How do traceroutes work

For example, take a look at the following topology:. When we send a ping from H1 If you know the IP addresses of all routers in the path then you could ping all of these routers one by one.

What if you have no idea how many routers are in between? Above I used the tracert traceroute command on a Windows computer to trace the path from my computer to facebook.

You can see all the IP addresses and hostnames of the routers in between my computer and the server that responds to www. The response times that you see is the round trip time from my computer to the router.

For each router, traceroute sends three probes. Normally, TTL is used to prevent packets from being forwarded forever when there is a routing loop. How do we use this for traceroute? H1 will now send a second packet with a TTL of R1 will decrease the TTL from two to one, forwards it and now R2 has to drop it. R2 will respond with a TTL exceeded message.

R1 will decrease the TTL from three to two, R2 decrease it from two to one and R3 will have to drop it. R3 sends the TTL exceeded message to R1. We now know that the destination is reachable and we have learned all routers in our path. Each IP packet that we send is called a probe. Above we have two host computers. H1 is a Windows computer Above we see all routers and the destination. For each hop, traceroute will send three IP packets.

We do this to get a good average of the round trip time for each hop. We can see that this is an ICMP request. When R1 receives this IP packet, it will respond like this:. In the capture file, you will see the two packets above three times. You can take a look at the capture file yourself if you want:. Windows Traceroute. Because its not the usage that helps you understand and troubleshoot an issue. But its the concept behind a tool that will always give you an insight into the problem.

How to use a command can always be found out online or even inside the Linux man and info pages. In this article I will explain the working of traceroute and types of traceroute tools along with their differences. We will also look at different switches available to traceroute command in Linux.

Although its called as Time To Live, its not actually the time in seconds, but its something else. Related: Packet vs Segment vs Frame. TTL is not measured by the no of seconds but the no of hops. Its the maximum number of hops that a packet can travel through across the internet, before its discarded. Hops are nothing but the computers, routers, or any devices that comes in between the source and the destination.

What if there was no TTL at all?. If there was no TTL in an IP packet, the packet will flow endlessly from one router to another and on and on forever searching for the destination. TTL value is set by the sender inside his IP packet the person using the system, or sending the packet, is unaware of these things going on under the hood, but is automatically handled by the operating system.

If the destination is not found after traveling through too many routers in between hops and TTL value becomes 0 which means no further travel the receiving router will drop the packet and informs the original sender. Original sender is informed that the TTl value exceeded and it cannot forward the packet further. Let's say i need to reach Which means i can travel a maximum of 30 hops to reach my destination, before which the packet is dropped.

But how will the routers in between determine the TTL value limit has reached. Each router that comes in between the source and destination will go on reducing the TTL value before sending to the next router. Which means if i have a default TTL value of 30, then my first router will reduce it to 29 and then send that to the next router across the path.

The receiving router will make it 28 and send to the next and so on. If a router receives a packet with TTl of 1 which means no more further traveling, and no forwarding , the packet is discarded. But the router which discards the packet will inform the original sender that the TTL value has exceeded.!

Of course in internet when you send something to a receiver, the receiver will come to know the address of the sender. Traceroute makes use of this TTL exceeded messages to find out routers that come across your path to destination Because these exceeded messages send by the router will contain its address.

That's correct, every router in between you and your receiver will not send TTL exceeded message. Because the main purpose of Traceroute is to identify the hops between you and your destination.

See an example diagram of the whole process in the below diagram, where a sender does a traceroute towards one of the servers a remote location. So let's say i want to do a traceroute to google's publicly available DNS server 8.

My traceroute command and its result will look something like the below. Let's see what's happening under the hood. When i fire that command of traceroute -n 8.

Don't worry we will be discussing this in detail. This UDP packet will contain the following things. So Let's see how this thing works. Step 1: My Source address will make a packet with destination ip address of 8. And the important thing it does it to make the TTL Value 1. Step 2: Of course my packet will reach my gateway server. Hence my gateway server will send me back a TTL Time exceeded message. Please remember that when my gateway server sends a TTL exceeded message back to me, it will send the first 28 byte header of the initial packet i send.

