doesn't mean the network is down unless all subsequent hops also fail.

What is the difference between ICMP and UDP Traceroute?

Windows systems use ICMP Echo Requests (pings) by default, while Linux/Unix systems typically use UDP packets. UDP traceroute is often more effective at bypassing strict firewalls that block ICMP but allow high-port UDP traffic.

How do I identify a network bottleneck in a trace?

A real bottleneck is identified by a permanent increase in latency that starts at one hop and remains high for all subsequent hops. A single spike at one hop that disappears at the next is usually just 'phantom latency' caused by the router's slow management CPU.

Why are there multiple IP addresses listed for the same hop?

Modern high-speed networks use 'Equal-Cost Multi-Path' (ECMP) routing. This means there are multiple parallel routers handling traffic at that stage. Traceroute sends multiple packets, and if they are balanced across different paths, you will see multiple IPs at the same hop number.

How does IPv6 change traceroute mechanics?

In IPv6, the TTL field is renamed to 'Hop Limit,' but the core mechanism remains identical. However, ICMPv6 is much more integral to the protocol's basic functioning, so firewalls are generally more likely to allow ICMPv6 'Time Exceeded' messages to pass than their IPv4 counterparts.

What is Equal-Cost Multi-Path (ECMP) and why does it break traces?

ECMP allows routers to load-balance traffic across multiple parallel paths. When you run a traceroute, different probe packets may travel across different physical cables. This can result in 'flapping' hops where you see IPs from different routers appearing at the same hop number.

Is traceroute safe to run against a production server?

Yes. Traceroute sends very small packets (typically 40-60 bytes) and requires negligible bandwidth. It is a passive diagnostic tool that does not interfere with production application traffic or data integrity.

How do I perform a traceroute on a specific port?

Standard traceroute doesn't support specific ports easily. However, using a TCP traceroute tool (like TCPing or custom scripts), you can send SYN packets to Port 80, 443, or 25 to see exactly how a specific application's traffic is being routed through the firewall.

Why do some ISPs show high latency on the first hop?

This is often due to 'Bufferbloat' or interleaving on DSL/Cable lines. The first hop is the connection between your modem and the ISP's head-end (CMTS/DSLAM). If your upload is saturated, your first-hop latency will skyrocket.

Can I traceroute through a VPN?

Yes, but you will only see the path from the VPN's exit node to the target. The path from your computer to the VPN server itself is encapsulated in an encrypted tunnel and will usually appear as a single hop (the VPN gateway).

What is the difference between 'tracert' and 'traceroute'?

'tracert' is the Windows implementation that uses ICMP by default. 'traceroute' is the Unix/Linux implementation that traditionally uses UDP. While they achieve the same goal, their protocol choice can lead to different firewall behaviors.

What is an AS (Autonomous System) Number in a trace?

An ASN represents a group of IP prefixes managed by a single organization (like an ISP or Google). Seeing the ASN in a trace helps you identify exactly which company is responsible for a delay—useful for filing BGP peering complaints.

BACK TO TOOLKIT

Global Traceroute Client

Enter a domain or IP to perform a real-time traceroute from our edge network nodes.

Layer 3 Path Analysis

Visual Traceroute Engine

Map the physical path of packets across the internet's backbone. Identify network bottlenecks, high-latency autonomous systems, and packet-loss hotspots.

The Physics of TTL: Forcing the Internet to Reveal Itself

To understand traceroute, one must first understand the **Time-to-Live (TTL)** field in the Internet Protocol (IP) header. TTL was never intended for diagnostics; it was designed as a defensive "dead-man switch" to prevent packets from looping infinitely through misconfigured routing tables. An IP packet with no expiration would circulate forever, consuming bandwidth and router CPU cycles until the network collapsed under its own weight.

Every router that processes a packet is mandated by **RFC 791** to decrement the TTL value by at least one. This is mathematically expressed as:

TTL_{final} = TTL_{initial} - \sum_{i=1}^{n} \text{Hop}_i

If the TTL reaches zero before the packet reaches its final destination, the router is obligated to discard the packet and notify the sender via an **ICMP Type 11, Code 0 (Time Exceeded)** message. This error message is the "reveal" that traceroute relies on.

The TTL field is an 8-bit integer, permitting a maximum value of 255. In the early days of the ARPANET, TTL represented seconds; today, it representing hops. Different operating systems use different initial values: Windows typically starts at **128**, while Linux/Unix systems default to **64**. This discrepancy allows network analysts to perform "OS Fingerprinting" by examining the TTL of incoming packets.

Modern traceroute implementations don't just record the IP; they measure the **Round-Trip Time (RTT)** for each probe. By sending three probes per hop (the industry default), engineers can calculate the minimum, maximum, and average latency at every single point in the chain, providing a high-resolution snapshot of network performance.

