Traceroute

Traceroute
Original author(s): Van Jacobson
Initial release: 1987
Platform: Unix-like systems
Type: Command

tracert
Developer(s): Microsoft, ReactOS contributors
Platform: Windows, ReactOS
Type: Command
License: Microsoft Windows: proprietary commercial software; ReactOS: GNU General Public License

In computing, traceroute and tracert are computer network diagnostic commands for displaying possible routes (paths) and measuring transit delays of packets across an Internet Protocol (IP) network. The route is recorded as the round-trip times of the packets received from each successive host (remote node) along the path. Because every probe starts at the source, the round-trip time reported for hop N already includes the path through hops 1 to N-1, so the per-hop values are not added together; the value reported for the final hop is the round-trip time to the destination. Traceroute continues until the destination answers or the hop limit is reached; a hop for which all probes (usually three) go unanswered is shown with asterisks rather than ending the trace, and only if the destination itself never answers does the trace end without a usable route. Ping, on the other hand, only measures the round-trip time to the destination.


For Internet Protocol Version 6 (IPv6), the tool is sometimes named traceroute6 [1] or tracert6. [2]

Implementations

The command traceroute is available on many modern operating systems. On Unix-like systems such as FreeBSD, macOS, and Linux it is available as a command line tool. Traceroute is also graphically accessible in macOS within the Network Utilities suite; these utilities have been deprecated since the release of macOS Big Sur. [3]

Microsoft Windows and ReactOS provide a program named tracert that performs the same route-tracing function. Windows NT-based operating systems also provide PathPing, which combines the functionality of ping with that of tracert. The ReactOS version was developed by Ged Murphy and is licensed under the GPL. [4]

On Unix-like operating systems, traceroute sends, by default, a sequence of User Datagram Protocol (UDP) packets, with destination port numbers ranging from 33434 to 33534; the implementations of traceroute shipped with Linux, [5] FreeBSD, [6] NetBSD, [7] OpenBSD, [8] DragonFly BSD, [9] and macOS include an option to use ICMP Echo Request packets (-I), or any arbitrary protocol (-P) such as UDP, TCP using TCP SYN packets, or ICMP. [10]

On Windows, tracert sends ICMP Echo Request packets, rather than the UDP packets traceroute sends by default. [11]

The time-to-live (TTL) value, also known as hop limit, is used to determine the intermediate routers traversed towards the destination. Traceroute sends packets with TTL values that increase from one set of packets to the next, starting with a TTL of one. Each router decrements the TTL of a packet it forwards by one and discards a packet whose TTL has reached zero, returning the ICMP error message ICMP Time Exceeded (type 11) to the sender. [10] For the first set of packets, the first router receives the packet, decrements the TTL to zero and drops it, sending an ICMP Time Exceeded message back to the source. The next set of packets is given a TTL of two, so the first router forwards them, but the second router drops them and replies with ICMP Time Exceeded. Proceeding in this way, traceroute uses the returned ICMP Time Exceeded messages to build a list of the routers that packets traverse, until the destination itself is reached. The destination returns an ICMP Destination Unreachable message (code Port Unreachable, since nothing listens on the high-numbered UDP port) if UDP probes are used, or an ICMP Echo Reply if ICMP Echo Request probes are used. [10]
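The mechanism described above, as an added example that is not code from the original page or from any traceroute implementation: it builds the UDP probes for successive TTLs, constructs the ICMP Time Exceeded and Port Unreachable replies that a router or the destination host would generate for them, and decodes those replies back into the hop they answer by reading the destination port quoted inside the ICMP error. The addresses (documentation ranges), the source port 54321 and the mapping "destination port = 33434 + TTL - 1" are assumptions for illustration (real implementations vary the port per query); nothing is sent on the network, so no raw-socket privilege is needed.

```python
"""Added example: how UDP traceroute probes and ICMP replies fit together.
Not from the original page; it only uses the standard library and never
touches the network, so it runs without raw-socket privileges."""
import socket
import struct

BASE_PORT = 33434  # first UDP destination port used by Unix traceroute


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum used by IPv4 and ICMP headers.
    Run over a header that already contains its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_probe(src: str, dst: str, ttl: int) -> bytes:
    """IPv4/UDP probe for one hop. The destination port (BASE_PORT + ttl - 1,
    an assumed mapping) is what lets the sender pair each ICMP reply with
    the TTL that caused it. UDP checksum 0 means 'not computed', which IPv4 permits."""
    udp = struct.pack("!HHHH", 54321, BASE_PORT + ttl - 1, 8, 0)
    return ipv4_header(src, dst, ttl, 17, len(udp)) + udp


def icmp_error_reply(sender: str, probe: bytes, itype: int, icode: int) -> bytes:
    """The error a router (type 11, Time Exceeded) or the destination host
    (type 3 code 3, Port Unreachable) returns: ICMP header plus the probe's
    IP header and first 8 bytes of payload, as RFC 792 requires."""
    icmp = struct.pack("!BBHI", itype, icode, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    original_sender = socket.inet_ntoa(probe[12:16])
    return ipv4_header(sender, original_sender, 64, 1, len(icmp)) + icmp


def decode_reply(packet: bytes):
    """Classify a received IPv4 packet and recover the TTL of the probe it
    answers. Returns (kind, responder_ip, probe_ttl)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                        # not ICMP at all
        return ("other", None, None)
    responder = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if len(icmp) < 8 or checksum(icmp) != 0:  # truncated or corrupted
        return ("other", responder, None)
    itype, icode = icmp[0], icmp[1]
    if itype == 0:                            # Echo Reply (ICMP-mode traceroute)
        return ("echo_reply", responder, None)
    if itype not in (3, 11):
        return ("other", responder, None)
    quoted = icmp[8:]                         # the probe as the router saw it
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8 or quoted[9] != 17:
        return ("other", responder, None)
    dst_port = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    probe_ttl = dst_port - BASE_PORT + 1
    if itype == 11 and icode == 0:
        return ("time_exceeded", responder, probe_ttl)
    if itype == 3 and icode == 3:
        return ("port_unreachable", responder, probe_ttl)
    return ("other", responder, probe_ttl)


def trace_simulation(src="10.0.0.5", dst="203.0.113.9",
                     path=("192.0.2.1", "198.51.100.1", "203.0.113.1"),
                     max_hops=30):
    """Drive the TTL loop against a constructed three-router path (documentation
    addresses, no real network). Returns [(ttl, responder, kind), ...]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = build_probe(src, dst, ttl)
        if ttl <= len(path):
            reply = icmp_error_reply(path[ttl - 1], probe, 11, 0)
        else:
            reply = icmp_error_reply(dst, probe, 3, 3)
        kind, responder, probe_ttl = decode_reply(reply)
        if probe_ttl != ttl:                  # stray reply to another probe
            continue
        hops.append((ttl, responder, kind))
        if kind == "port_unreachable":        # destination reached
            break
    return hops


if __name__ == "__main__":
    for ttl, responder, kind in trace_simulation():
        print(f"{ttl:2d}  {responder:<15} {kind}")
```

The decoder verifies the ICMP checksum and the quoted inner protocol before trusting the port, which is the check a real receiver needs: any host on the path can send an ICMP error claiming to answer a probe, and the quoted header is the only thing tying a reply to a specific probe.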

The timestamp values returned for each router along the path are the delay (latency) values, typically measured in milliseconds for each packet.

The sender expects a reply within a specified number of seconds. If no reply arrives within that interval, an asterisk is displayed in place of the round-trip time. The Internet Protocol does not require packets to take the same route towards a particular destination, so the router reported for one hop may not lie on the path taken by the probes sent for other hops. If the router at hop N does not reply, the hop is shown as asterisks and the trace continues with the next TTL.

If a network has a firewall and operates both Windows and Unix-like systems, more than one protocol must be enabled inbound through the firewall for traceroute to work and receive replies.

Some traceroute implementations use TCP packets, such as tcptraceroute and layer four traceroute (lft). PathPing is a utility introduced with Windows NT that combines ping and traceroute functionality. MTR is an enhanced version of ICMP traceroute available for Unix-like and Windows systems. The various implementations of traceroute all rely on ICMP Time Exceeded (type 11) packets being sent to the source.

On Linux, tracepath is a utility similar to traceroute, with the primary difference of not requiring superuser privileges. [12]

Cisco's implementation of traceroute also uses a sequence of UDP datagrams, each with incrementing TTL values, to an invalid port number at the remote host; by default, UDP port 33434 is used. An extended version of this command (known as the extended traceroute command) can change the destination port number used by the UDP probe messages. [13]

Usage

[Figure: visual traceroute.] Router addresses can be superimposed upon maps of their physical locations. This example shows a request from New Zealand to an IP address in Massachusetts which takes a route that passes through Europe.

Most implementations include at least options to specify the number of queries to send per hop, time to wait for a response, the hop limit and port to use. Invoking traceroute with no specified options displays the list of available options, while man traceroute presents more details, including the displayed error flags. An example on Linux:

$ traceroute -w 3 -q 1 -m 16 example.com
traceroute to example.com (93.184.216.34), 16 hops max, 52 byte packets
 1  192.x.x.x (192.x.x.x)  5.152 ms
 2  10.x.x.x (10.x.x.x)  12.767 ms
 3  172.x.x.x (172.x.x.x)  11.638 ms
 4  172.x.x.x (172.x.x.x)  13.193 ms
 5  xxx.x.x.x.cox.net (68.x.x.x)  20.624 ms
 6  xxx.xxx.xxx.edgecastcdn.net (192.x.x.x)  56.205 ms
 7  xxx.xxx.xxx.edgecastcdn.net (192.x.x.x)  24.573 ms
 8  *
 9  *
10  93.x.x.x (93.x.x.x)  22.810 ms
11  93.x.x.x (93.x.x.x)  20.235 ms

In the example above, selected options are to wait for three seconds (instead of five), send out only one query to each hop (instead of three), limit the maximum number of hops to 16 before giving up (instead of 30), with example.com as the final host. On line 8 and 9 (TTLs 8 and 9) it shows asterisks where the router did not respond within the timeout.

Traceroute can be used to help identify incorrect routing table definitions, or firewalls that block ICMP traffic or the high-numbered UDP ports that Unix traceroute probes use. A complete traceroute does not guarantee connectivity for applications, because a firewall may permit the probe packets (ICMP, or UDP to the probe ports) while blocking the application's own protocol or port.
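To turn the asterisk and "reached the destination" rules from the paragraphs above into something checkable, the following is an added example (not from the original page or any traceroute implementation) that parses traceroute's text output, records which hops answered, which showed timeouts, and whether the final hop is the target address. The two output samples are constructed with documentation addresses; the hop line format assumed is the one shown in the Linux example above, with one to three probes per hop.

```python
"""Added example: parse traceroute output and assess what it shows.
Constructed samples only; not code from the original page."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RESPONDER_RE = re.compile(r"(\S+) \(([^)]+)\)")   # 'name (ip)' pairs
RTT_RE = re.compile(r"([\d.]+) ms")


@dataclass
class Hop:
    ttl: int
    responders: list = field(default_factory=list)  # distinct IPs that answered
    rtts: list = field(default_factory=list)        # milliseconds, one per reply
    timeouts: int = 0                               # probes printed as '*'


def parse_traceroute(text: str):
    """Return (target_name, target_ip, [Hop, ...]) from traceroute's output."""
    target = (None, None)
    hops = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = (m.group(1), m.group(2))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        hop = Hop(ttl)
        for _name, ip in RESPONDER_RE.findall(rest):
            if ip not in hop.responders:     # one hop line may list several routers
                hop.responders.append(ip)
        hop.rtts = [float(r) for r in RTT_RE.findall(rest)]
        hop.timeouts = rest.count("*")
        hops.append(hop)
    return target[0], target[1], hops


def assess(text: str) -> dict:
    """Summarise a trace: did the last hop answer from the target address,
    which hops were silent (all probes lost) and which lost some probes."""
    _name, ip, hops = parse_traceroute(text)
    reached = bool(hops) and ip in hops[-1].responders
    return {
        "target": ip,
        "hops": len(hops),
        "reached": reached,
        "silent_hops": [h.ttl for h in hops if not h.responders],
        "lossy_hops": [h.ttl for h in hops if h.responders and h.timeouts],
        "last_rtt_ms": hops[-1].rtts[-1] if hops and hops[-1].rtts else None,
    }


# Constructed sample: two silent hops in the middle, the target answering at the end.
SAMPLE = """\
traceroute to example.com (93.184.216.34), 16 hops max, 52 byte packets
 1  192.0.2.1 (192.0.2.1)  5.152 ms  4.901 ms  5.330 ms
 2  10.0.0.1 (10.0.0.1)  12.767 ms  *  13.002 ms
 3  172.16.0.1 (172.16.0.1)  11.638 ms  11.702 ms  11.655 ms
 4  * * *
 5  * * *
 6  93.184.216.34 (93.184.216.34)  22.810 ms  22.300 ms  23.112 ms
"""

# Constructed sample: hop limit hit before the target ever answered.
UNREACHED = """\
traceroute to example.com (93.184.216.34), 4 hops max, 52 byte packets
 1  192.0.2.1 (192.0.2.1)  5.152 ms  4.901 ms  5.330 ms
 2  * * *
 3  * * *
 4  * * *
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(assess(UNREACHED))
```

Silent hops in the middle of an otherwise complete trace (hops 4 and 5 in the first sample) are routers that rate-limit or drop ICMP generation, not a break in the path, which is why the assessment keys on whether the last hop answered from the target address rather than on the asterisks themselves.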

Traceroute is also used by penetration testers to gather information about network infrastructure and IP address ranges around a given host.

It can also be used when downloading data, and if there are multiple mirrors available for the same piece of data, each mirror can be traced to get an idea of which mirror would be the fastest to use.

Origins

The traceroute manual page states that the original traceroute program was written by Van Jacobson in 1987 from a suggestion by Steve Deering, and that Guy Almes and Matt Mathis also had the idea concurrent with Deering. [14] The author of the ping program, Mike Muuss, states on his website that traceroute was written using kernel ICMP support that he had earlier coded to enable raw ICMP sockets when he first wrote the ping program. [15]

Limitations

Traceroute limitations [16] are well known and should be taken into account when using the tool. For example, traceroute does not discover paths at the router level but at the interface level: the address reported is that of the interface on which the router received the probe, so one router can appear under different addresses in different traces. Another limitation appears when routers do not respond to probes or rate-limit the ICMP errors they generate. [17] In the presence of per-flow load balancing, traceroute may report a path that does not actually exist, because probes for different TTLs can be hashed onto different paths; to minimize this problem there is a traceroute modification called Paris-traceroute, [18] which keeps the flow identifier of the probes constant so that all of them follow the same path through the load balancer.

See also

Internet Control Message Protocol (ICMP): supporting protocol in the Internet protocol suite used by network devices, including routers, to send error messages and operational information; not normally used to carry application data.
ping: network utility used to test the reachability of a host on an IP network.
Time to live (TTL) or hop limit: counter that limits the lifetime of a packet; each router decrements it and discards the packet when it reaches zero.
Routing Information Protocol (RIP): distance-vector routing protocol using hop count as its metric, with a maximum of 15 hops.
Network address translation (NAT): mapping of one IP address space into another by rewriting addresses in transit.
UUCP: suite of programs and protocols for remote command execution and transfer of files, email and netnews.
Stateful firewall: network firewall that tracks individual sessions traversing it.
SOCKS: proxy protocol that relays TCP connections and forwards UDP packets; a SOCKS server listens on TCP port 1080 (RFC 1928).
Network utilities: software for analyzing and configuring computer networks, most of which originated on Unix.
Layer 2 Tunneling Protocol (L2TP): tunneling protocol for VPNs that provides no confidentiality by itself and is usually carried over IPsec.
netstat: command-line utility that displays network connections, routing tables and interface statistics.
Default gateway: the router a host forwards to when no more specific route matches the destination.
Layer Four Traceroute (LFT): fast, multi-protocol traceroute engine with AS number lookups, loose source routing and firewall and load balancer detection; used to trace through packet filters.
My traceroute (MTR): combines traceroute and ping in one diagnostic tool.
Network socket: software endpoint for sending and receiving data across a network.
ICMP tunnel: covert channel between two hosts built on ICMP echo request and reply packets, for example carrying complete TCP traffic.
Internet Mapping Project: started by William Cheswick and Hal Burch at Bell Labs in 1997; has collected traceroute-style paths to hundreds of thousands of networks almost daily since 1998.
Hop: the passing of a packet from one network segment to the next; the hop count is the number of devices a packet traverses.
Firewalking: active reconnaissance technique by Mike Schiffman and David Goldsmith that uses traceroute-style TTL manipulation to determine which layer 4 protocols a firewall allows and to map gateway ACLs.
SoftEther VPN: open-source, multi-protocol VPN client and server software.

References

  1. "Traceroute6(8) - Linux man page".
  2. "Tracert6(8): IPv6 traceroute tool - Linux man page".
  3. Rossingol, Joe (23 June 2020). "Network Utility Deprecated in macOS Big Sur". MacRumors.
  4. tracert.cpp on GitHub
  5. traceroute(8) Linux Programmer's Manual – Administration and Privileged Commands
  6. traceroute(8) FreeBSD System Manager's Manual
  7. traceroute(8) NetBSD System Manager's Manual
  8. traceroute(8) OpenBSD System Manager's Manual
  9. traceroute(8) DragonFly BSD System Maintenance and Operation Commands Manual
  10. Comer, Douglas (2004). Computer Networks and Internets with Internet Applications. Pearson Education, Inc. pp. 360–362. ISBN 978-0131433519.
  11. "Tracert". Microsoft Docs . 3 February 2023. Retrieved July 29, 2023.
  12. "tracepath(8) – Linux man page". linux.die.net. Retrieved 2015-06-21.
  13. "Understanding the Ping and Traceroute Commands". Cisco IOS Software Releases 12.1 Mainline. cisco.com. 2006-11-29. Retrieved 2013-12-08.
  14. "traceroute6.c source code". 2022-10-04. Retrieved 2023-09-17.
  15. "The Story of the PING Program".
  16. Ray Belleville (March 3, 2017). "Limitations of Traceroute Explained".
  17. Marchetta, P.; Montieri, A.; Persico, V.; Pescapé, A.; Cunha, Í; Katz-Bassett, E. (June 2016). How and how much traceroute confuses our understanding of network paths. 2016 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN). pp. 1–7. doi:10.1109/lanman.2016.7548847. ISBN   978-1-4673-9882-4. S2CID   4643833.
  18. "Paris Traceroute". paris-traceroute.net. Retrieved 2017-06-10.