Step 3: On receiving this TTL Time exceeded message, my traceroute program will come to know the source address and other details about the first hop Which is my gateway server. Step 4: Now the traceroute program will again send the same UDP packet with the destination of 8. But this time i will make the initial TTL 2. Step 5: On receiving UDP packet, the next hop to my gateway server will once again reduce it to 1 which means now the TTL has once again become 0. Hence it will send me back a ICMP Time exceeded message with its source address, and also the first 28 byte header of the packet which i send.

Step 7: Now again my traceroute program will make a similar UDP packet with again a random udp port with the destination address of 8. But how will my traceroute program come to know that the final destination of 8.

The traceroute program will come to know about that because, when the original receiver of the packet 8. When the original receiver 8. This is bound to happen because we are always sending a random UDP port between to Hence my Traceroute program will come to know that we have reached the final destination and will stop sending any further packets.

Now anything described in words is called a theory. We need to confirm this, by doing a tcpdump while doing a traceroute. Let's see the tcpdump output.

Please note that i will not show you the entire output of tcpdump because it too long. Run traceroute on one terminal of your linux machine. And on another terminal run the below tcpdump command to see what happens. The above output only shows the UDP packets my machine send..

I will show the reply messages seperate to make this more clear. Notice the TTL value on each line. The reason behind this is to calculate an average Round Trip Time. Traceroute program sends three UDP packets to each hop to measure the exact average round trip time. Round trip time is nothing but the time it took to send and then receive the reply in milliseconds.

I purposely didn't mention about this in the beginning to avoid confusion. So the bottom line is my traceroute program sends three UDP packets to each hop to simply calculate the round trip average.

Please see the traceroute output more closely. It shows three millisecond values for each hop. To get a clear idea about the round trip time.

Please note that the reply messages am showing below are part of the same tcpdump i did above, but showing you seperately to make this more clear. One more interesting thing to note is that each time my traceroute program is sending a different random UDP port number.

This is to identify the reply belonged to which packet. As told before the reply messages send by the hops and destination contains the header of original packet we send, hence traceroute program can accurately calculate the round trip time For each three UDP packets send to each hop , as it can easily identify the reply and correlate. The random port numbers are sort of identifiers to identify the reply. The reply messages looks like the below. Please note the ICMP time exceeded messages in the reply shown above I have not shown all reply messages.

Now let me show the final message which is different than the ICMP time exceeded message. This messages is a destination port unreachable, as told before. And my traceroute program will come to know that our destination has reached. Note that there are three replies from 8. As told before traceroute sends three similar UDP packets with different ports to simply calculate the round trip time.

What does Traceroute Do? What is Traceroute Used For? How To Run a Traceroute, Explained. To run traceroute on a Mac or Linux system, do the following: Open up an instance of Terminal. On a Windows system, you can: Go to the Start menu. Select Run. How To Read a Traceroute Report. Typical Hop Sequence. Do You See an Asterisk?

What Does It Mean? If you get several timeouts in a row, it can be because: The packets arrived at a router with a firewall that prevents traceroute online requests. The packets arrived at the subsequent router, but they were not able to return to the computer that sent them. The router has a connection problem.

Are Traceroute and Tracert the Same? Troubleshooting with Traceroute. What Factors Impact Hop Times? When Does High Latency Matter? For instance: There can be an issue with your network setup if the round-trip times are high for the first entries in the report.

This provides information about managed devices on your network. If you use a managed service provider MSP , you can ask them about what can be causing the problem.

You may notice a drop in network speed, and this can be an issue with your service provider. Check your agreement with the ISP before reaching out to support, however, because the speed you are getting may be all that you are entitled to. This can be your VoIP or videoconferencing provider, for example. Your provider can also use synthetic application performance monitoring APM to isolate performance issues. How Fortinet Can Help. What is traceroute?