Protocol Forensics: ICMP, UDP, and TCP Traces

The original traceroute implementation by Van Jacobson used **UDP** packets targeting a range of "unlikely" high-numbered ports (33434 to 33534). However, as firewalls became more aggressive, network engineers had to diversify their probing strategies to ensure they could actually reach the target.

ICMP Echo (Windows)

The Microsoft Standard.

Sends standard Pings. Simple and efficient, but many edge firewalls (like AWS Security Groups) block ICMP by default, leading to the dreaded * * * on the final hop even if the server is up.

UDP Tracing

Standard on Linux/Unix.

Sends probe packets to high ports. When the destination is reached, the server typically replies with a "Port Unreachable" (Type 3, Code 3) instead of "Time Exceeded."

TCP SYN Tracing

Modern Infrastructure Probing.

Mimics a real connection attempt (usually on Port 443). Since firewalls must allow web traffic, TCP traceroutes bypass most blocks to reach the application layer.

The choice of protocol significantly impacts the visibility of the path. For instance, **Layer 4 Load Balancers** and **Application Delivery Controllers (ADCs)** might respond differently to a UDP probe than they would to a TCP SYN on port 443. Advanced tools like `tcptraceroute` or `paratrace` use various flags in the TCP header (like the ACK or FIN flags) to discover routers that would otherwise be invisible.

Path Anatomy: Deciphering the Hops

Every line in a traceroute report represents a unique node or interface. Understanding the taxonomy of these hops is key to isolating problems:

Hops 1-3:**Local Network & Edge Gateway.** This is your router, your ISP's local CMTS, or the data center edge. High latency here usually indicates local Wi-Fi interference or local link congestion.
Hops 4-8:**The Core ISP Network.** These are high-speed regional routers. You will typically see very stable, low latency here as packets stay within the provider's fiber backbone.
Hops 9-15:**Peering & Transit.** This is "The Wild West." Packets cross between Autonomous Systems (AS) at Internet Exchange Points (IXP). This is where 90% of internet performance issues occur due to BGP routing shifts or saturated peering capacity.

ECMP: Why Some Hops Have Multiple IPs

In high-density carrier networks, traffic is rarely sent down a single wire. Instead, **Equal-Cost Multi-Path (ECMP)** routing is used to balance the load across dozens of parallel links. For a traceroute, this presents a unique challenge.

Because traceroute sends multiple packets per hop, the router at Hop N might send Packet 1 over Link A and Packet 2 over Link B. If Link A and Link B lead to different physical routers at Hop N+1, you will see two or three different IP addresses listed for the same hop number. This is not a bug; it is a sign of a robust, high-capacity network. However, it makes isolating a single "bad link" much harder, as your traffic may only hit the failing interface 33% of the time.

The 7 Deadly Traces: Troubleshooting Guide

1. The Routing Loop

Identified by two IP addresses alternating until the max hop limit is reached. This is a fatal BGP misconfiguration where Router A thinks the path is via Router B, and Router B thinks it's via Router A.

2. The ICMP Black Hole

The trace proceeds normally until Hop X, and then shows nothing but asterisks (* * *) until the end. This usually means a firewall is dropping your specific probe type (ICMP/UDP) but allowing others.

3. Low-Priority CPU Overhead

Hop 5 shows 200ms latency, but Hops 6 through 15 show 15ms. This is "Phantom Latency." The router is busy and delayed responding to your probe, but it is forwarding customer traffic at full speed.

4. Asymmetric Return Path

A massive latency spike appears in the middle of a trace but has no logical physical reason (e.g., both routers are in the same city). This often means the *return* path from that router is congested.

Probability of Packet Delivery in Multi-Hop Paths

Packet loss is often a result of Bernoulli trials at each hop. In a path with n hops, the probability that a packet successfully completes the entire journey (P_success) is the product of the survival probabilities of each individual hop:

P_{success} = \prod_{i=1}^{n} (1 - P_{loss,i})

Note: If P_loss is non-zero at any point in the core network, TCP retransmissions will cause the perceived application-layer latency to increase significantly beyond the raw RTT.

Maintenance & Diagnostic Monitoring Strategies

Effective network maintenance requires moving beyond "one-off" traceroutes toward continuous path monitoring. Professional NetOps teams utilize **MTR (My Traceroute)**—a tool that combines ping and traceroute into a live-updating stream.

Continuous Delta Analysis

Baseline your path daily. A traceroute is only useful if you know what the path looked like *before* the issue started. Use tools like ThousandEyes or custom MTR scripts to log path deltas.

BGP Peering Audits

If your traceroute shows a jump into a Tier-1 provider (like NTT or GTT) and latency spikes, audit your BGP advertisements. You may be accidentally preferring a trans-continental path for regional traffic.

When maintaining high-availability applications (VoIP, Fintech, Gaming), a traceroute should be the first step in the **"Triangulation Protocol"**:

Baseline RTT: Measure the minimum RTT to establish the "Physical Floor" (Propagation limit).
Path Stability: Look for IP flapping (ECMP imbalance). If IPs are changing every second, a router in the core may be failing.
MTU Discovery: Use the "Do Not Fragment" bit in your trace to detect MTU mismatches (Black Hole Routers).

Security & Reconnaissance: The Defender's Dilemma

Traceroute is a double-edged sword. For administrators, it is a scalpel for diagnostics. For attackers, it is a map for reconnaissance. By analyzing a traceroute, an adversary can:

Identify the physical location of servers (via IP Geolocation of intermediate hops).
Discover the internal IP addressing schemes of a corporate network.
Detect the presence of Web Application Firewalls (WAFs) and IDS/IPS systems.
Target specific "weakest link" routers for DDoS attacks (the "Zero-TTL" attack).

To mitigate this, many enterprises configure their edge routers to be "Stealthy." They will still forward packets (decrementing TTL) but will refuse to send the ICMP Time Exceeded response back to the requester. This maintains network health while obscuring the infrastructure from potential attackers.

Advanced Diagnostics: Anycast and CDN Pathing

In the modern internet, the destination IP you are tracing might not be a single server. **IP Anycast** allows multiple globally distributed servers to share the same IP address. When you run a traceroute to an Anycast IP (like Cloudflare's 1.1.1.1 or Google's 8.8.8.8), BGP routing protocols direct your packets to the "topologically closest" node.

CDNs use traceroute data to optimize their edge delivery. By measuring the latency from thousands of "Vantage Points" (VPs), CDNs calculate the optimal path for high-bandwidth content delivery. The performance metric used is the **Normalized Path Latency**:

\Lambda_{norm} = \frac{RTT_{total}}{H_{count} \times L_{fiber}}

Where H_count is the hop count and L_fiber is the physical length of the fiber link. A high Lambda_norm indicates inefficient peering or "tromboning"—where traffic travels far out of its way only to return to a nearby point.

Frequently Asked Questions

Technical Standards & References

IETF

RFC 791: Internet Protocol (IP) Specification

VIEW OFFICIAL SOURCE

IETF

RFC 792: Internet Control Message Protocol (ICMP)

VIEW OFFICIAL SOURCE

F. Baker

RFC 1812: Requirements for IP Version 4 Routers

VIEW OFFICIAL SOURCE

NANOG (Richard Steenbergen)

Traceroute Demystified

VIEW OFFICIAL SOURCE

CAIDA

A Survey of Traceroute Tools

VIEW OFFICIAL SOURCE

Linode Engineering

Understanding MTR Reports

VIEW OFFICIAL SOURCE

Cloudflare

Path MTU Discovery (PMTUD) Basics

VIEW OFFICIAL SOURCE

Mathematical models derived from standard engineering protocols. Not for human safety critical systems without redundant validation.

Related Engineering Resources

Interactive Tool

Ping Latency Tool

Measure RTT and packet loss for a specific destination.

Interactive Tool

DNS Lookup Utility

Query DNS records and identify authoritative nameservers.

Interactive Tool

Port Scanner

Audit open ports and firewall security on your infrastructure.

Partner in Accuracy

"You are our partner in accuracy. If you spot a discrepancy in calculations, a technical typo, or have a field insight to share, don't hesitate to reach out. Your expertise helps us maintain the highest standards of reliability."

Contributors are acknowledged in our technical updates.

Path
Visualization.

In a Nutshell

Global Traceroute Client

Visual Traceroute Engine

The Physics of TTL: Forcing the Internet to Reveal Itself

Protocol Forensics: ICMP, UDP, and TCP Traces

ICMP Echo (Windows)

UDP Tracing

TCP SYN Tracing

Path Anatomy: Deciphering the Hops

ECMP: Why Some Hops Have Multiple IPs

The 7 Deadly Traces: Troubleshooting Guide

1. The Routing Loop

2. The ICMP Black Hole

3. Low-Priority CPU Overhead

4. Asymmetric Return Path

Probability of Packet Delivery in Multi-Hop Paths

Maintenance & Diagnostic Monitoring Strategies

Continuous Delta Analysis

BGP Peering Audits

Security & Reconnaissance: The Defender's Dilemma

Advanced Diagnostics: Anycast and CDN Pathing

Frequently Asked Questions

Frequently Asked Questions

Technical Standards & References

Related Engineering Resources

Ping Latency Tool

DNS Lookup Utility

Port Scanner